LameHug malware uses large language model commands in Ukraine attacks

The LameHug malware leverages an artificial intelligence-powered large language model to generate dynamic attack commands, marking a new tactic seen in recent cyber-attacks on Ukraine's security sector.

A newly identified strain of malware, dubbed 'LameHug', utilizes a large language model powered by artificial intelligence to generate operating system commands dynamically on infected Windows machines. This novel approach was first detected by the National Computer Emergency Response Team of Ukraine (CERT-UA) in cyber-attacks targeting the country's security and defense sector. The attacks were traced to the advanced persistent threat group APT28, a collective widely attributed to Russia's military intelligence service, the GRU.

According to CERT-UA, the threat actors distributed malicious emails containing a ZIP file attachment named 'Додаток.pdf.zip', which appeared to have been sent by a government official. Once extracted, the archive contained a file with a .pif extension, wrapped using PyInstaller for deployment. The LameHug malware itself is written in Python and connects to the Hugging Face API to access Alibaba's open-source Qwen2.5-Coder-32B-Instruct large language model. This enables it to craft and execute commands in real time, allowing the attackers to adapt their tactics during a live compromise without having to distribute new payloads.

Security researchers at IBM X-Force noted that the use of large language models to generate operational commands is unique among malware, increasing its potential to bypass detection by static analysis tools and traditional security software. The campaign highlights an escalation in sophistication among threat actors targeting Ukrainian organizations. APT28, also known by aliases such as Fancy Bear and Sofacy Group, has a history of targeting Ukraine with various cyber-operations, including previous attacks on critical infrastructure and related entities. The emergence of the LameHug malware underscores ongoing risks to national security and demonstrates how actors are incorporating artificial intelligence into offensive cyber tools.
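The behaviour chain described above (a .pif executable that reaches a hosted LLM API and then spawns shells) is what a defender can correlate, since a single outbound connection to an LLM API is not suspicious on its own. The following is an added detection example, not code from CERT-UA or IBM X-Force; the event shape, file paths, and the huggingface.co hostname are assumptions, and the telemetry is constructed.

```python
"""Correlate constructed EDR-style events for a LameHug-like chain:
.pif process -> connection to an LLM API host -> shell child processes."""
from collections import defaultdict

# Constructed sample telemetry (assumed Sysmon-like fields), not real logs.
SAMPLE_EVENTS = [
    {"type": "process", "pid": 4120, "ppid": 880, "image": r"C:\Users\u\Downloads\Додаток.pif"},
    {"type": "netconn", "pid": 4120, "dest": "huggingface.co", "port": 443},
    {"type": "process", "pid": 4188, "ppid": 4120, "image": r"C:\Windows\System32\cmd.exe"},
    {"type": "process", "pid": 4190, "ppid": 4120, "image": r"C:\Windows\System32\cmd.exe"},
    # Benign developer tool talking to the same API: must not alert on its own.
    {"type": "process", "pid": 5000, "ppid": 880, "image": r"C:\Program Files\app\app.exe"},
    {"type": "netconn", "pid": 5000, "dest": "huggingface.co", "port": 443},
]

LLM_API_SUFFIXES = ("huggingface.co",)  # assumed hosted-LLM endpoint suffixes
SHELLS = ("cmd.exe", "powershell.exe")


def score_events(events):
    """Return {pid: (score, reasons)} for processes showing parts of the chain."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    score, reasons = defaultdict(int), defaultdict(list)
    for e in events:
        if e["type"] == "process":
            image = e["image"].lower()
            if image.endswith(".pif"):
                score[e["pid"]] += 2
                reasons[e["pid"]].append("pif-executable")
            parent = procs.get(e["ppid"])
            # Each shell spawned by a .pif parent raises the parent's score.
            if parent and image.endswith(SHELLS) and parent["image"].lower().endswith(".pif"):
                score[e["ppid"]] += 2
                reasons[e["ppid"]].append("pif-spawned-shell")
        elif e["type"] == "netconn" and e["dest"].lower().endswith(LLM_API_SUFFIXES):
            score[e["pid"]] += 1
            reasons[e["pid"]].append("llm-api-connection")
    return {pid: (s, reasons[pid]) for pid, s in score.items()}


def alerts(events, threshold=5):
    """PIDs whose combined score crosses the threshold, i.e. the full chain."""
    return sorted(pid for pid, (s, _) in score_events(events).items() if s >= threshold)


if __name__ == "__main__":
    for pid, (s, why) in score_events(SAMPLE_EVENTS).items():
        print(pid, s, why)
    print("alerts:", alerts(SAMPLE_EVENTS))
```

With the constructed sample, only the .pif process (score 7) alerts, while the benign process that merely contacts the API scores 1.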
