Incident 1220: LAMEHUG Malware Reportedly Integrates Large Language Model for Real-Time Command Generation in a Purported APT28-Linked Cyberattack

Description: Ukraine's CERT-UA and Cato CTRL reported LAMEHUG, the first known malware to integrate a large language model (Qwen2.5-Coder-32B-Instruct via Hugging Face) for real-time command generation. Attributed with moderate confidence to APT28 (Fancy Bear), the malware reportedly targeted Ukrainian officials through phishing emails. The LLM is reported to have dynamically generated reconnaissance and data-exfiltration commands executed on infected systems.

Tools

New Report New Response DiscoverView History

Entities

View all entities

Alleged: hugging face and Alibaba developed an AI system deployed by Fancy Bear and APT28, which harmed Ukrainian government officials , Ukrainian government ministries , State institutions targeted by espionage operations , Public sector information systems , National cybersecurity infrastructure of Ukraine , Government of Ukraine and National security and intelligence stakeholders.

Alleged implicated AI systems: stayathomeclasses[.]com exfiltration endpoint , Qwen2.5-Coder-32B-Instruct , PyInstaller-compiled Python executables , LAMEHUG malware family , Hugging Face API platform , Flux AI image generation API and 144[.]126[.]202[.]227 SFTP server

Incident Stats

Incident ID

1220

Report Count

Incident Date

2025-07-10

Editors

Daniel Atherton

Applied Taxonomies

MIT

MIT Taxonomy Classifications

Machine-Classified

Taxonomy Details

Risk Subdomain

4.2. Cyberattacks, weapon development or use, and mass harm

Risk Domain

Malicious Actors & Misuse

Entity

Human

Timing

Post-deployment

Intent

Intentional

Incident Reports

Reports Timeline

UAC-0001 cyberattacks on the security and defense sector using the LAMEHUG software tool, which uses LLM (large language model) (CERT-UA#16039)

cert.gov.ua

Cato CTRL™ Threat Research: Analyzing LAMEHUG – First Known LLM-Powered Malware with Links to APT28 (Fancy Bear)

catonetworks.com

cert.gov.ua · 2025

AI Translated

AIID editor's note: See the original source of this report for the extra technical data that CERT-UA provides.

General information

On 10.07.2025, the National Cyber Incident, Cyber Attack, and Cyber Threat Response Team CERT-UA received inf…

catonetworks.com · 2025

Executive Summary

On July 17, 2025, Ukraine's Computer Emergency Response Team (CERT-UA) publicly reported LAMEHUG, which is being documented as the first known malware that integrates large language model (LLM) capabilities directly into …

Variants

A "variant" is an AI incident similar to a known case—it has the same causes, harms, and AI system. Instead of listing it separately, we group it under the first reported incident. Unlike other incidents, variants do not need to have been reported outside the AIID. Learn more from the research paper.

Seen something similar?

Previous Incident Next Incident