First-ever AI malware ‘LameHug’ hides in ZIP files to hack Windows PCs




A new malware family called LameHug is infecting systems around the world using the same technology that powers AI chatbots such as ChatGPT, Gemini, Perplexity and Claude. Discovered by Ukraine's national cyber incident response team (CERT-UA), the malware uses a large language model to generate and run the commands it uses to infect Windows PCs and steal information from them.

CERT-UA attributes the attacks to the Russian threat group APT28. Written in Python, LameHug calls the Hugging Face API and is powered by Qwen-2.5-Coder-32B-Instruct, an open-source large language model developed by Alibaba Cloud, to generate and send commands.

Like AI chatbots such as Gemini, ChatGPT and Perplexity, the large language model can turn instructions written in natural language into executable code or shell commands. In an email the group sent to Ukrainian government authorities while impersonating ministry officials, the payload delivering LameHug was hidden in a ZIP archive containing files named “AI_generator_uncensored_Canvas_PRO_0.9.exe” and “image.py”.
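The lure described above is an executable and a Python script inside an email ZIP attachment. The following is an added example, not code from the article, CERT-UA or any vendor, of the kind of attachment check a mail gateway or triage script can apply: it inspects archive members by extension, by "document.pdf.exe"-style double extensions, and by content (a PE file always begins with the `MZ` DOS header signature, whatever its name). The sample archive is constructed in memory; its member names match those reported by CERT-UA, but the member contents are placeholders written for this example, and the extension lists are assumptions.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Assumed policy lists for this example (not CERT-UA's or any vendor's rules).
EXECUTABLE_SUFFIXES = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd",
                       ".ps1", ".py", ".js", ".vbs", ".dll", ".msi"}
DOCUMENT_SUFFIXES = {".pdf", ".doc", ".docx", ".txt", ".jpg", ".png"}
PE_MAGIC = b"MZ"  # every Windows PE executable starts with this DOS header signature


def build_sample_archive() -> bytes:
    """Constructed lure archive: the two member names match those reported by
    CERT-UA, but the contents are placeholders written here, not the real files."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AI_generator_uncensored_Canvas_PRO_0.9.exe",
                    PE_MAGIC + b"\x90\x00" + b"\x00" * 62)
        zf.writestr("image.py", "# placeholder script body (constructed)\n")
        zf.writestr("readme.txt", "Sample document attached.\n")
    return buf.getvalue()


def suspicious_members(zip_bytes: bytes) -> list[dict]:
    """Return one finding per archive member that a mail gateway should hold back."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            suffixes = [s.lower() for s in PurePosixPath(info.filename).suffixes]
            last = suffixes[-1] if suffixes else ""
            reasons = []
            if last in EXECUTABLE_SUFFIXES:
                reasons.append(f"executable or script extension {last}")
            # "report.pdf.exe" style names: a document extension placed before the real one
            if len(suffixes) >= 2 and suffixes[-2] in DOCUMENT_SUFFIXES and last in EXECUTABLE_SUFFIXES:
                reasons.append("double extension")
            # Check content, not only the name: a PE header under any extension is suspicious
            with zf.open(info) as member:
                if member.read(2) == PE_MAGIC:
                    reasons.append("PE (MZ) header")
            if reasons:
                findings.append({"name": info.filename, "size": info.file_size, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in suspicious_members(build_sample_archive()):
        print(f"{f['name']}: {', '.join(f['reasons'])}")
```

The content check matters more than the name check: renaming the executable inside the archive defeats an extension rule, but not the header test. Note that `PurePosixPath.suffixes` treats the `.9` in the lure's version number as a suffix, which is why the double-extension rule only fires when the penultimate suffix is a known document type.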


The malware used commands that allowed APT28, the threat group that sent the emails, to collect information about the infected Windows PC and search for text and PDF documents stored in the Documents, Downloads and Desktop folders. This information was then sent to a remote server controlled by the attackers, but it is still unclear exactly how the LLM-powered attack was carried out.

According to a recently issued advisory from the threat intelligence sharing platform IBM X-Force Exchange, this is the first documented case of malware using LLMs to write executable commands, which “allows threat actors to adapt their practice during a compromise without needing new payloads, potentially making the malware harder to detect by security software or static analysis tools.” The news comes after the security analysis firm Check Point said it had discovered a new malware, called Skynet, that evades detection by AI tools.
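If the commands are generated at runtime, as the advisory quoted above says, static signatures for the commands themselves are a weak detection point; what stays constant is the network behaviour described two paragraphs earlier: the infected host must reach a hosted inference API to obtain its commands and then upload the collected documents somewhere. The following is an added example, not part of the article or any vendor's product, of a simple two-rule detection over proxy logs: flag inference-API calls from hosts where they are not expected, and flag a bulk upload that follows such a call within a short window. The log lines, the key=value format, the inference hostnames and the list of expected client hosts are all constructed assumptions for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumptions for this example: hostnames of model-inference APIs to watch, and the
# internal hosts where calling them is expected. Neither list comes from the article.
LLM_INFERENCE_HOSTS = {"api-inference.huggingface.co", "router.huggingface.co"}
EXPECTED_LLM_CLIENTS = {"DEV-ML-01"}
UPLOAD_THRESHOLD_BYTES = 500_000      # bulk outbound transfer worth a second look
WINDOW = timedelta(minutes=10)        # how soon after an LLM call an upload is correlated

# Constructed proxy log lines in a simple key=value layout (not a real product's format).
SAMPLE_LOG = """\
2025-07-17T09:00:10 host=WS-HR-02 dst=sharepoint.example.com method=PUT sent=2100000
2025-07-17T09:30:05 host=DEV-ML-01 dst=api-inference.huggingface.co method=POST sent=1800
2025-07-17T10:01:02 host=WS-FIN-07 dst=api-inference.huggingface.co method=POST sent=2210
2025-07-17T10:01:09 host=WS-FIN-07 dst=api-inference.huggingface.co method=POST sent=1950
2025-07-17T10:04:41 host=WS-FIN-07 dst=203.0.113.45 method=POST sent=910000
2025-07-17T11:20:00 host=WS-FIN-07 dst=updates.example.com method=GET sent=400
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) dst=(?P<dst>\S+) method=(?P<method>\S+) sent=(?P<sent>\d+)$"
)


def parse_log(text: str) -> list[dict]:
    """Parse key=value proxy lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        ev["sent"] = int(ev["sent"])
        events.append(ev)
    return events


def detect(events: list[dict]) -> list[dict]:
    """Two rules: (1) an LLM inference API called from a host where that is not
    expected; (2) a bulk upload to a non-LLM destination shortly after such a call."""
    by_host = defaultdict(list)
    for ev in events:
        by_host[ev["host"]].append(ev)

    findings = []
    for host, evs in by_host.items():
        if host in EXPECTED_LLM_CLIENTS:
            continue
        evs.sort(key=lambda e: e["ts"])
        llm_calls = [e["ts"] for e in evs if e["dst"] in LLM_INFERENCE_HOSTS]
        if not llm_calls:
            continue
        findings.append({"host": host, "rule": "llm_api_from_unexpected_host",
                         "first_seen": llm_calls[0], "count": len(llm_calls)})
        for e in evs:
            if e["dst"] in LLM_INFERENCE_HOSTS or e["sent"] < UPLOAD_THRESHOLD_BYTES:
                continue
            if any(t <= e["ts"] <= t + WINDOW for t in llm_calls):
                findings.append({"host": host, "rule": "bulk_upload_after_llm_call",
                                 "dst": e["dst"], "bytes": e["sent"], "at": e["ts"]})
    return findings


if __name__ == "__main__":
    for f in detect(parse_log(SAMPLE_LOG)):
        print(f)
```

On the sample data the HR workstation's large upload produces nothing, because no inference call preceded it, and the developer host's API call is expected; only the finance workstation trips both rules. The allowlist is what keeps the first rule usable in an organisation that really does use hosted models, so it should be maintained from an inventory rather than guessed.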

© IE Online Media Services Pvt Ltd




