Russian Hackers Now Using AI to Target Government Officials in Real Time
Ukraine’s CERT UA has flagged a sophisticated Russian malware strain called LameHug, engineered by the state-backed APT28. This emerging threat uses an LLM to generate Windows commands in real time during active attacks.
APT28 Phishing Campaign with LLMs, AI Backbone
On July 10, targeted phishing emails impersonating Ukrainian ministry officials were sent to high-level government agencies. They carried ZIP attachments containing LameHug loaders disguised as legitimate files.
For our tech-savvy readers, the malware interacts with the Qwen 2.5 Coder 32B Instruct model via HuggingFace’s API to dynamically build and execute shell commands on infected Windows machines.
How LameHug Malware Works With LLMs
- Initial compromise: Attackers delivered the malware via spoofed phishing emails.
- LLM-driven commands: LameHug sends prompts to the Qwen 2.5 LLM to collect system information and locate sensitive files.
- Automated exfiltration: It retrieves data via HTTP POST or SFTP channels depending on variant.
CERT UA describes LameHug as a “proof of concept” for AI driven state sponsored malware.
The LameHug attack marks the first confirmed instance of malware using a real-time LLM command loop. Security experts fear that threat actors will rapidly adapt this model. Ukraine’s defense sector bears the brunt of this early wave.
How Should People Stay Safe?
- Monitor for unusual API calls to LLM services
- Detect dynamic command execution on Windows endpoints
- Segment sensitive assets to prevent lateral moves
- Block unauthorized access to AI model endpoints
Security teams are urged to deploy detection rules that correlate Qwen API activity with process execution metadata.
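The correlation described above, as an added example that is not from the article or from CERT UA: it joins a constructed proxy log and a constructed process-creation log by host and flags any endpoint that spawns a shell within 30 seconds of a POST to the HuggingFace inference API hostname (the hostname, the 30-second window and the log field names are assumptions).

```python
from datetime import datetime, timedelta

# Assumption: hostname of the public HuggingFace inference API; extend the set
# with any other LLM endpoints your organization does not sanction.
LLM_API_HOSTS = {"api-inference.huggingface.co"}
# Assumption: a shell spawned this soon after an LLM API call is suspicious.
WINDOW = timedelta(seconds=30)
SHELLS = {"cmd.exe", "powershell.exe"}

def parse_ts(s):
    """Parse an ISO-8601 timestamp string into a datetime."""
    return datetime.fromisoformat(s)

def correlate(proxy_events, process_events, window=WINDOW):
    """Return (host, llm_call_ts, shell_ts, image, parent) tuples for every
    host that contacted an LLM API endpoint and then launched a shell
    within `window` seconds. Events are dicts in the constructed formats below."""
    hits = []
    procs = sorted(process_events, key=lambda e: e["ts"])
    for p in proxy_events:
        if p["dst"] not in LLM_API_HOSTS:
            continue
        t0 = parse_ts(p["ts"])
        for q in procs:
            if q["host"] != p["host"] or q["image"].lower() not in SHELLS:
                continue
            t1 = parse_ts(q["ts"])
            if t0 <= t1 <= t0 + window:
                hits.append((p["host"], p["ts"], q["ts"], q["image"], q["parent"]))
    return hits

# Constructed sample telemetry, not real logs: one proxy entry per outbound
# HTTP request and one process-creation entry per new process.
PROXY_LOG = [
    {"ts": "2025-07-10T09:00:01", "host": "WS-0412",
     "dst": "api-inference.huggingface.co", "method": "POST"},
    {"ts": "2025-07-10T09:05:00", "host": "WS-0099",
     "dst": "updates.example.com", "method": "GET"},
]
PROCESS_LOG = [
    {"ts": "2025-07-10T09:00:04", "host": "WS-0412",
     "image": "cmd.exe", "parent": "unknown_loader.exe"},
    {"ts": "2025-07-10T09:05:02", "host": "WS-0099",
     "image": "cmd.exe", "parent": "explorer.exe"},
]

if __name__ == "__main__":
    for hit in correlate(PROXY_LOG, PROCESS_LOG):
        print("ALERT: shell after LLM API call", hit)
```

Only WS-0412 is flagged: WS-0099 also spawns a shell, but its preceding request went to an ordinary update host, which is the distinction the rule relies on.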

Abdul Wasay explores emerging trends across AI, cybersecurity, startups and social media platforms in a way anyone can easily follow.