LAMEHUG malware family

Incidents implicated systems

インシデント 12202 Report
LAMEHUG Malware Reportedly Integrates Large Language Model for Real-Time Command Generation in a Purported APT28-Linked Cyberattack

2025-07-10

Ukraine's CERT-UA and Cato CTRL reported LAMEHUG, the first known malware to integrate a large language model (Qwen2.5-Coder-32B-Instruct via Hugging Face) for real-time command generation. Attributed with moderate confidence to APT28 (Fancy Bear), the malware reportedly targeted Ukrainian officials through phishing emails. The LLM is reported to have dynamically generated reconnaissance and data-exfiltration commands executed on infected systems.

Related Entities

APT28

Incidents involved as Deployer

インシデント 1220
2 レポート
LAMEHUG Malware Reportedly Integrates Large Language Model for Real-Time Command Generation in a Purported APT28-Linked Cyberattack

Fancy Bear

Incidents involved as Deployer

インシデント 1220
2 レポート
LAMEHUG Malware Reportedly Integrates Large Language Model for Real-Time Command Generation in a Purported APT28-Linked Cyberattack

Alibaba

Incidents involved as Developer

インシデント 1220
2 レポート
LAMEHUG Malware Reportedly Integrates Large Language Model for Real-Time Command Generation in a Purported APT28-Linked Cyberattack

hugging face

Incidents involved as Developer

インシデント 1220
2 レポート
LAMEHUG Malware Reportedly Integrates Large Language Model for Real-Time Command Generation in a Purported APT28-Linked Cyberattack

Government of Ukraine

影響を受けたインシデント

インシデント 1220
2 レポート
LAMEHUG Malware Reportedly Integrates Large Language Model for Real-Time Command Generation in a Purported APT28-Linked Cyberattack

Ukrainian government ministries

影響を受けたインシデント

インシデント 1220
2 レポート
LAMEHUG Malware Reportedly Integrates Large Language Model for Real-Time Command Generation in a Purported APT28-Linked Cyberattack

Ukrainian government officials

影響を受けたインシデント

インシデント 1220
2 レポート
LAMEHUG Malware Reportedly Integrates Large Language Model for Real-Time Command Generation in a Purported APT28-Linked Cyberattack

Public sector information systems

影響を受けたインシデント

インシデント 1220
2 レポート
LAMEHUG Malware Reportedly Integrates Large Language Model for Real-Time Command Generation in a Purported APT28-Linked Cyberattack

National cybersecurity infrastructure of Ukraine

影響を受けたインシデント

インシデント 1220
2 レポート
LAMEHUG Malware Reportedly Integrates Large Language Model for Real-Time Command Generation in a Purported APT28-Linked Cyberattack

State institutions targeted by espionage operations

影響を受けたインシデント

インシデント 1220
2 レポート
LAMEHUG Malware Reportedly Integrates Large Language Model for Real-Time Command Generation in a Purported APT28-Linked Cyberattack

Qwen2.5-Coder-32B-Instruct

Incidents implicated systems

インシデント 1220
2 レポート
LAMEHUG Malware Reportedly Integrates Large Language Model for Real-Time Command Generation in a Purported APT28-Linked Cyberattack

Hugging Face API platform

Incidents implicated systems

インシデント 1220
2 レポート
LAMEHUG Malware Reportedly Integrates Large Language Model for Real-Time Command Generation in a Purported APT28-Linked Cyberattack

PyInstaller-compiled Python executables

Incidents implicated systems

インシデント 1220
2 レポート
LAMEHUG Malware Reportedly Integrates Large Language Model for Real-Time Command Generation in a Purported APT28-Linked Cyberattack

Flux AI image generation API

Incidents implicated systems

インシデント 1220
2 レポート
LAMEHUG Malware Reportedly Integrates Large Language Model for Real-Time Command Generation in a Purported APT28-Linked Cyberattack

stayathomeclasses[.]com exfiltration endpoint

Incidents implicated systems

インシデント 1220
2 レポート
LAMEHUG Malware Reportedly Integrates Large Language Model for Real-Time Command Generation in a Purported APT28-Linked Cyberattack

144[.]126[.]202[.]227 SFTP server

Incidents implicated systems

インシデント 1220
2 レポート
LAMEHUG Malware Reportedly Integrates Large Language Model for Real-Time Command Generation in a Purported APT28-Linked Cyberattack