
APT28 Targets Security and Defence Sector with AI-Powered Software
CERT-UA, the National Computer Emergency Response Team of Ukraine, operating under the State Service of Special Communications and Information Protection (SSSCIP), has identified new cyberattacks targeting the security and defence sector.
According to available information, emails carrying an attachment named "Додаток.pdf.zip" ("Attachment.pdf.zip") were sent to executive authorities, purportedly from a representative of a relevant ministry.
The ZIP archive contained a file of similar name with a ".pif" extension. Although ".pif" historically denotes a Windows program-information (shortcut) file, Windows treats a PE executable carrying that extension as a program and runs it on double-click, so the double extension is a lure. The file is a Python program packaged into a standalone Windows executable with PyInstaller; CERT-UA has classified it as the malware LAMEHUG.
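The following triage helper, added here as an example and not CERT-UA's or the attacker's code, shows how a mail gateway or analyst script can flag the attachment pattern described above: an archive member that looks like a document but carries an extension Windows will execute, and whose content is a PE file bundled with PyInstaller (detected through the "MEI" archive cookie that PyInstaller writes into every bundled executable). The inner file name "Додаток.pdf.pif" is an assumption (the page says only that it is similarly named with a ".pif" extension), and the sample ZIP is constructed inline so the script runs offline.

```python
"""Triage helper for ZIP mail attachments (added example, not original code).

Flags archive members that use a deceptive double extension or an extension
Windows executes directly, and checks whether a PE member is a PyInstaller
bundle by looking for the PyInstaller archive cookie.
"""
import io
import re
import zipfile

# Extensions Windows treats as directly executable; .pif is a legacy
# program-information-file extension that Windows still runs as a program.
EXEC_EXTS = {".pif", ".exe", ".scr", ".com", ".bat", ".cmd", ".js", ".vbs", ".hta"}

# PyInstaller writes this cookie ("MEI" followed by five control bytes) into
# the CArchive trailer of every executable it produces.
PYINSTALLER_MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"

# A document-looking extension immediately followed by a second extension.
DOUBLE_EXT = re.compile(r"\.(pdf|docx?|xlsx?|pptx?|txt)\.[a-z0-9]{2,4}$", re.IGNORECASE)


def analyse_member(name: str, data: bytes) -> dict:
    """Return triage flags for one archive member."""
    lower = name.lower()
    ext = lower[lower.rfind("."):] if "." in lower else ""
    return {
        "name": name,
        "executable_ext": ext in EXEC_EXTS,
        "double_extension": bool(DOUBLE_EXT.search(lower)),
        "is_pe": data[:2] == b"MZ",
        "pyinstaller": PYINSTALLER_MAGIC in data,
    }


def triage_zip(zip_bytes: bytes) -> list:
    """Analyse every file member of a ZIP held in memory."""
    results = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            results.append(analyse_member(info.filename, zf.read(info)))
    return results


def is_suspicious(flags: dict) -> bool:
    """Escalate when a 'document' is actually something Windows will execute."""
    looks_like_program = flags["executable_ext"] or flags["double_extension"]
    return looks_like_program and (flags["is_pe"] or flags["pyinstaller"])


def build_sample_zip() -> bytes:
    """Constructed stand-in for the lure archive: a minimal fake PE carrying the
    PyInstaller cookie, stored under the assumed inner name 'Додаток.pdf.pif',
    next to a benign text file."""
    fake_pe = (
        b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b"\x00" * 128
        + PYINSTALLER_MAGIC + b"\x00" * 16
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Додаток.pdf.pif", fake_pe)  # assumed name, constructed content
        zf.writestr("readme.txt", "benign text")
    return buf.getvalue()


if __name__ == "__main__":
    for flags in triage_zip(build_sample_zip()):
        verdict = "SUSPICIOUS" if is_suspicious(flags) else "ok"
        print(f"{verdict:10} {flags['name']}: {flags}")
```

The cookie check is a cheap first-pass indicator, not a verdict: legitimate software is also shipped with PyInstaller. The combination that matters is a document-looking name, an executable extension and a PE body arriving by email, which is exactly the shape of the attachment described above.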
LAMEHUG is written in Python. Its distinctive feature is that it uses an LLM (large language model) to generate the commands it executes from textual descriptions of the desired actions, so the command strings are produced at runtime rather than hard-coded in the binary. Once executed, it collects basic system information (hardware, processes, services, network connections) and recursively searches the "Documents", "Downloads" and "Desktop" directories for documents (Microsoft Office files as well as TXT and PDF), which it then exfiltrates.
CERT-UA specialists note that the emails carrying the malware were sent from a compromised email account, and that the command-and-control infrastructure is hosted on legitimate but compromised resources, so neither sender reputation nor domain reputation alone will flag this activity.
CERT-UA assesses with moderate confidence that the activity is linked to the UAC-0001 (APT28) hacking group, which it attributes to Russian special services.