LameHug Malware Harnesses AI LLM for Real-Time Windows Data Theft Commands

LameHug malware uses AI LLM to craft Windows data-theft commands in real-time

A new malware family, LameHug, has been found on compromised Windows systems that uses a large language model (LLM) to generate its commands at run time. It was identified by Ukraine's CERT-UA, which attributes it with medium confidence to the Russian state-backed group APT28. LameHug is written in Python and queries the open-weight Qwen 2.5-Coder-32B-Instruct model through the Hugging Face API. The prompts are hard-coded in the malware rather than supplied by a user: each prompt describes a task in natural language, and the model returns Windows shell commands that the malware then executes. Observed tasks are system reconnaissance and data theft: the generated commands collect host and network information and recursively search the user's Documents, Desktop and Downloads folders for office documents, which are then exfiltrated over SFTP or HTTP POST. Delivery is by phishing email carrying a ZIP archive that contains the loader under names such as 'Attachment.pif'. The significance is operational: an attacker can change what the implant does by changing prompts instead of shipping a new payload, so signature-based detection of the binary and of fixed command strings becomes less reliable, while the implant's traffic to a public LLM inference API becomes an observable in its own right. CERT-UA describes LameHug as the first publicly documented case of malware that integrates an LLM into its execution.
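The behaviour described above gives defenders a network-level pattern to hunt for even when the binary changes: a process that talks to an LLM inference API and shortly afterwards pushes a large amount of data out over HTTP POST or SFTP. The Python below is an added example written for this page, not code from CERT-UA or from the malware. The log format, the inference hostnames, the allow-list of legitimate LLM clients and the sample log lines are all constructed assumptions for illustration, not published indicators.

```python
"""Hunt for LameHug-style tradecraft in endpoint egress logs (added example).

Pattern: a process on a host calls an LLM inference API, then the same process
sends a large upload over HTTP POST or SFTP within a short window. Two tiers are
reported: low-fidelity "unexpected LLM API client" sightings and higher-fidelity
"LLM call followed by bulk outbound transfer" alerts.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# ASSUMPTION: inference endpoints worth watching; not indicators from the CERT-UA report.
LLM_API_HOSTS = {"api-inference.huggingface.co", "router.huggingface.co"}
# ASSUMPTION: processes expected to reach those hosts on managed workstations.
ALLOWED_LLM_CLIENTS = {"chrome.exe", "msedge.exe", "code.exe"}
EXFIL_WINDOW = timedelta(minutes=30)

# ASSUMPTION: a simplified key=value egress log format (one connection per line).
LINE_RE = re.compile(
    r"(?P<ts>\S+) host=(?P<host>\S+) proc=(?P<proc>\S+) proto=(?P<proto>\S+) "
    r"dst=(?P<dst>[^:]+):(?P<port>\d+) method=(?P<method>\S+) bytes_out=(?P<bytes>\d+)"
)

# Constructed sample log. 'Attachment.pif' is the loader name from the report;
# the hosts, IPs (RFC 5737 documentation ranges) and timings are made up.
SAMPLE_LOG = """\
2025-07-10T09:00:01 host=WS-104 proc=Attachment.pif proto=https dst=api-inference.huggingface.co:443 method=POST bytes_out=1820
2025-07-10T09:00:04 host=WS-104 proc=Attachment.pif proto=https dst=api-inference.huggingface.co:443 method=POST bytes_out=1790
2025-07-10T09:02:30 host=WS-104 proc=Attachment.pif proto=ssh dst=203.0.113.7:22 method=- bytes_out=4812300
2025-07-10T09:05:00 host=WS-221 proc=chrome.exe proto=https dst=router.huggingface.co:443 method=POST bytes_out=2200
2025-07-10T09:06:00 host=WS-221 proc=chrome.exe proto=https dst=drive.example.com:443 method=POST bytes_out=9100000
2025-07-10T09:10:00 host=WS-305 proc=python.exe proto=https dst=api-inference.huggingface.co:443 method=POST bytes_out=1500
2025-07-10T09:12:00 host=WS-305 proc=python.exe proto=http dst=198.51.100.9:80 method=POST bytes_out=320000
""".splitlines()


def parse(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.fromisoformat(d["ts"])
    d["port"] = int(d["port"])
    d["bytes"] = int(d["bytes"])
    return d


def hunt(lines, min_exfil_bytes=100_000):
    """Return {'llm_use': set of (host, proc), 'alerts': [dict, ...]}.

    llm_use: processes outside the allow-list that contacted an LLM API.
    alerts:  such a process followed, within EXFIL_WINDOW, by an HTTP POST or
             SFTP session sending at least min_exfil_bytes.
    """
    events = [e for e in map(parse, lines) if e]
    events.sort(key=lambda e: e["ts"])
    llm_calls = defaultdict(list)   # (host, proc) -> prior LLM API calls
    result = {"llm_use": set(), "alerts": []}
    for e in events:
        key = (e["host"], e["proc"])
        if e["dst"] in LLM_API_HOSTS and e["proc"].lower() not in ALLOWED_LLM_CLIENTS:
            llm_calls[key].append(e)
            result["llm_use"].add(key)
            continue
        is_http_post = e["proto"] in ("http", "https") and e["method"] == "POST"
        is_sftp = e["proto"] == "ssh" and e["port"] == 22
        if not (is_http_post or is_sftp) or e["bytes"] < min_exfil_bytes:
            continue
        # Correlate the bulk transfer with an earlier LLM call by the same process.
        for c in llm_calls.get(key, []):
            if timedelta(0) <= e["ts"] - c["ts"] <= EXFIL_WINDOW:
                result["alerts"].append({
                    "host": e["host"], "proc": e["proc"], "llm_host": c["dst"],
                    "exfil_dst": e["dst"], "proto": e["proto"], "bytes": e["bytes"],
                })
                break
    return result


if __name__ == "__main__":
    res = hunt(SAMPLE_LOG)
    for key in sorted(res["llm_use"]):
        print("unexpected LLM API client:", key)
    for a in res["alerts"]:
        print("ALERT:", a)
```

On the sample data the chrome.exe session on WS-221 is ignored because browsers are allow-listed, while Attachment.pif (SFTP upload) and python.exe (HTTP POST) each produce an alert. In production the allow-list and the byte threshold need tuning per environment, and the same correlation can be expressed as a query in whatever SIEM holds the proxy and flow logs; the point is that the LLM round trips, not the binary, are the stable thing to key on.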
