

Ethical Hacking News

The Rise of LameHug: A Revolutionary Malware That Exploits AI for Data Theft




A new malware strain dubbed LameHug uses a large language model to generate the commands it runs on compromised Windows hosts instead of carrying them hard-coded. CERT-UA attributes the activity to Russia's APT28 with moderate confidence. The campaign reached its victims through phishing, so the organizations most exposed are those whose staff can be induced to open an attached archive and run the executable inside it.



  • LameHug is an AI-assisted malware strain that CERT-UA links to Russia's APT28 with moderate confidence.
  • The malware queries a large language model (Qwen 2.5-Coder-32B-Instruct, via the huggingface.co API) to generate the commands it executes on infected Windows systems.
  • LameHug marks a turning point in the malicious use of AI technologies: the LLM is part of the implant's execution chain, not just a development aid.
  • Delivery was by phishing, so organizations whose users open attached archives and run the executable inside are the ones at risk.
  • The malware gathers system information, stages it together with harvested documents under %PROGRAMDATA%\info\, and exfiltrates the data via SFTP or HTTP POST requests.



    Cybersecurity researchers have identified a novel malware strain dubbed LameHug. This artificial intelligence (AI)-assisted malware has been linked to Russia's Advanced Persistent Threat (APT) group known as APT28, also tracked under names such as UAC-0001, Fancy Bear, Pawn Storm, Sofacy Group, Sednit, BlueDelta, and STRONTIUM. The emergence of LameHug marks a turning point in the malicious use of AI technologies: the model is invoked at run time to decide what the implant does on the victim host.

    The discovery was made by CERT-UA, Ukraine's national computer emergency response team, which on July 10, 2025 detected a phishing campaign targeting executive authorities with a ZIP archive posing as a ministry document. The archive contained the LAMEHUG malware (CERT-UA's spelling): a Python program packaged with PyInstaller and delivered as a .pif file. The researchers identified two variants of the malware that differ in how they steal data.
</gram_replace>
<gr_replace lines="27" cat="clarify" orig="One variant employed">
    The phishing emails were sent from a compromised email account, and the malware's infrastructure was hosted on legitimate but compromised platforms. Both variants rely on the large language model (LLM) Qwen 2.5-Coder-32B-Instruct, reached through the huggingface.co service API, to turn statically embedded text descriptions of the desired actions into concrete commands; they differ in the exfiltration channel they use.

    One variant employed a compromised email account and hosted its infrastructure on legitimate but compromised platforms. In contrast, another variant relied on a large language model (LLM) called Qwen 2.5-Coder-32B-Instruct from the huggingface.co service API to generate commands based on statically entered text or description.

    In practice, LameHug sends the model a description such as a request for system reconnaissance or for collecting documents, and executes the commands the model returns on the infected Windows system. Because the commands are generated at run time from a description rather than hard-coded, the operators can change what the implant does by changing the description, and static analysis of the binary does not reveal the exact command lines that will run on a given host.

    According to the CERT-UA report, "An obvious feature of LAMEHUG is the use of LLM (large language model), used to generate commands based on their textual representation (description)." The report attributes the activity to APT28 with moderate confidence. If that attribution holds, LameHug is a new addition to APT28's espionage toolset rather than an isolated experiment.

    The malware gathers system information and recursively searches the user's Documents, Downloads and Desktop folders for Office, PDF and TXT files. It stages everything under %PROGRAMDATA%\info\ and then exfiltrates it via SFTP or HTTP POST requests, depending on the variant. The report describes the behaviour as follows: "In particular, it provides for the collection (and storage in the “%PROGRAMDATA%\info\info.txt” file) of basic information about the computer (hardware, processes, services, network connections), as well as recursive search for Microsoft Office documents (including TXT, PDF) in the “Documents”, “Downloads” and “Desktop” directories and their copying to the “%PROGRAMDATA%\info\” folder. Exfiltration of the received information and files (in different versions of the program) can be carried out using SFTP or HTTP POST requests."
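    The behaviour above gives a defender three host-level signals that can be correlated per process: a masquerading executable (.pif) talking to the huggingface.co API, file writes under %PROGRAMDATA%\info\, and a subsequent outbound connection on an exfiltration port (22 for SFTP, 80/443 for HTTP POST). Blocking huggingface.co outright is a crude control, since developers use it legitimately, so the correlation matters. The script below is an added example and is not CERT-UA's tooling or anything taken from the report: it runs a hunt over constructed Sysmon-style events rendered as JSON lines. The event IDs and field names follow Sysmon's ProcessCreate (1), NetworkConnect (3) and FileCreate (11) events, but every host name (including the api-inference.huggingface.co subdomain), PID, path and file name is invented for the illustration, and the drive-independent path check and the port list are this example's assumptions.

```python
import json
from collections import defaultdict

# Constructed Sysmon-style telemetry (JSON lines). Hosts, PIDs, paths and file
# names are invented; only the behaviours mirror what the CERT-UA report describes.
SAMPLE_LOG = r"""
{"EventID": 1, "ProcessId": 4412, "Image": "C:\\Users\\user\\Downloads\\Attachment.pif", "ParentImage": "C:\\Windows\\explorer.exe"}
{"EventID": 3, "ProcessId": 4412, "Image": "C:\\Users\\user\\Downloads\\Attachment.pif", "DestinationHostname": "api-inference.huggingface.co", "DestinationPort": 443}
{"EventID": 11, "ProcessId": 4412, "Image": "C:\\Users\\user\\Downloads\\Attachment.pif", "TargetFilename": "C:\\ProgramData\\info\\info.txt"}
{"EventID": 11, "ProcessId": 4412, "Image": "C:\\Users\\user\\Downloads\\Attachment.pif", "TargetFilename": "C:\\ProgramData\\info\\budget_2025.docx"}
{"EventID": 3, "ProcessId": 4412, "Image": "C:\\Users\\user\\Downloads\\Attachment.pif", "DestinationHostname": "203.0.113.10", "DestinationPort": 22}
{"EventID": 1, "ProcessId": 5120, "Image": "C:\\Program Files\\Python312\\python.exe", "ParentImage": "C:\\Windows\\explorer.exe"}
{"EventID": 3, "ProcessId": 5120, "Image": "C:\\Program Files\\Python312\\python.exe", "DestinationHostname": "huggingface.co", "DestinationPort": 443}
{"EventID": 11, "ProcessId": 5120, "Image": "C:\\Program Files\\Python312\\python.exe", "TargetFilename": "C:\\Users\\user\\model.bin"}
"""

# Assumptions of this example: %PROGRAMDATA% normally resolves to <drive>:\ProgramData,
# so the drive letter is ignored; the ports are the SFTP/HTTP/HTTPS channels named in the report.
STAGING_MARKER = "\\programdata\\info\\"
EXFIL_PORTS = {22: "sftp", 80: "http", 443: "https"}
MASQUERADE_EXT = (".pif", ".scr", ".com")   # executable extensions that pass for documents


def load_events(text):
    """Parse JSON-lines telemetry, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_llm_api_host(host):
    """True for huggingface.co or any subdomain of it (the API the report names)."""
    h = host.lower().rstrip(".")
    return h == "huggingface.co" or h.endswith(".huggingface.co")


def hunt(events):
    """Correlate per-process signals and return findings for processes that stage
    data under %PROGRAMDATA%\\info\\ and show at least one further LameHug trait."""
    procs = defaultdict(lambda: {"image": "", "llm_api": set(), "staged": [], "egress": []})
    for ev in events:
        p = procs[ev["ProcessId"]]
        p["image"] = ev.get("Image") or p["image"]
        if ev["EventID"] == 3:                       # NetworkConnect
            host, port = ev.get("DestinationHostname", ""), ev.get("DestinationPort")
            if is_llm_api_host(host):
                p["llm_api"].add(host)
            elif port in EXFIL_PORTS:                # any non-LLM destination on an exfil port
                p["egress"].append((host, port))
        elif ev["EventID"] == 11:                    # FileCreate
            target = ev.get("TargetFilename", "")
            if STAGING_MARKER in target.lower():
                p["staged"].append(target)

    findings = []
    for pid, p in procs.items():
        reasons = []
        if p["staged"]:
            reasons.append("writes under %PROGRAMDATA%\\info\\: " + ", ".join(p["staged"]))
        if p["llm_api"]:
            reasons.append("LLM API contact: " + ", ".join(sorted(p["llm_api"])))
        if p["image"].lower().endswith(MASQUERADE_EXT):
            reasons.append("masquerading executable: " + p["image"])
        # The staging directory anchors the rule; LLM contact or a .pif alone is too noisy.
        if p["staged"] and len(reasons) >= 2:
            egress = [f"{h}:{port} ({EXFIL_PORTS[port]})" for h, port in p["egress"]]
            findings.append({"pid": pid, "image": p["image"], "reasons": reasons,
                             "egress": egress, "severity": "high" if egress else "medium"})
    return findings


if __name__ == "__main__":
    for f in hunt(load_events(SAMPLE_LOG)):
        print(json.dumps(f, indent=2))
```

    In the constructed sample only PID 4412 fires: it stages two files, contacts the model API and runs from a .pif, and the later SFTP connection to a non-API host raises the severity to high. The python.exe process that merely fetches something from huggingface.co is left alone, which is the point of anchoring the rule on the staging directory rather than on the API domain.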

    The report also includes indicators of compromise, which organizations can load into their detection and blocking controls to identify this campaign on their networks.

    In conclusion, LameHug represents a significant threat because it moves command generation out of the binary and into an LLM queried at run time, so its reconnaissance and collection steps can be changed without rebuilding the implant. Its association with APT28, and its delivery through phishing against government bodies, underscore the continued focus of nation-state actors on espionage and document theft.

    Summary:

    LameHug is an AI-assisted malware strain linked by CERT-UA to Russia's APT28 with moderate confidence. It uses a large language model, reached through the huggingface.co API, to generate the commands it runs on infected Windows systems, stages system information and documents under %PROGRAMDATA%\info\, and exfiltrates them via SFTP or HTTP POST. Delivered by phishing, it marks a turning point in the malicious use of AI technologies and is a threat to any organization whose users open attached archives and run what is inside.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/The-Rise-of-LameHug-A-Revolutionary-Malware-That-Exploits-AI-for-Data-Theft-ehn.shtml

  • https://securityaffairs.com/180092/apt/lamehug-first-ai-powered-malware-linked-to-russias-apt28.html


  • Published: Fri Jul 18 06:53:46 2025 by llama3.2 3B Q4_K_M













    © Ethical Hacking News . All rights reserved.