The National Cybersecurity Response Team of Ukraine (CERT-UA) has warned of an ongoing campaign targeting the national security and defense sector. The attacks, attributed with moderate confidence to the Russian-linked cyber espionage group UAC-0001 (aka APT28), leverage a sophisticated new tool named 'Lamehug', Python-based malware that uses large language model (LLM) capabilities.
According to CERT-UA, the attack was first reported on July 10, 2025, following the distribution of malicious emails to various government agencies. Disguised as official correspondence from a representative of a sectoral ministry, the emails carried a ZIP archive containing a .pif executable built with PyInstaller from Python source code, which CERT-UA identified as the Lamehug malware.
Lamehug is integrated with Qwen 2.5-Coder-32B-Instruct, a powerful LLM accessed via the HuggingFace API. The model is used to interpret static text instructions and generate executable commands for the infected system. This approach lets the malware turn a textual task description into concrete commands at runtime and carry out a broad range of malicious activities.
Upon execution, Lamehug performs the following actions:
- Collects and stores system information (hardware specs, processes, services, network connections) in %PROGRAMDATA%\info\info.txt
- Recursively searches for and copies Office documents (including .docx, .xlsx, .pdf, .txt) from the Documents, Downloads, and Desktop folders to %PROGRAMDATA%\info
- Exfiltrates the data using SFTP or HTTP POST requests, depending on the malware variant
CERT-UA discovered at least two alternate builds of the malware: "AI_generator_uncensored_Canvas_PRO_v0.9.exe" and "image.py". The two versions differ in several respects, most notably in how they exfiltrate stolen data.
The emails used in the campaign originated from a compromised email account. The command-and-control infrastructure is hosted on legitimate but compromised servers, CERT-UA noted.
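The behaviours CERT-UA lists above (a .pif process, a system-information drop in %PROGRAMDATA%\info\info.txt, document staging under the same folder, and outbound contact with the HuggingFace API) can be chained into a simple host-level detection. The following is an added example, not CERT-UA's or any vendor's code; the event schema, file paths and the huggingface.co hostname match are constructed assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed telemetry, not real EDR output: (host, event_type, process_image, detail).
# Paths and the huggingface.co hostname match are assumptions for the sake of the example.
SAMPLE_EVENTS = [
    ("ws01", "process_create", r"C:\Users\a\AppData\Local\Temp\zip\report.pif", "parent=explorer.exe"),
    ("ws01", "file_write", r"C:\Users\a\AppData\Local\Temp\zip\report.pif", r"C:\ProgramData\info\info.txt"),
    ("ws01", "file_write", r"C:\Users\a\AppData\Local\Temp\zip\report.pif", r"C:\ProgramData\info\budget.xlsx"),
    ("ws01", "net_connect", r"C:\Users\a\AppData\Local\Temp\zip\report.pif", "dst=huggingface.co:443"),
    # Benign-looking noise: a single behaviour on its own should not alert.
    ("ws02", "file_write", r"C:\Windows\System32\svchost.exe", r"C:\ProgramData\info\info.txt"),
    ("ws03", "net_connect", r"C:\Program Files\Python\python.exe", "dst=huggingface.co:443"),
]

# Staging directory and the document types CERT-UA lists as collected.
STAGING_DIR = re.compile(r"^[A-Z]:\\ProgramData\\info\\", re.IGNORECASE)
DOC_EXT = re.compile(r"\.(docx?|xlsx?|pdf|txt)$", re.IGNORECASE)

def classify(etype, image, detail):
    """Map one event to a Lamehug-like behaviour label, or None if it matches nothing."""
    if etype == "process_create" and image.lower().endswith(".pif"):
        return "pif_execution"
    if etype == "file_write" and STAGING_DIR.match(detail):
        if detail.lower().endswith(r"\info\info.txt"):
            return "sysinfo_drop"
        if DOC_EXT.search(detail):
            return "doc_staging"
    if etype == "net_connect" and "huggingface.co" in detail.lower():
        return "llm_api_contact"
    return None

def behaviours_per_process(events):
    """Group the behaviour labels seen for each (host, process image) pair."""
    seen = defaultdict(set)
    for host, etype, image, detail in events:
        label = classify(etype, image, detail)
        if label:
            seen[(host, image)].add(label)
    return dict(seen)

def alerts(events, min_behaviours=3):
    """Alert only when one process chains several behaviours, which suppresses single-event noise."""
    return sorted(k for k, v in behaviours_per_process(events).items() if len(v) >= min_behaviours)

if __name__ == "__main__":
    hits = behaviours_per_process(SAMPLE_EVENTS)
    for host, image in alerts(SAMPLE_EVENTS):
        print(f"ALERT {host}: {image} shows {sorted(hits[(host, image)])}")
```

On the constructed sample, only the .pif process on ws01 trips the threshold; the lone info.txt write by svchost.exe and the lone HuggingFace connection from python.exe each count as a single behaviour and stay below it.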
In a recent report, Cisco Talos detailed a Malware-as-a-Service (MaaS) operation that employs the Amadey malware to deliver various payloads. The operation relies on fake GitHub accounts to host malicious files, plugins, and tools, likely to bypass web filters and simplify distribution.
Talos found that the tactics and infrastructure used in the observed campaign overlap with a SmokeLoader phishing attack from early 2025, which targeted Ukrainian entities. Specifically, the Emmenhtal loader, previously linked to the SmokeLoader campaign, was repurposed in this MaaS operation to distribute Amadey.
Unlike earlier variants distributed via email, the newer Emmenhtal samples were found in public GitHub repositories and used to deploy Amadey instead of SmokeLoader. Emmenhtal (also referred to as "PEAKLIGHT" by Mandiant) is a sophisticated, multi-stage downloader that has been active since at least April 2024. Amadey is a modular botnet malware first sold on Russian-speaking forums in 2018. It collects system information and downloads additional malware, and its plugin support allows it to expand its functionality.