LAMEHUG◇ July 2025◎ 7 min read

First Known LLM-Powered Malware
with Links to APT28

Analyzing the first documented malware that integrates large language model capabilities directly into its attack methodology, attributed to Russian state-sponsored actors.

Variants

Attribution

APT28

Target

Ukraine

First Seen

Jul 2025

TL;DR

Phishing email with ZIP → PyInstaller .pif executable → Connects to Hugging Face API → LLM generates recon commands → Exfiltrates via SFTP/HTTP

CONTENTS

Overview Infection Chain Variants Attribution IoCs

Technical Overview

On July 17, 2025, Ukraine's CERT-UA publicly reported LAMEHUG—the first known malware that integrates large language model (LLM) capabilities directly into its attack methodology. The malware uses Qwen2.5-Coder-32B-Instruct via Hugging Face's API for real-time command generation.

◎Technical Innovation

Unlike traditional malware with hardcoded commands, LAMEHUG sends natural language descriptions of attack objectives to an LLM, which generates fresh command sequences each time. This makes signature-based detection nearly impossible.

Infection Chain

Step 1 of 8

◉

Phishing Email Delivery

APT28 Operators

Attackers send phishing emails impersonating Ukrainian ministry officials. Emails contain ZIP archive named 'Додаток.pdf.zip' (Attachment.pdf.zip).

From: boroda70@meta[.]ua (compromised)
Subject: [Ministry Document]
Attachment: Додаток.pdf.zip

◈ Sent via LeVPN infrastructure (192.36.27.37)

Malware Variants

FILENAME

Додаток.pif (Attachment.pif)

LURE TYPE

Fake ministry PDF

EXFILTRATION

HTTP POST

MD5 HASH

abe531e9f1e642c4...

LLM PROMPT USED

text

"Make a list of commands to create folder C:\Programdata\info and to gather computer information, hardware information, process and services information, networks information, AD domain information..."

Attribution Assessment

CERT-UA attributes LAMEHUG to APT28 (Fancy Bear), associated with Russia's GRU Unit 26165. Several factors suggest this is PoC testing rather than sophisticated operational deployment.

◉

Overall Attribution: APT28 (Fancy Bear)

Confidence: Moderate (per CERT-UA)

Indicators of Compromise

Showing 12 indicators

TYPE	INDICATOR	DESCRIPTION
File	abe531e9f1e642c47260fac40dc41f59	Додаток.pif MD5
File	3ca2eaf204611f3314d802c8b794ae2c	AI_generator_v0.9 MD5
File	f72c45b658911ad6f5202de55ba6ed5c	AI_image_v0.95 MD5
File	81cd20319c8f0b2ce499f9253ce0a6a8	image.py MD5
Network	144.126.202.227	SFTP C2 server
Network	stayathomeclasses.com	HTTP exfil domain
Network	boroda70@meta.ua	Compromised email account
Network	192.36.27.37	Email infrastructure (LeVPN)
API	router.huggingface.co/hyperbolic/v1/chat/completions	LLM API endpoint
API	router.huggingface.co/nebius/v1/images/generations	Image gen API
Host	%PROGRAMDATA%\info\	Data staging directory
Host	%PROGRAMDATA%\info\info.txt	System info collection