Description: Ukraine's CERT-UA and Cato CTRL reported LAMEHUG, the first known malware to integrate a large language model (Qwen2.5-Coder-32B-Instruct via Hugging Face) for real-time command generation. Attributed with moderate confidence to APT28 (Fancy Bear), the malware reportedly targeted Ukrainian officials through phishing emails. The LLM is reported to have dynamically generated reconnaissance and data-exfiltration commands executed on infected systems.
Entities
Alleged: Alibaba and Hugging Face developed an AI system deployed by APT28 and Fancy Bear, which harmed Government of Ukraine, Ukrainian government ministries, Ukrainian government officials, Public sector information systems, National cybersecurity infrastructure of Ukraine and State institutions targeted by espionage operations.
Incident Stats
Incident ID
1220
Report Count
2
Incident Date
2025-07-10
Editors
Daniel Atherton
Incident Reports
AIID editor's note: See the original source of this report for the extra technical data that CERT-UA provides.
General information
On 10.07.2025, the National Cyber Incident, Cyber Attack, and Cyber Threat Response Team CERT-UA received inf…
Executive Summary
On July 17, 2025, Ukraine's Computer Emergency Response Team (CERT-UA) publicly reported LAMEHUG, which is being documented as the first known malware that integrates large language model (LLM) capabilities directly into …
Variants
A "variant" is an AI incident similar to a known case—it has the same causes, harms, and AI system. Instead of listing it separately, we group it under the first reported incident. Unlike other incidents, variants do not need to have been reported outside the AIID. Learn more from the research paper.