Beware! LameHug Malware Uses LLM to Steal Files

Artificial intelligence (AI) is becoming increasingly intelligent and can help with many things. However, on the other hand, its development can also pose new threats.

Now, many people are starting to use generative AI, but it turns out hackers are also exploiting it.

One example is malware called LameHug. This malicious program uses a large language model (LLM) to steal important files from victims’ computers.

So, how can AI be used to create malware like this? To find out, read the full review below!

What is LameHug Malware?

LameHug is a new malware that is quite worrying because it uses artificial intelligence in its attacks.

This malware was originally discovered by CERT-UA, Ukraine’s national cyber response team, with its primary target being the country’s defense and security sector.

Its uniqueness lies in its operation: LameHug utilizes LLM (Large Language Model) technology to dynamically generate malicious commands within compromised Windows systems.

The attack method is quite classic, yet effective. The perpetrators spread fake emails purporting to be from official ministries.

The email contains a ZIP attachment with a file name like “??????.pdf.zip.” When opened, this file hides the LameHug malware with a .pif extension.

Analysis revealed that LameHug was written in Python and packaged with PyInstaller. It communicates, via the Hugging Face API, with an open-source AI model called Qwen2.5-Coder-32B-Instruct created by Alibaba.

This arrangement allows LameHug to craft malicious commands as needed, without carrying a fixed payload, which makes it harder for security systems to detect.

The alleged perpetrator of this attack is APT28, a long-known hacking group linked to the Russian military intelligence agency, the GRU.

This group has also carried out several attacks in Ukraine, including targeting vital energy infrastructure and exploiting zero-day security vulnerabilities such as CVE-2024-11182.

While its primary target is currently Ukraine, LameHug’s adaptive, AI-based methods give it the potential to spread more widely.

Why is LameHug Called Generative AI Malware?

LameHug is a new type of malware that differs from previous generations. Instead of using static commands, it utilizes LLM-based artificial intelligence.

This technology allows LameHug to craft attacks directly on the victim’s device.

The AI model used, Alibaba Cloud’s Qwen 2.5-Coder-32B-Instruct, is accessed through Hugging Face’s public API and has the ability to convert natural language commands into system instructions like PowerShell or CMD.

Instead of sending the entire attack logic from the start, LameHug waits until it’s active on the target device, then sends a prompt to the AI to get commands tailored to the compromised system.

Therefore, there’s no fixed attack pattern; everything depends on the situation on the victim’s device. This flexibility makes LameHug extremely difficult to detect by traditional antivirus software.

For example, it can create commands to access private folders and send the results to the attacker’s server via SFTP or HTTP POST, without storing any persistent script within itself.

This leaves virtually no trace. In fact, communication traffic with the AI API appears to be normal traffic, adding to the detection challenge.

This is what makes LameHug generative malware: it not only uses AI but also makes it a control center to design attacks in real time, as needed.

How Does LameHug Spread to Victims’ Computers?

LameHug isn’t spread randomly, but through highly targeted spear-phishing attacks.

The attackers impersonate government agencies and use compromised email accounts to send malicious attachments to government institutions in Ukraine.

The attachments are ZIP files named “???????.pdf.zip,” which, when opened, contain files such as “Attachment.pif,” “AI_generator_uncensored_Canvas_PRO_v0.9.exe,” or “image.py.”

These file names are deliberately crafted to appear official or compelling, such as important PDF documents or proprietary AI software.

Once opened, the LameHug malware is executed. These executables are packaged using Python’s PyInstaller, allowing them to run on Windows without arousing suspicion.

This clever disguise, combined with the delivery from a seemingly legitimate email address, makes victims more susceptible to deception, especially if they are accustomed to receiving attachments from government agencies or are interested in AI technology.

What makes LameHug dangerous is not only its technical sophistication, but also the way it exploits the victim’s trust and curiosity to seamlessly penetrate a system.

Once executed, it immediately connects to an AI model and tailors its attacks to the conditions of the infected system.

What Does LameHug Do on a Victim’s System?

After successfully infecting a victim’s computer, LameHug doesn’t immediately attack with built-in commands.

Instead, the malware sends a prompt to Alibaba Cloud’s LLM-based AI service, Qwen 2.5-Coder-32B-Instruct, via the public API on Hugging Face.

The LLM responds with a system command tailored to the victim’s computer’s conditions, which LameHug executes immediately.

This process can repeat itself as long as the malware is active, allowing for highly flexible and responsive attacks tailored to the target’s environment.

LameHug’s primary functions include gathering system information, searching for important files in Documents or the Desktop, and then stealing and sending the data to the hacker’s server via HTTP POST or SFTP.

What makes LameHug special is its dynamic and modular nature. Because all commands are generated directly by the LLM based on each computer’s individual conditions, the attack pattern is never the same.

Two devices can receive different instructions depending on the operating system, file structure, and access permissions.

This approach offers a significant advantage to attackers because strategies can be changed during an attack without changing the malware, while simultaneously evading antivirus detection.

Why Is LameHug So Difficult to Detect by Antiviruses?

One of the main reasons LameHug is so dangerous is that it is difficult for traditional antivirus software to detect. It isn’t typical malware that carries a fixed list of commands or pre-embedded attack code.

Instead, LameHug leverages the power of Large Language Models (LLMs) to construct its own attack commands on-the-fly, based on the victim’s system conditions.

Because these commands are generated dynamically (on-the-fly) by AI, there are no fixed signatures for antivirus software or pattern-based detection systems to use.

This makes static analysis, a technique typically used to search for malicious instructions in code, ineffective.

Furthermore, communication between LameHug and its AI server doesn’t appear suspicious.

The malware uses Hugging Face’s public API to access Alibaba’s Qwen 2.5-Coder-32B model, and this communication occurs over the standard HTTP protocol.

As a result, data traffic in and out of an infected system can appear to be normal cloud activity, such as when someone accesses an AI service or online API.

LameHug also doesn’t store a large payload (malicious code or attack tools) in its original file. The initial file the victim runs is just a lightweight loader that then interacts with the AI to plan its next steps.

Because no large payload is embedded from the start, the file appears clean when scanned. However, in reality, it paves the way for subsequent attacks.

IBM X-Force calls this approach novel in the malware world because it can adapt its strategy directly on the victim’s system without the need for re-deployment of the malware.
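The detection difficulty described above comes from the combination of behaviors rather than any single file signature. As an added example (not code from the article or from any vendor analysis), the toy correlation below runs over constructed endpoint telemetry and flags a process only when it both talks to a public LLM API and then spawns PowerShell or cmd, while ignoring a legitimate tool that merely calls the same API. The API hostname, field names and sample events are assumptions for illustration.

```python
"""Correlate endpoint telemetry for the behavior pattern the article describes:
an unusual loader that calls a public LLM API, spawns a shell, and posts data out.
All events below are constructed; adapt field names to your EDR's schema."""
from collections import defaultdict

# Assumed indicator values: adjust to the endpoints seen in your own environment.
LLM_API_HOSTS = {"api-inference.huggingface.co"}   # assumed hostname
SHELLS = {"powershell.exe", "cmd.exe"}
SUSPICIOUS_EXT = (".pif", ".scr")

EVENTS = [  # constructed sample telemetry: one host, two process trees
    {"type": "process", "pid": 100, "ppid": 1, "image": "C:\\Users\\u\\Downloads\\Attachment.pif"},
    {"type": "net", "pid": 100, "dest": "api-inference.huggingface.co", "method": "POST"},
    {"type": "process", "pid": 101, "ppid": 100, "image": "C:\\Windows\\System32\\cmd.exe"},
    {"type": "net", "pid": 100, "dest": "203.0.113.10", "method": "POST"},
    # A legitimate editor using the same API but never spawning a shell (benign)
    {"type": "process", "pid": 200, "ppid": 1, "image": "C:\\Program Files\\Code\\Code.exe"},
    {"type": "net", "pid": 200, "dest": "api-inference.huggingface.co", "method": "POST"},
]


def analyze(events):
    """Return findings for processes that contact an LLM API and spawn a shell."""
    procs = {}                  # pid -> process event
    flags = defaultdict(set)    # pid -> set of reason tags
    for ev in events:
        if ev["type"] == "process":
            procs[ev["pid"]] = ev
            name = ev["image"].rsplit("\\", 1)[-1].lower()
            if name.endswith(SUSPICIOUS_EXT):
                flags[ev["pid"]].add("suspicious-extension")
            # Attribute a shell launch to the parent process that started it
            if name in SHELLS and ev["ppid"] in procs:
                flags[ev["ppid"]].add("spawned-shell")
        elif ev["type"] == "net":
            if ev["dest"] in LLM_API_HOSTS:
                flags[ev["pid"]].add("llm-api")
            elif ev["method"] == "POST":
                flags[ev["pid"]].add("outbound-post")   # possible exfiltration
    findings = []
    for pid, reasons in flags.items():
        # Core signal: the same process talks to an LLM API and launches a shell;
        # the remaining tags raise confidence but are not required on their own.
        if {"llm-api", "spawned-shell"} <= reasons:
            findings.append({"pid": pid, "image": procs[pid]["image"],
                             "reasons": sorted(reasons)})
    return findings


if __name__ == "__main__":
    for finding in analyze(EVENTS):
        print(finding)
```

In production the same logic would run over a sliding time window per host, and the LLM API host list would be replaced by the domains your proxy actually sees.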

Can Personal Computers Also Be Targeted?

Although LameHug initially targeted devices belonging to government officials, that doesn’t mean personal computers are safe from this threat. As long as you’re using a Windows operating system and aren’t careful, the risk remains.

The method of distribution is simple: via a .zip or .pif file that can be sent via email or disguised as a regular attachment. Once opened, LameHug activates and begins working undetected.

Because the malicious commands are generated directly by AI based on the conditions of the compromised device, the attack is highly adaptive. This means anyone can be targeted, even a home computer.

Is LameHug Dangerous for Crypto Users?

LameHug has not been known to directly attack exchange platforms or blockchain networks. However, that doesn’t mean crypto users can rest easy.

On the contrary, this malware has the potential to steal sensitive data stored locally on computers, especially for users who regularly back up their wallets or other important data without additional protection.

What makes LameHug dangerous is its ability to access common folders like Downloads, Documents, and Desktop.

Once inside, it uses AI to generate file search commands based on relevant keywords. So, even if the file name or location is inconspicuous, LameHug can still find it.

At-risk files include seed phrases or private keys in .txt or .json format, wallet files like .dat files, QR code snapshots, CSV reports from exchanges or asset tracking apps, and even screenshots containing OTPs, 2FA, or exchange account passphrases.

If any of these files are stolen, hackers can instantly access your crypto assets. They don’t need to guess passwords or hack servers; they can simply open files you’ve stored yourself.

With artificial intelligence helping them find those files, the time it takes can be very short.

Anti-LameHug Tips for Crypto Users

To avoid falling victim to sophisticated attacks like LameHug, it’s important to implement protective measures early on. Here are some practical ways to keep your crypto assets secure:

1. Don’t store seed phrases or private keys on your computer or in the cloud.

Storing sensitive data like this on online devices is very risky, as it can easily be accessed by unauthorized parties. Store it offline or use physical media, such as paper notes, that are kept secure.

2. Use a hardware wallet for crypto asset storage.

These devices are specifically designed for storing digital assets offline and are ideal for long-term protection because they are less susceptible to remote hacking.

3. Avoid opening suspicious files from unknown sources.

Be wary of ZIP or EXE files sent via email, especially if they claim to be airdrops or crypto giveaways. These files are often used to spread malware like LameHug.

4. Always update your antivirus and enable behavior-based protection such as EDR.

EDR technology can detect suspicious behavior even if a file hasn’t been identified as a virus, providing additional protection against new threats.

5. Don’t log in to your exchange account from a public computer or someone else’s computer.

Computers that aren’t your own can be infected with malware without the user’s knowledge. Avoid this risk by only using personal devices that you trust to be secure.

Conclusion: AI Isn’t Always Safe, but You Can Be Alert

So, that was an interesting discussion about “Beware! LameHug Malware Uses LLM to Steal Files,” which you can read in full at INDODAX Academy.

In conclusion, the LameHug case is clear evidence that artificial intelligence isn’t always used for good.

Technology that should be helpful can instead be exploited by irresponsible parties to launch more cunning and difficult-to-detect cyberattacks.

Therefore, you also need to be smarter about maintaining your digital security. The more sophisticated the attack, the more important it is to understand how it works and protect yourself with the right steps.

Ultimately, knowledge and vigilance remain the main weapons. As long as you understand the risks and exercise caution, threats like LameHug can be avoided.

By the way, besides expanding your investment horizons, you can also stay updated with the latest crypto news and monitor digital asset price movements directly on the INDODAX Market. For a more personalized trading experience, explore our OTC trading service at INDODAX. Don’t forget to activate notifications to stay up-to-date with the latest information about digital assets, blockchain technology, and various other trading opportunities, only at INDODAX Academy.

You can also follow our latest news on Google News for faster and more reliable access to information. For an easy and secure trading experience, download the best crypto app from INDODAX on the App Store or Google Play Store.

Maximize your crypto assets with the INDODAX Earn feature, a practical way to earn passive income from your holdings.

Also follow our social media here: Instagram, X, Youtube & Telegram

FAQ

1. What is LameHug Malware?
LameHug is malware that uses Large Language Models (LLMs) to create malicious commands in real time on a victim’s computer.

2. Does LameHug use AI?
Yes. LameHug uses AI models like Alibaba’s Qwen 2.5 to create data-stealing commands.

3. How does LameHug infect a computer?
It typically arrives in suspicious ZIP files from phishing emails, containing files with the extension .pif, .exe, or .py.

4. What does LameHug do on a computer?
It steals critical files, collects system information, and sends them to the hacker’s server over the network.

5. Can antivirus programs detect LameHug?
With difficulty. Because LameHug generates its commands dynamically, many traditional antivirus programs fail to detect it.

6. How can you protect yourself from LameHug?
Don’t open email attachments carelessly, keep your antivirus updated, and use network monitoring whenever possible.

DISCLAIMER: All forms of crypto asset transactions carry risks and the potential for loss. Always invest based on independent research to minimize the risk of loss of crypto assets traded (Do Your Own Research/DYOR). The information contained in this publication is provided on a general basis without obligation and is for informational purposes only. This publication is not intended to be, and should not be construed as, an offer, recommendation, solicitation, or advice to buy or sell any investment product and may not be transmitted, disclosed, copied, or relied upon by anyone for any purpose.

Author: Boy
