From Prompt to Payload: LAMEHUG's LLM-Driven Cyber Intrusion | Splunk
By Splunk Threat Research Team, Teoderick Contreras
Published: 2025-09-25 · Archived: 2026-04-29 02:03:16 UTC

In July 2025, CERT-UA identified a new and unusually sophisticated threat: LAMEHUG, a malware family that integrates a large language model into its attack workflow. Unlike traditional malware, LAMEHUG queries an LLM hosted on Hugging Face to generate the commands it runs for reconnaissance, data theft and system manipulation at execution time, rather than carrying those commands in the binary. Delivered through spear-phishing emails disguised as official documents, it targets Windows environments, harvesting credentials and sensitive files while adapting its behavior to evade detection. This marks a new step in malware development: the commands executed on a host are no longer fixed at build time, which makes them harder to predict and defend against.

In this blog, the Splunk Threat Research Team (STRT) analyzes the LAMEHUG malware, examining its tactics and techniques to provide insights that help SOC analysts and blue teamers identify and respond to such threats.

Analysis

Phishing: Spearphishing Attachment (T1566.001)

According to CERT-UA, this malware was distributed as a phishing attachment disguised as an AI canvas or image generator application. This is reflected in the file names used, such as AI_generator_uncensored_Canvas_PRO_v0.9.exe and AI_image_generator_v0.95.exe.

Figure 01 shows the core Python script of one sample, which pretends to function as an image generator by accepting user prompts and generating images through the Hugging Face API. The script also reveals its malicious behavior: immediately after the Image_API_URL variable is initialized, a separate thread is launched that calls the LLM_QUERY_EX() function, which carries out the malware's malicious activities.
Figure 01: LAMEHUG Main() and LLM_QUERY_EX Thread

Another variant of LAMEHUG decodes and drops a dummy PDF file, designed to appear as a legitimate document when the victim opens the payload. Figure 02 illustrates the core routine of this variant: after launching a thread to execute the LLM_QUERY_EX() function, the malware calls the xlsx_open() function, which drops the decoy PDF file.

Figure 02: LAMEHUG Main(), LLM_QUERY_EX Thread and xlsx_open() Call (Decoy PDF Variant)

Windows Command Shell (T1059.003)

The xlsx_open() function decodes a large Base64-encoded string that holds the dummy PDF file, writes it into the C:\ProgramData directory and then opens it via a cmd.exe subprocess, as shown in Figure 03. A cmd.exe child of the dropper opening a freshly written PDF from C:\ProgramData is the observable side effect of this step.

Figure 03: Decoding and Dropping Decoy PDF File

Figure 04 illustrates how the large Base64 string can be decoded to recover the dummy PDF file used to convince the victim that the phishing attachment is a legitimate document. Figure 05 shows a snippet of the decoded PDF, revealing content aimed specifically at a government agency or department.

Figure 04: Base64 Decoding of Dummy PDF File

Figure 05: The Dummy PDF File

LLM Query

This malware uses the Qwen2.5-Coder-32B-Instruct model through the huggingface[.]co service API to generate Windows commands, which are executed with system administrator-level privileges. The generated commands are primarily used to:

1. Collect system information and save the output to C:\ProgramData\info\info.txt.
2. Recursively copy documents from various targeted directories into C:\ProgramData\info, consolidating sensitive files for exfiltration.

Figure 06 shows a code snippet from the LLM_QUERY_EX() function, which builds the prompt sent to the LLM via the Hugging Face API. The function then executes the Windows command shell instructions returned in the LLM's response to steal information from the compromised host. Because the reconnaissance and collection commands arrive from the model at run time, the stable artifacts to key on are the prompt, the model endpoint and the resulting process and file activity, not any particular command string.

Figure 06: The LLM Query Setup of LAMEHUG

System Information Discovery (T1082) and Automated Collection (T1119)

By intercepting and analyzing the LLM's responses to the prompt queries issued by the LAMEHUG malware, STRT reconstructed the Windows commands executed on the compromised host for data theft. Figure 07 illustrates the LLM's responses to two separate prompt queries generated by the malware. These commands use utilities such as systeminfo, wmic, whoami and dsquery to collect detailed system information, while xcopy.exe gathers targeted documents from multiple folder paths.

Figure 07: LAMEHUG System Information Discovery and File Collection

Exfiltration Over C2 Channel (T1041)

All of the data LAMEHUG collects is exfiltrated to its command-and-control (C2) server. Figure 08 illustrates one such C2 server reached over SSH; the figure reveals the server's IP address as well as the username and password the malware uses to transmit the stolen data. The malware thus opens a direct, authenticated connection to the remote server and moves the stolen data over an encrypted channel, which keeps the content out of network inspection while leaving the hard-coded credentials and destination as usable indicators.
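The Base64 decoding step of Figure 04, generalized into a triage helper. This is an added example, not code from the Splunk post or from the LAMEHUG samples: it scans a script's source for long Base64 string literals, decodes each one and classifies it by file magic, so an embedded decoy PDF (or an encoded prompt string) can be pulled out of a sample without running it. SOURCE, DECOY_PDF and PROMPT are constructed stand-ins for a dropper like the one above; the MIN_LEN threshold and the magic table are assumptions of this example.

```python
"""Added example (not from the Splunk post or the LAMEHUG samples): extract
and classify the large Base64 literals a dropper embeds, without executing it."""
import base64
import binascii
import re

MIN_LEN = 64  # assumption: shorter literals are usually tokens, not embedded files
# A quoted literal made only of Base64 alphabet characters; whitespace is allowed
# because long blobs are often line-wrapped inside the source.
_LITERAL = re.compile(r'(["\'])([A-Za-z0-9+/=\s]{%d,})\1' % MIN_LEN)
MAGIC = ((b"%PDF-", "pdf"), (b"MZ", "pe"), (b"PK\x03\x04", "zip"))


def classify(data: bytes) -> str:
    """Label decoded bytes by leading magic, else as text or opaque binary."""
    for magic, label in MAGIC:
        if data.startswith(magic):
            return label
    try:
        data.decode("utf-8")
        return "text"
    except UnicodeDecodeError:
        return "binary"


def extract_blobs(source: str):
    """Return (line_no, kind, decoded_bytes) for every long Base64 literal in source."""
    found = []
    for m in _LITERAL.finditer(source):
        raw = re.sub(r"\s+", "", m.group(2))
        try:
            data = base64.b64decode(raw, validate=True)
        except (binascii.Error, ValueError):
            continue  # looked like Base64 but is not (bad padding or alphabet)
        line_no = source.count("\n", 0, m.start()) + 1
        found.append((line_no, classify(data), data))
    return found


# Constructed sample inputs: a minimal PDF standing in for the decoy, and a
# prompt of the kind described above (not the malware's real prompt text).
DECOY_PDF = b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\ntrailer << /Root 1 0 R >>\n%%EOF\n"
PROMPT = ("You are a Windows command generator. Return only cmd.exe commands that collect "
          "system information into C:\\ProgramData\\info\\info.txt and copy documents "
          "into C:\\ProgramData\\info.")
# Constructed stand-in for a LAMEHUG-style dropper: decoy PDF plus encoded prompt.
SOURCE = (
    "\nimport base64, subprocess\n"
    f'PDF_B64 = "{base64.b64encode(DECOY_PDF).decode()}"\n'
    "def xlsx_open():\n"
    '    open(r"C:\\ProgramData\\decoy.pdf", "wb").write(base64.b64decode(PDF_B64))\n'
    f'PROMPT_B64 = "{base64.b64encode(PROMPT.encode()).decode()}"\n'
)


def triage(source: str = SOURCE):
    """Summarize what a sample embeds as [(line, kind, size_in_bytes), ...]."""
    return [(ln, kind, len(data)) for ln, kind, data in extract_blobs(source)]


if __name__ == "__main__":
    for ln, kind, data in extract_blobs(SOURCE):
        preview = data[:60].decode("latin-1").replace("\n", " ")
        print(f"line {ln}: {kind:6} {len(data):5d} bytes  {preview!r}")
```

Run it against the real sample's source instead of SOURCE and the `pdf` hit is the decoy to hand to the analyst, while a `text` hit that reads like an instruction is the prompt to record as an indicator. Literals that are Base64-shaped but fail strict decoding are skipped rather than reported, which keeps random-looking keys and tokens out of the output.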
Figure 08: LAMEHUG SSH C2 Server

Another variant of this malware Base64-encodes the prompt message it sends to the LLM and uses HTTP POST requests to exfiltrate sensitive data from the compromised host to its C2 server. Figure 09 illustrates the Base64-encoded prompt message, as well as the HTTPS C2 server endpoint: stayathomeclasses[.]com/slpw/up[.]php.

Figure 09: LAMEHUG HTTPS C2 Server

Detection

Windows Wmic CPU Discovery

The following analytic detects the use of WMIC (Windows Management Instrumentation Command-line) for CPU discovery, typically via commands such as "wmic cpu get name". This behavior is commonly associated with reconnaissance, where adversaries gather details about system hardware, assess processing power, or determine whether the environment is virtualized.

    | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime
      from datamodel=Endpoint.Processes
      where `process_wmic` (Processes.process="* cpu*")
      by Processes.action Processes.dest Processes.original_file_name Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path Processes.process Processes.process_exec Processes.process_guid Processes.process_hash Processes.process_id Processes.process_integrity_level Processes.process_name Processes.process_path Processes.user Processes.user_id Processes.vendor_product
    | `drop_dm_object_name(Processes)`
    | `security_content_ctime(firstTime)`
    | `security_content_ctime(lastTime)`

Figure 10: Windows Wmic CPU Discovery Detection

Windows Wmic DiskDrive Discovery

The following analytic detects the use of WMIC for disk drive discovery on a Windows system. It monitors commands such as "wmic diskdrive", which administrators often use for inventory and diagnostics but which attackers can also use to enumerate hardware details.

    | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime
      from datamodel=Endpoint.Processes
      where `process_wmic` (Processes.process="* diskdrive*")
      by Processes.action Processes.dest Processes.original_file_name Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path Processes.process Processes.process_exec Processes.process_guid Processes.process_hash Processes.process_id Processes.process_integrity_level Processes.process_name Processes.process_path Processes.user Processes.user_id Processes.vendor_product
    | `drop_dm_object_name(Processes)`
    | `security_content_ctime(firstTime)`
    | `security_content_ctime(lastTime)`

Figure 11: Windows Wmic DiskDrive Discovery Detection

Windows Wmic Memory Chip Discovery

The following analytic detects the execution of WMIC commands related to memory chip discovery on a Windows system. Specifically, it monitors for commands such as "wmic memorychip", which retrieve detailed information about the installed RAM modules.

    | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime
      from datamodel=Endpoint.Processes
      where `process_wmic` (Processes.process="* memorychip*")
      by Processes.action Processes.dest Processes.original_file_name Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path Processes.process Processes.process_exec Processes.process_guid Processes.process_hash Processes.process_id Processes.process_integrity_level Processes.process_name Processes.process_path Processes.user Processes.user_id Processes.vendor_product
    | `drop_dm_object_name(Processes)`
    | `security_content_ctime(firstTime)`
    | `security_content_ctime(lastTime)`

Figure 12: Windows Wmic Memory Chip Discovery Detection

Windows Wmic Network Discovery

The following analytic detects the execution of WMIC commands used for network interface discovery on a Windows system. Specifically, it identifies commands such as "wmic nic", which retrieve detailed information about the network adapters installed on the device.

    | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime
      from datamodel=Endpoint.Processes
      where `process_wmic` (Processes.process="* nic*")
      by Processes.action Processes.dest Processes.original_file_name Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path Processes.process Processes.process_exec Processes.process_guid Processes.process_hash Processes.process_id Processes.process_integrity_level Processes.process_name Processes.process_path Processes.user Processes.user_id Processes.vendor_product
    | `drop_dm_object_name(Processes)`
    | `security_content_ctime(firstTime)`
    | `security_content_ctime(lastTime)`

Figure 13: Windows Wmic Network Discovery Detection

Windows Wmic Systeminfo Discovery

The following analytic detects the execution of WMIC commands used for computer system discovery on a Windows system. Specifically, it monitors for commands such as "wmic computersystem", which retrieve the computer's model, manufacturer, name, domain and other system attributes.

    | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime
      from datamodel=Endpoint.Processes
      where `process_wmic` (Processes.process="* computersystem*")
      by Processes.action Processes.dest Processes.original_file_name Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path Processes.process Processes.process_exec Processes.process_guid Processes.process_hash Processes.process_id Processes.process_integrity_level Processes.process_name Processes.process_path Processes.user Processes.user_id Processes.vendor_product
    | `drop_dm_object_name(Processes)`
    | `security_content_ctime(firstTime)`
    | `security_content_ctime(lastTime)`

Figure 14: Windows Wmic Systeminfo Discovery Detection

Windows Net System Service Discovery

The following analytic detects the enumeration of Windows services with the net start command, a built-in utility that lists all running services on a system. Adversaries, system administrators and automated tools alike use it to gain situational awareness of which services are active, to identify security software, or to find opportunities for privilege escalation and lateral movement, so expect administrative noise and weigh this analytic by what else fires on the same host.

    | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime
      from datamodel=Endpoint.Processes
      where `process_net` (Processes.process="* start*")
      by Processes.action Processes.dest Processes.original_file_name Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path Processes.process Processes.process_exec Processes.process_guid Processes.process_hash Processes.process_id Processes.process_integrity_level Processes.process_name Processes.process_path Processes.user Processes.user_id Processes.vendor_product
    | `drop_dm_object_name(Processes)`
    | `security_content_ctime(firstTime)`
    | `security_content_ctime(lastTime)`

Figure 15: Windows Net System Service Discovery Detection

Windows File Collection Via Copy Utilities

The following analytic detects the use of Windows command-line copy utilities, such as xcopy.exe, to systematically collect files from user directories and consolidate them in one location on the system. This activity is often indicative of malicious behavior, as threat actors frequently use such commands to gather sensitive information, including documents with .doc, .docx and .pdf extensions.

    | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime
      from datamodel=Endpoint.Processes
      where `process_copy` Processes.process IN ("*.doc","*.docx*","*.xls*","*.xlsx*","*.ppt*","*.pptx*","*.log*", ...)
      by Processes.action Processes.dest Processes.original_file_name Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path Processes.process Processes.process_exec Processes.process_guid Processes.process_hash Processes.process_id Processes.process_integrity_level Processes.process_name Processes.process_path Processes.user Processes.user_id Processes.vendor_product
    | `drop_dm_object_name(Processes)`
    | `security_content_ctime(firstTime)`
    | `security_content_ctime(lastTime)`

Figure 16: Windows File Collection Via Copy Utilities Detection

Windows AI Platform DNS Query

The following analytic detects DNS queries initiated by scripting hosts and other Windows binaries to domains associated with Hugging Face, a popular provider of machine learning models and services.
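The process-based analytics above and the DNS analytic of this section, re-implemented in Python as an added example (not code from the Splunk post or from the STRT content repository) so that the matching can be checked by hand and the per-host correlation made explicit. The events are constructed in the shape of the Endpoint.Processes data model and Sysmon EventCode 22; the process-name sets standing in for the `process_wmic`, `process_net` and `process_copy` macros, the "*.pdf*" pattern and the Hugging Face domain list are assumptions of this example.

```python
"""Added example (not from the Splunk post): the analytics above as plain Python,
run offline over constructed events. Returns hits per host rather than printing."""
from collections import defaultdict
from fnmatch import fnmatch

# Assumption: stand-ins for the `process_wmic`, `process_net` and `process_copy`
# macros, matched on process_name (falling back to original_file_name).
WMIC_NAMES = {"wmic.exe"}
NET_NAMES = {"net.exe", "net1.exe"}
COPY_NAMES = {"xcopy.exe", "robocopy.exe"}

# SPL "* cpu*" etc.: a space-prefixed substring anywhere in the command line.
WMIC_RULES = {
    " cpu": "Windows Wmic CPU Discovery",
    " diskdrive": "Windows Wmic DiskDrive Discovery",
    " memorychip": "Windows Wmic Memory Chip Discovery",
    " nic": "Windows Wmic Network Discovery",
    " computersystem": "Windows Wmic Systeminfo Discovery",
}
# Glob patterns from the copy-utility analytic; "*.pdf*" added from its description.
DOC_PATTERNS = ("*.doc", "*.docx*", "*.xls*", "*.xlsx*", "*.ppt*", "*.pptx*", "*.log*", "*.pdf*")
# Scripting hosts from the DNS analytic; the domain list is an assumption.
AI_DNS_PROCS = {"python.exe", "cmd.exe", "rundll32.exe", "powershell.exe", "pwsh.exe"}
AI_DOMAINS = ("huggingface.co",)

# Constructed sample events, not real telemetry.
PROCESS_EVENTS = [
    {"dest": "WS01", "process_name": "wmic.exe", "process": "wmic cpu get name"},
    {"dest": "WS01", "process_name": "wmic.exe", "process": "wmic diskdrive get model,size"},
    {"dest": "WS01", "process_name": "wmic.exe", "process": "wmic memorychip get capacity,speed"},
    {"dest": "WS01", "process_name": "wmic.exe", "process": "wmic nic get name,macaddress"},
    {"dest": "WS01", "process_name": "wmic.exe", "process": "wmic computersystem get model,manufacturer,domain"},
    {"dest": "WS01", "process_name": "net.exe", "process": "net start"},
    {"dest": "WS01", "process_name": "xcopy.exe",
     "process": r'xcopy "C:\Users\alice\Documents\*.docx" "C:\ProgramData\info\" /S /E /Y'},
    {"dest": "WS02", "process_name": "wmic.exe", "process": "wmic product get name"},  # no rule
    {"dest": "WS02", "process_name": "xcopy.exe", "process": r"xcopy C:\build\out\*.exe D:\deploy /Y"},  # no rule
    {"dest": "WS04", "process_name": "net.exe", "process": "net start Spooler"},  # admin noise, fires alone
]
DNS_EVENTS = [
    {"dest": "WS01", "process_name": "python.exe", "query": "huggingface.co"},
    {"dest": "WS01", "process_name": "python.exe", "query": "router.huggingface.co"},
    {"dest": "WS01", "process_name": "python.exe", "query": "pypi.org"},  # not an AI platform
    {"dest": "WS03", "process_name": "chrome.exe", "query": "huggingface.co"},  # browser, outside the filter
]


def _name(ev):
    return (ev.get("process_name") or ev.get("original_file_name") or "").lower()


def match_process_event(ev):
    """Return the analytic names one Endpoint.Processes-style event triggers."""
    name, cmd = _name(ev), ev.get("process", "").lower()
    hits = []
    if name in WMIC_NAMES:
        hits += [rule for key, rule in WMIC_RULES.items() if key in cmd]
    if name in NET_NAMES and " start" in cmd:
        hits.append("Windows Net System Service Discovery")
    if name in COPY_NAMES and any(fnmatch(cmd, p) for p in DOC_PATTERNS):
        hits.append("Windows File Collection Via Copy Utilities")
    return hits


def match_dns_event(ev):
    """Sysmon EventCode 22 from a scripting host to an AI-platform domain."""
    q = ev.get("query", "").lower().rstrip(".")
    if _name(ev) in AI_DNS_PROCS and any(q == d or q.endswith("." + d) for d in AI_DOMAINS):
        return ["Windows AI Platform DNS Query"]
    return []


def run_detections(process_events, dns_events):
    """Flatten every event into (dest, analytic, evidence) hit tuples."""
    hits = []
    for ev in process_events:
        hits += [(ev["dest"], rule, ev["process"]) for rule in match_process_event(ev)]
    for ev in dns_events:
        hits += [(ev["dest"], rule, ev["query"]) for rule in match_dns_event(ev)]
    return hits


def rules_per_host(hits):
    """Distinct analytics per host. Several firing on one host in a short window
    (discovery, collection, model lookup) is the LAMEHUG-shaped pattern; any one
    of them alone is routine administration."""
    per_host = defaultdict(set)
    for dest, rule, _ in hits:
        per_host[dest].add(rule)
    return dict(per_host)


def summarize(process_events=PROCESS_EVENTS, dns_events=DNS_EVENTS):
    return rules_per_host(run_detections(process_events, dns_events))


if __name__ == "__main__":
    for host, rules in sorted(summarize().items()):
        print(f"{host}: {len(rules)} analytics -> {sorted(rules)}")
```

WS01 lights up eight distinct analytics, WS04 only the net start one, and WS02 and WS03 none: the wildcard patterns are deliberately loose, so the value comes from counting distinct analytics per host over a short window rather than from any single match, which is how the analytic story is meant to be read.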
Monitoring for such DNS requests is important because it reveals when systems reach out to external AI platforms, which may indicate the use of third-party AI resources or the transfer of sensitive data outside the organization's environment. The process filter is what makes the analytic useful: a scripting host or LOLBin resolving an AI-platform domain is a much narrower signal than a browser doing so.

    `sysmon` EventCode=22
      process_name IN ("python.exe", "cmd.exe", "rundll32.exe", "powershell.exe", "pwsh.exe")
      Qu...
    | rename dvc as dest
    | stats count min(_time) as firstTime max(_time) as lastTime
      by answer answer_count dest process_exec process_guid process_name query query_count reply_code_id signature s... vendor_product QueryName QueryResults QueryStatus
    | `security_content_ctime(firstTime)`
    | `security_content_ctime(lastTime)`

Figure 17: Windows AI Platform DNS Query Detection

Overall, the LAMEHUG Splunk Analytic Story consists of 14 detections.

IOC

SHA256 Hashes                                                      Description
384e8f3d300205546fb8c9b9224011b3b3cb71adc994180ff55e1e6416f65715   LAMEHUG
766c356d6a4b00078a0293460c5967764fcd788da8c1cd1df708695f3a15b777   LAMEHUG
bdb33bbb4ea11884b15f67e5c974136e6294aa87459cdc276ac2eea85b1deaa3   LAMEHUG
d6af1c9f5ce407e53ec73c8e7187ed804fb4f80cf8dbd6722fc69e15e135db2e   LAMEHUG

Learn More

This blog helps security analysts, blue teamers and Splunk customers identify LAMEHUG malware by enabling the community to discover related tactics, techniques and procedures used by threat actors and adversaries. You can implement the detections in this blog using the Enterprise Security Content Updates app or the Splunk Security Essentials app. To view the Splunk Threat Research Team's complete security content repository, visit research.splunk.com.

Feedback

Any feedback or requests? Feel free to put in an issue on GitHub and we'll follow up. Alternatively, join us on the Slack channel #security-research. Follow these instructions if you need an invitation to our Splunk user groups on Slack.

Contributors

We would like to thank Teoderick Contreras for authoring this post and the entire Splunk Threat Research Team for their contributions: Michael Haag, Nasreddine Bencherchali, Lou Stella, Bhavin Patel, Rod Soto, Eric McGinnis, Patrick Bareiss, Raven Tait and Jose Hernandez.

Source: https://www.splunk.com/en_us/blog/security/lamehug-ai-driven-malware-llm-cyber-intrusion-analysis.html