Malware LameHug Utilizes LLM to Generate Commands on Infected Machines

📟 News

Date: 21/07/2025

The new malware family LameHug uses a large language model (LLM) to generate the commands it executes on compromised Windows systems.

As reported by Bleeping Computer, LameHug is written in Python and uses the Hugging Face API to query the Qwen2.5-Coder-32B-Instruct LLM, which produces commands from the prompts the malware sends. The report notes that routing this traffic through Hugging Face's infrastructure helps it blend in with legitimate API use, so the command channel attracts less attention and the breach can remain undetected for longer.

This model, developed by Alibaba Cloud, is open-source and designed specifically for code generation, reasoning, and following programming-related instructions. It can turn natural-language descriptions into executable code in several languages, or into shell commands.

LameHug was discovered on July 10 of this year, when employees of Ukrainian executive authorities received malicious emails sent from compromised accounts. The emails carried a ZIP archive containing the LameHug loader, disguised under file names such as Attachment.pif, AI_generator_uncensored_Canvas_PRO_v0.9.exe, and image.py.

On infected systems, LameHug ran reconnaissance and data-theft commands that were generated dynamically through requests to the LLM rather than hard-coded in the sample.

The collected system information was written to a text file (info.txt), and the malware recursively searched for documents in folders such as Documents, Desktop, and Downloads. The gathered data was then sent to the operators over SFTP or via HTTP POST requests.
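As an added example (not code from the article, and not part of the LameHug sample), the following Python script sketches how a SOC could hunt for the behaviour described above by correlating endpoint events per process: a connection to the Hugging Face inference API from a process that is not a browser, creation of info.txt, a loader file name taken from the report, and an outbound SFTP connection. The JSON event format, the api-inference.huggingface.co host name, the browser allow-list, and the sample events are assumptions constructed for this demo; only the loader names and the info.txt artifact come from the report.

```python
"""Per-process correlation of LameHug-style signals over constructed Sysmon-like events."""
import json
from collections import defaultdict

# Indicators taken from the report: loader file names and the recon output file.
LOADER_NAMES = {
    "attachment.pif",
    "ai_generator_uncensored_canvas_pro_v0.9.exe",
    "image.py",
}
RECON_ARTIFACT = "info.txt"

# Assumptions (not stated in the article): the Hugging Face inference host name,
# the processes that may legitimately talk to it, and the SFTP port used for exfil.
LLM_API_HOSTS = {"api-inference.huggingface.co", "huggingface.co"}
ALLOWED_API_CLIENTS = {"chrome.exe", "msedge.exe", "firefox.exe"}
SFTP_PORT = 22

# Constructed sample telemetry, one JSON event per line. pid 4120 is the
# suspicious process; chrome.exe and powershell.exe are benign noise.
SAMPLE_EVENTS = r"""
{"host":"WS-17","pid":2210,"image":"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe","event":"network_connect","dest_host":"huggingface.co","dest_port":443}
{"host":"WS-17","pid":4120,"image":"C:\\Users\\alice\\Downloads\\Attachment.pif","event":"network_connect","dest_host":"api-inference.huggingface.co","dest_port":443}
{"host":"WS-17","pid":4120,"image":"C:\\Users\\alice\\Downloads\\Attachment.pif","event":"file_create","target":"C:\\Users\\alice\\AppData\\Local\\Temp\\info.txt"}
{"host":"WS-17","pid":4120,"image":"C:\\Users\\alice\\Downloads\\Attachment.pif","event":"network_connect","dest_host":"203.0.113.10","dest_port":22}
{"host":"WS-17","pid":880,"image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","event":"file_create","target":"C:\\Users\\alice\\Desktop\\info.txt"}
""".strip().splitlines()


def image_name(path: str) -> str:
    """Lower-cased basename of a path, tolerant of either slash style."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def analyze(lines):
    """Correlate signals per (host, pid) and return findings with at least two signals.

    Each line is one JSON event with host, pid, image and event fields;
    network_connect events carry dest_host/dest_port, file_create events carry target.
    """
    signals = defaultdict(set)
    images = {}
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        ev = json.loads(raw)
        key = (ev["host"], int(ev["pid"]))
        img = image_name(ev.get("image", ""))
        images[key] = img
        if img in LOADER_NAMES:
            signals[key].add("loader_name")
        if ev["event"] == "network_connect":
            dest = str(ev.get("dest_host", "")).lower()
            port = int(ev.get("dest_port", 0))
            if dest in LLM_API_HOSTS and img not in ALLOWED_API_CLIENTS:
                signals[key].add("llm_api_from_non_browser")
            elif port == SFTP_PORT:
                signals[key].add("sftp_outbound")
        elif ev["event"] == "file_create":
            if image_name(ev.get("target", "")) == RECON_ARTIFACT:
                signals[key].add("recon_file")

    findings = []
    for key, sigs in signals.items():
        if len(sigs) < 2:
            continue  # a single weak signal (info.txt, one SSH connection) is too noisy alone
        findings.append({
            "host": key[0],
            "pid": key[1],
            "image": images[key],
            "signals": sorted(sigs),
            "severity": "high" if len(sigs) >= 3 else "medium",
        })
    return sorted(findings, key=lambda f: (f["host"], f["pid"]))


def main():
    for f in analyze(SAMPLE_EVENTS):
        print(f"{f['severity'].upper():6} {f['host']} pid={f['pid']} {f['image']}: "
              + ", ".join(f["signals"]))


if __name__ == "__main__":
    main()
```

The two-signal threshold is deliberate: an info.txt on a desktop or a lone SSH session is routine, and a developer's python.exe calling Hugging Face would not fire alone either, but a non-browser process that both talks to the inference API and writes the recon artifact is worth a ticket. Run stand-alone, the script reports only pid 4120 as a high-severity finding.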

The publication notes that LameHug is the first documented malware that uses an LLM to carry out malicious tasks.
