August 1, 2025
By esentry Team

LameHug: The AI-Powered Malware

LameHug, a new AI-driven malware linked to the Russian threat group APT28, exploits the same kind of technology that powers AI chatbots such as ChatGPT, Gemini, Perplexity, and Claude.

The malware uses Large Language Models (LLMs) during execution to create and execute commands, infecting Windows systems and stealing data.

Written in Python, LameHug utilizes Hugging Face APIs and is driven by Alibaba Cloud’s Qwen-2.5-Coder-32B-Instruct, an open-source LLM that generates commands for execution on compromised systems.

How It Works

1. Initial Access: Delivered via phishing campaigns targeting Ukrainian government and defense entities.

·       The malware is distributed through spear-phishing emails aimed at specific organizations, leveraging social engineering to trick users into interacting with malicious content.

2. Delivery: Uses disguised executables bundled in ZIP attachments.

·       The phishing emails contain ZIP files with malicious executables disguised as legitimate files (e.g., .pif, .exe, .py), designed to bypass basic security checks and lure users to open them.

3. Execution: Executes malicious code upon user interaction.

·       Once the user extracts and runs the disguised executable from the ZIP file, the malware is activated on the victim's system, initiating its malicious operations.

4. Command and Control (C2): Employs Qwen 2.5-Coder-32B-Instruct AI model via Hugging Face API.

·       The malware communicates with the Qwen 2.5-Coder-32B-Instruct AI model, hosted by Alibaba Cloud and accessed through the Hugging Face API, to receive instructions and generate malicious commands dynamically.

5. Collection and Reconnaissance: Sends text prompts to the AI model for reconnaissance or exploitation.

·       The malware sends specific text prompts to the AI model, which responds with executable Windows commands. These commands are used to gather system information, identify vulnerabilities, or prepare for further exploitation.

6. Exfiltration: Exfiltrates data over SFTP or HTTP POST.

·       Collected data is transmitted to attacker-controlled infrastructure using secure file transfer protocol (SFTP) or HTTP POST methods, ensuring the stolen information reaches the attackers' servers.

Why It Matters

Dynamic Code Paths: Attack logic adapts per target, evading static signature-based detection.

Cloud-based C2: Malicious traffic hides within legitimate API communications (Hugging Face API with bearer-token headers).

Prompt Injection: Attackers use controlled prompts to remotely define tactics, techniques, and procedures (TTPs).

Impact

Failure of Traditional IOC- and YARA-based defenses.

Traffic-based Anomaly Detection required.

Indicators Of Compromise

File Names:

·       AI_generator_uncensored

·       Canvas_PRO_v0.9.exe

·       image.py

·       info.txt

C2: Attacker-operated SFTP or POST-based endpoints

API Traffic: Requests to huggingface.co/inference-api/v1/qwen during runtime

Artefacts:

·       Scheduled tasks

·       Scripts in AppData

·       PowerShell logs

·       SFTP artifacts

Recommendation

1. Prevention

User Awareness: Train users to be cautious of .zip attachments, even from trusted sources.

Attachment Filtering: Block risky file types like .pif, .scr, .py, and disguised .exe files.

Restrict AI Access: Limit endpoint access to LLM APIs (e.g., Hugging Face) via firewall or proxy.

Limit Python: Remove Python from endpoints unless explicitly required.

2. Detection & Monitoring

Watch for:

Outbound HTTPS calls to suspicious APIs (e.g., huggingface.co).

New scheduled tasks tied to suspect accounts.

Suspicious executables in AppData\Local\Temp.

Unexpected .txt, .log, or batch file creation post-login.

Use EDR to Detect:

Python activity outside usual paths.

Recursive file scanning and data packaging behaviors.
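
An added example, not part of the original advisory: one way to combine two of the signals above (outbound calls to huggingface.co, and Python or other executables running from unusual paths) over process network-connection events. The event field names, the allowlisted install path, the score weights and the sample events are assumptions constructed for illustration.

```python
import ntpath

# Assumed values: tune to your environment.
LLM_API_HOSTS = ("huggingface.co",)  # host named in this advisory
APPROVED_IMAGES = {r"c:\program files\python312\python.exe"}  # hypothetical allowlist
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\")

def is_llm_host(host):
    host = host.lower().rstrip(".")
    return any(host == h or host.endswith("." + h) for h in LLM_API_HOSTS)

def score_event(ev):
    """Return (score, reasons) for one process network-connection event."""
    image = ev["image"].lower()
    if not is_llm_host(ev["dest_host"]) or image in APPROVED_IMAGES:
        return 0, []
    score, reasons = 1, ["unapproved process contacted LLM API host"]
    if any(p in image for p in USER_WRITABLE):
        reasons.append("image runs from a user-writable path")
        score += 2
    if ntpath.basename(image).startswith("python"):
        reasons.append("Python interpreter outside approved install path")
        score += 1
    return score, reasons

def triage(events, threshold=2):
    """Keep events at or above the threshold, highest score first."""
    alerts = []
    for ev in events:
        score, reasons = score_event(ev)
        if score >= threshold:
            alerts.append({"host": ev["host"], "image": ev["image"], "score": score, "reasons": reasons})
    return sorted(alerts, key=lambda a: -a["score"])

# Constructed sample events (not real telemetry), shaped like EDR/Sysmon network records.
SAMPLE_EVENTS = [
    {"host": "WS-014", "image": r"C:\Users\a.user\AppData\Local\Temp\Canvas_PRO_v0.9.exe", "dest_host": "huggingface.co"},
    {"host": "WS-022", "image": r"C:\Program Files\Python312\python.exe", "dest_host": "huggingface.co"},
    {"host": "WS-031", "image": r"C:\Users\b.user\AppData\Roaming\py\python.exe", "dest_host": "api-inference.huggingface.co"},
    {"host": "WS-040", "image": r"C:\Program Files\Mozilla Firefox\firefox.exe", "dest_host": "huggingface.co"},
    {"host": "WS-014", "image": r"C:\Users\a.user\AppData\Local\Temp\Canvas_PRO_v0.9.exe", "dest_host": "example.org"},
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert)
```

A browser reaching huggingface.co scores below the threshold, so the rule keys on the process and its path rather than on the destination alone.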

3. Response

Quarantine compromised systems.

Capture memory and traffic for potential prompt forensics.

Rotate credentials and revoke session tokens to limit further compromise.