AI Incident Database
Entities

State institutions targeted by espionage operations

Incidents Harmed By

Incident 1220 (2 Reports)
LAMEHUG Malware Reportedly Integrates Large Language Model for Real-Time Command Generation in a Purported APT28-Linked Cyberattack

2025-07-10

Ukraine's CERT-UA and Cato CTRL reported LAMEHUG, the first known malware to integrate a large language model (Qwen2.5-Coder-32B-Instruct via Hugging Face) for real-time command generation. Attributed with moderate confidence to APT28 (Fancy Bear), the malware reportedly targeted Ukrainian officials through phishing emails. The LLM is reported to have dynamically generated reconnaissance and data-exfiltration commands executed on infected systems.


Related Entities
Other entities that are related to the same incident. For example, if the developer of an incident is this entity but the deployer is another entity, they are marked as related entities.

Entity

APT28

Incidents involved as Deployer
  • Incident 1220
    2 Reports

    LAMEHUG Malware Reportedly Integrates Large Language Model for Real-Time Command Generation in a Purported APT28-Linked Cyberattack

Entity

Fancy Bear

Incidents involved as Deployer
  • Incident 1220
    2 Reports

    LAMEHUG Malware Reportedly Integrates Large Language Model for Real-Time Command Generation in a Purported APT28-Linked Cyberattack

Entity

Alibaba

Incidents involved as Developer
  • Incident 1220
    2 Reports

    LAMEHUG Malware Reportedly Integrates Large Language Model for Real-Time Command Generation in a Purported APT28-Linked Cyberattack

Entity

hugging face

Incidents involved as Developer
  • Incident 1220
    2 Reports

    LAMEHUG Malware Reportedly Integrates Large Language Model for Real-Time Command Generation in a Purported APT28-Linked Cyberattack

Entity

Government of Ukraine

Incidents Harmed By
  • Incident 1220
    2 Reports

    LAMEHUG Malware Reportedly Integrates Large Language Model for Real-Time Command Generation in a Purported APT28-Linked Cyberattack

Entity

Ukrainian government ministries

Incidents Harmed By
  • Incident 1220
    2 Reports

    LAMEHUG Malware Reportedly Integrates Large Language Model for Real-Time Command Generation in a Purported APT28-Linked Cyberattack

Entity

Ukrainian government officials

Incidents Harmed By
  • Incident 1220
    2 Reports

    LAMEHUG Malware Reportedly Integrates Large Language Model for Real-Time Command Generation in a Purported APT28-Linked Cyberattack

Entity

Public sector information systems

Incidents Harmed By
  • Incident 1220
    2 Reports

    LAMEHUG Malware Reportedly Integrates Large Language Model for Real-Time Command Generation in a Purported APT28-Linked Cyberattack

Entity

National cybersecurity infrastructure of Ukraine

Incidents Harmed By
  • Incident 1220
    2 Reports

    LAMEHUG Malware Reportedly Integrates Large Language Model for Real-Time Command Generation in a Purported APT28-Linked Cyberattack

Entity

Qwen2.5-Coder-32B-Instruct

Incidents implicated systems
  • Incident 1220
    2 Reports

    LAMEHUG Malware Reportedly Integrates Large Language Model for Real-Time Command Generation in a Purported APT28-Linked Cyberattack

Entity

Hugging Face API platform

Incidents implicated systems
  • Incident 1220
    2 Reports

    LAMEHUG Malware Reportedly Integrates Large Language Model for Real-Time Command Generation in a Purported APT28-Linked Cyberattack

Entity

LAMEHUG malware family

Incidents implicated systems
  • Incident 1220
    2 Reports

    LAMEHUG Malware Reportedly Integrates Large Language Model for Real-Time Command Generation in a Purported APT28-Linked Cyberattack

Entity

PyInstaller-compiled Python executables

Incidents implicated systems
  • Incident 1220
    2 Reports

    LAMEHUG Malware Reportedly Integrates Large Language Model for Real-Time Command Generation in a Purported APT28-Linked Cyberattack

Entity

Flux AI image generation API

Incidents implicated systems
  • Incident 1220
    2 Reports

    LAMEHUG Malware Reportedly Integrates Large Language Model for Real-Time Command Generation in a Purported APT28-Linked Cyberattack

Entity

stayathomeclasses[.]com exfiltration endpoint

Incidents implicated systems
  • Incident 1220
    2 Reports

    LAMEHUG Malware Reportedly Integrates Large Language Model for Real-Time Command Generation in a Purported APT28-Linked Cyberattack

Entity

144[.]126[.]202[.]227 SFTP server

Incidents implicated systems
  • Incident 1220
    2 Reports

    LAMEHUG Malware Reportedly Integrates Large Language Model for Real-Time Command Generation in a Purported APT28-Linked Cyberattack

2024 - AI Incident Database