Purported Deepfake Scam Videos Depict JG…

BackLAMEHUG Malware Reportedly Integrates Large Language Model for Real-Time Command Generation in a Purported APT28-Linked Cyberattack

LAMEHUG Malware Reportedly Integrates Large Language Model for Real-Time Command Generation in a Purported APT28-Linked Cyberattack

Jul 10, 20252 reportsSeverity: SubstantialToolHigh confidence

APT28 (Fancy Bear) deployed LAMEHUG malware that integrated the Qwen2.5-Coder-32B-Instruct large language model to dynamically generate system reconnaissance and data exfiltration commands, targeting Ukrainian government officials through phishing emails in July 2025.

On July 10, 2025, Ukraine's CERT-UA discovered LAMEHUG, the first known malware integrating large language model capabilities directly into its attack methodology. The malware was attributed to APT28 (Fancy Bear) with moderate confidence and targeted Ukrainian government officials through phishing emails impersonating ministry officials. The emails contained ZIP archives with PyInstaller-compiled Python executables disguised as PDF attachments. LAMEHUG's defining characteristic was its integration of the Qwen2.5-Coder-32B-Instruct LLM via Hugging Face API, using approximately 270 tokens for authentication. The malware sent base64-encoded prompts to the LLM requesting commands for system information gathering and document harvesting. Multiple variants were discovered including files named 'Додаток.pif', 'AI_generator_uncensored_Canvas_PRO_v0.9.exe', and 'AI_image_generator_v0.95.exe'. The LLM generated comprehensive reconnaissance commands that collected hardware information, running processes, network configuration, user details, and complete Active Directory structure enumeration. Data exfiltration occurred through SFTP servers and HTTP POST requests to compromised hosting resources. CERT-UA assessed this as a proof-of-concept exploration of LLM integration in state-sponsored cyber operations.

Domain classification, causal taxonomy, severity scores, and national security assessments were LLM-classified and may contain errors.

Risk Domain

4Malicious Actors & Misuse

4.2Cyberattacks, weapon development or use, and mass harm

Using AI systems to develop cyber weapons (e.g., by coding cheaper, more effective malware), develop new or enhance existing weapons (e.g., Lethal Autonomous Weapons or chemical, biological, radiological, nuclear, and high-yield explosives), or use weapons to cause mass harm.

Causal Classification

Entity

Human

Due to a decision or action made by humans

Intent

Intentional

Due to an expected outcome from pursuing a goal

Timing

Post-deployment

Occurring after the AI model has been trained and deployed

Harm Severity Assessment

Highest Score:3 — Substantial(Financial Loss, inferred)

National Security Assessment

Overall Score(4/5)

Stakeholders

Developers: Alibaba, Hugging Face
Deployers: Apt28, Fancy Bear
Harmed Parties: Government Of Ukraine, Ukrainian Government Ministries, Ukrainian Government Officials, Public Sector Information Systems, National Cybersecurity Infrastructure Of Ukraine, State Institutions Targeted By Espionage Operations

AI System Classification

Primary Purpose: Code Generation
Secondary Purpose: Malware Detection
Behaviour Type: Tool
EU AI Act Risk Level: 2 High Risk
Occurrences: 1

Population Impact

No population impact data reported.

External Links

View on AI Incident Database