
The new malware family LameHug uses a large language model (LLM) to generate the commands it executes on compromised Windows systems.
As reported by Bleeping Computer, LameHug is written in Python and uses the Hugging Face API to query the Qwen 2.5-Coder-32B-Instruct LLM, which generates commands from the prompts it is given. The report notes that routing this traffic through Hugging Face's infrastructure helps the communications blend in, allowing a breach to go undetected for longer.
This model, created by Alibaba Cloud, is open-source and specifically designed for code generation, reasoning, and executing programming-related instructions. It can turn natural language descriptions into executable code (in multiple languages) or shell commands.
LameHug was discovered on July 10 of this year, when employees of Ukrainian executive authorities received malicious emails sent from compromised accounts. The emails contained a ZIP archive with the LameHug loader, disguised as files named Attachment.pif, AI_generator_uncensored_Canvas_PRO_v0.9.exe, and image.py.
On infected systems, LameHug executed reconnaissance and data-theft commands that were generated dynamically through requests to the LLM.

The collected system information was saved to a text file (info.txt), and the malware recursively searched for documents in folders such as Documents, Desktop, and Downloads. It then transmitted the collected data to its operators via SFTP or HTTP POST requests.
The publication notes that LameHug is the first documented malware to use an LLM to carry out malicious tasks.
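The behaviour described above (a non-browser process talking to a hosted LLM API, then reading user document folders, then sending data out over HTTP POST or SFTP) gives defenders a three-part chain to correlate in endpoint and proxy telemetry. The following is an added detection sketch, not code from the article or from the malware; the event format, process names and LLM API hostnames are constructed for illustration.

```python
"""Correlate constructed endpoint telemetry to surface the LameHug-style chain:
LLM API contact + user-document access + outbound POST/SFTP from one process.
Added example; hostnames and log fields are assumptions, not from the article."""
from collections import defaultdict

# Hosted LLM endpoints a line-of-business process rarely needs (assumed list;
# extend it with whatever your own proxy logs actually show).
LLM_API_HOSTS = {"huggingface.co", "api-inference.huggingface.co"}
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}
USER_DOC_DIRS = ("\\Documents\\", "\\Desktop\\", "\\Downloads\\")

def is_llm_host(host):
    """Exact or subdomain match against the LLM API host list (case-insensitive)."""
    host = host.lower()
    return any(host == h or host.endswith("." + h) for h in LLM_API_HOSTS)

def score_processes(events):
    """events: dicts with host, proc, type ('net'|'file') and either
    dst/dport/method (net) or path (file). Returns {(host, proc): set(tags)}."""
    tags = defaultdict(set)
    for e in events:
        proc = e["proc"].lower()
        key = (e["host"], proc)
        if e["type"] == "net":
            if proc in BROWSERS:          # browsers talking to an LLM site are normal
                continue
            if is_llm_host(e["dst"]):
                tags[key].add("llm_api")
            elif e.get("method") == "POST" or e.get("dport") == 22:
                tags[key].add("exfil_channel")   # HTTP POST or SFTP to anything else
        elif e["type"] == "file" and any(d in e["path"] for d in USER_DOC_DIRS):
            tags[key].add("user_docs")
    return tags

def alerts(events):
    """(host, proc) pairs that completed the full chain."""
    needed = {"llm_api", "user_docs", "exfil_channel"}
    return sorted(k for k, t in score_processes(events).items() if needed <= t)

# Constructed sample telemetry: ws01 shows the full chain, the others do not.
SAMPLE = [
    {"host": "ws01", "proc": "Attachment.pif", "type": "net", "dst": "api-inference.huggingface.co", "dport": 443, "method": "POST"},
    {"host": "ws01", "proc": "Attachment.pif", "type": "file", "path": "C:\\Users\\alice\\Documents\\budget.xlsx"},
    {"host": "ws01", "proc": "Attachment.pif", "type": "net", "dst": "203.0.113.10", "dport": 22},
    {"host": "ws02", "proc": "chrome.exe", "type": "net", "dst": "huggingface.co", "dport": 443, "method": "GET"},
    {"host": "ws02", "proc": "WINWORD.EXE", "type": "file", "path": "C:\\Users\\bob\\Desktop\\notes.docx"},
    {"host": "ws03", "proc": "python.exe", "type": "net", "dst": "huggingface.co", "dport": 443, "method": "POST"},
    {"host": "ws03", "proc": "python.exe", "type": "net", "dst": "198.51.100.7", "dport": 443, "method": "POST"},
]

if __name__ == "__main__":
    print(alerts(SAMPLE))  # only ws01 / attachment.pif completes all three stages
```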
