New "LameHug" Malware Deploys AI-Generated Commands
Ukrainian authorities have identified a new malware, dubbed LameHug, that leverages an AI-powered large language model (LLM) to generate commands for execution on compromised Windows systems. The National Computer Emergency Response Team of Ukraine (CERT-UA) discovered the malicious software in recent cyber-attacks targeting the nation's security and defense sector.
The attacks have been linked, with moderate confidence, to the APT28 hacking group, which is assessed to be controlled by Russian special services. The link is not surprising: APT28, active since at least 2004, has a long history of targeting Ukraine with cyber-attacks, and has also targeted organizations supporting Ukraine in its war effort against the Russian Federation.
In a July 17 update, CERT-UA revealed that emails carrying an attachment named "Додаток.pdf.zip" (Attachment.pdf.zip) were sent to executive bodies, purportedly from a representative of a relevant ministry. The ZIP archive contained a similarly named file with a .pif extension, a Windows executable type hidden behind a document-like double extension. The file was built with the Python-based PyInstaller packager and has been classified by CERT-UA as the malicious software LameHug.
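The delivery described above, a document-looking archive that actually holds a .pif executable, is easy to catch at the mail gateway before anyone double-clicks it. The following is an added example, not code from CERT-UA or from the article, that inspects a ZIP attachment for members Windows would execute and calls out the double-extension trick. The sample archive it scans is constructed inline (its member holds placeholder text, not the real file), and the extension lists are the editor's own assumptions about what a recipient expects to open versus what Windows will run.

```python
import io
import zipfile
from dataclasses import dataclass

# Extensions Windows will run on double-click. .pif (Program Information File)
# is the one CERT-UA reported for the LameHug attachment; the rest are the
# usual executables seen in phishing archives (assumed list, tune as needed).
EXECUTABLE_EXTS = {"pif", "exe", "scr", "com", "bat", "cmd", "vbs", "js", "jse", "hta", "lnk", "ps1"}
# Extensions a recipient expects to open as a document or image (assumed list).
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "txt", "rtf", "jpg", "png"}
ARCHIVE_EXTS = {"zip", "rar", "7z"}


@dataclass
class Finding:
    member: str
    reason: str


def _extensions(name: str) -> list[str]:
    """'Додаток.pdf.pif' -> ['pdf', 'pif']; directory components are dropped first."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1]
    parts = base.lower().split(".")
    return parts[1:] if len(parts) > 1 else []


def attachment_name_is_deceptive(filename: str) -> bool:
    """True for names like 'Додаток.pdf.zip', where a document extension sits
    just before the archive extension so the attachment reads as a PDF."""
    exts = _extensions(filename)
    return len(exts) >= 2 and exts[-1] in ARCHIVE_EXTS and exts[-2] in DOCUMENT_EXTS


def scan_archive(data: bytes) -> list[Finding]:
    """Flag archive members that Windows would execute, and name the
    double-extension trick when a document extension precedes the executable one."""
    findings: list[Finding] = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            exts = _extensions(info.filename)
            if not exts or exts[-1] not in EXECUTABLE_EXTS:
                continue
            if len(exts) >= 2 and exts[-2] in DOCUMENT_EXTS:
                reason = f"document-looking name with executable .{exts[-1]} extension"
            else:
                reason = f"executable .{exts[-1]} inside archive"
            findings.append(Finding(info.filename, reason))
    return findings


def build_sample_attachment() -> bytes:
    """Constructed stand-in for the reported attachment: the archive holds a
    similarly named .pif member. The member content is harmless placeholder text."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Додаток.pdf.pif", "placeholder, not a real payload")
        zf.writestr("readme.txt", "benign text file")
    return buf.getvalue()


if __name__ == "__main__":
    print("attachment name deceptive:", attachment_name_is_deceptive("Додаток.pdf.zip"))
    for f in scan_archive(build_sample_attachment()):
        print(f"{f.member}: {f.reason}")
```

The check deliberately looks at the last extension only when deciding what Windows will execute; a name such as `report.pif.txt` is a text file and is not flagged, whereas `Додаток.pdf.pif` is. Nested archives and password-protected ZIPs (which `zipfile` cannot open without the password) are left for a fuller gateway policy.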
LameHug Malware Leverages Open Source LLM
The malware is written in Python and uses the Hugging Face API to query Alibaba's open-source Qwen2.5-Coder-32B-Instruct LLM, which returns the commands the malware then executes on the host. Because those commands are produced at run time from a prompt rather than hard-coded in the binary, the operators can adapt their tactics during a compromise without shipping new payloads, and a static look at the sample shows prompts rather than the commands that will actually run, potentially making the malware harder to detect by security software or static analysis tools. The flip side for defenders is that the malware depends on a public inference service: every step it takes is preceded by an outbound connection to that API from the infected host.
"This unique approach enables the use of large language models for generating execution commands," said an IBM X-Force OSINT advisory. "It's a game-changer in the world of cyber threats."
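Since the command generation lives outside the binary, the most reliable artefact on the endpoint is the traffic to the inference API itself. The following added example (the editor's own, not code from CERT-UA, IBM X-Force or the article) runs over constructed EDR-style network-connection events and flags processes that talk to an LLM API host without being on an allowlist, counting repeat connections so that a loop that keeps asking the model for its next command stands out. The event schema, the allowlist, and the `api-inference.huggingface.co` hostname are assumptions made for the example; only `huggingface.co` itself is named in the reporting.

```python
import json
from collections import Counter, defaultdict

# Domains behind public LLM inference APIs. huggingface.co is the service named
# in the LameHug reporting; add others as appropriate for the environment.
LLM_API_DOMAINS = ("huggingface.co",)

# Processes expected to reach those domains on this fleet. Constructed
# allowlist for the example; tune it to what your users actually run.
ALLOWED_IMAGES = {"chrome.exe", "firefox.exe", "msedge.exe", "python.exe"}

# Image names ending in these are almost never legitimate network clients.
SUSPICIOUS_IMAGE_EXTS = (".pif", ".scr", ".com", ".bat", ".cmd")
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt"}


def _basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1]


def is_llm_api_host(dest_host: str) -> bool:
    h = dest_host.lower().rstrip(".")
    return any(h == d or h.endswith("." + d) for d in LLM_API_DOMAINS)


def _reasons_for(image: str) -> set[str]:
    name = _basename(image).lower()
    reasons = set()
    if name not in ALLOWED_IMAGES:
        reasons.add("process not on LLM-API allowlist")
    if name.endswith(SUSPICIOUS_IMAGE_EXTS):
        reasons.add("suspicious image extension")
    parts = name.split(".")
    if len(parts) >= 3 and parts[-2] in DOCUMENT_EXTS:
        reasons.add("document-like double extension")
    return reasons


def find_llm_beacons(event_lines, min_connections: int = 1) -> list[dict]:
    """Each line is a JSON object with ts, host, image, dest_host and dest_port
    (a constructed EDR-style schema, not any real product's). Returns one
    finding per (host, image) pair that reached an LLM API host for a reason
    worth a look, with a connection count: a command loop that keeps asking
    the model for its next step shows up as repeated hits."""
    counts: Counter = Counter()
    reasons = defaultdict(set)
    first_seen = {}
    for line in event_lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        if not is_llm_api_host(ev.get("dest_host", "")):
            continue
        why = _reasons_for(ev["image"])
        if not why:
            continue
        key = (ev["host"], ev["image"])
        counts[key] += 1
        reasons[key] |= why
        first_seen.setdefault(key, ev["ts"])
    findings = [
        {
            "host": host,
            "image": image,
            "connections": n,
            "first_seen": first_seen[(host, image)],
            "reasons": sorted(reasons[(host, image)]),
        }
        for (host, image), n in counts.items()
        if n >= min_connections
    ]
    findings.sort(key=lambda f: (-f["connections"], f["host"]))
    return findings


# Constructed sample events (not real telemetry). WS-17 shows the pattern the
# article describes: a .pif with a document-like name repeatedly calling the
# Hugging Face inference API. The api-inference subdomain is an assumption.
SAMPLE_EVENTS = r"""
{"ts": "2025-07-10T08:01:12Z", "host": "WS-17", "image": "C:\\Users\\olena\\Downloads\\Додаток.pdf.pif", "dest_host": "api-inference.huggingface.co", "dest_port": 443}
{"ts": "2025-07-10T08:01:40Z", "host": "WS-17", "image": "C:\\Users\\olena\\Downloads\\Додаток.pdf.pif", "dest_host": "api-inference.huggingface.co", "dest_port": 443}
{"ts": "2025-07-10T08:02:05Z", "host": "WS-17", "image": "C:\\Users\\olena\\Downloads\\Додаток.pdf.pif", "dest_host": "api-inference.huggingface.co", "dest_port": 443}
{"ts": "2025-07-10T08:02:30Z", "host": "WS-17", "image": "C:\\Users\\olena\\Downloads\\Додаток.pdf.pif", "dest_host": "www.microsoft.com", "dest_port": 443}
{"ts": "2025-07-10T08:03:00Z", "host": "WS-17", "image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "dest_host": "huggingface.co", "dest_port": 443}
{"ts": "2025-07-10T08:05:11Z", "host": "WS-22", "image": "C:\\Python312\\python.exe", "dest_host": "api-inference.huggingface.co", "dest_port": 443}
{"ts": "2025-07-10T08:07:44Z", "host": "WS-22", "image": "C:\\ProgramData\\svc\\update.exe", "dest_host": "api-inference.huggingface.co", "dest_port": 443}
"""

if __name__ == "__main__":
    for f in find_llm_beacons(SAMPLE_EVENTS.splitlines()):
        print(f"{f['host']} {f['image']}: {f['connections']} connection(s), {', '.join(f['reasons'])}")
```

On the sample, the `.pif` on WS-17 is reported with three connections and all three reasons, while `update.exe` on WS-22 is reported once for not being allowlisted; the browser and the interpreter are ignored. In a real deployment the allowlist should be per host role, and the connection count is what separates a one-off developer experiment from a process in a command loop.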
CERT-UA specialists said that a compromised email account was used to send the emails carrying the malware. The attackers relied on social engineering, making the message appear to come from a legitimate source.
A Threat Actor's Toolbox
APT28 is a well-known threat actor group linked to Russia's military intelligence agency (GRU). It has been active since at least 2004 and has long targeted Ukraine with cyber-attacks. In 2023, CERT-UA reported that APT28 attempted a cyber-attack against a Ukrainian critical power infrastructure facility.
In 2025, researchers reported that APT28 had exploited a zero-day vulnerability in MDaemon Email Server (CVE-2024-11182) against Ukrainian companies.
A Growing Concern
The use of LLM-backed malware like LameHug is a growing concern for security teams and policymakers alike. Because the malicious commands are generated at run time, signatures for the commands themselves are of little use; detection has to lean on the delivery stage (the disguised .pif attachment), on outbound connections to a public LLM inference API from processes that have no business making them, and on the behaviour of the commands once they run. As threat actors continue to adapt, security tooling has to keep pace with these changes.
Western logistics and tech firms delivering aid to Ukraine have been targeted by an APT28 cyber-espionage campaign over the past two years. This latest malware discovery highlights the ongoing threat posed by APT28 and underscores the need for vigilance and cooperation in the face of this ever-evolving threat landscape.