AI-Powered LAMEHUG Malware from APT28 Targets Windows Users

Alan V Gutnov
Alan V Gutnov

Director of Strategy

 
July 19, 2025 2 min read

Novel Malware from APT28

Recent attacks by the Russian cyberespionage group APT28 have seen the deployment of malware that generates commands by querying large language models (LLMs). This malware, known as LAMEHUG, has been used in spear phishing campaigns aimed at Ukrainian government entities. The CERT-UA report indicates that phishing emails were sent from a compromised email account, impersonating ministry representatives.

Dishonest person in a Russian cyber security room hacking systems
Image courtesy of CSO Online

The malware was contained in a ZIP archive with a .pif file extension, although other extensions such as .exe and .py have also been observed. This group, also known as Sofacy or Fancy Bear, is linked to the GRU, Russia's military intelligence service, and has been active in cyber operations since 2004.

Querying LLM APIs in Real-Time

LAMEHUG's unique feature is its direct querying capability to LLM APIs. It utilizes the APIs from Hugging Face, a major platform for hosting LLMs. The malware generates commands by instructing the Qwen 2.5-Coder-32B-Instruct model to behave as a Windows system administrator. It collects system information and executes commands to exfiltrate data, including recursively copying documents from user folders.

The malware is written in Python and compiled into an executable binary using PyInstaller. Variants of LAMEHUG have been identified with different functionalities regarding data exfiltration. The command-and-control server for the malware was hosted on compromised infrastructure.

Phishing Campaign and Malware Distribution

On July 10, 2025, CERT-UA identified the phishing campaign targeting executive authorities in Ukraine. The emails contained ZIP files labeled as ministry documents, leading to the download of the LAMEHUG payload. The malware's ability to adapt its command generation through LLMs marks a significant evolution in attack strategies.

Phishing email and decoy document
Image courtesy of Cyber Insider

The attackers utilized a compromised email account for distribution, and the malware's data exfiltration capabilities included sending captured information to attacker-controlled servers via SFTP or HTTP POST requests. The flexibility of LAMEHUG allows it to adapt across different environments, enhancing the malware's effectiveness while reducing detection risk.

Implications for Cybersecurity

The emergence of LAMEHUG illustrates the increasing sophistication of cyber threats. By leveraging AI to dynamically generate commands, attackers can automate and adapt their strategies in real-time. This trend emphasizes the need for robust cybersecurity solutions, such as Gopher Security's AI-Powered Zero Trust Platform, which provides comprehensive security across various devices, apps, and environments by utilizing peer-to-peer encrypted tunnels and quantum-resistant cryptography.

As threats evolve, organizations must remain vigilant and consider advanced technologies like Gopher Security's AI Ransomware Kill Switch and Micro-Segmentation for Secure Environments to enhance their defenses against such attacks.

Alan V Gutnov
Alan V Gutnov

Director of Strategy

 

MBA-credentialed cybersecurity expert specializing in Post-Quantum Cybersecurity solutions with proven capability to reduce attack surfaces by 90%.

Related Articles

Ransomware Attacks Target Russian Vodka and Healthcare Sectors

The Novabev Group, parent company of the Beluga vodka brand, experienced a ransomware attack on July 14, 2025, causing significant disruptions. The attack affected WineLab, the company's liquor store chain, leading to a three-day closure of over 2,000 locations in Russia. The company reported that the attack crippled its IT infrastructure, particularly point-of-sale systems and online services. Novabev Group stated, "The company maintains a principled position of rejecting any interaction with cybercriminals and refuses to fulfill their demands."

By Alan V Gutnov July 19, 2025 3 min read
Read full article

Retail Sector Faces Surge in Ransomware Attacks: A 2025 Analysis

Publicly disclosed ransomware attacks on the retail sector globally surged by 58% in Q2 2025 compared to Q1, with UK-based firms being particularly targeted, according to a report by BlackFog. This spike in attacks follows high-profile breaches affecting retailers like Marks & Spencer (M&S), The Co-op, and Harrods, attributed to the threat actor known as Scattered Spider.

By Alan V Gutnov July 19, 2025 2 min read
Read full article

AI-Driven Lcryx Ransomware Emerges in Cryptomining Botnet

A cryptomining botnet active since 2019 has incorporated a likely AI-generated ransomware known as Lcryx into its operations. Recent analysis by the FortiCNAPP team at FortiGuard Labs identified the first documented incident linking H2miner and Lcryx ransomware. This investigation focused on a cluster of virtual private servers (VPS) utilized for mining Monero.

By Edward Zhou July 19, 2025 3 min read
Read full article

Preventing ClickFix Attacks: Safeguarding Against Human Error

ClickFix is an emerging social engineering technique utilized by threat actors to exploit human error. This technique involves misleading users into executing malicious commands under the guise of providing "quick fixes" for common computer issues. Threat actors use familiar platforms and deceptive prompts to encourage victims to paste and run harmful scripts.

By Alan V Gutnov July 19, 2025 3 min read
Read full article