Analyzing LAMEHUG
Aug. 25, 2025, 11:02 a.m.
Description
LAMEHUG, discovered on July 10, 2025, is the first known malware to integrate large language model capabilities into its attack methodology. Attributed to APT28 (Fancy Bear) with moderate confidence, it targeted Ukrainian government officials through phishing emails carrying malicious executables. The malware queries the LLM Qwen2.5-Coder-32B-Instruct through Hugging Face's API to generate its attack commands at runtime rather than embedding them statically. Multiple variants were identified, each using a different data exfiltration method. The attack appears to be a proof-of-concept exploration of LLM integration in state-sponsored cyber operations, demonstrating sophisticated reconnaissance capabilities through AI-generated commands. This development signals a new era of AI-incorporated malware operations and poses challenges for traditional, signature-based cybersecurity approaches, since the commands executed are not fixed in the binary.
Tags
Date
- Created: Aug. 24, 2025, 11:22 a.m.
- Published: Aug. 24, 2025, 11:22 a.m.
- Modified: Aug. 25, 2025, 11:02 a.m.
Additional Information
- Government
- Ukraine