A new Russia-based family of malware has been observed using a large language model (LLM) to issue commands on compromised systems in real time, which can potentially improve attacker capability by allowing them to shift tactics during an attack without having to introduce new payloads. The Russian malware was first spotted by Ukraine’s national cyber incident response team (CERT-UA) and is being attributed to the state-sponsored group APT28, perhaps better known as Fancy Bear or STRONTIUM.
Russian malware targets Windows, uses Hugging Face API for commands
The new Russian malware, “LameHug,” draws its name from using the Hugging Face API to interact with the Qwen 2.5-Coder-32B-Instruct LLM (an Alibaba Cloud flagship chatbot). It caught the attention of CERT-UA on July 10 by way of phishing emails sent from compromised accounts that were used to impersonate officials of the country’s Cabinet of Ministers. The attackers sent the LameHug attachment as executables posing as “uncensored” AI generators as well as PIF configuration and Python script files.
The LLM can reportedly be used both to receive remote instructions and complete pre-assigned tasks on its own. Researchers with the agency observed it harvesting system information and saving it to text files, as well as exfiltrating data from key Windows directories via SFTP or HTTP POST requests after recursively searching them.
The Russian malware is the first observed in the wild that has incorporated LLM support. However, one big caveat is that CERT-UA has not commented on whether the LLM commands were actually successful. While its effectiveness is thus still very much in question, the theoretical benefit of it is increased cover for the malware given that security software will not be able to detect hardcoded commands and that use of the Hugging Face infrastructure adds a layer of legitimacy.
LLM use in malware development continues to make slow but steady progress
While the Russian malware is the first known to chain its operations to a specific LLM, a June report from Check Point Research notes another sample found in the wild that embeds what appear to be prompt injection commands for any LLM that might try to parse it. However, it appears to be an unsophisticated experiment and fails when tested against multiple major LLMs.
Since LLMs became widely available with the initial public release of ChatGPT in late 2022, there has been great fear about their capability to create and enhance malware. But as of yet, that fear has not been proven to be warranted. Criminals are getting aid from LLMs in polishing some of the details of their approaches, such as improving the presentation of their phishing messages. But their coding capability has thus far proven to be largely insufficient to produce anything approaching a sophisticated piece of malware. That capability has shown some small improvement with this year’s updates to some of the major LLMs, which are now becoming more competent at “vibe coding” (or producing functional applications solely through prompt instructions). Testing has thus far determined certain models can produce very simple malware once jailbroken, such as keyloggers and ransomware, usually requiring at least “minimal” tweaking by experienced hands. At minimum the tools are not sufficient for a novice to simply bumble in and ask a chatbot to create malware for it, but their utility as a time-saver or force enhancer to more experienced criminals is beginning to grow.
The GRU-backed Fancy Bear is one of the groups most likely to be at the forefront of successfully experimenting with these tools. It has been active since 2004, and has been developing its own home-grown varieties of Russian malware since at least 2012. Most foreign APT groups prefer to operate in the shadows as much as possible and never become “household names” that the average person would be familiar with, but Fancy Bear made itself one of the few exceptions with a series of high-profile attacks beginning in the mid-2010s: a long campaign of targeting journalists in other countries (particularly the US), a damaging offensive attack against the German parliament in 2015, death threats against the spouses of US military soldiers (used as a false flag to stoke fears of Islamic terror attacks), and a revenge attack against the World Anti-Doping Agency in 2016 after Russian athletes were banned from the Olympics among numerous other examples. The group made its way back into the news recently as the leading suspect behind the proliferation of the “Authentic Antics” malware, which is targeted at capturing credentials and access tokens for Microsoft email accounts and has been seen in use since 2023.
Aditya Sood, VP of Security Engineering and AI Strategy at Aryaka, provides some additional technical insight on the new Russian malware capability and what can be done in terms of effective detection and defense: “The LameHug malware utilizes the Qwen 2.5-Coder-32B-Instruct Large Language Model (LLM) to craft its commands dynamically. This indicates that attackers are weaponizing AI for malicious operations. Considering the LameHug design, the malicious code utilizes AI capabilities via an API to generate prompt-centric commands by querying the LLM in real-time for system reconnaissance and data theft, directly on the compromised Windows system. Instead of relying on static, pre-defined commands that deployed security solutions can easily fingerprint, LameHug’s integration of an LLM enables it to adapt its tactics and create novel commands on the fly, effectively making it a polymorphic threat at the command level and potentially evading defenses for extended periods. Cyberattacks on government bodies, especially during times of active conflict, must be met with proactive measures to mitigate breaches. The potential leakage of classified information could have catastrophic consequences for the targeted agency, making it imperative to act swiftly and decisively.”
“To effectively combat AI-powered malware like LameHug, organizations must deploy AI-enhanced EDR/XDR for behavioral anomaly detection and network traffic analysis. The adoption of a Zero Trust Architecture (ZTA) with strong MFA and segmentation is crucial to limit lateral movement. Furthermore, comprehensive security awareness training against AI-generated social engineering, as well as proactive threat hunting, are essential to ensure organizations stay ahead of these evolving threats,” added Sood.

