A sophisticated new threat has emerged in the cybersecurity landscape that represents a significant evolution in malware development.<\/p>\n
The LAMEHUG malware family, first identified by CERT-UA in July 2025, marks a concerning advancement in cyber attack methodology by integrating artificial intelligence directly into its operational framework.<\/p>\n
Unlike traditional malware that relies on static, pre-programmed instructions, LAMEHUG leverages large language models hosted on Hugging Face to dynamically generate commands for reconnaissance, data theft, and system manipulation in real-time.<\/p>\n
This innovative approach transforms how malicious software operates by enabling attacks that can adapt their behavior based on the specific environment they encounter.<\/p>\n
The malware<\/a> targets Windows environments through carefully crafted spear-phishing campaigns, disguising itself as legitimate applications such as AI image generators or canvas tools.<\/p>\n Once deployed, LAMEHUG systematically harvests sensitive information including credentials, system configurations, and documents while continuously evolving its attack patterns to evade detection mechanisms.<\/p>\n Splunk analysts identified<\/a> that LAMEHUG\u2019s deployment strategy involves sophisticated social engineering techniques, presenting itself through filenames like \u201cAI_generator_uncensored_Canvas_PRO_v0.9.exe\u201d and \u201cAI_image_generator_v0.95.exe\u201d to capitalize on current interest in AI-powered applications.<\/p>\n The malware\u2019s ability to generate contextually appropriate commands through LLM queries makes it particularly dangerous, as it can adapt to different system configurations and security measures<\/a> without requiring updates from its operators.<\/p>\n The most distinctive feature of LAMEHUG lies in its unprecedented use of large language models to generate malicious commands dynamically.<\/p>\n The malware connects to the Qwen 2.5-Coder-32B-Instruct model through HuggingFace\u2019s API infrastructure, essentially weaponizing legitimate AI services for malicious purposes.<\/p>\n This integration occurs through the LLM_QUERY_EX() function, which constructs specific prompts designed to elicit Windows administrative commands from the AI model.<\/p>\n The malware operates by sending carefully crafted prompts that instruct the LLM to act as a \u201cWindows systems administrator\u201d and generate commands for specific malicious objectives.<\/p>\n For system reconnaissance, LAMEHUG prompts the AI to create commands that establish the directory \u201cC:ProgramDatainfo\u201d and gather comprehensive system information including hardware specifications, running processes, network configurations, and Active Directory domain details, all consolidated into a single text file.<\/p>\n For data collection, the malware issues subsequent prompts requesting commands to recursively copy office documents, PDFs, and text files from user directories including Documents, Downloads, and Desktop folders to the centralized collection point.<\/p>\n The AI-generated responses utilize Windows utilities such as systeminfo, wmic, whoami, and dsquery for reconnaissance<\/a>, while xcopy.exe facilitates document harvesting across multiple folder paths.<\/p>\n This dynamic approach ensures that the malware can adapt to different Windows environments and execute contextually appropriate commands based on the AI model\u2019s understanding of system administration tasks.<\/p>\n The collected information is subsequently exfiltrated through multiple channels, including SSH connections to remote servers using hardcoded credentials, or through HTTPS POST requests to command-and-control infrastructure.<\/p>\n Some variants encode their LLM prompts in Base64 format and utilize different exfiltration endpoints, demonstrating the malware\u2019s operational flexibility and the operators\u2019 understanding of evasion techniques.<\/p>\n Follow us on\u00a0Google News<\/a>,\u00a0LinkedIn<\/a>,\u00a0and\u00a0X<\/a>\u00a0to Get More Instant Updates<\/strong>,\u00a0Set CSN as a Preferred Source in\u00a0Google<\/a>.<\/strong><\/p>\n The post LLM-Based LAMEHUG Malware Dynamically Generate Commands for Reconnaissance and Data Theft<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\n![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjzgrBFCycfu8-Ug2KCJSZoISvGle6ztY6BAj5w6oUKJE-rNybOsvoHn26aAtiecT0w40TUyKNfNSlqjUFDUJMwbhCQHZadlWEzexdDojGgV5T_L3uqYKUCHJz9KLMeiWKJ1EA2BzzDHFTSuZ812iwDZMFsmDSElM1q_H53xMaMmj56alml2jPO-0RGFnI\/s16000\/LAMEHUG%2520Main%28%29%2520and%2520LLM_QUERY_EX%2520Thread%2520%28Source%2520-%2520Splunk%29.webp?ssl=1\")
![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEi_HD4cQ1flphikxHTTepUQITlM3oE_aQercIKXK_bya72ziSHKROIIyscHc0xVTQBrV-iX2sq8dzpvvxzuSzKxi1PF_VOa1mPEK5-gOtRia61bJI2IbUvYr-IjbLqQq8jSsujoSst1Apwmi1cWblnO6pYUc-wfWsRDgl0zeQCSZD2GbhHhBXfyzIWvoHc\/s16000\/The%2520LLM%2520Query%2520Setup%2520of%2520LAMEHUG%2520%28Source%2520-%2520Splunk%29.webp?ssl=1\")
Dynamic Command Generation Through LLM Integration<\/strong><\/h2>\n
def LLM_QUERY_EX():\n prompt = {\n 'messages': [\n {\n 'role': 'Windows systems administrator',\n 'content': 'Make a list of commands to create folder C:\\Programdata\\info and to gather computer information,\n hardware information, process and services information, networks information, AD domain information, to execute in\n one line and add each result to text file c:\\Programdata\\info\\info.txt. Return only commands, without markdown'}],\n 'temperature': 0.1,\n 'top_p': 0.1,\n 'model': 'Qwen\/Qwen2.5-Coder-32B-Instruct' }<\/code><\/pre>\n![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhJA1Fzl1staIgSVrlSp4BxqHiUlnQO_PTvASX7gxDq6E7SQjEzRqbFcZQGTAKq2cWR0rxNaNX8L8VaPcYpAHaPujRvWtSm3ulMFGQglJXaDvplTYyvkZA0FOLyWOjHUXHLaHw-WKwIkSV4wdKSZxsj-3j5ZXe4khMP1TJbynoH6JWlXUC03kEulWb0A6Q\/s16000\/LAMEHUG%2520System%2520Information%2520Discovery%2520and%2520File%2520Collection%2520%28Source%2520-%2520Splunk%29.webp?ssl=1\")
![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjanWz88Y_tcfbFgu_b88fWFZF3-N8wT75Ol2sMr-RKPdP-EupQfAo2vC-3hCF641q9MHp8Zya0GmiPBr8RV9myAdTUdRMJvaL0XXtCOVMvDpOawmiMKPug5lOEWDQS7072Sggijvsq3rCVnsb8z1mrj7zuiFgOEXW-PwRVfFRreCwYdMTYh-vHVe8_TEE\/s16000\/LAMEHUG%2520SSH%2520C2%2520Server%2520%28Source%2520-%2520Splunk%29.webp?ssl=1\")