Ukraine’s Computer Emergency Response Team (CERT-UA) has uncovered a novel strain of malware, dubbed “LameHug”, that uses a large language model to generate attack commands on the fly. Investigators say the Python-based tool sends plain-text prompts to the Qwen2.5-Coder-32B-Instruct model, hosted on the Hugging Face platform, and executes the code the model returns. Because the operators can change what the malware does without shipping new scripts, there is no fixed, pre-configured command set for defenders to signature, which complicates detection.

CERT-UA attributes the campaign with medium confidence to the Russian military-linked hacking group APT28, also known as Fancy Bear. According to an advisory published 18 July, the attackers used compromised email accounts to send phishing messages to Ukrainian executive agencies on 10 July. The messages carried a ZIP archive named “Додаток.pdf.zip” (“Додаток” is Ukrainian for “Attachment”) that unpacked one of three LameHug variants, including a .pif loader disguised as a ministry document.

Once installed, LameHug gathers system details and recursively searches the Documents, Downloads and Desktop folders for Office, PDF and text files. Collected data are stored locally and exfiltrated through SFTP or HTTP POST requests.

An IBM X-Force analysis notes that the on-demand command generation ‘allows threat actors to adapt their tactics during a compromise without deploying new payloads’, potentially giving them longer dwell time inside targeted networks. Researchers say LameHug is the first publicly documented malware to embed an AI coding model directly into its command-and-control loop, signalling a new phase in the weaponisation of generative AI.

CERT-UA has published indicators of compromise and urged organisations to update detection rules and tighten email security.
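The two behaviours described above, a process that reaches the Hugging Face API and then sweeps Documents, Downloads and Desktop for Office, PDF and text files, are observables a defender can correlate on endpoint telemetry. The following Python is an added example written for this page, not CERT-UA’s or IBM X-Force’s detection logic: it runs over constructed log lines and flags only processes that show both behaviours. The pipe-delimited event format, the file name Attachment.pif, the thresholds and the hostnames api-inference.huggingface.co and router.huggingface.co are assumptions; the article says only that the model is hosted on Hugging Face.

```python
"""Added example: correlate per-process endpoint telemetry to flag a process that
both calls the Hugging Face inference API and sweeps the user's document folders,
the two behaviours described in the LameHug write-up. This is illustrative
detection logic, not CERT-UA's or IBM X-Force's rules."""
from collections import defaultdict

# Assumption: hostnames an LLM-backed loader would contact. The article only says
# the model is hosted on Hugging Face; the API subdomains are assumed and should
# be checked against what your own proxy or DNS logs actually show.
LLM_API_HOSTS = {"huggingface.co", "api-inference.huggingface.co",
                 "router.huggingface.co"}
USER_DOC_DIRS = ("\\documents\\", "\\downloads\\", "\\desktop\\")
TARGET_EXTS = (".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".pdf", ".txt")
MIN_DOC_READS = 5       # tunable assumption: how many document reads count as a sweep
MIN_DISTINCT_DIRS = 2   # a sweep touches more than one of the three folders

# Constructed sample telemetry, one event per line:
#   timestamp|host|pid|image|event|detail   (the format itself is an assumption)
SAMPLE_EVENTS = """\
2025-07-10T09:12:01Z|WS-017|4412|C:\\Users\\ivan\\Downloads\\Attachment.pif|NET|api-inference.huggingface.co:443
2025-07-10T09:12:03Z|WS-017|4412|C:\\Users\\ivan\\Downloads\\Attachment.pif|FILE_READ|C:\\Users\\ivan\\Documents\\budget.xlsx
2025-07-10T09:12:03Z|WS-017|4412|C:\\Users\\ivan\\Downloads\\Attachment.pif|FILE_READ|C:\\Users\\ivan\\Documents\\minutes.docx
2025-07-10T09:12:04Z|WS-017|4412|C:\\Users\\ivan\\Downloads\\Attachment.pif|FILE_READ|C:\\Users\\ivan\\Downloads\\contract.pdf
2025-07-10T09:12:04Z|WS-017|4412|C:\\Users\\ivan\\Downloads\\Attachment.pif|FILE_READ|C:\\Users\\ivan\\Downloads\\notes.txt
2025-07-10T09:12:05Z|WS-017|4412|C:\\Users\\ivan\\Downloads\\Attachment.pif|FILE_READ|C:\\Users\\ivan\\Desktop\\plan.pptx
2025-07-10T09:12:05Z|WS-017|4412|C:\\Users\\ivan\\Downloads\\Attachment.pif|FILE_READ|C:\\Users\\ivan\\Desktop\\todo.txt
2025-07-10T09:12:06Z|WS-017|4412|C:\\Users\\ivan\\Downloads\\Attachment.pif|FILE_READ|C:\\Users\\ivan\\Desktop\\photo.jpg
2025-07-10T09:13:10Z|WS-017|2201|C:\\Program Files\\Microsoft Office\\WINWORD.EXE|FILE_READ|C:\\Users\\ivan\\Documents\\minutes.docx
2025-07-10T09:14:00Z|WS-042|3307|C:\\Python312\\python.exe|NET|huggingface.co:443
2025-07-10T09:15:00Z|WS-042|5120|C:\\Program Files\\Backup\\backup.exe|FILE_READ|C:\\Users\\olena\\Documents\\a.docx
2025-07-10T09:15:00Z|WS-042|5120|C:\\Program Files\\Backup\\backup.exe|FILE_READ|C:\\Users\\olena\\Documents\\b.docx
2025-07-10T09:15:01Z|WS-042|5120|C:\\Program Files\\Backup\\backup.exe|FILE_READ|C:\\Users\\olena\\Downloads\\c.pdf
2025-07-10T09:15:01Z|WS-042|5120|C:\\Program Files\\Backup\\backup.exe|FILE_READ|C:\\Users\\olena\\Downloads\\d.pdf
2025-07-10T09:15:02Z|WS-042|5120|C:\\Program Files\\Backup\\backup.exe|FILE_READ|C:\\Users\\olena\\Desktop\\e.txt
"""


def parse_events(text):
    """Parse pipe-delimited telemetry into dicts (paths are assumed to contain no '|')."""
    events = []
    for line in text.strip().splitlines():
        ts, host, pid, image, event, detail = line.split("|", 5)
        events.append({"ts": ts, "host": host, "pid": int(pid),
                       "image": image, "event": event, "detail": detail})
    return events


def find_llm_driven_collectors(events):
    """Return one alert per (host, pid) that talks to an LLM API *and* sweeps documents."""
    by_proc = defaultdict(lambda: {"image": None, "llm_hosts": set(),
                                   "doc_reads": 0, "dirs": set()})
    for e in events:
        p = by_proc[(e["host"], e["pid"])]
        p["image"] = e["image"]
        if e["event"] == "NET":
            # detail is host:port; strip the port before matching
            hostname = e["detail"].rsplit(":", 1)[0].lower()
            if hostname in LLM_API_HOSTS:
                p["llm_hosts"].add(hostname)
        elif e["event"] == "FILE_READ":
            path = e["detail"].lower()
            if path.endswith(TARGET_EXTS):
                for d in USER_DOC_DIRS:
                    if d in path:
                        p["doc_reads"] += 1
                        p["dirs"].add(d.strip("\\"))
                        break
    alerts = []
    for (host, pid), p in sorted(by_proc.items()):
        # Both halves are required: an LLM API call alone is a developer, a
        # document sweep alone is a backup agent or indexer.
        if (p["llm_hosts"] and p["doc_reads"] >= MIN_DOC_READS
                and len(p["dirs"]) >= MIN_DISTINCT_DIRS):
            alerts.append({"host": host, "pid": pid, "image": p["image"],
                           "llm_hosts": sorted(p["llm_hosts"]),
                           "doc_reads": p["doc_reads"], "dirs": sorted(p["dirs"])})
    return alerts


if __name__ == "__main__":
    for a in find_llm_driven_collectors(parse_events(SAMPLE_EVENTS)):
        print(f"{a['host']} pid {a['pid']} {a['image']}: {a['doc_reads']} document "
              f"reads across {a['dirs']} after contacting {a['llm_hosts']}")
```

On the constructed input only the Attachment.pif process on WS-017 is flagged: the developer’s python.exe that queried Hugging Face read no documents, and the backup agent that swept three folders never contacted the API. Requiring both signals keeps the rule usable in an environment where legitimate use of hosted models is common. Note the caveat that the network half is the fragile one, since an operator can switch to a different hosted model or API endpoint without changing the rest of the tool; the document-sweep half is the more durable signal and the one worth tuning carefully against your own file-access baseline.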