S9035: LAMEHUG
LAMEHUG is a Python-based information stealer first identified in July 2025 by Ukraine's Computer Emergency Response Team (CERT-UA) in phishing emails targeting Ukrainian government officials. LAMEHUG is the first known malware to integrate artificial intelligence (AI) directly into its attack workflow by querying large language models (LLMs) hosted on Hugging Face to dynamically generate reconnaissance, data theft, and system manipulation commands in real time. LAMEHUG has been attributed to APT28. [1][2][3]
Analyst context for executives and security teams
LAMEHUG matters because it represents an information-stealing malware pattern where command generation is tied to large language models rather than only static attacker-written logic. In practical terms, defenders should expect reconnaissance, collection, and system manipulation activity to vary more than with fixed scripts. The ATT&CK record identifies it as Windows malware, first reported in phishing emails targeting Ukrainian government officials, with relationships to discovery, collection, command execution, web-based command-and-control, staging, archiving, encoding, and exfiltration behaviors.
Executive priority
Treat LAMEHUG as a planning case for resilience against adaptive malware and phishing-led intrusion, not just as a single malware name. Leaders should ask whether the organization can prove visibility across Windows endpoint execution, Python activity, command shell use, WMI, domain discovery, local data staging, archive creation, and outbound web service traffic. The decision that matters for leadership is whether SOC and incident response teams can reconstruct data-access and exfiltration paths when the malware changes its commands from run to run. Because ATT&CK provides no official detection text for this object, coverage should be evidenced through behavior-based controls and telemetry rather than signature-only assurances.
Technical view
For SOC, detection engineering, and IR teams, the relationship set points to a Windows-focused behavior chain: user execution of a malicious file, Python and Windows command shell execution, WMI abuse, extensive host/domain discovery, local file and directory enumeration, automated collection, local staging, archive creation, encoded C2/exfiltration over web protocols, and bidirectional communication through legitimate external web services. Validate correlations across process creation, command-line arguments, parent-child process relationships, WMI events, file/archive activity, domain enumeration commands, and outbound HTTP/S connections. Give special attention to unusual Python execution on endpoints where Python is not expected, command shells spawned from user-opened files, and discovery commands followed by staging or outbound web traffic.
Likely telemetry
- Windows endpoint process creation and command-line telemetry
- Python interpreter or packaged Python executable execution evidence
- Windows Command Shell activity
- WMI execution and management events
- File and directory enumeration activity
Detection direction
- Build behavior chains rather than relying on the LAMEHUG name, since the official ATT&CK object provides no detection guidance.
- Prioritize detections that join user-executed files with Python, cmd.exe, or WMI activity, followed by discovery commands and outbound web traffic.
- Tune for legitimate administration: WMI, domain discovery, service discovery, and command shell use can be normal for IT operations, so baselines by role, host group, and administrative toolset are important.
- Validate whether web service and HTTP/S monitoring can distinguish expected business traffic from suspicious bidirectional command/output patterns without assuming all external web services are malicious.
- Look for collection progression: file discovery or local system data access followed by local staging, archive creation, encoding, and exfiltration over the same or related communications channel.
Mitigation priorities
- Strengthen phishing resistance and malicious file handling controls, because the object description identifies phishing emails and malicious-file execution as relevant context.
- Restrict and monitor unnecessary Python execution on Windows endpoints, especially where Python is not part of the approved software baseline.
- Apply least privilege and administrative segmentation to reduce the value of domain account, group, and trust discovery.
- Harden and monitor WMI and command shell usage, focusing on unauthorized execution paths and unusual parent processes.
- Ensure sensitive data locations are access-controlled and monitored so local collection and staging are harder to perform unnoticed.
Analyst notes and limits
The ATT&CK object attributes LAMEHUG to APT28 and describes it as Python-based information stealer malware that queries LLMs hosted on Hugging Face to dynamically generate commands. The relationship context gives the most useful defensive map: discovery, execution, collection, staging, archiving, C2, encoding, and exfiltration. For Glexia-style prioritization, the key question is whether the organization has evidence continuity from initial user execution through data access and outbound communications.
Official detection content is not provided. The malware platform is listed as Windows; some related ATT&CK techniques list additional platforms, but those should not be interpreted as confirmed LAMEHUG platforms without local or additional source evidence. The supplied fields do not provide indicators, hashes, command examples, infrastructure, impact details, or confirmed exposure for any specific organization.
LAMEHUG
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1041 | Exfiltration Over C2 Channel | LAMEHUG can exfiltrate collected system information and documents to C2. [1][2] |
| Enterprise | T1047 | Windows Management Instrumentation | LAMEHUG can use wmic to collect system information. [1] |
| Enterprise | T1082 | System Information Discovery | LAMEHUG has the ability to execute Windows commands returned from C2 to gather system information. [1][2] |
| Enterprise | T1071.001 | Web Protocols | LAMEHUG can use HTTP POST requests to exfiltrate data from compromised hosts to C2. [1] |
| Enterprise | T1033 | System Owner/User Discovery | LAMEHUG can use `whoami` to enumerate the system user. [1] |
| Enterprise | T1132 | Data Encoding | LAMEHUG can encode queries sent to LLMs. [1] |
| Enterprise | T1036.005 | Match Legitimate Resource Name or Location | LAMEHUG payloads have been disguised with legitimate-looking filenames including AI_generator_uncensored_Canvas_PRO_v0.9.exe and AI_image_generator_v0.95.exe. [1][2] |
| Enterprise | T1087.002 | Domain Account | |
| Enterprise | T1482 | Domain Trust Discovery | LAMEHUG can gather Active Directory domain information. [2] |
| Enterprise | T1005 | Data from Local System | LAMEHUG has the ability to collect system information and files of interest from compromised systems. [1][2] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | LAMEHUG can decode and drop a decoy file attached to spearphishing emails. [1] |
| Enterprise | T1573.002 | Asymmetric Cryptography | LAMEHUG can use SSH to transfer information to C2. [1] |
| Enterprise | T1069.002 | Domain Groups | |
| Enterprise | T1016 | System Network Configuration Discovery | LAMEHUG can enumerate network information on compromised hosts. [2] |
| Enterprise | T1057 | Process Discovery | LAMEHUG can gather process information on targeted systems. [2][3] |
| Enterprise | T1204.002 | Malicious File | LAMEHUG has been executed through victim interaction with malicious email attachments made to look like legitimate AI applications or documents. [1] |
| Enterprise | T1059.003 | Windows Command Shell | LAMEHUG can use `cmd.exe` to display a decoy file to spearphishing victims. [1] |
| Enterprise | T1119 | Automated Collection | LAMEHUG can recursively copy files from targeted directories on victim hosts. [1][2] |
| Enterprise | T1566.001 | Spearphishing Attachment | LAMEHUG has been distributed through spearphishing emails with various AI-themed malicious attachments. [1] |
| Enterprise | T1074.001 | Local Data Staging | LAMEHUG can save collected data and files of interest in `C:\ProgramData\info\` to consolidate for exfiltration. [1][2] |
| Enterprise | T1007 | System Service Discovery | LAMEHUG can gather service information on targeted systems. [2][3] |
| Enterprise | T1102.002 | Bidirectional Communication | LAMEHUG has used the Hugging Face API to query the Qwen2.5-Coder-32B-Instruct LLM to generate one-line Windows commands for the collection of system information and documents in specific folders on compromised hosts. LAMEHUG subsequently executed the returned commands and exfiltrated the collected files and information to adversary-controlled C2 servers. [1][2] |
| Enterprise | T1083 | File and Directory Discovery | LAMEHUG can target directories on victim machines for file collection. [1][2] |
| Enterprise | T1560.001 | Archive via Utility | LAMEHUG can use xcopy for file collection on targeted systems. [1] |
| Enterprise | T1059.006 | Python | LAMEHUG can use Python scripts for execution. [1][2] |
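The T1102.002 and T1132 rows above, together with the web-service caveat in the detection direction, in worked form. This is an added example, not code from the page or from any cited report: a triage pass over proxy logs that treats a call to an LLM inference API as suspicious only when it comes from a scripted client on a host with no approved use, and escalates when a bulk POST to a never-seen destination follows within a short window. The hostnames (`llm-api.example`, the 203.0.113.10 documentation address), the approved-host and baseline sets, and the log lines are constructed placeholders; take the real inference and C2 hosts from the cited reports and your own baseline.

```python
"""Proxy-log triage for web-service C2 of the prompt-to-command kind (added example).
A scripted client on an unapproved host querying an LLM inference API, followed within
minutes by a large POST to a never-seen destination, is escalated; browser traffic to the
same API and approved developer hosts are not.  Log lines and hostnames are constructed."""
import csv
from datetime import datetime, timedelta
from io import StringIO

LLM_API_HOSTS = {"llm-api.example"}            # assumption: fill from your inventory of inference endpoints
APPROVED_LLM_CLIENTS = {"dev-ws-07"}           # hosts with a documented business reason to call them
BASELINE_HOSTS = {"intranet.example", "office-cdn.example", "llm-api.example"}  # assumption: 30-day seen set
UPLOAD_WINDOW = timedelta(minutes=10)          # how soon after the query an upload must follow
UPLOAD_BYTES = 100_000                         # request body size that counts as "bulk"
RANK = {"low": 0, "medium": 1, "high": 2}


def parse_proxy_log(text):
    """Parse CSV proxy lines (ts,src,method,host,path,ua,bytes_out) into time-ordered dicts."""
    rows = list(csv.DictReader(StringIO(text)))
    for r in rows:
        r["ts"] = datetime.fromisoformat(r["ts"])
        r["bytes_out"] = int(r["bytes_out"])
    return sorted(rows, key=lambda r: r["ts"])


def find_llm_c2(text):
    """Return {src_host: finding}, keeping the highest-severity finding per source host."""
    rows = parse_proxy_log(text)
    findings = {}
    for i, r in enumerate(rows):
        if r["host"] not in LLM_API_HOSTS or r["src"] in APPROVED_LLM_CLIENTS:
            continue
        scripted = not r["ua"].lower().startswith("mozilla/")   # browsers announce Mozilla/; scripts rarely do
        f = {"src": r["src"], "query_ts": r["ts"].isoformat(), "ua": r["ua"],
             "severity": "medium" if scripted else "low", "upload": None}
        for n in rows[i + 1:]:           # look for the "output" half: a bulk POST to an unknown host
            if n["src"] != r["src"]:
                continue
            if n["ts"] - r["ts"] > UPLOAD_WINDOW:
                break
            if n["method"] == "POST" and n["bytes_out"] >= UPLOAD_BYTES and n["host"] not in BASELINE_HOSTS:
                f["severity"], f["upload"] = "high", f'{n["host"]} ({n["bytes_out"]} bytes)'
                break
        cur = findings.get(r["src"])
        if cur is None or RANK[f["severity"]] > RANK[cur["severity"]]:
            findings[r["src"]] = f
    return findings


SAMPLE_LOG = """ts,src,method,host,path,ua,bytes_out
2025-07-15T09:00:01,dev-ws-07,POST,llm-api.example,/v1/chat,python-requests/2.32,900
2025-07-15T09:05:10,ws-12,POST,llm-api.example,/v1/chat,python-requests/2.32,1200
2025-07-15T09:05:40,ws-12,GET,intranet.example,/home,Mozilla/5.0 (Windows NT 10.0),300
2025-07-15T09:06:05,ws-12,POST,llm-api.example,/v1/chat,python-requests/2.32,1400
2025-07-15T09:09:30,ws-12,POST,203.0.113.10,/upload,python-requests/2.32,480000
2025-07-15T09:30:00,ws-31,GET,llm-api.example,/models,Mozilla/5.0 (Windows NT 10.0),0
2025-07-15T10:00:00,ws-31,POST,office-cdn.example,/sync,Mozilla/5.0 (Windows NT 10.0),900000
"""

if __name__ == "__main__":
    for src, finding in find_llm_c2(SAMPLE_LOG).items():
        print(src, finding["severity"], finding["upload"])
```

The approved developer workstation is never reported, the browser visit from `ws-31` is recorded at low severity for analyst context, and `ws-12` is escalated because its scripted query is followed within ten minutes by a 480 KB POST to an address outside the baseline. The baseline and approved-client sets are what keep this usable in an environment where LLM APIs are legitimate business traffic; without them the rule degrades to "alert on every AI API call".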
Groups, software, and campaigns
G0007: APT28
APT28 is a threat group that has been attributed to Russia's General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS) military unit 26165.[1][2] This group has been active since at least 2004.[3][4][5][6][7][8][9][10][11][12][13]
APT28 reportedly compromised the Hillary Clinton campaign, the Democratic National Committee, and the Democratic Congressional Campaign Committee in 2016 in an attempt to interfere with the U.S. presidential election.[5] In 2018, the US indicted five GRU Unit 26165 officers associated with APT28 for cyber operations (including close-access operations) conducted between 2014 and 2018 against the World Anti-Doping Agency (WADA), the US Anti-Doping Agency, a US nuclear facility, the Organization for the Prohibition of Chemical Weapons (OPCW), the Spiez Swiss Chemicals Laboratory, and other organizations.[14] Some of these were conducted with the assistance of GRU Unit 74455, which is also referred to as Sandworm Team.
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the Updates page under ATT&CK resources.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 7baef16d5aea… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Splunk LAMEHUG SEP 2025: Conteras, T., Splunk Research Team. (2025, September 25). From Prompt to Payload: LAMEHUG's LLM-Driven Cyber Intrusion. Retrieved April 21, 2026.
[2] Nov AI Threat Tracker: Google Threat Intelligence Group. (2025, November 5). GTIG AI Threat Tracker: Advances in Threat Actor Usage of AI Tools. Retrieved March 31, 2026.
[3] Cato LAMEHUG JUL 2025: Simonovich, V. (2025, July 23). Cato CTRL™ Threat Research: Analyzing LAMEHUG – First Known LLM-Powered Malware with Links to APT28 (Fancy Bear). Retrieved April 21, 2026.
[4] PROMPTSTEAL (Citation: Nov AI Threat Tracker).
[5] mitre-attack S9035.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.