Russian-backed malware uses AI to automate real-time data theft on Windows
A newly discovered malware family, dubbed LameHug, is using artificial intelligence to dynamically generate system commands for exfiltrating data from infected Windows systems — a novel tactic that may reshape the future of cyber operations.
Ukraine’s national computer emergency response team (CERT-UA) uncovered the malware earlier this month during an investigation into phishing emails targeting senior government officials. The messages, sent from compromised email accounts impersonating official ministries, contained ZIP attachments with malicious loaders disguised as benign files, including executables and Python scripts.
Written in Python, LameHug connects to an open-source large language model (LLM) hosted by a major cloud provider. Using natural language prompts, it generates commands on the fly — enabling activities such as collecting system metadata, scanning user directories (including Documents, Desktop and Downloads), and exfiltrating files via secure file transfer protocol or HTTP requests.
Researchers attribute the campaign, with medium confidence, to APT28, a Russian state-sponsored group also known as Fancy Bear or Forest Blizzard.
This represents the first publicly documented case of malware leveraging LLMs for real-time attack execution. By avoiding static, hardcoded command strings, the malware may evade traditional antivirus detection while allowing mid-operation adjustments without redeploying payloads — increasing the complexity of incident response.
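Because the commands are generated at run time, string-based signatures have little to match on; the behavioural chain the article describes (a Python interpreter contacting an LLM inference endpoint, then spawning system-enumeration commands, reading from Documents, Desktop or Downloads, and opening an outbound transfer connection) is a more stable detection target. The sketch below is an added example of that correlation, not code from CERT-UA or the article; the endpoint hostname, the event schema and the thresholds are assumptions, and the telemetry is constructed.

```python
from collections import defaultdict
# Assumed placeholder; the article names no provider, take real endpoints from your telemetry.
LLM_API_HOSTS = {"inference.example-llm-provider.invalid"}
USER_DATA_DIRS = ("\\documents\\", "\\desktop\\", "\\downloads\\")
RECON_TOKENS = ("systeminfo", "whoami", "ipconfig", "wmic", "net user")

def classify(event):
    """Map one record to a stage of the chain the article describes, or None.
    proc_create: 'process' is the parent, 'detail' the child command line;
    net_conn: 'detail' is host:port; file_read: 'detail' is the path read."""
    kind, proc, detail = event["type"], event["process"].lower(), event["detail"].lower()
    if proc != "python.exe" and not proc.endswith("\\python.exe"):
        return None
    if kind == "net_conn":
        return "llm_query" if detail.split(":")[0] in LLM_API_HOSTS else "exfil_conn"
    if kind == "proc_create" and any(t in detail for t in RECON_TOKENS):
        return "recon_cmd"
    if kind == "file_read" and any(d in detail for d in USER_DATA_DIRS):
        return "user_dir_scan"
    return None

def detect(events, window_s=600, min_stages=3):
    """Alert per host when python.exe reached an LLM endpoint and >= min_stages
    distinct stages fell within window_s of that first call; a lone non-LLM
    connection (exfil_conn) is weak evidence on its own, hence the threshold."""
    by_host = defaultdict(list)
    for e in sorted(events, key=lambda x: x["ts"]):
        if stage := classify(e):
            by_host[e["host"]].append((e["ts"], stage))
    alerts = {}
    for host, seq in by_host.items():
        starts = [ts for ts, s in seq if s == "llm_query"]
        if starts:
            stages = {s for ts, s in seq if starts[0] <= ts <= starts[0] + window_s}
            if len(stages) >= min_stages:
                alerts[host] = sorted(stages)
    return alerts

def rec(ts, host, kind, detail, process="python.exe"):
    return {"ts": ts, "host": host, "type": kind, "process": process, "detail": detail}

# Constructed sample telemetry (not real logs): ws-17 shows the full chain;
# dev-02 is a developer box that only calls the API and a package index.
EVENTS = [
    rec(100, "ws-17", "net_conn", "inference.example-llm-provider.invalid:443"),
    rec(104, "ws-17", "proc_create", "cmd.exe /c systeminfo"),
    rec(131, "ws-17", "file_read", "C:\\Users\\alice\\Documents\\report.docx"),
    rec(160, "ws-17", "net_conn", "203.0.113.10:22"),
    rec(200, "dev-02", "net_conn", "inference.example-llm-provider.invalid:443"),
    rec(210, "dev-02", "net_conn", "pypi.org:443"),
]
```

Run against real EDR or Sysmon exports, the first LLM connection anchors the window, so legitimate developer use of the same API (dev-02) stays below the threshold while the full chain on ws-17 alerts.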
Ukrainian authorities continue to monitor the threat and have urged heightened vigilance against suspicious messages, particularly amid ongoing geopolitical tensions and persistent attempts at cyber-enabled espionage.
