
Ukraine’s national computer emergency response team, CERT-UA, has uncovered a new wave of cyberattacks targeting the country’s security and defense sector. The attacks involve a strain of AI-powered malware identified as LameHug. Operating under the State Service of Special Communications and Information Protection (SSSCIP), CERT-UA has attributed the campaign, with moderate confidence, to APT28, a hacking group widely believed to be under the control of Russian intelligence services.

“According to available information, emails containing an attachment named ‘Attachment[dot]pdf[dot]zip’ were disseminated among executive bodies, purportedly sent from a representative of a relevant ministry,” CERT-UA detailed in an alert. “The aforementioned ZIP archive contained a similarly named file with a ‘[dot]pif’ extension. This file, converted using the Python-based PyInstaller tool, has been classified by CERT-UA as the (malicious) software LAMEHUG.”

It added that LameHug is software developed using the Python programming language. “A distinctive feature of this program is its utilization of an LLM (Large Language Model – a type of artificial intelligence) to generate commands based on their textual descriptions. Upon infiltration, the program is designed to gather basic system information (hardware, processes, services, network connections).” 

The agency identified that the malware also performs a recursive search of the ‘Documents,’ ‘Downloads,’ and ‘Desktop’ directories for Microsoft Office documents, as well as TXT and PDF files, and then exfiltrates them.
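The delivery chain described above (a ZIP named like a PDF that contains a PyInstaller-built file with a ‘.pif’ extension) is cheap to screen for at a mail gateway or in a triage queue. The following is an added example, not code from CERT-UA or from the alert: it inspects a ZIP attachment for document-lookalike double extensions, for an MZ (PE) image hiding behind a non-.exe extension, and for the PyInstaller archive cookie (`MEI\x0c\x0b\x0a\x0b\x0e`) that PyInstaller appends to every bundled executable. The sample archives are constructed inline; the ‘.pif’ payload is synthetic bytes, not a real LameHug sample.

```python
import io
import zipfile

# PyInstaller terminates its embedded CArchive with a fixed cookie whose magic is
# MEI\x0c\x0b\x0a\x0b\x0e. Its presence marks a PyInstaller-built executable.
PYINSTALLER_MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"

# Extensions Windows executes directly even though they look harmless to a user.
EXECUTABLE_EXTS = {".pif", ".exe", ".scr", ".com", ".bat", ".cmd", ".js", ".vbs", ".hta"}
# Extensions commonly used as the "document" half of a double-extension lure.
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt"}

MAX_MEMBER_BYTES = 50 * 1024 * 1024  # do not inflate oversized members during triage


def _extensions(member_name: str) -> list[str]:
    """Return every dotted extension of the basename, lower-cased, in order."""
    base = member_name.lower().rsplit("/", 1)[-1]
    parts = base.split(".")
    return ["." + p for p in parts[1:]]


def triage_archive(zip_bytes: bytes) -> list[str]:
    """Inspect a ZIP attachment and return a list of human-readable findings."""
    findings: list[str] = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            exts = _extensions(info.filename)
            if not exts:
                continue
            last = exts[-1]
            if last in EXECUTABLE_EXTS:
                findings.append(f"{info.filename}: executable extension {last}")
                if len(exts) > 1 and exts[-2] in DOCUMENT_EXTS:
                    findings.append(f"{info.filename}: document-lookalike double extension")
            if info.file_size > MAX_MEMBER_BYTES:
                findings.append(f"{info.filename}: member too large to scan")
                continue
            data = zf.read(info)
            if data[:2] == b"MZ" and last not in {".exe", ".dll"}:
                findings.append(f"{info.filename}: PE image with non-.exe extension")
            if PYINSTALLER_MAGIC in data:
                findings.append(f"{info.filename}: PyInstaller archive cookie present")
    return findings


def build_sample_zip(member_name: str, payload: bytes) -> bytes:
    """Helper to build a single-member ZIP in memory for the constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member_name, payload)
    return buf.getvalue()


# Constructed stand-in for the lure layout in the alert: a ZIP holding a
# PyInstaller-style .pif. The bytes are synthetic (MZ header plus the cookie).
FAKE_PYINSTALLER_PIF = b"MZ" + b"\x00" * 62 + b"fake bootloader\n" + PYINSTALLER_MAGIC + b"\x00" * 16
LURE_ZIP = build_sample_zip("Attachment.pdf.pif", FAKE_PYINSTALLER_PIF)

# Constructed benign control: a ZIP containing an ordinary PDF header.
BENIGN_ZIP = build_sample_zip("report.pdf", b"%PDF-1.7\n%constructed sample\n")

if __name__ == "__main__":
    for label, blob in (("lure", LURE_ZIP), ("benign", BENIGN_ZIP)):
        print(label, triage_archive(blob) or "no findings")
```

Any one finding is a reason to quarantine the message for analyst review; the double-extension check alone already catches the naming pattern CERT-UA describes, and the cookie check does not depend on the file name at all.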

CERT-UA specialists note that a compromised email account was used to send the emails carrying the malware. Furthermore, the command and control infrastructure is hosted on legitimate web resources that have themselves been compromised.

This isn’t the first time Ukraine’s CERT-UA has raised alarms over threats linked to APT28. About a year ago, the agency disclosed a cyberattack carried out by the UAC-0063 group, which targeted a Ukrainian scientific research institution. The attackers used the Hatvibe and CherrySpy malware in that operation. CERT-UA assessed with medium confidence that UAC-0063 is connected to APT28 (UAC-0001), a threat group associated with the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU).

Last week, the U.K.’s National Cyber Security Centre (NCSC) formally linked a cyber campaign using the malware Authentic Antics to Russia’s military intelligence agency, the GRU. The announcement coincided with new U.K. sanctions against multiple GRU units and 18 Russian individuals involved in coordinated hybrid operations targeting Western countries.

According to the NCSC, the campaign was carried out by APT28, also known as Fancy Bear, Unit 26165, Forest Blizzard, and Blue Delta, a GRU-linked hacking group known for targeting Western logistics and technology sectors.

In May, the French foreign ministry attributed a series of cyberattacks on national interests to APT28, a group linked to Russia’s military intelligence agency (GRU), and strongly condemned the Russian state’s use of the group. Since 2021, the group has been used to target or compromise a dozen French entities.

Last year, Takepoint Research found that, in the rapidly evolving cybersecurity landscape, 80% of respondents believe the benefits of AI in industrial cybersecurity outweigh its risks. Respondents rated AI as particularly effective in threat detection (64%), network monitoring (52%), and vulnerability management (48%), showing its growing role in strengthening defenses within OT (operational technology) environments. The survey also identified overreliance on AI, manipulation of AI systems, and false negatives as the primary concerns of industrial asset owners.