{
  "description": "Enterprise techniques used by LAMEHUG, ATT&CK software S9035 (v1.0)",
  "name": "LAMEHUG (S9035)",
  "domain": "enterprise-attack",
  "versions": {"layer": "4.5", "attack": "19", "navigator": "5.3.2"},
  "techniques": [
    {"techniqueID": "T1087", "showSubtechniques": true},
    {"techniqueID": "T1087.002", "comment": "[LAMEHUG](https://attack.mitre.org/software/S9035) can use [dsquery](https://attack.mitre.org/software/S0105) to enumerate domain user information.(Citation: Cato LAMEHUG JUL 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1071", "showSubtechniques": true},
    {"techniqueID": "T1071.001", "comment": "[LAMEHUG](https://attack.mitre.org/software/S9035) can use HTTP POST requests to exfiltrate data from compromised hosts to C2.(Citation: Splunk LAMEHUG SEP 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1560", "showSubtechniques": true},
    {"techniqueID": "T1560.001", "comment": "[LAMEHUG](https://attack.mitre.org/software/S9035) can use xcopy for file collection on targeted systems.(Citation: Splunk LAMEHUG SEP 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1119", "comment": "[LAMEHUG](https://attack.mitre.org/software/S9035) can recursively copy files from targeted directories on victim hosts.(Citation: Splunk LAMEHUG SEP 2025)(Citation: Nov AI Threat Tracker)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1059", "showSubtechniques": true},
    {"techniqueID": "T1059.003", "comment": "[LAMEHUG](https://attack.mitre.org/software/S9035) can use `cmd.exe` to display a decoy file to spearphishing victims.(Citation: Splunk LAMEHUG SEP 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1059.006", "comment": "[LAMEHUG](https://attack.mitre.org/software/S9035) can use Python scripts for execution.(Citation: Splunk LAMEHUG SEP 2025)(Citation: Nov AI Threat Tracker)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1132", "comment": "[LAMEHUG](https://attack.mitre.org/software/S9035) can encode queries sent to LLMs.(Citation: Splunk LAMEHUG SEP 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1005", "comment": "[LAMEHUG](https://attack.mitre.org/software/S9035) has the ability to collect system information and files of interest from compromised systems.(Citation: Splunk LAMEHUG SEP 2025)(Citation: Nov AI Threat Tracker)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1074", "showSubtechniques": true},
    {"techniqueID": "T1074.001", "comment": "[LAMEHUG](https://attack.mitre.org/software/S9035) can save collected data and files of interest in `C:\\ProgramData\\info\\` to consolidate for exfiltration.(Citation: Splunk LAMEHUG SEP 2025)(Citation: Nov AI Threat Tracker)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1140", "comment": "[LAMEHUG](https://attack.mitre.org/software/S9035) can decode and drop a decoy file attached to spearphishing emails.(Citation: Splunk LAMEHUG SEP 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1482", "comment": "[LAMEHUG](https://attack.mitre.org/software/S9035) can gather Active Directory domain information.(Citation: Nov AI Threat Tracker)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1573", "showSubtechniques": true},
    {"techniqueID": "T1573.002", "comment": "[LAMEHUG](https://attack.mitre.org/software/S9035) can use SSH to transfer information to C2.(Citation: Splunk LAMEHUG SEP 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1041", "comment": "[LAMEHUG](https://attack.mitre.org/software/S9035) can exfiltrate collected system information and documents to C2.(Citation: Splunk LAMEHUG SEP 2025)(Citation: Nov AI Threat Tracker)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1083", "comment": "[LAMEHUG](https://attack.mitre.org/software/S9035) can target directories on victim machines for file collection.(Citation: Splunk LAMEHUG SEP 2025)(Citation: Nov AI Threat Tracker)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1036", "showSubtechniques": true},
    {"techniqueID": "T1036.005", "comment": "[LAMEHUG](https://attack.mitre.org/software/S9035) payloads have been disguised with legitimate-looking filenames including AI_generator_uncensored_Canvas_PRO_v0.9.exe and AI_image_generator_v0.95.exe.(Citation: Splunk LAMEHUG SEP 2025)(Citation: Nov AI Threat Tracker)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1069", "showSubtechniques": true},
    {"techniqueID": "T1069.002", "comment": "[LAMEHUG](https://attack.mitre.org/software/S9035) can use [dsquery](https://attack.mitre.org/software/S0105) to gather domain group information.(Citation: Cato LAMEHUG JUL 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1566", "showSubtechniques": true},
    {"techniqueID": "T1566.001", "comment": "[LAMEHUG](https://attack.mitre.org/software/S9035) has been distributed through spearphishing emails with various AI-themed malicious attachments.(Citation: Splunk LAMEHUG SEP 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1057", "comment": "[LAMEHUG](https://attack.mitre.org/software/S9035) can gather process information on targeted systems.(Citation: Nov AI Threat Tracker)(Citation: Cato LAMEHUG JUL 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1082", "comment": "[LAMEHUG](https://attack.mitre.org/software/S9035) has the ability to execute Windows commands returned from C2 to gather system information.(Citation: Splunk LAMEHUG SEP 2025)(Citation: Nov AI Threat Tracker)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1016", "comment": "[LAMEHUG](https://attack.mitre.org/software/S9035) can enumerate network information on compromised hosts.(Citation: Nov AI Threat Tracker)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1033", "comment": "[LAMEHUG](https://attack.mitre.org/software/S9035) can use `whoami` to enumerate the system user.(Citation: Splunk LAMEHUG SEP 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1007", "comment": "[LAMEHUG](https://attack.mitre.org/software/S9035) can gather service information on targeted systems.(Citation: Nov AI Threat Tracker)(Citation: Cato LAMEHUG JUL 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1204", "showSubtechniques": true},
    {"techniqueID": "T1204.002", "comment": "[LAMEHUG](https://attack.mitre.org/software/S9035) has been executed through victim interaction with malicious email attachments made to look like legitimate AI applications or documents.(Citation: Splunk LAMEHUG SEP 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1102", "showSubtechniques": true},
    {"techniqueID": "T1102.002", "comment": "[LAMEHUG](https://attack.mitre.org/software/S9035) has used the Hugging Face API to query the Qwen2.5-Coder-32B-Instruct LLM to generate one-line Windows commands for the collection of system information and documents in specific folders on compromised hosts. [LAMEHUG](https://attack.mitre.org/software/S9035) subsequently executed the returned commands and exfiltrated the collected files and information to adversary-controlled C2 servers.(Citation: Nov AI Threat Tracker)(Citation: Splunk LAMEHUG SEP 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1047", "comment": "[LAMEHUG](https://attack.mitre.org/software/S9035) can use wmic to collect system information.(Citation: Splunk LAMEHUG SEP 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}
  ],
  "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1},
  "legendItems": [{"label": "used by LAMEHUG", "color": "#66b1ff"}]
}