CERT-UA, the government team responsible for responding to cyber incidents, has detected a new attack targeting the security and defense sector.

Emails were sent to government agencies, purportedly on behalf of a representative of the relevant ministry, carrying an attachment named «Attachment.pdf.zip». The double extension is meant to make the archive read as a PDF document.

The ZIP archive contained a file with the «.pif» extension: a Python program packaged into a Windows executable with the PyInstaller tool, which CERT-UA classifies as the LAMEHUG malware. Windows treats «.pif» files as executables, so opening the file runs it just as an «.exe» would.
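A quick triage check for this lure, written as an added example that is not part of the CERT-UA advisory: it flags attachment names that hide an archive behind a document extension, and inspects a ZIP for entries with executable extensions such as «.pif», looking inside them for the PyInstaller archive cookie (the fixed byte string `MEI\x0c\x0b\x0a\x0b\x0e` that PyInstaller embeds in every executable it builds). The sample archive is constructed inline and contains only a dummy MZ header plus that cookie, not the actual malware; the function and constant names are the example's own.

```python
import io
import zipfile

# Fixed cookie PyInstaller writes into every executable it builds
# (the CArchive MAGIC in PyInstaller's own reader code).
PYINSTALLER_MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"

# Extensions Windows executes directly even though they are not ".exe";
# ".pif" is the one used in the lure described above.
EXECUTABLE_EXTENSIONS = {".pif", ".exe", ".scr", ".com", ".bat", ".cmd"}

# Document extensions that a double-extension lure pretends to be.
DOCUMENT_EXTENSIONS = {"pdf", "doc", "docx", "xls", "xlsx"}


def extension_of(name):
    """Lower-cased final extension of a file name, or '' if it has none."""
    return "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""


def is_double_extension_lure(attachment_name):
    """True for names like 'Attachment.pdf.zip': looks like a document, is a ZIP."""
    parts = attachment_name.lower().split(".")
    return len(parts) >= 3 and parts[-1] == "zip" and parts[-2] in DOCUMENT_EXTENSIONS


def inspect_archive(zip_bytes):
    """Return (entry_name, reason) for every entry that warrants a closer look."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            ext = extension_of(info.filename)
            if ext not in EXECUTABLE_EXTENSIONS:
                continue
            reason = "executable extension %s" % ext
            # Search the whole entry: the PyInstaller cookie sits near the end
            # of the file, after the bundled Python archive.
            if PYINSTALLER_MAGIC in zf.read(info.filename):
                reason += ", PyInstaller archive cookie present"
            findings.append((info.filename, reason))
    return findings


def build_sample_archive():
    """Constructed sample mimicking the lure: a '.pif' entry made of a dummy
    MZ header and the PyInstaller cookie (harmless, not real malware), plus
    a benign text file that must not be flagged."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Attachment.pif", b"MZ" + b"\x00" * 64 + PYINSTALLER_MAGIC + b"\x00" * 16)
        zf.writestr("readme.txt", b"not an executable")
    return buf.getvalue()


if __name__ == "__main__":
    name = "Attachment.pdf.zip"  # constructed attachment name from the lure
    print("double-extension lure:", is_double_extension_lure(name))
    for entry, reason in inspect_archive(build_sample_archive()):
        print("suspicious entry %s (%s)" % (entry, reason))
```

The cookie check is a strong hint rather than proof of malice, since legitimate Python tooling is also shipped with PyInstaller; the combination of a document-looking archive name and an executable-extension entry is what makes this attachment worth detonating in a sandbox.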

A distinctive feature of LAMEHUG is its use of a large language model (LLM) to generate the commands it executes from textual descriptions of what those commands should do. Once running on a host, it collects basic system information, recursively searches for documents, and copies them.

CERT-UA attributes this activity with moderate confidence to the UAC-0001 (APT28) group, which is controlled by Russian intelligence services.