

Ethical Hacking News

CERT-UA Discovers LAMEHUG Malware: A Phishing Campaign Linked to Russian State-Sponsored Hacking Group APT28




The Computer Emergency Response Team of Ukraine (CERT-UA) has discovered a malware campaign delivering a payload called LAMEHUG, which it attributes with medium confidence to APT28, a Russian state-sponsored hacking group. The malware is notable for using a large language model to generate the commands it executes on compromised hosts.



  • The Computer Emergency Response Team (CERT-UA) has discovered a phishing campaign linked to APT28, also known as Fancy Bear.
  • The malware delivered by the campaign, codenamed LAMEHUG, uses a large language model called Qwen2.5-Coder-32B-Instruct to generate the commands it runs.
  • The generated commands harvest basic information about the compromised host and search for documents; the model is reached through the Hugging Face service API.
  • The use of legitimate services like Hugging Face for command-and-control operations highlights the evolving nature of cyber threats.
  • As GenAI technology becomes more integrated into security solutions, threat actors will likely continue to evolve their tactics, requiring organizations to stay vigilant and proactive in protecting themselves.



The Computer Emergency Response Team (CERT-UA) of Ukraine has made a crucial discovery that sheds light on the growing threat landscape in the cyber world. Recently, the team revealed details about a phishing campaign designed to deliver malware codenamed LAMEHUG. According to CERT-UA, this malware is linked to APT28, also known as Fancy Bear, Forest Blizzard, Sednit, Sofacy, and UAC-0001, a well-known Russian state-sponsored hacking group.

The discovery was made after receiving reports about suspicious emails sent from compromised accounts that impersonated ministry officials. These emails contained a ZIP archive with three different variants of the LAMEHUG payload: "Додаток.pif," "AI_generator_uncensored_Canvas_PRO_v0.9.exe," and "image.py." The malware was found to be developed in Python and leverages Qwen2.5-Coder-32B-Instruct, a large language model developed by Alibaba Cloud that is specifically fine-tuned for coding tasks such as generation, reasoning, and fixing.

The Qwen2.5-Coder-32B-Instruct model is available on platforms such as Hugging Face and Llama, making it easily accessible to threat actors looking to exploit its capabilities. CERT-UA has noted that the malware uses this large language model via the huggingface[.]co service API to generate commands from statically entered text (a description) and then executes those commands on the infected computer.

The generated commands allow operators to harvest basic information about the compromised host and to search recursively for TXT and PDF documents in the "Documents", "Downloads" and "Desktop" directories. The captured information is then transmitted to an attacker-controlled server using SFTP or HTTP POST requests. It is currently not known how successful the LLM-assisted attack approach was.

The use of Hugging Face infrastructure for command-and-control (C2) operations serves as a reminder of how threat actors are weaponizing legitimate services that are prevalent in enterprise environments to blend in with normal traffic and sidestep detection. This development highlights the evolving nature of cyber threats, as threat actors continue to explore new avenues to evade security measures.

This discovery comes weeks after Check Point revealed an unusual malware artifact dubbed Skynet, which employs prompt injection techniques to resist analysis by artificial intelligence (AI) code analysis tools. The emergence of LAMEHUG and its use of a large language model to generate commands underscores the importance of staying vigilant against these types of threats.

As GenAI technology becomes increasingly integrated into security solutions, history has taught us that we should expect attempts like this to grow in volume and sophistication. Check Point warned that "First, we had the sandbox, which led to hundreds of sandbox escape and evasion techniques; now, we have the AI malware auditor. The natural result is hundreds of attempted AI audit escape and evasion techniques. We should be ready to meet them as they arrive."

This latest development serves as a stark reminder of the cat-and-mouse game that exists between cybersecurity experts and threat actors. As threat actors continue to evolve their tactics, it is imperative for organizations to stay informed about emerging threats like LAMEHUG and take proactive measures to protect themselves.

In conclusion, the discovery by CERT-UA highlights the growing importance of staying vigilant against phishing campaigns linked to state-sponsored hacking groups. Organizations must remain aware of these evolving threats and implement robust security measures to prevent such incidents from occurring in the first place.
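The paragraphs above describe the observable pattern of this campaign: an unusual process on a user workstation calling the Hugging Face API, followed shortly by a bulk HTTP POST to an attacker-controlled address. The script below is an added illustration of how a defender might hunt for that pattern in egress proxy logs; it is not code from CERT-UA, The Hacker News, or the malware itself. The JSON log format, the hostnames and user names, the baseline of developer hosts, the expected-process list and the byte threshold are all constructed assumptions; only the domain huggingface.co and the "Додаток.pif" file name come from the article.

```python
"""Hunt for LLM-as-C2 style traffic in egress proxy logs (added example, constructed data)."""
import ipaddress
import json
from datetime import datetime

# Constructed sample proxy log lines (one JSON object per line). Not real telemetry.
SAMPLE_LOGS = """
{"ts":"2025-07-18T08:01:02Z","host":"WS-0142","user":"o.ivanenko","process":"Додаток.pif","method":"POST","dst_host":"huggingface.co","bytes_out":1830}
{"ts":"2025-07-18T08:01:09Z","host":"WS-0142","user":"o.ivanenko","process":"Додаток.pif","method":"POST","dst_host":"198.51.100.23","bytes_out":482113}
{"ts":"2025-07-18T08:03:30Z","host":"DEV-0007","user":"m.petrenko","process":"python.exe","method":"POST","dst_host":"huggingface.co","bytes_out":2210}
{"ts":"2025-07-18T08:04:00Z","host":"WS-0077","user":"a.shevchenko","process":"chrome.exe","method":"GET","dst_host":"www.example.org","bytes_out":310}
"""

# Assumption: the security team maintains a baseline of hosts where calls to the
# Hugging Face API are expected (developer / ML workstations).
HF_BASELINE_HOSTS = {"DEV-0007"}

# Assumption: processes that legitimately talk to ML/AI services in this environment.
EXPECTED_HF_PROCESSES = {"python.exe", "chrome.exe", "firefox.exe", "code.exe"}

# Executable extensions that rarely belong to a legitimate API client.
SUSPICIOUS_EXTENSIONS = (".pif", ".scr", ".com")


def parse_logs(text):
    """Parse one JSON log record per line and convert the timestamp to datetime."""
    events = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        events.append(ev)
    return events


def is_hf_domain(dst_host):
    """True for huggingface.co and any of its subdomains."""
    return dst_host == "huggingface.co" or dst_host.endswith(".huggingface.co")


def is_bare_ip(dst_host):
    """True when the destination is a literal IP address rather than a hostname."""
    try:
        ipaddress.ip_address(dst_host)
        return True
    except ValueError:
        return False


def find_findings(events, exfil_bytes=100_000, window_s=300):
    """Return a list of findings, each a dict with host, process and the rule that fired.

    Rules (all thresholds are constructed for this example):
      hf_api_from_unbaselined_host    - HF API call from a host outside the baseline set
      hf_api_from_unexpected_process  - HF API call from an unexpected or oddly named process
      bulk_upload_to_ip_after_hf_call - large POST to a bare IP within window_s seconds
                                        after the same host/process called the HF API
    """
    findings = []
    events = sorted(events, key=lambda e: e["ts"])
    hf_calls = []  # ((host, process), ts) for every HF API call seen so far
    for ev in events:
        key = (ev["host"], ev["process"])
        if is_hf_domain(ev["dst_host"]):
            if ev["host"] not in HF_BASELINE_HOSTS:
                findings.append({"host": ev["host"], "process": ev["process"],
                                 "rule": "hf_api_from_unbaselined_host"})
            proc = ev["process"].lower()
            if proc.endswith(SUSPICIOUS_EXTENSIONS) or proc not in EXPECTED_HF_PROCESSES:
                findings.append({"host": ev["host"], "process": ev["process"],
                                 "rule": "hf_api_from_unexpected_process"})
            hf_calls.append((key, ev["ts"]))
        elif ev["method"] == "POST" and ev["bytes_out"] >= exfil_bytes and is_bare_ip(ev["dst_host"]):
            # Correlate the upload with a preceding HF call from the same host and process.
            for k, ts in hf_calls:
                if k == key and 0 <= (ev["ts"] - ts).total_seconds() <= window_s:
                    findings.append({"host": ev["host"], "process": ev["process"],
                                     "rule": "bulk_upload_to_ip_after_hf_call"})
                    break
    return findings


if __name__ == "__main__":
    for f in find_findings(parse_logs(SAMPLE_LOGS)):
        print(f"{f['host']}\t{f['process']}\t{f['rule']}")
```

On the constructed sample the developer workstation DEV-0007 produces no findings, the ordinary browsing on WS-0077 produces none, and WS-0142 trips all three rules: the ".pif" process is neither baselined nor expected, and its large POST to a literal IP follows the model call within the window. In practice the baseline and expected-process sets would come from the organization's own inventory, and the rules would be expressed in the SIEM's query language rather than a standalone script.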



    Related Information:
  • https://www.ethicalhackingnews.com/articles/CERT-UA-Discovers-LAMEHUG-Malware-A-Phishing-Campaign-Linked-to-Russian-State-Sponsored-Hacking-Group-APT28-ehn.shtml

  • https://thehackernews.com/2025/07/cert-ua-discovers-lamehug-malware.html


  • Published: Fri Jul 18 08:02:07 2025 by llama3.2 3B Q4_K_M