{
	"id": "4a24121d-8658-4998-ad64-8415e5ead91d",
	"created_at": "2026-04-29T02:20:38.911277Z",
	"updated_at": "2026-04-29T08:21:12.928078Z",
	"deleted_at": null,
	"sha1_hash": "253556b00cbd96b9f078e1066e29c6a7ef23f394",
	"title": "From Prompt to Payload: LAMEHUG’s LLM-Driven Cyber Intrusion | Splunk",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 5199735,
	"plain_text": "From Prompt to Payload: LAMEHUG’s LLM-Driven Cyber Intrusion | Splunk\r\nBy Splunk Threat Research Team, Teoderick Contreras\r\nPublished: 2025-09-25 · Archived: 2026-04-29 02:03:16 UTC\r\nIn July 2025, CERT-UA identified a new and unusually sophisticated threat: LAMEHUG, a malware family that uniquely integrates artificial intelligence into its attack workflow. Unlike traditional malware, LAMEHUG leverages large language models (LLMs) hosted on Hugging Face to dynamically generate commands for reconnaissance, data theft, and system manipulation in real time. Delivered via spear-phishing emails disguised as official documents, it targets Windows environments, harvesting credentials and sensitive files while adapting its behavior to evade detection.\r\nThis approach represents a new step in malware development, moving beyond simple automation to attacks that adapt their behavior in real time, making them harder to predict and defend against. In this blog, the Splunk Threat Research Team (STRT) analyzes the LAMEHUG malware, examining its tactics and techniques to provide insights that can help SOC analysts and blue teamers identify and respond to such threats.\r\nAnalysis\r\nPhishing: Spearphishing Attachment (T1566.001)\r\nAccording to CERT-UA, this malware was distributed as a phishing attachment disguised as an AI canvas or image generator application. This is also reflected in the file names used, such as AI_generator_uncensored_Canvas_PRO_v0.9.exe and AI_image_generator_v0.95.exe.\r\nFigure 01 shows the core Python script of one sample, which pretends to function as an image generator by accepting user prompts and generating images through the Hugging Face API. 
However, the script also reveals its malicious behavior: immediately after the initialization of the Image_API_URL variable, a separate thread is launched that calls the LLM_QUERY_EX() function responsible for executing the malware’s malicious activities.\r\nhttps://www.splunk.com/en_us/blog/security/lamehug-ai-driven-malware-llm-cyber-intrusion-analysis.html\r\nPage 1 of 16\n\nFigure 01: LAMEHUG Main() and LLM_QUERY_EX Thread\r\nAnother variant of the LAMEHUG malware decodes and drops a dummy PDF file, designed to appear as a legitimate document when the victim opens the payload. Figure 02 illustrates the core routine of this variant: after launching a thread to execute the LLM_QUERY_EX() function, the malware proceeds to call the xlsx_open() function, which is responsible for dropping the decoy PDF file.\r\nFigure 02: LAMEHUG Main() and LLM_QUERY_EX Thread\r\nWindows Command Shell (T1059.003)\r\nThe xlsx_open() function is responsible for decoding a large Base64-encoded string, which represents a dummy PDF file. This file is dropped into the C:\\ProgramData directory and then executed via a cmd.exe subprocess, as shown in Figure 03.\r\nFigure 03: Decoding and Dropping Decoy PDF File\r\nFigure 04 illustrates how the large Base64 string can be decoded to extract the dummy PDF file, which is used to trick the victim into believing the phishing attachment is a legitimate document. 
Figure 05 provides a snippet of the decoded PDF, revealing that the content specifically targeted a government agency or department.\r\nFigure 04: Base64 Decoding of Dummy PDF File\r\nFigure 05: The Dummy PDF File\r\nLLM Query\r\nThis malware leverages the LLM Qwen 2.5-Coder-32B-Instruct model through the HuggingFace[.]co service API to generate Windows commands, executed with system administrator–level privileges. The malicious commands are primarily used to:\r\n1. Collect system information and save the output to C:\\ProgramData\\info\\info.txt.\r\n2. Recursively copy documents from various targeted directories into C:\\ProgramData\\info, consolidating sensitive files for potential exfiltration.\r\nFigure 06 shows a code snippet from the LLM_QUERY_EX() function, which constructs the prompt message sent to the LLM via the HuggingFace API. The function then executes the Windows command shell instructions returned in the LLM’s response, which are used to steal information from the compromised host.\r\nFigure 06: The LLM Query Setup of LAMEHUG\r\nSystem Information Discovery (T1082) and Automated Collection (T1119)\r\nBy intercepting and analyzing the LLM’s responses to the prompt queries issued by the LAMEHUG malware, STRT was able to reconstruct the Windows commands executed on the compromised host for the purpose of data theft. Figure 07 illustrates the LLM’s responses for two separate prompt queries generated by the malware. 
These commands leverage utilities such as systeminfo, wmic, whoami, and dsquery to collect detailed system information, while xcopy.exe is used to gather targeted documents from multiple folder paths.\r\nFigure 07: LAMEHUG System Information Discovery and File Collection\r\nExfiltration Over C2 Channel (T1041)\r\nAll of the data and information collected by LAMEHUG malware is exfiltrated to its command-and-control (C2) server. Figure 08 illustrates one such C2 server using the SSH protocol. The figure reveals the IP address of the server, as well as the username and password credentials used by the malware to transmit the stolen data. This demonstrates how the malware establishes a direct, authenticated connection to the remote server to securely transfer sensitive information from the compromised host.\r\nFigure 08: LAMEHUG SSH C2 Server\r\nAnother variant of this malware encodes the LLM query prompt message sent to the LLM model and also uses HTTP POST requests to exfiltrate sensitive data from the compromised host to its C2 server. 
Figure 09 illustrates the Base64-encoded prompt message, as well as the HTTPS C2 server endpoint: stayathomeclasses[.]com/slpw/up[.]php.\r\nFigure 09: LAMEHUG HTTPS C2 Server\r\nDetection\r\nWindows Wmic CPU Discovery\r\nThe following analytic detects the use of WMIC (Windows Management Instrumentation Command-line) for CPU discovery, often executed with commands such as “wmic cpu get name”. This behavior is commonly associated with reconnaissance, where adversaries seek to gather details about system hardware, assess processing power, or determine if the environment is virtualized.\r\n| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=E\r\n where `process_wmic` (Processes.process=\"* cpu*\")\r\n by Processes.action Processes.dest Processes.original_file_name\r\n Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_\r\n | `drop_dm_object_name(Processes)`\r\n | `security_content_ctime(firstTime)`\r\n | `security_content_ctime(lastTime)`\r\nFigure 10: Windows Wmic CPU Discovery Detection\r\nWindows Wmic DiskDrive Discovery\r\nThe following analytic detects the use of Windows Management Instrumentation Command-line (WMIC) for disk drive discovery activities on a Windows system. 
This process involves monitoring commands such as “wmic diskdrive”, which are often used by administrators for inventory and diagnostics but can also be leveraged by attackers to enumerate hardware details for malicious purposes.\r\n| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=E\r\n where `process_wmic` (Processes.process=\"* diskdrive*\")\r\n by Processes.action Processes.dest Processes.original_file_name\r\n Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_\r\n | `drop_dm_object_name(Processes)`\r\n | `security_content_ctime(firstTime)`\r\n | `security_content_ctime(lastTime)`\r\nFigure 11: Windows Wmic DiskDrive Discovery Detection\r\nWindows Wmic Memory Chip Discovery\r\nThe following analytic detects the execution of Windows Management Instrumentation Command-line (WMIC) commands related to memory chip discovery on a Windows system. 
Specifically, it monitors instances where commands such as “wmic memorychip” are used to retrieve detailed information about installed RAM modules.\r\n| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=E\r\n where `process_wmic` (Processes.process=\"* memorychip*\")\r\n by Processes.action Processes.dest Processes.original_file_name\r\n Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_\r\n | `drop_dm_object_name(Processes)`\r\n | `security_content_ctime(firstTime)`\r\n | `security_content_ctime(lastTime)`\r\nFigure 12: Windows Wmic Memory Chip Discovery Detection\r\nWindows Wmic Network Discovery\r\nThe following analytic detects the execution of Windows Management Instrumentation Command-line (WMIC) commands used for network interface discovery on a Windows system. 
Specifically, it identifies commands such as “wmic nic” that retrieve detailed information about the network adapters installed on the device.\r\n| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=E\r\n where `process_wmic` (Processes.process=\"* nic*\")\r\n by Processes.action Processes.dest Processes.original_file_name\r\n Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_\r\n | `drop_dm_object_name(Processes)`\r\n | `security_content_ctime(firstTime)`\r\n | `security_content_ctime(lastTime)`\r\nFigure 13: Windows Wmic Network Discovery Detection\r\nWindows Wmic Systeminfo Discovery\r\nThe following analytic detects the execution of Windows Management Instrumentation Command-line (WMIC) commands used for computer system discovery on a Windows system. 
Specifically, it monitors for commands such as “wmic computersystem” that retrieve detailed information about the computer’s model, manufacturer, name, domain, and other system attributes.\r\n| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=E\r\n where `process_wmic` (Processes.process=\"* computersystem*\")\r\n by Processes.action Processes.dest Processes.original_file_name\r\n Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid\r\n Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path\r\n Processes.process Processes.process_exec Processes.process_guid Processes.process_hash\r\n Processes.process_id Processes.process_integrity_level Processes.process_name Processes.process_path\r\n Processes.user Processes.user_id Processes.vendor_product\r\n | `drop_dm_object_name(Processes)`\r\n | `security_content_ctime(firstTime)`\r\n | `security_content_ctime(lastTime)`\r\nFigure 14: Windows Wmic Systeminfo Discovery Detection\r\nWindows Net System Service Discovery\r\nThe following analytic detects the enumeration of Windows services using the net start command, which is a built-in utility that lists all running services on a system. 
Adversaries, system administrators, or automated tools may use this command to gain situational awareness of what services are active, identify potential security software, or discover opportunities for privilege escalation and lateral movement.\r\n| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=E\r\n where `process_net` (Processes.process=\"* start*\")\r\n by Processes.action Processes.dest Processes.original_file_name\r\n Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_\r\n | `drop_dm_object_name(Processes)`\r\n | `security_content_ctime(firstTime)`\r\n | `security_content_ctime(lastTime)`\r\nFigure 15: Windows Net System Service Discovery Detection\r\nWindows File Collection Via Copy Utilities\r\nThe following analytic detects the use of Windows command-line copy utilities, such as xcopy.exe, to systematically collect files from user directories and consolidate them into a centralized location on the system. This activity is often indicative of malicious behavior, as threat actors frequently use such commands to gather sensitive information, including documents with .doc, .docx, and .pdf extensions.\r\n| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=E\r\n where `process_copy` Processes.process IN (\"*.doc\",\"*.docx*\",\"*.xls*\",\"*.xlsx*\",\"*.ppt*\",\"*.pptx*\",\"*.log*\",\"*\r\n by Processes.action Processes.dest Processes.original_file_name\r\n Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_\r\n | `drop_dm_object_name(Processes)`\r\n | `security_content_ctime(firstTime)`\r\n | 
`security_content_ctime(lastTime)`\r\nFigure 16: Windows File Collection Via Copy Utilities Detection\r\nWindows AI Platform DNS Query\r\nThe following analytic detects DNS queries initiated by the Windows AI Platform to domains associated with Hugging Face, a popular provider of machine learning models and services. Monitoring for such DNS requests is important because it can reveal when systems are reaching out to external AI platforms, which may indicate the use of third-party AI resources or the transfer of sensitive data outside the organization’s environment.\r\n`sysmon` EventCode=22 process_name IN (\"python.exe\", \"cmd.exe\", \"rundll32.exe\",\"powershell.exe\", \"pwsh.exe\") Qu\r\n | rename dvc as dest\r\n | stats count min(_time) as firstTime max(_time) as lastTime\r\n by answer answer_count dest process_exec process_guid process_name query query_count reply_code_id signature s\r\n vendor_product QueryName QueryResults QueryStatus\r\n | `security_content_ctime(firstTime)`\r\n | `security_content_ctime(lastTime)`\r\nFigure 17: Windows AI Platform DNS Query Detection\r\nOverall, the LAMEHUG Splunk Analytic Story consists of 14 detections.\r\nIOC\r\nSHA256 Hash Description\r\n384e8f3d300205546fb8c9b9224011b3b3cb71adc994180ff55e1e6416f65715 LAMEHUG\r\n766c356d6a4b00078a0293460c5967764fcd788da8c1cd1df708695f3a15b777 LAMEHUG\r\nbdb33bbb4ea11884b15f67e5c974136e6294aa87459cdc276ac2eea85b1deaa3 LAMEHUG\r\nd6af1c9f5ce407e53ec73c8e7187ed804fb4f80cf8dbd6722fc69e15e135db2e LAMEHUG\r\nLearn More\r\nThis blog helps security analysts, blue teamers and Splunk customers identify LAMEHUG malware by enabling the community to discover related tactics, techniques, and procedures used by threat actors and adversaries. 
You can implement the detections in this blog using the Enterprise Security Content Updates app or the Splunk Security Essentials app. To view the Splunk Threat Research Team's complete security content repository, visit research.splunk.com.\r\nFeedback\r\nAny feedback or requests? Feel free to put in an issue on GitHub and we’ll follow up. Alternatively, join us on the Slack channel #security-research. Follow these instructions if you need an invitation to our Splunk user groups on Slack.\r\nContributors\r\nWe would like to thank Teoderick Contreras for authoring this post and the entire Splunk Threat Research Team for their contributions: Michael Haag, Nasreddine Bencherchali, Lou Stella, Bhavin Patel, Rod Soto, Eric McGinnis, Patrick Bareiss, Raven Tait and Jose Hernandez.\r\nSource: https://www.splunk.com/en_us/blog/security/lamehug-ai-driven-malware-llm-cyber-intrusion-analysis.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.splunk.com/en_us/blog/security/lamehug-ai-driven-malware-llm-cyber-intrusion-analysis.html"
	],
	"report_names": [
		"lamehug-ai-driven-malware-llm-cyber-intrusion-analysis.html"
	],
	"threat_actors": [],
	"ts_created_at": 1777429238,
	"ts_updated_at": 1777450872,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/253556b00cbd96b9f078e1066e29c6a7ef23f394.pdf",
		"text": "https://archive.orkl.eu/253556b00cbd96b9f078e1066e29c6a7ef23f394.txt",
		"img": "https://archive.orkl.eu/253556b00cbd96b9f078e1066e29c6a7ef23f394.jpg"
	}
}