LameHug: first AI-Powered malware linked to Russia’s APT28

LameHug malware uses AI to create data-theft commands on infected Windows systems. Ukraine links it to the Russia-nexus APT28 group.

Ukrainian CERT-UA warns of a new malware strain dubbed LameHug that uses a large language model (LLM) to generate commands to be executed on compromised Windows systems.

Ukrainian experts attribute the malware to the Russia-linked group APT28 (aka UAC-0001, Fancy Bear, Pawn Storm, Sofacy Group, Sednit, BlueDelta, and STRONTIUM).

“An obvious feature of LAMEHUG is the use of LLM (large language model), used to generate commands based on their textual representation (description).” reads the alert published by CERT-UA. “With a moderate level of confidence, the activity is associated with the activity of UAC-0001 (APT28).”

On July 10, 2025, CERT-UA identified a phishing campaign targeting executive authorities with a ZIP file posing as a ministry document.


The archive contained LAMEHUG malware disguised as a .pif file, built in Python via PyInstaller. The experts found two variants with different data theft methods. Attackers used a compromised email account and hosted their infrastructure on legitimate but compromised platforms.

LAMEHUG uses the Qwen 2.5-Coder-32B-Instruct LLM via the huggingface[.]co service API to generate commands from a statically embedded text description.

Qwen 2.5-Coder-32B-Instruct is a large open-source language model developed by Alibaba’s Qwen team, specifically optimized for coding tasks.

The malware gathers system info and searches for Office, PDF, and TXT files in common folders. It stores the data locally, then exfiltrates it via SFTP or HTTP POST.

“In particular, it provides for the collection (and storage in the “%PROGRAMDATA%\info\info.txt” file) of basic information about the computer (hardware, processes, services, network connections), as well as recursive search for Microsoft Office documents (including TXT, PDF) in the “Documents”, “Downloads” and “Desktop” directories and their copying to the “%PROGRAMDATA%\info\” folder. Exfiltration of the received information and files (in different versions of the program) can be carried out using SFTP or HTTP POST requests.” continues the alert.
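The behaviour described in the alert gives defenders two correlatable signals: a process calling the huggingface[.]co API and the same process writing into %PROGRAMDATA%\info\. The following hunt logic is an added example (not from CERT-UA or the article); the telemetry records, their field names and the list of "expected" Hugging Face clients are assumptions to be tuned per environment.

```python
import re
from collections import defaultdict

# Staging folder named in the CERT-UA alert: %PROGRAMDATA%\info\
STAGING_RE = re.compile(r"^[a-z]:\\programdata\\info\\", re.IGNORECASE)
# Service the alert says the malware queries for command generation.
LLM_API_HOSTS = {"huggingface.co"}
EXPECTED_LLM_CLIENTS = {"chrome.exe", "msedge.exe", "firefox.exe", "python.exe"}  # assumption

# Constructed sample telemetry; the schema is assumed, not any real EDR format.
EVENTS = [
    {"pid": 4120, "image": r"C:\Users\u\AppData\Local\Temp\Dokument.pif",
     "type": "net", "dest": "huggingface.co"},
    {"pid": 4120, "image": r"C:\Users\u\AppData\Local\Temp\Dokument.pif",
     "type": "file", "path": r"C:\ProgramData\info\info.txt"},
    {"pid": 880, "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "type": "net", "dest": "huggingface.co"},
]


def collect_signals(events):
    """Group events per process and tag the behaviours the alert describes."""
    procs = defaultdict(lambda: {"image": "", "signals": set()})
    for ev in events:
        rec = procs[ev["pid"]]
        rec["image"] = ev["image"]
        name = ev["image"].rsplit("\\", 1)[-1].lower()
        if name.endswith(".pif"):  # PyInstaller build disguised as a .pif
            rec["signals"].add("pif_image")
        if ev["type"] == "net" and ev["dest"].lower() in LLM_API_HOSTS:
            rec["signals"].add("llm_api_contact")
            if name not in EXPECTED_LLM_CLIENTS:
                rec["signals"].add("llm_api_unexpected_client")
        if ev["type"] == "file" and STAGING_RE.match(ev["path"]):
            rec["signals"].add("staging_write")
    return {pid: r for pid, r in procs.items() if r["signals"]}


def hunt(events):
    """Score flagged processes; LLM contact plus staging writes is the strong combination."""
    findings = {}
    for pid, rec in collect_signals(events).items():
        s = rec["signals"]
        if "llm_api_contact" in s and "staging_write" in s:
            verdict = "high"
        elif s & {"llm_api_unexpected_client", "pif_image", "staging_write"}:
            verdict = "medium"
        else:
            verdict = "low"  # e.g. a browser simply visiting huggingface.co
        findings[pid] = {"image": rec["image"], "signals": sorted(s), "verdict": verdict}
    return findings
```

A browser reaching huggingface.co alone scores low, which keeps the rule from paging on normal developer traffic; the .pif image plus the staging directory write is what lifts the constructed sample to high.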

LameHug is the first known malware to use an LLM to generate attack commands, enabling threat actors to adapt their attack chain to actual needs.

The report also includes cyber threat indicators.


Pierluigi Paganini

(SecurityAffairs – hacking, malware)
