- A new phishing campaign in Ukraine delivers Malware called LAMEHUG using compromised email accounts.
- LAMEHUG uses a large language model, Qwen2.5-Coder-32B-Instruct by Alibaba Cloud, to generate and execute system commands.
- The campaign is linked with medium confidence to Russian state-backed group APT28.
- Attackers target executive government officials, seeking to steal system data and documents using legitimate cloud services as cover.
- Recent findings also reveal malware attempts to bypass Artificial Intelligence analyses using prompt injection techniques.
On July 18, 2025, the Computer Emergency Response Team of Ukraine (CERT-UA) reported a phishing campaign aimed at delivering malware known as LAMEHUG. The campaign used hacked email accounts that appeared to be from ministry officials, targeting government executives in Ukraine.
According to CERT-UA, the scheme was uncovered after suspicious emails were reported on July 10, 2025. These emails contained a ZIP file with three different versions of the LAMEHUG malware: “Додаток.pif,” “AI_generator_uncensored_Canvas_PRO_v0.9.exe,” and “image.py.” The agency attributed the activity with medium confidence to the Russian state-aligned group APT28.
LAMEHUG is written in Python and relies on the Qwen2.5-Coder-32B-Instruct large language model from Alibaba Cloud, which is designed for coding tasks. CERT-UA said, “It uses the LLM Qwen2.5-Coder-32B-Instruct via the huggingface[.]co service API to generate commands based on statically entered text (description) for their subsequent execution on a computer.” The malware can collect basic host details and search for .txt and .pdf files in key user folders like Documents, Downloads, and Desktop. Stolen data is sent to attacker-controlled servers through secure file transfer protocol (SFTP) or HTTP POST requests.
Attackers used the Hugging Face and Llama platforms to access the model, blending in with legitimate cloud traffic. CERT-UA stated that the abuse of trusted cloud infrastructure makes detection more challenging.
In related findings, security researchers from Check Point recently detected a malware called Skynet that tries to resist artificial intelligence analysis. Skynet employs “prompt injection,” which are tricks embedded into the malware code that tell AI-powered security tools to ignore detection commands or return false negatives. As quoted by Check Point, “First, we had the Sandbox, which led to hundreds of sandbox escape and evasion techniques; now, we have the AI malware auditor. The natural result is hundreds of attempted AI audit escape and evasion techniques. We should be ready to meet them as they arrive.”
CERT-UA did not report the overall success rate of the LAMEHUG campaign. The agency continues to monitor phishing and malware strategies that use advanced coding models and legitimate enterprise services to avoid detection.
✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.
Previous Articles:
- U.S. States Advance Blockchain Plans with Focus on Infrastructure
- Cardano Launches on Blockchain.com, Unlocking 37M User Access
- ChinaAMC HK Launches World’s First RMB Tokenized Money Market Fund
- Major Exchange Delists Ten Tokens Amid Regulatory Review
- Myriad Markets: ETH, XRP, and PUMP Airdrop Predictions Shift Rapidly
