Want smarter insights in your inbox? Sign up for our weekly newsletters to get only what matters to enterprise AI, data, and security leaders. Subscribe Now
Russia’s APT28 is actively deploying LLM-powered malware against Ukraine, while underground platforms are selling the same capabilities to anyone for $250 per month.
Last month, Ukraine’s CERT-UA documented LAMEHUG, the first confirmed deployment of LLM-powered malware in the wild. The malware, attributed to APT28, utilizes stolen Hugging Face API tokens to query AI models, enabling real-time attacks while displaying distracting content to victims.
Cato Networks’ researcher, Vitaly Simonovich, told VentureBeat in a recent interview that these aren’t isolated occurrences, and that Russia’s APT28 is using this attack tradecraft to probe Ukrainian cyber defenses. Simonovich is quick to draw parallels between the threats Ukraine faces daily and what every enterprise is experiencing today, and will likely see more of in the future.
Most startling was how Simonovich demonstrated to VentureBeat how any enterprise AI tool can be transformed into a malware development platform in under six hours. His proof-of-concept successfully converted OpenAI, Microsoft, DeepSeek-V3 and DeepSeek-R1 LLMs into functional password stealers using a technique that bypasses all current safety controls.
AI Scaling Hits Its Limits
Power caps, rising token costs, and inference delays are reshaping enterprise AI. Join our exclusive salon to discover how top teams are:
Turning energy into a strategic advantage
Architecting efficient inference for real throughput gains
Unlocking competitive ROI with sustainable AI systems
Secure your spot to stay ahead: https://bit.ly/4mwGngO
The rapid convergence of nation-state actors deploying AI-powered malware, while researchers continue to prove the vulnerability of enterprise AI tools, arrives as the 2025 Cato CTRL Threat Report reveals explosive AI adoption across over 3,000 enterprises. Cato’s researchers observe in the report, “most notably, Copilot, ChatGPT, Gemini (Google), Perplexity and Claude (Anthropic) all increased in adoption by organizations from Q1, 2024 to Q4 2024 at 34%, 36%, 58%, 115% and 111%, respectively.”
APT28’s LAMEHUG is the new anatomy of AI warfare
Researchers at Cato Networks and others tell VentureBeat that LAMEHUG operates with exceptional efficiency. The most common delivery mechanism for the malware is via phishing emails impersonating Ukrainian ministry officials, containing ZIP archives with PyInstaller-compiled executables. Once the malware is executed, it connects to Hugging Face’s API using approximately 270 stolen tokens to query the Qwen2.5-Coder-32B-Instruct model.
The legitimate-looking Ukrainian government document (Додаток.pdf) that victims see while LAMEHUG executes in the background. This official-looking PDF about cybersecurity measures from the Security Service of Ukraine serves as a …