LAMEHUG Malware Reportedly Integrates Large Language Model for Real-Time Command Generation in a Purported APT28-Linked Cyberattack

July 10, 2025

The first reported case of malware (LAMEHUG) using a large language model (Qwen2.5-Coder-32B-Instruct, accessed via the Hugging Face API) has been linked with moderate confidence to the threat actor group APT28 (Fancy Bear). The campaign targeted Ukrainian officials through phishing emails; once a system was infected, the integrated LLM dynamically generated the commands used for reconnaissance and data exfiltration, rather than those commands being hard-coded in the malware. Such incidents underscore the urgent need for safe and secure AI practices. For those interested in shaping the governance of AI to prevent such harm, JOIN US. This incident is a prime example of how the Map function of HISPI Project Cerebellum TAIM can help identify and address such risks.

HISPI Project Cerebellum TAIM - Govern, Map, Measure, Manage.

Matched TAIM controls

Suggested mapping from embedding similarity (not a formal assessment).

Alleged deployer
fancy-bear, apt28
Alleged developer
hugging-face, alibaba
Alleged harmed parties
ukrainian-government-officials, ukrainian-government-ministries, state-institutions-targeted-by-espionage-operations, public-sector-information-systems, national-cybersecurity-infrastructure-of-ukraine, government-of-ukraine, national-security-and-intelligence-stakeholders

Source

Data from the AI Incident Database (AIID). Cite this incident: https://incidentdatabase.ai/cite/1220

Data source

Incident data is from the AI Incident Database (AIID).

When citing the database as a whole, please use:

McGregor, S. (2021) Preventing Repeated Real World AI Failures by Cataloging Incidents: The AI Incident Database. In Proceedings of the Thirty-Third Annual Conference on Innovative Applications of Artificial Intelligence (IAAI-21). Virtual Conference.

We use weekly snapshots of the AIID for stable reference. For the official suggested citation of a specific incident, use the “Cite this incident” link on each incident page.