LameHug: New AI-Powered Malware Targets Ukrainian Defense Sector

A newly discovered malware strain named LameHug is using artificial intelligence to dynamically generate malicious commands on compromised Windows systems, according to a recent alert from Ukrainian cybersecurity authorities.

The Computer Emergency Response Team of Ukraine (CERT-UA) uncovered this threat in a recent wave of cyber-attacks aimed at organizations within the country’s security and defense infrastructure. Investigators have linked the campaign to the APT28 group, also known as Fancy Bear, which is believed to operate under the direction of Russian military intelligence.

Malware Delivered via Phishing with Malicious Attachments

According to CERT-UA’s July 17 update, the attack began with emails impersonating officials from Ukrainian ministries, sent to government entities. The messages included a compressed file named “Додаток.pdf.zip” (“Attachment.pdf.zip”) which, once extracted, revealed a .pif file disguised with a similar name.

This executable was built with PyInstaller, a tool that bundles a Python script together with a Python interpreter into a single standalone Windows executable, and has been identified as the LameHug malware.
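The lure described above relies on a double extension: a document-looking name (".pdf") sitting in front of an executable extension (".pif") inside a zip. The following Python checker, added here as an illustration and not code from CERT-UA or the article, scans a zip archive in memory and flags members whose final extension is executable, noting when a document extension precedes it. The sample archive it builds is constructed for the demo; the extension lists are assumptions about what a mail gateway or sandbox would reasonably treat as executable and as decoy document types.

```python
"""Flag archive members that hide an executable behind a document-like name.

Added example (not part of the CERT-UA report or the article). The LameHug
lure was a zip named "Додаток.pdf.zip" containing a .pif executable with a
similar name. This checker walks a zip in memory and reports members whose
final extension is executable, and whether a document extension such as
.pdf precedes it. The sample archive below is constructed for the demo.
"""
import io
import zipfile
from pathlib import PurePosixPath

# Extensions Windows launches as programs or scripts (.pif is a legacy
# program-information file that Windows still runs as an executable).
# Assumed list; tune to the environment.
EXECUTABLE_EXTS = {
    ".pif", ".exe", ".scr", ".com", ".bat", ".cmd",
    ".js", ".vbs", ".lnk", ".hta",
}
# Document extensions commonly used as the visible half of a double extension.
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".rtf", ".odt"}


def classify_member(name: str) -> dict:
    """Return a verdict for one archive member name."""
    suffixes = [s.lower() for s in PurePosixPath(name).suffixes]
    final = suffixes[-1] if suffixes else ""
    decoys = [s for s in suffixes[:-1] if s in DOCUMENT_EXTS]
    is_exec = final in EXECUTABLE_EXTS
    return {
        "name": name,
        "executable": is_exec,
        "double_extension": is_exec and bool(decoys),
        "decoy_extensions": decoys,
    }


def scan_zip(data: bytes) -> list[dict]:
    """Scan raw zip bytes and return verdicts for executable members."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            verdict = classify_member(info.filename)
            if verdict["executable"]:
                findings.append(verdict)
    return findings


def build_sample_archive() -> bytes:
    """Constructed sample archive imitating the lure described in the article."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # Disguised executable: document extension followed by .pif.
        zf.writestr("Додаток.pdf.pif", b"MZ" + b"\0" * 16)
        # A benign member that should not be reported.
        zf.writestr("readme.txt", b"harmless text")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in scan_zip(build_sample_archive()):
        print(finding)
```

A gateway would typically quarantine on `double_extension` and at least log on `executable`; the check deliberately looks at member names before extraction, since the lure only reveals the .pif once the zip is opened.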

LameHug Uses LLM to Generate Commands in Real Time

What sets LameHug apart from conventional malware is its use of a large language model (LLM) to generate commands on the fly. The malware is written in Python and connects to the Hugging Face API to interface with Qwen2.5-Coder-32B-Instruct, an open-source LLM developed by Alibaba.

According to IBM X-Force OSINT, this is an innovative use of AI that allows attackers to adjust their behavior during an active intrusion—without needing to download new payloads. This approach may help the malware evade traditional security tools that rely on static analysis or known indicators of compromise.

CERT-UA also noted that the phishing campaign originated from a previously compromised email account, further enhancing the credibility of the malicious messages.

APT28 Continues Its Longstanding Campaign Against Ukraine

APT28, also known by aliases such as Sednit, Pawn Storm, and Forest Blizzard, has been conducting cyber-espionage and disruptive attacks since at least 2004. The group has a long history of targeting Ukraine and its allies, particularly during periods of geopolitical tension.

In 2023, CERT-UA reported that APT28 attempted to disrupt critical power infrastructure in Ukraine. In 2025, new findings revealed that the group had exploited a zero-day vulnerability in MDaemon Email Server (CVE-2024-11182) as part of its offensive toolkit.

Most recently, reports in May indicated that APT28 had also been targeting Western logistics and tech firms involved in delivering aid to Ukraine, suggesting a broader strategy of undermining international support.

Source: https://www.infosecurity-magazine.com/news/new-lamehug-malware-deploys/