Novel Russia-linked malware taps LLM for Windows-targeted commands

Newly emergent LameHug malware was disclosed by Ukraine's Computer Emergency Response Team to have been leveraging Alibaba Cloud's Qwen 2.5-Coder-32B-Instruct open-source large language model to facilitate command generation in targeted Windows systems, BleepingComputer reports.

Attacks believed to have been conducted by Russian state-sponsored threat operation APT28, also known as Fancy Bear, Sofacy, Forest Blizzard, and STRONTIUM, commenced with the use of breached email accounts to distribute ministry official-spoofing messages, which include a ZIP attachment with the LameHug loader. Execution of LameHug allowed the delivery of artificial intelligence-generated commands then used to pilfer system data and identify documents on Windows' Documents, Downloads, and Desktop folders, which are then exfiltrated through HTTP POST or SFTP requests. While CERT-UA has not detailed the success of LameHug's AI-generated commands, such use of LLMs could prompt intrusions that are not only more flexible but also more clandestine.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

You can skip this ad in 5 seconds