LAMEHUG

LAMEHUG is a Python-based information stealer first identified in July 2025 by Ukraine's Computer Emergency Response Team (CERT-UA) in phishing emails targeting Ukrainian government officials. LAMEHUG is the first known malware to integrate artificial intelligence (AI) directly into its attack workflow: it queries large language models (LLMs) hosted on Hugging Face to generate reconnaissance, data theft, and system manipulation commands dynamically, in real time. LAMEHUG has been attributed to APT28.[1][2][3]

ID: S9035
Associated Software: PROMPTSTEAL
Type: MALWARE
Platforms: Windows
Version: 1.0
Created: 21 April 2026
Last Modified: 23 April 2026

Associated Software Descriptions

Name Description
PROMPTSTEAL [2]

Techniques Used

Domain ID Name Use
Enterprise T1087 .002 Account Discovery: Domain Account

LAMEHUG can use dsquery to enumerate domain user information.[3]

Enterprise T1071 .001 Application Layer Protocol: Web Protocols

LAMEHUG can use HTTP POST requests to exfiltrate data from compromised hosts to C2.[1]

Enterprise T1560 .001 Archive Collected Data: Archive via Utility

LAMEHUG can use xcopy for file collection on targeted systems.[1]

Enterprise T1119 Automated Collection

LAMEHUG can recursively copy files from targeted directories on victim hosts.[1][2]

Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

LAMEHUG can use cmd.exe to display a decoy file to spearphishing victims.[1]

Enterprise T1059 .006 Command and Scripting Interpreter: Python

LAMEHUG can use Python scripts for execution.[1][2]

Enterprise T1132 Data Encoding

LAMEHUG can encode queries sent to LLMs.[1]

Enterprise T1005 Data from Local System

LAMEHUG has the ability to collect system information and files of interest from compromised systems.[1][2]

Enterprise T1074 .001 Data Staged: Local Data Staging

LAMEHUG can save collected data and files of interest in C:\ProgramData\info\ to consolidate for exfiltration.[1][2]

Enterprise T1140 Deobfuscate/Decode Files or Information

LAMEHUG can decode and drop a decoy file attached to spearphishing emails.[1]

Enterprise T1482 Domain Trust Discovery

LAMEHUG can gather Active Directory domain information.[2]

Enterprise T1573 .002 Encrypted Channel: Asymmetric Cryptography

LAMEHUG can use SSH to transfer information to C2.[1]

Enterprise T1041 Exfiltration Over C2 Channel

LAMEHUG can exfiltrate collected system information and documents to C2.[1][2]

Enterprise T1083 File and Directory Discovery

LAMEHUG can target directories on victim machines for file collection.[1][2]

Enterprise T1036 .005 Masquerading: Match Legitimate Resource Name or Location

LAMEHUG payloads have been disguised with legitimate-looking filenames, including AI_generator_uncensored_Canvas_PRO_v0.9.exe and AI_image_generator_v0.95.exe.[1][2]

Enterprise T1069 .002 Permission Groups Discovery: Domain Groups

LAMEHUG can use dsquery to gather domain group information.[3]

Enterprise T1566 .001 Phishing: Spearphishing Attachment

LAMEHUG has been distributed through spearphishing emails with various AI-themed malicious attachments.[1]

Enterprise T1057 Process Discovery

LAMEHUG can gather process information on targeted systems.[2][3]

Enterprise T1082 System Information Discovery

LAMEHUG has the ability to execute Windows commands returned from C2 to gather system information.[1][2]

Enterprise T1016 System Network Configuration Discovery

LAMEHUG can enumerate network information on compromised hosts.[2]

Enterprise T1033 System Owner/User Discovery

LAMEHUG can use whoami to enumerate the system user.[1]

Enterprise T1007 System Service Discovery

LAMEHUG can gather service information on targeted systems.[2][3]

Enterprise T1204 .002 User Execution: Malicious File

LAMEHUG has been executed through victim interaction with malicious email attachments made to look like legitimate AI applications or documents.[1]

Enterprise T1102 .002 Web Service: Bidirectional Communication

LAMEHUG has used the Hugging Face API to query the Qwen2.5-Coder-32B-Instruct LLM to generate one-line Windows commands for collecting system information and documents from specific folders on compromised hosts. LAMEHUG then executed the returned commands and exfiltrated the collected files and information to adversary-controlled C2 servers.[1][2]

Enterprise T1047 Windows Management Instrumentation

LAMEHUG can use wmic to collect system information.[1]

Groups That Use This Software

ID Name References
G0007 APT28

APT28 has used LAMEHUG against targets in Ukraine.[2][3]

References