AIID editor's note: See the original source of this report for the extra technical data that CERT-UA provides.
General information
On 10 July 2025, the Governmental Computer Emergency Response Team of Ukraine (CERT-UA) received information about emails being sent to executive authorities, allegedly on behalf of a representative of the relevant ministry, with an attachment named "Appendix.pdf.zip".
The ZIP archive contained an executable of the same name with the ".pif" extension, built with PyInstaller from Python source code; CERT-UA classifies it as the malicious tool LAMEHUG.
During the investigation of the incident, at least two further variants of the tool were found, the files "AI_generator_uncensored_Canvas_PRO_v0.9.exe" and "image.py", which differ in how they exfiltrate data from the computer.
Note that the emails were sent from a compromised email account, and the command-and-control infrastructure was deployed on legitimate but compromised resources.
The distinguishing feature of LAMEHUG is its use of an LLM (large language model) to generate the commands it executes from a textual description of what they should do.
With moderate confidence, the activity is attributed to UAC-0001 (APT28).
LAMEHUG is written in Python. It uses the Qwen 2.5-Coder-32B-Instruct LLM through the API of the huggingface[.]co service to turn hard-coded text descriptions (prompts) into commands, which it then executes on the host. Because the commands are produced by the model at run time rather than embedded in the binary, their exact form can vary between executions. In particular, the tool collects basic information about the computer (hardware, processes, services, network connections) and stores it in the file "%PROGRAMDATA%\info\info.txt"; it also recursively searches the "Documents", "Downloads" and "Desktop" directories for Microsoft Office documents (as well as TXT and PDF files) and copies them to the "%PROGRAMDATA%\info" folder. Depending on the variant, the collected information and files are exfiltrated over SFTP or via HTTP POST requests.
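The behaviour described above gives a defender several host-level indicators that do not depend on the model's exact output: a double-extension dropper such as "Appendix.pdf.pif", outbound contact with huggingface.co, writes under "%PROGRAMDATA%\info", and a follow-on SFTP or HTTP POST connection. The script below is an added example of hunting logic over endpoint telemetry; it is not CERT-UA's tooling. The event dictionaries, their field names, the process IDs, the file names of the copied documents and the 203.0.113.x destination addresses are constructed for the example, not taken from the report.

```python
"""Hunt for LAMEHUG-style activity in endpoint telemetry.

Added example for illustration; not CERT-UA tooling. The event schema
below is assumed and the sample events are constructed.
"""
import re
from collections import defaultdict

# Indicators taken from the CERT-UA description of LAMEHUG.
LLM_API_HOSTS = {"huggingface.co"}  # LLM used to generate the commands
STAGING_DIR_RE = re.compile(r"^[a-z]:\\programdata\\info\\", re.IGNORECASE)  # %PROGRAMDATA%\info
DOUBLE_EXT_RE = re.compile(r"\.(pdf|docx?|xlsx?|txt)\.(pif|exe|scr)$", re.IGNORECASE)  # e.g. Appendix.pdf.pif
MIN_INDICATORS = 3  # a single hit (e.g. an IDE talking to huggingface.co) is noise

# Constructed sample events; the dict layout is an assumption for this example.
SAMPLE_EVENTS = [
    {"event": "process_create", "pid": 4120, "image": r"C:\Users\olena\Downloads\Appendix.pdf.pif"},
    {"event": "net_connect", "pid": 4120, "dest_host": "huggingface.co", "dest_port": 443},
    {"event": "file_create", "pid": 4120, "path": r"C:\ProgramData\info\info.txt"},
    {"event": "file_create", "pid": 4120, "path": r"C:\ProgramData\info\budget_2025.docx"},
    {"event": "net_connect", "pid": 4120, "dest_host": "203.0.113.10", "dest_port": 22},
    # Second variant named in the report: exfiltrates over HTTP POST instead of SFTP.
    {"event": "process_create", "pid": 4400,
     "image": r"C:\Users\olena\Desktop\AI_generator_uncensored_Canvas_PRO_v0.9.exe"},
    {"event": "net_connect", "pid": 4400, "dest_host": "huggingface.co", "dest_port": 443},
    {"event": "file_create", "pid": 4400, "path": r"C:\ProgramData\info\info.txt"},
    {"event": "http_request", "pid": 4400, "method": "POST", "dest_host": "203.0.113.20"},
    # Benign noise: a developer tool that legitimately talks to huggingface.co.
    {"event": "process_create", "pid": 5000, "image": r"C:\Program Files\Code\Code.exe"},
    {"event": "net_connect", "pid": 5000, "dest_host": "huggingface.co", "dest_port": 443},
]


def indicators_for(event):
    """Map one event to the LAMEHUG indicators it matches (possibly none)."""
    hits = set()
    kind = event["event"]
    if kind == "process_create" and DOUBLE_EXT_RE.search(event["image"]):
        hits.add("double_extension")
    elif kind == "net_connect":
        if event["dest_host"] in LLM_API_HOSTS:
            hits.add("llm_api")
        elif event["dest_port"] == 22:
            hits.add("exfil_sftp")
    elif kind == "file_create" and STAGING_DIR_RE.match(event["path"]):
        hits.add("staging_dir")
    elif (kind == "http_request" and event["method"] == "POST"
          and event["dest_host"] not in LLM_API_HOSTS):
        hits.add("exfil_http_post")
    return hits


def hunt(events, min_indicators=MIN_INDICATORS):
    """Group events by pid and report processes matching enough indicators.

    Returns a list of (pid, image, sorted indicator names) for flagged processes.
    """
    images = {}
    per_pid = defaultdict(set)
    for ev in events:
        if ev["event"] == "process_create":
            images[ev["pid"]] = ev["image"]
        per_pid[ev["pid"]] |= indicators_for(ev)
    findings = []
    for pid, hits in sorted(per_pid.items()):
        if len(hits) >= min_indicators:
            findings.append((pid, images.get(pid, "?"), sorted(hits)))
    return findings


if __name__ == "__main__":
    for pid, image, hits in hunt(SAMPLE_EVENTS):
        print(f"pid {pid} {image}: {', '.join(hits)}")
```

Correlating by process and requiring several independent indicators is what keeps the benign huggingface.co traffic from a developer workstation out of the findings, while both exfiltration variants (SFTP and HTTP POST) are still caught; in a real deployment the same keys map onto Sysmon event IDs 1, 3 and 11 or the equivalent EDR fields.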