Mallory
Malware · Used by 3 actors

Lamehug

PROMPTSTEAL, also referred to as LAMEHUG, is a Windows-focused AI-assisted infostealer publicly linked to APT28/UAC-0001 (Fancy Bear, Russia's GRU-linked activity) and used against Ukrainian government, security, defense, and other Ukrainian entities in 2025. It has been described as the first APT28 malware observed delegating operational logic to a large language model during execution, and one of the first live malware families to do so.

The malware was delivered via spearphishing, including emails impersonating Ukrainian government officials and attachments masquerading as AI image or canvas generator applications or legitimate documents. Observed lure filenames included AI_generator_uncensored_Canvas_PRO_v0.9.exe and AI_image_generator_v0.95.exe. Some variants displayed decoy content, including a dropped PDF in C:\ProgramData, while a malicious thread executed the actual payload.

Its defining behavior is querying a live LLM through the Hugging Face Inference API, specifically Qwen 2.5-Coder-32B-Instruct, to generate one-line Windows commands on demand rather than relying on fully hard-coded logic. The generated commands were used for reconnaissance and data theft. Reported commands and behaviors include collecting host information with systeminfo, wmic, whoami, and dsquery; enumerating services with net start; identifying and copying documents from targeted directories with xcopy.exe; and saving collected output to C:\ProgramData\info\info.txt while staging files in C:\ProgramData\info\ for exfiltration.

Exfiltration was performed to adversary-controlled C2 infrastructure either via SSH-based transfer or HTTPS POST requests. A specifically reported HTTPS endpoint was stayathomeclasses[.]com/slpw/up[.]php. The malware also generated DNS activity to router.huggingface.co when interacting with the Hugging Face service.

High-confidence indicators and artifacts mentioned in the source reporting include the malware names LAMEHUG and PROMPTSTEAL; use of Hugging Face / HuggingFace[.]co and router.huggingface.co; the Qwen 2.5-Coder-32B-Instruct model; local staging paths C:\ProgramData\info\ and C:\ProgramData\info\info.txt; decoy PDF placement in C:\ProgramData; and the exfiltration endpoint stayathomeclasses[.]com/slpw/up[.]php. The reporting consistently characterizes the malware as an experimental but operational AI-enabled stealer used for system reconnaissance, document collection, and exfiltration.
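A defender-side correlation check over the artefacts listed above (the Hugging Face router domain, the C:\ProgramData\info staging path, the reported exfiltration endpoint, the lure filenames and the recon utilities), written as an added example for this page rather than any vendor's or the malware's own code; the event shape, scoring weights and alert threshold are assumptions, and the telemetry is constructed.

```python
from collections import defaultdict

# Indicators below are the ones quoted on this page from public LAMEHUG/PROMPTSTEAL reporting.
LLM_HOST = "router.huggingface.co"
EXFIL_URL = "stayathomeclasses.com/slpw/up.php"
STAGING_DIR = "c:\\programdata\\info"
LURE_NAMES = {"ai_generator_uncensored_canvas_pro_v0.9.exe", "ai_image_generator_v0.95.exe"}
RECON_TOOLS = {"systeminfo.exe", "wmic.exe", "whoami.exe", "dsquery.exe", "net.exe"}

def basename(path):
    return path.lower().rsplit("\\", 1)[-1]  # lower-cased final component of a Windows path

def score_event(ev):
    """Return (points, reason) for one event; (0, None) when nothing on the page's IOC list matches.
    Weights are assumptions: unique C2/staging artefacts score high, common LOLBin recon scores low."""
    if ev["type"] == "dns" and ev["query"].lower() == LLM_HOST:
        return 3, "DNS query to Hugging Face inference router"
    if ev["type"] == "net" and ev["method"] == "POST" and EXFIL_URL in ev["url"].lower():
        return 5, "HTTP POST to reported exfiltration endpoint"
    if ev["type"] == "proc":
        if basename(ev["image"]) in LURE_NAMES:
            return 4, "execution of reported lure filename"
        if STAGING_DIR in ev["cmdline"].lower():
            return 4, "command line touching C:\\ProgramData\\info staging directory"
        if basename(ev["image"]) in RECON_TOOLS:
            return 1, "reconnaissance utility: " + basename(ev["image"])
    return 0, None

def score_host_events(events, threshold=6):
    """Sum points per host; return {host: (score, reasons)} for hosts at or above the threshold."""
    totals = defaultdict(lambda: [0, []])
    for ev in events:
        pts, why = score_event(ev)
        if pts:
            totals[ev["host"]][0] += pts
            totals[ev["host"]][1].append(why)
    return {h: (s, r) for h, (s, r) in totals.items() if s >= threshold}

# Constructed sample telemetry in a simplified Sysmon-like shape; not real events.
SAMPLE_EVENTS = [
    {"host": "ws01", "type": "proc", "image": "C:\\Users\\u\\Downloads\\AI_image_generator_v0.95.exe", "cmdline": "AI_image_generator_v0.95.exe"},
    {"host": "ws01", "type": "dns", "query": "router.huggingface.co"},
    {"host": "ws01", "type": "proc", "image": "C:\\Windows\\System32\\systeminfo.exe", "cmdline": "systeminfo"},
    {"host": "ws01", "type": "proc", "image": "C:\\Windows\\System32\\net.exe", "cmdline": "net start"},
    {"host": "ws01", "type": "proc", "image": "C:\\Windows\\System32\\xcopy.exe", "cmdline": "xcopy /s /y C:\\Users\\u\\Documents\\*.docx C:\\ProgramData\\info\\"},
    {"host": "ws01", "type": "net", "method": "POST", "url": "https://stayathomeclasses.com/slpw/up.php"},
    {"host": "ws02", "type": "dns", "query": "router.huggingface.co"},  # a developer legitimately using Hugging Face
    {"host": "ws02", "type": "proc", "image": "C:\\Windows\\System32\\whoami.exe", "cmdline": "whoami"},
]
```

Only ws01 crosses the threshold: the Hugging Face lookup alone is weak evidence (ws02 shows the benign case), and the alert fires when it is correlated with staging, lure execution or the exfiltration endpoint on the same host.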


THREAT ACTORS

Groups observed using it

3 distinct threat actors attributed by public researchers.
APT28

APT28 LAMEHUG has sent spearphishing emails impersonating Ukrainian government officials.

via MITRE ATT&CK website (attack.mitre.org)
APT29

Known for blending cutting-edge tools such as the large language model (LLM) ‘LAMEHUG’ with proven, longstanding techniques, Forest Blizzard consistently evolves its tactics to stay ahead of defenders.

via Ars Technica Security (arstechnica.com)
(not further specified) Russian state-linked cyber actors

"PROMPTSTEAL is accordingly the first malware observed in the wild that queries LLMs… To generate commands, this data miner uses the Hugging Face API…"

via CSO Online (csoonline.com)
MITRE ATT&CK

Techniques & procedures

25 distinct techniques documented for this family, organized by ATT&CK tactic.

Resource Development

1 technique
T1587.001 Malware (evidence: 1)

Early criminal use focused on leveraging AI tools like ChatGPT to assist in coding malware...

Initial Access

2 techniques
T1566 Phishing (evidence: 2)

APT28 LAMEHUG has sent spearphishing emails impersonating Ukrainian government officials.

T1566.001 Spearphishing Attachment (evidence: 3)

According to CERT-UA, this malware was distributed as a phishing attachment disguised as an AI canvas or image generator application.

Execution

4 techniques
T1059 Command and Scripting Interpreter (evidence: 5)

LAMEHUG has used the Hugging Face API to query the Qwen2.5-Coder-32B-Instruct LLM to generate one-line Windows commands for the collection of system information and documents in specific folders on compromised hosts. LAMEHUG subsequently executed the returned commands.

T1059.003 Windows Command Shell (evidence: 5)

HeadLace: multi-component backdoor (CMD/VBS/BAT).

T1204 User Execution (evidence: 1)

"Once opened, a decoy PDF appears while the hidden binary executes in the background"

T1574 Hijack Execution Flow (evidence: 1)

First observation of “just-in-time” AI malware, like APT28’s PROMPTSTEAL, using LLMs in live operations.

Stealth

3 techniques
T1027 Obfuscated Files or Information (evidence: 2)

Both malware strains can "dynamically generate malicious scripts, obfuscate their own code to evade detection and leverage AI models to create malicious functions on demand," according to the report.

T1036 Masquerading (evidence: 1)

"ZIP archives entitled “Додаток.pdf.zip.” Once opened, a decoy PDF appears while the hidden binary executes in the background"

T1574 Hijack Execution Flow (evidence: 1)

First observation of “just-in-time” AI malware, like APT28’s PROMPTSTEAL, using LLMs in live operations.

Discovery

4 techniques
T1007 System Service Discovery (evidence: 1)

The following analytic detects the enumeration of Windows services using the net start command, which is a built-in utility that lists all running services on a system.

T1069.002 Domain Groups (evidence: 1)

"data stolen: system inventories, network layouts, Active Directory hierarchies"

T1082 System Information Discovery (evidence: 4)

Ember Bear gathers victim system information such as enumerating the volume of a given device; Frankenstein used Empire to gather various local system information; many malware entries state they collect system information from compromised hosts.

T1083 File and Directory Discovery (evidence: 1)

The dynamically generated commands enable the malware to gather system information and identify sensitive files before transmitting them across the network to an adversary-controlled server.

Collection

4 techniques
T1005 Data from Local System (evidence: 4)

Among the malware families in the intro table, LameHug/PROMPTSTEAL is the cleanest example of this route in the wild: it calls HuggingFace’s Inference API for Qwen 2.5-Coder-32B-Instruct to drive reconnaissance and data theft...

T1074 Data Staged (evidence: 2)

The content repeatedly describes adversaries and malware storing collected data, command output, credentials, archives, or files in local temporary folders, working directories, hidden directories, registry locations, recycle bins, or specific files prior to exfiltration.

T1119 Automated Collection (evidence: 1)

Recursively copy documents from various targeted directories into C:\ProgramData\info, consolidating sensitive files for potential exfiltration.

T1560 Archive Collected Data (evidence: 1)

"recursively harvested Office, PDF, and text documents are staged in %PROGRAMDATA%\info"

Command and Control

4 techniques
T1071 Application Layer Protocol (evidence: 1)

The dynamically generated commands enable the malware to gather system information and identify sensitive files before transmitting them across the network to an adversary-controlled server.

T1071.001 Web Protocols (evidence: 2)

The content repeatedly describes threat actors, malware, and campaigns using HTTP, HTTPS, HTTP GET/POST, cookies in headers, WebSockets/WSS, and web APIs for command and control or related communications.

T1071.002 File Transfer Protocols (evidence: 1)

Output is collected from Documents, Desktop and Downloads, then exfiltrated over SFTP or HTTP.

T1105 Ingress Tool Transfer (evidence: 2)

The group has shifted from stable malware frameworks to deploying short-lived, single-purpose tools that are discarded as soon as they are exposed.

Exfiltration

4 techniques
T1041 Exfiltration Over C2 Channel (evidence: 5)

All of the data and information collected by LAMEHUG malware is exfiltrated to its command-and-control (C2) server.

T1048 Exfiltration Over Alternative Protocol (evidence: 1)

It uses the Paramiko SSH module for Python to upload the stolen files using hardcoded IP (144[.]126[.]202[.]227) credentials.

T1048.003 Exfiltration Over Unencrypted Non-C2 Protocol (evidence: 1)

"exfiltration via either an SFTP tunnel to 144.126.202.227"

T1567 Exfiltration Over Web Service (evidence: 1)

"or an HTTP POST to the compromised domain stayathomeclasses.com/slpw/up.php"

INDICATORS OF COMPROMISE

IOCs tracked for this family

19 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
Network
2 tracked

IPs, domains, and DNS infrastructure linked to this family.

Hashes
17 tracked

File hashes (MD5, SHA-1, SHA-256) from samples and reports.
