First AI-Powered Malware LAMEHUG Attacking Organizations With Compromised Official Email Account
LAMEHUG is the first publicly documented malware that calls a large language model at runtime to generate the commands it executes, rather than shipping those commands hard-coded in the binary.
The malware is attributed to the Russian state-sponsored group APT28 (tracked by CERT-UA as UAC-0001 and by Microsoft as Forest Blizzard) and has been used against Ukraine's security and defense sector during the ongoing conflict.
The attack chain begins with phishing emails sent from compromised official government email accounts, which lends the messages credibility and lets them pass sender-based filtering.
The attackers pose as representatives of government ministries and distribute ZIP archives with document-like names such as "Appendix.pdf.zip".
Inside each archive is a .pif file rather than a PDF: .pif is an executable extension that Windows runs like an .exe, and these files are PyInstaller bundles built from Python source, so the double extension is the only visible hint that the "document" is a program.
What sets LAMEHUG apart from conventional malware is that it queries the Qwen2.5-Coder-32B-Instruct model through the Hugging Face API.
LogPoint analysts identified that the malware sends the model a natural-language description of what it wants (system reconnaissance, document collection) and executes the commands the model returns.
The commands therefore do not exist in the binary as pre-programmed attack sequences; they are produced from a text prompt at runtime, so the operator can change what the malware does by changing the prompt rather than rebuilding and redeploying it.
Two consequences matter for defenders. First, the command strings can vary between runs, because the model is free to phrase the same task differently, which makes exact-string signatures on the reconnaissance commands unreliable; behavioural detection (the staging directory, the redirect pattern, the outbound destinations) is more robust.
Second, the model calls go to a legitimate, widely used public inference service, so the traffic blends with ordinary developer use of Hugging Face and is unlikely to be blocked by reputation alone.
AI-Driven Reconnaissance and Data Exfiltration Mechanism
LAMEHUG's most distinctive feature is its AI-assisted reconnaissance, which enumerates the host through model-generated commands.
The malware creates a staging directory at %PROGRAMDATA%\info and collects system information with a command chain of more than 20 reconnaissance operations, all appending their output to a single file in that directory.
The generated chain covers hardware details via WMIC queries, network configuration, the current user's privileges, and Active Directory enumeration.
A typical sequence includes commands such as systeminfo >> %PROGRAMDATA%\info\info.txt and wmic computersystem get name,manufacturer,model >> %PROGRAMDATA%\info\info.txt, progressively building a profile of the compromised system in one text file that is later exfiltrated.
After reconnaissance, LAMEHUG recursively searches the Documents, Desktop, and Downloads folders and copies the documents it finds into the staging directory.
It then exfiltrates the collected data over two channels, SFTP and HTTP POST, to attacker-controlled infrastructure at 144.126.202.227 and 192.36.27.37 and to domains including stayathomeclasses.com.
Having two transports gives the operators a fallback if one is blocked at the perimeter; for defenders, those addresses and the domain are concrete indicators to block and to hunt for in proxy, firewall, and endpoint network logs, alongside the %PROGRAMDATA%\info staging path.
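The reconnaissance staging described in the previous section and the exfiltration indicators above suggest four behavioural checks a detection engineer could run over endpoint telemetry. The following is an added example, not code from the article, from CERT-UA or LogPoint, or from the malware itself: it applies those checks to constructed Sysmon-style events (EventID 1 process creation, EventID 3 network connection). The IP addresses, domain, staging path and the two example commands are taken from the article; the host names, user paths, the broader list of reconnaissance verbs, and the event layout are assumptions made for the example.

```python
"""Detection sketch for the LAMEHUG tradecraft described in the article.

Added example, not code from the article, CERT-UA, LogPoint or APT28's
tooling: four checks over constructed Sysmon-style events (EventID 1 =
process creation, EventID 3 = network connection).
"""
import re
from collections import defaultdict
from typing import Dict, List

# Indicators taken from the article.
C2_IPS = {"144.126.202.227", "192.36.27.37"}
C2_DOMAINS = {"stayathomeclasses.com"}

# Staging directory %PROGRAMDATA%\info, matched unexpanded or expanded.
STAGING_RE = re.compile(r"(%PROGRAMDATA%|C:\\ProgramData)\\info\\", re.IGNORECASE)

# Command families the article attributes to the AI-generated chain
# (hardware via WMIC, network config, privileges, AD enumeration). The
# exact verbs beyond systeminfo and wmic are an assumption.
RECON_RE = re.compile(
    r"\b(systeminfo|wmic|ipconfig|whoami|net\s+(user|group)|dsquery|nltest)\b",
    re.IGNORECASE,
)

# Constructed sample telemetry (hypothetical host, user and paths).
SAMPLE_EVENTS: List[Dict] = [
    {"event_id": 1, "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Users\olena\Downloads\Appendix.pif",
     "command_line": r'cmd.exe /c "systeminfo >> %PROGRAMDATA%\info\info.txt"'},
    {"event_id": 1, "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Users\olena\Downloads\Appendix.pif",
     "command_line": r'cmd.exe /c "wmic computersystem get name,manufacturer,model'
                     r' >> %PROGRAMDATA%\info\info.txt"'},
    {"event_id": 3, "image": r"C:\Users\olena\Downloads\Appendix.pif",
     "dest_ip": "144.126.202.227", "dest_port": 22, "dest_host": ""},
    {"event_id": 3, "image": r"C:\Users\olena\Downloads\Appendix.pif",
     "dest_ip": "192.36.27.37", "dest_port": 80, "dest_host": "stayathomeclasses.com"},
    # Benign noise: an admin inventory script and ordinary browsing.
    {"event_id": 1, "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r'cmd.exe /c "systeminfo > C:\temp\inventory.txt"'},
    {"event_id": 3, "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "dest_ip": "93.184.216.34", "dest_port": 443, "dest_host": "example.com"},
]


def analyze(events: List[Dict]) -> List[Dict]:
    """Return one finding per matched rule; an empty list means nothing fired."""
    findings: List[Dict] = []
    recon_by_parent: Dict[str, List[int]] = defaultdict(list)
    flagged_pif_parents = set()

    for idx, ev in enumerate(events):
        if ev["event_id"] == 1:
            cmd = ev["command_line"]
            parent = ev.get("parent_image", "")
            # A .pif executable launching a shell matches the article's
            # PyInstaller first stage; report each such parent once.
            if parent.lower().endswith(".pif") and parent not in flagged_pif_parents:
                flagged_pif_parents.add(parent)
                findings.append({"rule": "pif_spawns_shell", "events": [idx], "detail": parent})
            # Any command whose output is redirected into the staging directory.
            if STAGING_RE.search(cmd):
                findings.append({"rule": "staging_dir_write", "events": [idx], "detail": cmd})
            # Collect recon verbs per parent: one systeminfo is normal admin
            # activity, a run of them from the same parent is the chain.
            if RECON_RE.search(cmd):
                recon_by_parent[parent].append(idx)
        elif ev["event_id"] == 3:
            if ev["dest_ip"] in C2_IPS or ev.get("dest_host", "").lower() in C2_DOMAINS:
                findings.append({"rule": "known_c2", "events": [idx],
                                 "detail": f'{ev["dest_ip"]}:{ev["dest_port"]} {ev["dest_host"]}'})

    for parent, idxs in recon_by_parent.items():
        if len(idxs) >= 2:
            findings.append({"rule": "recon_chain", "events": idxs, "detail": parent})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f'{f["rule"]:<18} events={f["events"]} {f["detail"]}')
```

The staging-directory and recon-chain rules are the ones worth keeping after the listed infrastructure rotates: because the model may phrase the commands differently on each run, matching the redirect target and the burst of enumeration commands from a single parent holds up better than matching the exact command strings quoted in the article.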