LameHug: First AI-Powered Malware Linked to Russia’s APT28
Discover LameHug, the first AI-powered malware linked to Russia’s APT28, leveraging large language models for data theft on Windows systems.
TL;DR
LameHug, a newly discovered malware, uses AI to generate data-theft commands on infected Windows systems. Ukrainian authorities have attributed this malware to the Russia-linked APT28 group. This marks the first known instance of malware utilizing a large language model (LLM) to adapt its attack methods based on real-time needs.
LameHug Malware: AI-Powered Data Theft Linked to Russia’s APT28
Ukrainian CERT-UA has issued a warning about a novel malware strain named LameHug. This malware employs a large language model (LLM) to generate and execute commands on compromised Windows systems, representing a significant advancement in cyber threat tactics.
Attribution to APT28
Ukrainian cybersecurity experts have linked LameHug to the Russia-associated group APT28, also known by various aliases such as Fancy Bear, Pawn Storm, Sofacy Group, Sednit, BlueDelta, and STRONTIUM [1]. The attribution is based on the malware’s sophisticated use of AI and its targeted phishing campaign.
Key Features of LameHug
LameHug stands out due to its integration of the LLM Qwen 2.5-Coder-32B-Instruct, an open-source language model developed by Alibaba’s Qwen team. This model is specifically optimized for coding tasks and is utilized via the Hugging Face service API to generate commands [2].
Phishing Campaign and Infection Method
On July 10, 2025, CERT-UA detected a phishing campaign targeting executive authorities. The campaign involved a ZIP file disguised as a ministry document. The archive contained the LameHug malware, disguised as a .pif file and built in Python using PyInstaller. Two variants of the malware were identified, each employing a different data theft method [3].
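The delivery pattern above (a ZIP lure carrying a PyInstaller-built .pif) is something a mail gateway or triage script can check for before a user ever double-clicks. The following is an added example, not CERT-UA's tooling or any code from the campaign: it opens a ZIP, flags members with Windows-executable extensions, notes document-style double extensions, and looks for the cookie marker that the PyInstaller bootloader appends to its archive. The sample archive is constructed inline so the script runs offline.

```python
"""Attachment triage for ZIP lures that carry an executable member
(such as a .pif) built with PyInstaller.

Added example; not CERT-UA's tooling. The archive below is constructed
for the illustration and is not a real sample."""
import io
import zipfile
from pathlib import PurePosixPath

# Extensions Windows executes directly on double-click. A .pif is handled
# like an .exe regardless of what its name suggests.
EXECUTABLE_EXTENSIONS = {
    ".pif", ".exe", ".scr", ".com", ".bat", ".cmd", ".lnk", ".js", ".vbs", ".hta",
}
# Document suffixes a lure typically imitates in a double-extension name.
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt"}
# Cookie the PyInstaller bootloader writes into its appended archive.
PYINSTALLER_MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"


def looks_like_pyinstaller(data: bytes) -> bool:
    """Return True if the PyInstaller archive cookie appears in the blob."""
    return PYINSTALLER_MAGIC in data


def has_document_double_extension(name: str) -> bool:
    """True for names like 'order.pdf.pif', where a document suffix precedes the real one."""
    suffixes = PurePosixPath(name).suffixes
    return len(suffixes) >= 2 and suffixes[-2].lower() in DOCUMENT_EXTENSIONS


def triage_zip(zip_bytes: bytes) -> list[dict]:
    """Return one finding per executable-type member of the archive."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            ext = PurePosixPath(info.filename).suffix.lower()
            if ext not in EXECUTABLE_EXTENSIONS:
                continue
            data = zf.read(info)
            findings.append({
                "member": info.filename,
                "extension": ext,
                "double_extension": has_document_double_extension(info.filename),
                "pyinstaller": looks_like_pyinstaller(data),
                "size": len(data),
            })
    return findings


def build_sample_zip() -> bytes:
    """Construct a lure-style archive in memory (constructed data, not a real sample)."""
    # Stand-in for a PE file: 'MZ' header, padding, then the PyInstaller cookie.
    fake_binary = b"MZ" + b"\x00" * 62 + PYINSTALLER_MAGIC + b"\x00" * 16
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Ministry_order_2025.pdf.pif", fake_binary)
        zf.writestr("readme.txt", "please review the attached order\n")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in triage_zip(build_sample_zip()):
        verdict = "BLOCK" if finding["pyinstaller"] or finding["double_extension"] else "REVIEW"
        print(verdict, finding)
```

The cookie check is a cheap signal, not proof of malice (plenty of legitimate tools ship as PyInstaller bundles), so the script reports it alongside the extension and double-extension findings rather than deciding on it alone.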
Data Theft and Exfiltration
LameHug gathers system information and searches for Office, PDF, and TXT files in common folders such as “Documents,” “Downloads,” and “Desktop.” The collected data is stored locally and then exfiltrated via SFTP or HTTP POST requests. The malware’s adaptability, enabled by its use of an LLM, allows threat actors to tailor their attack chain based on real-time needs [4].
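Two behaviours described in this section and the one on key features leave traces in egress logs: a non-browser process talking to an LLM inference API, and a bulk HTTP POST from that same process to an unfamiliar destination. The script below is an added example, not CERT-UA's indicators or any code from the malware; it runs both checks over constructed proxy-style log lines and escalates hosts where one process trips both rules. The log format, the hostnames in LLM_API_HOSTS, the known-destination allowlist and the byte threshold are all assumptions chosen for the illustration.

```python
"""Egress-log detection for LLM-API calls from non-browser processes and
bulk HTTP POSTs to unfamiliar destinations.

Added example; not CERT-UA's indicators. The log format, host lists and
threshold are assumptions; the log lines are constructed."""
import re

# Assumed: API hosts an LLM-driven tool would call. Extend for your environment.
LLM_API_HOSTS = {"api-inference.huggingface.co", "huggingface.co"}
# Processes from which interactive users legitimately reach those hosts.
BROWSER_PROCESSES = {"chrome.exe", "msedge.exe", "firefox.exe"}
# Destinations the organization recognizes; anything else counts as unfamiliar.
KNOWN_DESTINATIONS = {"outlook.office365.com", "sharepoint.example.gov"}
# Constructed threshold for a "bulk" upload in a single request.
BULK_POST_BYTES = 512_000

# Constructed proxy-style format: timestamp followed by key=value fields.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) proc=(?P<proc>\S+) "
    r"method=(?P<method>[A-Z]+) dst=(?P<dst>\S+) bytes_out=(?P<bytes>\d+)$"
)

# Constructed sample: one infected workstation and one benign one.
SAMPLE_LOGS = [
    "2025-07-10T09:12:01Z host=ws-fin-07 proc=outlook.exe method=POST dst=outlook.office365.com bytes_out=2048",
    "2025-07-10T09:14:30Z host=ws-fin-07 proc=Ministry_order_2025.pdf.pif method=POST dst=api-inference.huggingface.co bytes_out=1210",
    "2025-07-10T09:15:02Z host=ws-fin-07 proc=Ministry_order_2025.pdf.pif method=POST dst=203.0.113.10 bytes_out=2300000",
    "2025-07-10T09:20:44Z host=ws-hr-02 proc=chrome.exe method=POST dst=huggingface.co bytes_out=900",
    "2025-07-10T09:21:10Z host=ws-hr-02 proc=chrome.exe method=GET dst=sharepoint.example.gov bytes_out=300",
]


def parse_line(line: str):
    """Return the fields of one log line as a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def detect(lines):
    """Return (rule, host, proc, dst) alerts in log order."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        proc = rec["proc"].lower()
        # Rule 1: an LLM API reached by something other than a browser.
        if rec["dst"] in LLM_API_HOSTS and proc not in BROWSER_PROCESSES:
            alerts.append(("llm_api_from_non_browser", rec["host"], rec["proc"], rec["dst"]))
        # Rule 2: a large POST to a destination nobody has vetted.
        if (rec["method"] == "POST"
                and int(rec["bytes"]) >= BULK_POST_BYTES
                and rec["dst"] not in KNOWN_DESTINATIONS):
            alerts.append(("bulk_post_unfamiliar_dst", rec["host"], rec["proc"], rec["dst"]))
    return alerts


def escalate(alerts):
    """(host, proc) pairs that triggered more than one distinct rule."""
    rules_by_actor = {}
    for rule, host, proc, _dst in alerts:
        rules_by_actor.setdefault((host, proc), set()).add(rule)
    return sorted(actor for actor, rules in rules_by_actor.items() if len(rules) >= 2)


if __name__ == "__main__":
    found = detect(SAMPLE_LOGS)
    for alert in found:
        print("ALERT", *alert)
    for host, proc in escalate(found):
        print("ESCALATE", host, proc)
```

Rule 1 alone will fire on developer tooling and scripted API clients, so pairing it with the bulk-upload rule on the same process is what separates a plausible compromise from a false positive; SFTP exfiltration would need a separate rule on port 22 connections from user workstations, which this log format does not carry.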
Cyber Threat Indicators
The report by CERT-UA includes detailed cyber threat indicators to help organizations detect and mitigate the threat posed by LameHug. This information is crucial for cybersecurity professionals to enhance their defenses against such advanced threats [5].
Conclusion
LameHug represents a new era in cyber threats, where AI is leveraged to create dynamic and adaptable malware. The attribution to APT28 underscores the ongoing cyber warfare and the need for robust cybersecurity measures. Organizations must stay vigilant and adapt their security strategies to counter such evolving threats.
Additional Resources
For further insights, check:
1. “Russia-linked APT28 targets Western logistics entities and technology firms.” Security Affairs. Retrieved 2025-07-18.
2. “Qwen 2.5-Coder-32B-Instruct.” Alibaba Qwen Team. Retrieved 2025-07-18.
3. “CERT-UA identifies phishing campaign.” Security Affairs. Retrieved 2025-07-18.
4. “LameHug Malware Exfiltration Methods.” CERT-UA. Retrieved 2025-07-18.
5. “Cyber Threat Indicators for LameHug.” CERT-UA. Retrieved 2025-07-18.