2025-07-18

Novel Russia-linked malware taps LLM for Windows-targeted commands

Ukraine's Computer Emergency Response Team (CERT-UA) has disclosed that the newly emergent LameHug malware leverages Alibaba Cloud's open-source Qwen 2.5-Coder-32B-Instruct large language model to generate the commands it runs on targeted Windows systems, BleepingComputer reports.

The attacks, attributed to the Russian state-sponsored threat group APT28 (also known as Fancy Bear, Sofacy, Forest Blizzard, and STRONTIUM), began with compromised email accounts being used to send messages spoofing ministry officials, each carrying a ZIP attachment containing the LameHug loader. Once executed, LameHug retrieved AI-generated commands that were used to collect system information and locate documents in the Documents, Downloads, and Desktop folders, which were then exfiltrated via HTTP POST requests or SFTP. While CERT-UA has not detailed how effective LameHug's AI-generated commands were, this use of LLMs could enable intrusions that are not only more adaptable but also harder to detect.

