LameHug: AI-Powered Malware from APT28 Linked to Phishing Campaign

Alan V Gutnov, Director of Strategy

July 19, 2025, 3 min read

LameHug Malware Overview

[Image: Artificial Intelligence. Image courtesy of Security Affairs]

LameHug is malware that uses AI to generate the data-theft commands it runs on compromised Windows systems. It is attributed to the Russian APT28 group, also known as Fancy Bear. Ukraine's CERT-UA issued a warning about LameHug, which queries a large language model (LLM) to produce the commands executed on infected hosts.

Key Features and Mechanism

LameHug is notable for calling the Qwen 2.5-Coder-32B-Instruct model through the Hugging Face API. The model is built for coding tasks, so the attackers can turn a textual description of what they want into executable commands on the fly. The malware has been observed in phishing campaigns targeting Ukrainian government officials, distributed in emails carrying ZIP files disguised as official documents.

On July 10, 2025, CERT-UA identified a phishing campaign in which emails impersonated ministry officials and carried a ZIP file containing the LameHug malware as a .pif executable disguised as a document. The malware gathers system information and searches for Office, PDF, and TXT documents, exfiltrating the data via SFTP or HTTP POST requests.
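As an added example (not code from the article or from CERT-UA), the following Python script shows a mail-gateway style check for the delivery pattern described above: it opens a ZIP attachment in memory, flags members whose real extension is one Windows will execute (such as .pif), notes document-looking double extensions, and checks whether the payload carries the PyInstaller archive cookie. The sample ZIP, its file names and contents are constructed for the demonstration; the extension list is an assumed policy, not one taken from the report.

```python
import io
import os
import zipfile

# Extensions Windows executes directly; .pif is the one reported for LameHug.
# This set is an assumed gateway policy, extend it to match your environment.
EXECUTABLE_EXTENSIONS = {".pif", ".exe", ".scr", ".com", ".bat", ".cmd", ".lnk", ".js", ".vbs"}

# Magic cookie the PyInstaller bootloader stores in the archive it appends to the executable.
PYINSTALLER_MAGIC = b"MEI\014\013\012\013\016"


def is_pyinstaller_bundle(data: bytes) -> bool:
    """Return True if the bytes contain PyInstaller's archive cookie."""
    return PYINSTALLER_MAGIC in data


def find_disguised_executables(zip_bytes: bytes) -> list:
    """Inspect a ZIP attachment without writing any member to disk.

    Returns one finding per member whose final extension is executable, noting
    whether the name uses a double extension (e.g. report.pdf.pif) and whether
    the payload looks like a PyInstaller bundle.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            base = os.path.basename(info.filename)
            stem, ext = os.path.splitext(base)
            ext = ext.lower()
            if ext not in EXECUTABLE_EXTENSIONS:
                continue
            data = zf.read(info)
            findings.append({
                "name": info.filename,
                "extension": ext,
                "double_extension": os.path.splitext(stem)[1] != "",
                "pyinstaller": is_pyinstaller_bundle(data),
            })
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample: one benign PDF-looking member and one .pif member with a
    PyInstaller cookie embedded. Neither is a real sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Attachment/Order_2025.pdf", b"%PDF-1.4 constructed benign content")
        zf.writestr(
            "Attachment/Order_2025.pdf.pif",
            b"MZ" + b"\x00" * 64 + PYINSTALLER_MAGIC + b"\x00" * 16,
        )
    return buf.getvalue()


if __name__ == "__main__":
    for finding in find_disguised_executables(build_sample_zip()):
        print(finding)
```

The check is deliberately name-and-bytes based so it runs before any extraction: a quarantine decision on a .pif inside an "official document" ZIP does not need the file to be opened, and the PyInstaller cookie gives a second, extension-independent signal for the packaging the report describes.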

Because the commands are generated at run time, the operators can change tactics without shipping a new payload, which makes signature-based detection by security software harder.

Technical Details of LameHug Malware

LameHug steals data through two primary methods. It is written in Python and packaged with PyInstaller; its novelty lies in using an LLM to produce the commands it executes. Those commands let the operators harvest basic information about the compromised host and recursively search user directories for documents.

The malware stores the collected data in a local file before exfiltrating it via SFTP or HTTP POST requests. According to CERT-UA's alert, the collected data includes hardware information, running processes, services, and network connections, among other details.

Innovative Aspects of LameHug

Using an LLM such as Qwen 2.5-Coder-32B-Instruct marks a shift in malware tactics. The attackers can generate commands in real time based on the context of the intrusion, and because the requests go to a legitimate public service, the traffic blends in with normal activity and is harder to spot.
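An added detection example (not part of the article and not CERT-UA's guidance) for the "legitimate service as command channel" pattern: it reads endpoint or proxy events, flags any process outside an allowlist that contacts an LLM inference endpoint, and then flags a large HTTP POST from that same host and process as possible exfiltration. The event schema, the sample events, the process allowlist, the 100 KB threshold and the inference hostname `api-inference.huggingface.co` are all assumptions made for the demonstration; confirm the hostname against your own proxy logs before deploying a rule like this.

```python
import json

# Hostname assumed for the Hugging Face Inference API; verify in your proxy logs.
LLM_API_HOSTS = {"api-inference.huggingface.co"}

# Processes you expect to talk to model APIs (assumed allowlist for this example).
ALLOWED_PROCESSES = {"chrome.exe", "msedge.exe", "firefox.exe", "code.exe"}

# POST size above which a later upload from a suspect process is flagged (assumed).
LARGE_POST_BYTES = 100_000

# Constructed endpoint/proxy events, one JSON object per line. Not real telemetry.
SAMPLE_EVENTS = """\
{"ts":"2025-07-10T09:12:01Z","host":"WS-0412","process":"chrome.exe","dest":"api-inference.huggingface.co","method":"POST","bytes_out":1830}
{"ts":"2025-07-10T09:14:33Z","host":"WS-0412","process":"Order_2025.pdf.pif","dest":"api-inference.huggingface.co","method":"POST","bytes_out":2210}
{"ts":"2025-07-10T09:14:40Z","host":"WS-0412","process":"Order_2025.pdf.pif","dest":"203.0.113.7","method":"POST","bytes_out":524288}
{"ts":"2025-07-10T09:20:05Z","host":"WS-0098","process":"code.exe","dest":"api-inference.huggingface.co","method":"POST","bytes_out":950}
"""


def flag_llm_api_abuse(event_lines: str) -> list:
    """Return alerts for LLM-API contact from unexpected processes and for large
    POSTs those same processes make afterwards (a possible exfiltration step)."""
    suspects = set()   # (host, process) pairs already seen talking to an LLM API
    alerts = []
    for line in event_lines.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        key = (ev["host"], ev["process"])
        if ev["dest"] in LLM_API_HOSTS and ev["process"].lower() not in ALLOWED_PROCESSES:
            suspects.add(key)
            alerts.append({
                "ts": ev["ts"], "host": ev["host"], "process": ev["process"],
                "reason": "llm_api_from_unexpected_process",
            })
        elif key in suspects and ev["method"] == "POST" and ev["bytes_out"] >= LARGE_POST_BYTES:
            alerts.append({
                "ts": ev["ts"], "host": ev["host"], "process": ev["process"],
                "dest": ev["dest"], "reason": "large_post_after_llm_api_contact",
            })
    return alerts


if __name__ == "__main__":
    for alert in flag_llm_api_abuse(SAMPLE_EVENTS):
        print(alert)
```

The rule keys on which process originates the request rather than on the destination alone, because the destination is a legitimate service that browsers and developer tools on the same network will also reach; blocking the hostname outright is rarely acceptable, but a .pif process reaching it is a strong signal.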

LameHug's approach illustrates how cyber threats are evolving as AI technologies become part of attackers' tooling.

Current Threat Landscape

APT28 has been active since at least 2004 and continues to target a range of sectors, including Ukraine's defense and security sector. In 2023, CERT-UA reported attempts by the group to exploit vulnerabilities in critical infrastructure.

The ongoing cybersecurity threat posed by APT28 highlights the need for enhanced security measures. Organizations are encouraged to adopt comprehensive security strategies, including Gopher Security’s AI-powered Zero Trust architecture. This architecture converges networking and security across various environments, enabling effective protection against dynamic threats like LameHug.

Recommended Security Measures

Organizations should consider implementing Gopher Security’s offerings, such as:

  • AI-Powered Zero Trust Platform
  • Advanced AI Authentication Engine
  • Micro-Segmentation for Secure Environments
  • Secure Access Service Edge (SASE)
  • Cloud Access Security Broker

These solutions are designed to protect against evolving threats, ensuring robust defense mechanisms are in place.

For further information about securing your systems against such threats and exploring our services, visit Gopher Security.

About the author: Alan V Gutnov, Director of Strategy. MBA-credentialed cybersecurity expert specializing in Post-Quantum Cybersecurity solutions with proven capability to reduce attack surfaces by 90%.
