
As AI creates a stir in the tech world, it has also caught the attention of threat actors looking to automate parts of their attacks. According to a recent CERT-UA advisory, a new malware family identified as “LAMEHUG” has surfaced that hands the job of writing its commands to a large language model (LLM) rather than carrying them in the binary.
LAMEHUG AI Malware Hints At Emerging Cyberthreats
In a recent advisory, the Computer Emergency Response Team of Ukraine (CERT-UA) reported a new AI-powered malware found in the wild.
The malware, dubbed “LAMEHUG,” does not ship its reconnaissance and collection commands as fixed strings. Instead, at run time it sends a hardcoded text description to an LLM and executes whatever commands the model returns. Because the model, not the sample, decides the exact command text, the commands can vary between runs, which weakens signatures written against specific command strings and moves part of the attack logic into a service the defender cannot inspect.
CERT-UA learned of the malware from a report of its distribution among “executive authorities”. The targeted officials received a malicious .zip attachment in emails sent, allegedly, from a legitimate but compromised account. According to the CERT-UA advisory [translated],
CERT-UA received information about the distribution among executive authorities, allegedly on behalf of a representative of the relevant ministry, of emails with an attachment in the form of the file “Appendix.pdf.zip”.
Inside the archive the researchers found an executable with a .pif extension, an extension Windows still treats as executable and which makes a convenient disguise for a file named to look like a PDF. CERT-UA named this Python-based executable “LAMEHUG”.
Inspecting the executable revealed the malware’s most notable trait: its reliance on a hosted LLM. Written in Python, it sends a fixed text description to the Hugging Face inference API and runs the commands the model generates from it.
It uses LLM Qwen 2.5-Coder-32B-Instruct via the huggingface[.]co service API to generate commands based on statically entered text (description) for their subsequent execution on a computer.
Once running on the target, the malware performs reconnaissance and collection: it gathers system information, system identifiers and network details, scans the file system for Microsoft Office documents and PDF files, and exfiltrates the documents it finds.
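As an added illustration, not code from CERT-UA, IBM X-Force or this article, the following Python hunt shows the kind of check a SOC could run over proxy or EDR network telemetry to spot this pattern: a non-interactive process calling the Hugging Face inference API, especially one whose name masquerades as a document and that carries an hf_ bearer token. The log format, the api-inference hostname, the process allow list, the scoring and the sample log lines are all assumptions constructed for the example.

```python
import re
from collections import defaultdict

# Assumption: hosts the hosted Hugging Face inference API answers on. The
# advisory names huggingface[.]co; the api-inference subdomain is assumed.
LLM_API_HOSTS = {"huggingface.co", "api-inference.huggingface.co"}

# Assumption: interactive tools that legitimately reach those hosts in this
# environment. Tune per site; an empty set turns every hit into a finding.
EXPECTED_PROCESSES = {"chrome.exe", "msedge.exe", "firefox.exe", "code.exe"}

# Document-looking name that actually ends in an executable extension,
# e.g. Appendix.pdf.pif. Windows runs .pif files like .exe.
MASQUERADE_RE = re.compile(
    r"\.(?:pdf|docx?|xlsx?|pptx?|txt)\.(?:pif|exe|scr|com|bat|cmd)$", re.IGNORECASE
)

# Assumed log layout: one request per line, key=value fields as a proxy or EDR
# network sensor might emit. Real sensors differ; adapt LOG_RE accordingly.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) proc=(?P<proc>\S+) dst=(?P<dst>\S+) "
    r"method=(?P<method>\S+) auth=(?P<auth>\S+)$"
)

# Constructed sample telemetry, not real incident data. The process name
# Appendix.pdf.pif is modelled on the attachment name in the advisory.
SAMPLE_LOG = """\
2025-07-17T09:01:02Z host=WS-FIN-12 proc=chrome.exe dst=huggingface.co method=GET auth=none
2025-07-17T09:03:41Z host=WS-FIN-12 proc=Appendix.pdf.pif dst=api-inference.huggingface.co method=POST auth=bearer:hf_
2025-07-17T09:03:42Z host=WS-FIN-12 proc=Appendix.pdf.pif dst=api-inference.huggingface.co method=POST auth=bearer:hf_
2025-07-17T09:05:00Z host=WS-FIN-12 proc=cmd.exe dst=none method=none auth=none
2025-07-17T09:10:13Z host=WS-DEV-03 proc=code.exe dst=api-inference.huggingface.co method=POST auth=bearer:hf_
2025-07-17T09:12:30Z host=WS-DEV-03 proc=python.exe dst=api-inference.huggingface.co method=POST auth=bearer:hf_
"""


def is_document_masquerade(proc: str) -> bool:
    """True for names like Appendix.pdf.pif (document extension, then executable one)."""
    return MASQUERADE_RE.search(proc) is not None


def parse_log(text: str) -> list[dict]:
    """Parse key=value request lines; lines that do not match are skipped."""
    matches = (LOG_RE.match(line) for line in text.splitlines())
    return [m.groupdict() for m in matches if m]


def hunt(events: list[dict]) -> list[dict]:
    """One finding per (host, process) that talks to an LLM API host from a
    process outside EXPECTED_PROCESSES, scored by corroborating signals."""
    hits = defaultdict(lambda: {"requests": 0, "hf_token": False})
    for e in events:
        if e["dst"] not in LLM_API_HOSTS or e["proc"].lower() in EXPECTED_PROCESSES:
            continue
        rec = hits[(e["host"], e["proc"])]
        rec["requests"] += 1
        # Hugging Face user tokens start with "hf_"; the sensor is assumed to
        # log the scheme and the first characters of the bearer token.
        if e["auth"].startswith("bearer:hf_"):
            rec["hf_token"] = True

    findings = []
    for (host, proc), rec in hits.items():
        masq = is_document_masquerade(proc)
        # 1 point for the unexpected caller, plus one each for: a Hugging Face
        # token, repeated calls (one prompt per task), and a masquerading name.
        score = 1 + int(rec["hf_token"]) + int(rec["requests"] > 1) + int(masq)
        findings.append({"host": host, "proc": proc, "requests": rec["requests"],
                         "hf_token": rec["hf_token"], "masquerade": masq, "score": score})
    findings.sort(key=lambda f: (-f["score"], f["host"], f["proc"]))
    return findings


if __name__ == "__main__":
    for finding in hunt(parse_log(SAMPLE_LOG)):
        print(finding)
```

Run against the constructed log, the masquerading .pif process on WS-FIN-12 ranks first with all four signals, the developer's python.exe on WS-DEV-03 surfaces as a lower-scored lead worth a quick look, and the browser and IDE traffic to the same hosts is ignored. The point is that the observable for this malware is ordinary-looking HTTPS to a legitimate service, so the query has to key on who is calling, not on the destination's reputation.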
Malware Potentially Links Back To Russian APT28
While attribution is not definitive, CERT-UA links the activity with moderate confidence to the Russian state-sponsored group APT28. As noted in an update,
CERT-UA assesses with moderate confidence that this activity is linked to the UAC-0001 (APT28) hacking group, which is controlled by Russian special services.
APT28, also known as Sofacy, Fancy Bear, Strontium, and Pawn Storm, is a long-known Russian state actor that has conducted numerous cyber-espionage campaigns worldwide. Active since the 2000s, the group has been involved in major attacks against government entities in Europe, including Germany, the Netherlands and Ukraine, and in the United States.
Over time, the group has used a wide range of techniques to get into target networks, and LAMEHUG shows it adopting another one: outsourcing part of the malware’s logic to a public LLM service.
According to IBM X-Force, this capability lets threat actors “adapt their tactics” in real time without dropping additional payloads. There is a detection angle as well: the command-generation traffic goes to Hugging Face, a legitimate and widely used service, rather than to attacker-owned command-and-control infrastructure, so it blends in with ordinary developer traffic and is unlikely to be caught by reputation-based blocklists. Defenders hunting for this activity should look for outbound calls to LLM APIs from processes that have no business making them, rather than relying on C&C reputation alone.