The new malware family LameHug utilizes LLM (Large Language Model) to generate commands that are executed on compromised systems running Windows.
As reported by Bleeping Computer, LameHug is written in Python and uses the Hugging Face API to interact with the Qwen 2.5-Coder-32B-Instruct LLM, which is capable of generating commands according to specified prompts. It is noted that using Hugging Face’s infrastructure can help ensure the stealth of communications, allowing the breach to remain undetected for a longer period.
This model, created by Alibaba Cloud, is open-source and specifically designed for code generation, reasoning, and executing programming-related instructions. It is capable of transforming natural language descriptions into executable code (in multiple languages) or shell commands.
LameHug was discovered on July 10 of this year when employees of Ukrainian executive authorities received malicious emails sent from compromised accounts. The emails contained a ZIP archive with the LameHug loader, which was masqueraded as files like Attachment.pif, AI_generator_uncensored_Canvas_PRO_v0.9.exe, and image.py.
In infected systems, LameHug was tasked with executing commands for reconnaissance and data theft, which were dynamically generated using requests to the LLM.
The collected system information was saved in a text file (info.txt), and the malware recursively searched for documents in folders such as Documents, Desktop, and Downloads. It then transmitted the collected data to its operators using SFTP or HTTP POST requests.
The publication notes that LameHug is the first documented malware using LLM to execute malicious tasks.
2025.02.18 — Chrome Enhanced Protection mode is now powered by AI
The Enhanced Protection mode in Google Chrome has been updated. Now it uses AI to protect users from dangerous sites, downloads, and extensions in real time.…
Full article →
2025.04.08 — Website of Everest ransomware group hacked and defaced
Last weekend, the darknet website of the Everest ransomware group was hacked and went offline. The attackers replaced its content with a sarcastic message: "Don't do crime…
Full article →
2025.03.10 — Nearly a million Windows computers impacted by a malvertising campaign
According to Microsoft, nearly 1 million Windows devices fell victim to a sophisticated malvertising campaign in recent months. Cybercriminals were able to steal credentials, cryptocurrency, and sensitive…
Full article →
2025.04.07 — Critical RCE vulnerability discovered in Apache Parquet
All versions of Apache Parquet up to and including 1.15.0 are affected by a critical remote code execution (RCE) vulnerability whose CVSS score is 10 out…
Full article →
2025.04.04 — Privilege escalation vulnerability in Google Cloud resulting in sensitive data leaks finally patched
Tenable Research revealed details of a recently patched privilege escalation vulnerability in Google Cloud Platform (GCP) Cloud Run enabling an attacker to gain access to container images…
Full article →
2025.02.09 — Abandoned AWS S3 buckets could be used in attacks targeting supply chains
watchTowr discovered plenty of abandoned Amazon S3 buckets that could be used by attackers to deliver malware and backdoors to government agencies and large corporations. The researchers discovered…
Full article →
2025.02.07 — 768 vulnerabilities were exploited by hackers in 2024
According to VulnCheck, 768 CVEs were registered as exploited in real-life attacks in 2024. This is 20% greater compared to 2023 when hackers exploited 639 vulnerabilities. Interestingly,…
Full article →
2025.01.27 — Zyxel firewalls reboot due to flawed update
Zyxel warned its customers that a recent signature update may cause critical errors in USG FLEX and ATP series firewalls. As a result, devices go into…
Full article →
2025.02.23 — New JavaScript obfuscation technique uses invisible Unicode characters
According to Juniper Threat Labs , a new JavaScript obfuscation technique that uses invisible Unicode characters was used in a phishing attack targeting Political Action…
Full article →
2025.02.17 — Dutch police seize 127 servers belonging to Zservers hosting provider
Following the introduction of international sanctions against Zservers, Russian 'bulletproof' hosting services provider, the Dutch National Police (Politie) shut down and seized 127 servers belonging to Zservers/XHost.…
Full article →