Search This Blog
Powered by Blogger.

Blog Archive

Labels

About Me

Load More
Trendy Right Now

Popular Posts

Showing posts with label Russian APT28. Show all posts
Russian APT28
Data Theft LameHug LLM malware Russian APT28

LameHug Malware Crafts Real-Time Windows Data-Theft Commands Using AI LLM

 

LameHug, a novel malware family, generates commands for execution on compromised Windows systems using a large language model (LLM). 

Russia-backed threat group APT28 (also known as Sednit, Sofacy, Pawn Storm, Fancy Bear, STRONTIUM, Tsar Team, and Forest Blizzard) was attributed for the assaults after LameHug was identified by Ukraine's national cyber incident response team (CERT-UA). Written in Python, the malware communicates with the Qwen 2.5-Coder-32B-Instruct LLM via the Hugging Face API, which allows it to generate commands in response to prompts. 

Alibaba Cloud developed the LLM, which is open-source and designed to produce code, reason, and follow coding-focused instructions. It can translate natural language descriptions into executable code (in several languages) or shell commands. CERT-UA discovered LameHug after receiving reports on July 10 of malicious emails received from hacked accounts impersonating ministry officials and attempting to disseminate malware to executive government organisations.

The emails include a ZIP attachment that contains a LameHub loader. CERT-UA identified at least three variants: 'Attachment.pif,' 'AI_generator_uncensored_Canvas_PRO_v0.9.exe,' and 'image.py.’ 

With a medium degree of confidence, the Ukrainian agency links this action to the Russian threat group APT28. In the reported attacks, LameHug was tasked with carrying out system reconnaissance and data theft directives generated dynamically by the LLM. LameHug used these AI-generated instructions to gather system information and save it to a text file (info.txt), recursively search for documents in critical Windows directories (Documents, Desktop, Downloads), then exfiltrate the data over SFTP or HTTP POST. 

LameHug is the first publicly known malware that uses LLM to carry out the attacker's duties. From a technical standpoint, this could signal a new attack paradigm in which threat actors can modify their techniques throughout a compromise without requiring new payloads. 

Furthermore, employing Hugging Face infrastructure for command and control may help to make communication more stealthy, allowing the intrusion to remain undetected for a longer period of time. The malware can also avoid detection by security software or static analysis tools that search for hardcoded commands by employing dynamically generated commands. CERT-UA did not specify if LameHug's execution of the LLM-generated commands was successful.
Read more »
trending cybersecurity news
cyber attack Cyber Attacks cybersecurity news Russian APT28 trending cybersecurity news

Russian APT28 Targets Ukraine Using Signal to Deliver New Malware Families

 

The Russian state-sponsored threat group APT28, also known as UAC-0001, has been linked to a fresh wave of cyberattacks against Ukrainian government targets, using Signal messenger chats to distribute two previously undocumented malware strains—BeardShell and SlimAgent. 

While the Signal platform itself remains uncompromised, its rising adoption among government personnel has made it a popular delivery vector for phishing attacks. Ukraine’s Computer Emergency Response Team (CERT-UA) initially discovered these attacks in March 2024, though critical infection vector details only surfaced after ESET notified the agency in May 2025 of unauthorised access to a “gov.ua” email account. 

Investigations revealed that APT28 used Signal to send a macro-laced Microsoft Word document titled "Акт.doc." Once opened, it initiates a macro that drops two payloads—a malicious DLL file (“ctec.dll”) and a disguised PNG file (“windows.png”)—while modifying the Windows Registry to enable persistence via COM-hijacking. 

These payloads execute a memory-resident malware framework named Covenant, which subsequently deploys BeardShell. BeardShell, written in C++, is capable of downloading and executing encrypted PowerShell scripts, with execution results exfiltrated via the Icedrive API. The malware maintains stealth by encrypting communications using the ChaCha20-Poly1305 algorithm. 

Alongside BeardShell, CERT-UA identified another tool dubbed SlimAgent. This lightweight screenshot grabber captures images using multiple Windows API calls, then encrypts them with a combination of AES and RSA before local storage. These are presumed to be extracted later by an auxiliary tool. 

APT28’s involvement was further corroborated through their exploitation of vulnerabilities in Roundcube and other webmail software, using phishing emails mimicking Ukrainian news publications to exploit flaws like CVE-2020-35730, CVE-2021-44026, and CVE-2020-12641. These emails injected malicious JavaScript files—q.js, e.js, and c.js—to hijack inboxes, redirect emails, and extract credentials from over 40 Ukrainian entities. CERT-UA recommends organisations monitor traffic linked to suspicious domains such as “app.koofr.net” and “api.icedrive.net” to detect any signs of compromise.
Read more »
Subscribe to: Posts (Atom)