Skip to content

Novel malware found using AI-generated commands

  • by
  • 2 min read

Ukrainian cybersecurity authorities have discovered a novel malware that abuses an AI-powered large language model (LLM) to generate commands for running on infected systems. The malware is named LameHug and is actively being used in cyberattacks against the country’s security and defense sector.

According to a report by the National Computer Emergency Response Team of Ukraine (CERT-UA), the malware is developed in Python. The malware relies on the Hugging Face API to interact with the open-source Qwen2.5-Coder-32B-Instruct LLM from the Chinese company Alibaba.

It starts off the infection chain by gathering basic system information on the infected system. These include the hardware configuration, running processes, services, network connections, and more. It also recursively searches for Microsoft Office documents, including text and PDF files, within the Documents, Downloads, and Desktop folders of the infected Windows PCs.

This is an image of lamehug code cert ua
Example of the malware infection chain. | Source: CERT-UA

The initial attack chain remains the same as any other malware attack, with compromised email accounts being used to send emails containing the malware. Emails containing an attachment named Додаток.pdf.zip were sent to multiple executive bodies, “purportedly sent from a representative of a relevant ministry.” Its command and control (C2) infrastructure is also hosted on “legitimate but compromised resources.”

Given Ukraine’s long-standing conflict with Russia, an obvious guess as to the malware’s creator would fall on Russian hacking groups. CERT-UA has assessed with “moderate confidence” that the malware is in fact linked to the UAC-0001 hacking group, also called APT28. The group allegedly operates under the Russian special services and is often used for espionage-based cyber attacks.

Indicators of threats and other relevant information about the malware have been compiled in a separate technical report from CERT-UA. An IMB X-Force OSINT advisory also warns about LameHug’s use of AI models to generate its own execution commands based on local system context.

In the News: Google sues Badbox 2.0 botnet operators

Yadullah Abidi

Yadullah Abidi

Yadullah is a Computer Science graduate who writes/edits/shoots/codes all things cybersecurity, gaming, and tech hardware. When he's not, he streams himself racing virtual cars. He's been writing and reporting on tech and cybersecurity with websites like Candid.Technology and MakeUseOf since 2018. You can contact him here: yadullahabidi@pm.me.

Related Reads

This is an image of dark web hacker security

Security flaw in Dahua CCTVs allows remote access

This is an image of python windows featured

Hackers are targeting Python developers with fake PyPI sites

This is an image of apple featured 2323424823

Apple patches Safari bug; Already exploited in Chrome

This is an image of dark web hacker security

Vibe coding platform breach exposes corporate apps

This is an image of dark web hacker security

Fake apps are stealing data blackmailing users on Asian mobile networks

This is an image of ransomware 32988sd

FBI collects dues from Chaos ransomware gang; $2.4 million in crypto seized

>