The Hacker News
8 hours ago
The Computer Emergency Response Team of Ukraine (CERT-UA) has disclosed details of a phishing campaign that's designed to deliver a malware codenamed LAMEHUG.
"An obvious feature of LAMEHUG is the use of LLM (large language model), used to generate commands based on their textual representation (description)," CERT-UA said in a Thursday advisory.
The activity has been attributed with medium confidence to a Russian state-sponsored hacking group tracked as APT28, which is also known as Fancy Bear, Forest Blizzard, Sednit, Sofacy, and UAC-0001.
The cybersecurity agency said it found the malware after receiving reports on July 10, 2025, of suspicious emails sent from compromised accounts and impersonating ministry officials. The emails targeted executive government authorities.
Present within these emails was a ZIP archive that, in turn, contained the LAMEHUG payload in the form of three different variants named "Додаток.pif," "AI_generator_uncensored_Canvas_PRO_v0.9.exe," and "image.py."
Developed using P...