
Incident 1220: LAMEHUG Malware Reportedly Integrates Large Language Model for Real-Time Command Generation in a Purported APT28-Linked Cyberattack

Description: Ukraine's CERT-UA and Cato CTRL reported LAMEHUG, the first known malware to integrate a large language model (Qwen2.5-Coder-32B-Instruct via Hugging Face) for real-time command generation. Attributed with moderate confidence to APT28 (Fancy Bear), the malware reportedly targeted Ukrainian officials through phishing emails. The LLM is reported to have dynamically generated reconnaissance and data-exfiltration commands executed on infected systems.


Entities

Alleged: Alibaba and Hugging Face developed an AI system deployed by APT28 and Fancy Bear, which harmed Government of Ukraine, Ukrainian government ministries, Ukrainian government officials, Public sector information systems, National cybersecurity infrastructure of Ukraine and State institutions targeted by espionage operations.
Alleged implicated AI systems: Qwen2.5-Coder-32B-Instruct, Hugging Face API platform, LAMEHUG malware family, PyInstaller-compiled Python executables, Flux AI image generation API, stayathomeclasses[.]com exfiltration endpoint and 144[.]126[.]202[.]227 SFTP server

Incident Stats

Incident ID: 1220
Report Count: 2
Incident Date: 2025-07-10
Editors: Daniel Atherton

Incident Reports

Reports Timeline

UAC-0001 cyberattacks on the security and defense sector using the LAMEHUG software tool, which uses LLM (large language model) (CERT-UA#16039)
cert.gov.ua · 2025
AI Translated

AIID editor's note: See the original source of this report for the extra technical data that CERT-UA provides.

General information

On 10.07.2025, the National Cyber Incident, Cyber Attack, and Cyber Threat Response Team CERT-UA received inf…

Cato CTRL™ Threat Research: Analyzing LAMEHUG – First Known LLM-Powered Malware with Links to APT28 (Fancy Bear)
catonetworks.com · 2025

Executive Summary

On July 17, 2025, Ukraine's Computer Emergency Response Team (CERT-UA) publicly reported LAMEHUG, which is being documented as the first known malware that integrates large language model (LLM) capabilities directly into …

Variants

A "variant" is an AI incident similar to a known case—it has the same causes, harms, and AI system. Instead of listing it separately, we group it under the first reported incident. Unlike other incidents, variants do not need to have been reported outside the AIID. Learn more from the research paper.

2024 - AI Incident Database