LAMEHUG: An LLM-Driven Malware for Dynamic Reconnaissance and Data Exfiltration
gbhackers
A novel AI-driven threat leverages LLMs on Hugging Face to execute adaptive reconnaissance and data exfiltration in real time.
Rather than relying on static scripts or prewritten payloads, LAMEHUG dynamically queries a Qwen 2.5-Coder-32B-Instruct model via the Hugging Face API to generate Windows command-shell instructions tailored to its current environment.
Because the reconnaissance and collection commands are produced at runtime rather than stored in the binary, signatures written against command strings or hard-coded payloads do not fire; detection has to key on the outbound API traffic and on the shell activity the loader spawns afterwards. This on-the-fly reconnaissance, targeted data collection, and adaptive evasion complicates detection and response for security operations centers (SOCs) and blue teams.
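The behaviour described above suggests a simple correlation rule: a process that contacts the Hugging Face inference API and then spawns cmd.exe running reconnaissance commands. The example below is added here and is not code from the gbhackers article or from CERT-UA; the event schema is loosely modelled on Sysmon event IDs 1 (process create) and 3 (network connect), the API hostnames, the process allow-list and the sample events are constructed for illustration, and only the two loader filenames come from the article.

```python
"""Correlate Hugging Face API traffic with subsequent cmd.exe spawns.

Added example (not from the article or CERT-UA). Event layout, hostnames,
allow-list and the sample telemetry are constructed assumptions.
"""

# Assumed Hugging Face API hostnames; extend from your own proxy/DNS data.
HF_API_HOSTS = {"api-inference.huggingface.co", "huggingface.co", "router.huggingface.co"}

# Assumption: processes on a developer workstation that may legitimately call the HF API.
ALLOWED_PROCESSES = {"python.exe", "code.exe", "chrome.exe", "msedge.exe", "firefox.exe"}

# Command tokens typical of host and domain reconnaissance from a command shell.
RECON_TOKENS = ("systeminfo", "whoami", "ipconfig", "net user", "tasklist", "dsquery", "wmic")

# Loader filenames reported by CERT-UA (the only identifiers taken from the article).
KNOWN_LOADER_NAMES = {"AI_generator_uncensored_Canvas_PRO_v0.9.exe", "AI_image_generator_v0.95.exe"}


def _basename(image_path):
    """Return the file name of a Windows image path."""
    return image_path.rsplit("\\", 1)[-1]


def correlate(events):
    """Return a list of alert dicts for the LAMEHUG-style pattern.

    Each event is a dict: id (1 = process create, 3 = network connect), pguid
    (process GUID), image (executable path); id 3 carries dest_host, id 1
    carries parent_pguid and cmdline.
    """
    hf_contact = {}  # pguid -> image name of a process that reached the HF API
    alerts = []
    allowed = {p.lower() for p in ALLOWED_PROCESSES}
    for ev in events:
        name = _basename(ev["image"])
        if ev["id"] == 3:
            if ev.get("dest_host", "").lower() not in HF_API_HOSTS:
                continue
            hf_contact[ev["pguid"]] = name
            if name.lower() not in allowed:
                alerts.append({"rule": "hf-api-from-unexpected-process", "pguid": ev["pguid"], "image": name})
            if name in KNOWN_LOADER_NAMES:
                alerts.append({"rule": "known-lamehug-loader-name", "pguid": ev["pguid"], "image": name})
        elif ev["id"] == 1:
            parent = ev.get("parent_pguid")
            if name.lower() == "cmd.exe" and parent in hf_contact:
                cmdline = ev.get("cmdline", "").lower()
                recon = [t for t in RECON_TOKENS if t in cmdline]
                alerts.append({
                    "rule": "recon-shell-after-hf-api" if recon else "cmd-after-hf-api",
                    "pguid": ev["pguid"],
                    "parent_image": hf_contact[parent],
                    "recon_tokens": recon,
                })
    return alerts


def rules_fired(events):
    """Convenience wrapper: just the rule names, in firing order."""
    return [a["rule"] for a in correlate(events)]


# Constructed sample telemetry: a disguised loader calls the HF API, then
# runs a recon one-liner; a browser visiting huggingface.co is benign noise.
SAMPLE_EVENTS = [
    {"id": 3, "pguid": "A", "image": "C:\\Users\\u\\Downloads\\AI_image_generator_v0.95.exe",
     "dest_host": "api-inference.huggingface.co"},
    {"id": 1, "pguid": "B", "parent_pguid": "A", "image": "C:\\Windows\\System32\\cmd.exe",
     "cmdline": 'cmd.exe /c "systeminfo & whoami /all & ipconfig /all"'},
    {"id": 3, "pguid": "C", "image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
     "dest_host": "huggingface.co"},
    {"id": 1, "pguid": "D", "parent_pguid": "C", "image": "C:\\Windows\\System32\\notepad.exe",
     "cmdline": "notepad.exe"},
    {"id": 1, "pguid": "E", "parent_pguid": "X", "image": "C:\\Windows\\System32\\cmd.exe",
     "cmdline": "cmd.exe /c dir"},
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

The domain match alone is noisy on any machine where developers use Hugging Face, which is why the rule only escalates when the same process goes on to spawn cmd.exe; tune ALLOWED_PROCESSES to your fleet and feed hostnames from DNS or TLS SNI, since the API traffic itself is encrypted.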
In July 2025, CERT-UA publicly disclosed the LAMEHUG malware family, an early documented case of an attacker embedding large language model (LLM) queries directly into a malware workflow.
CERT-UA reports that LAMEHUG is delivered through spear-phishing emails carrying malicious executables disguised as AI image-generation tools.
Common filenames include AI_generator_uncensored_Canvas_PRO_v0.9.exe and AI_image_generator_v0.95.exe.
When executed, these loaders display an innocuous prompt interface for user-supplied image requests while immediately ...
Copyright of this story belongs to gbhackers; the text above is an excerpt of the full article.