The National Cyber Incident Response Team CERT-UA has detected new cyber threats affecting the defense sector.
Among government bodies, emails were observed that appeared to originate from a representative of the relevant ministry and carried an attachment titled «Attachment.pdf.zip».
The ZIP archive contained a file with the «.pif» extension, a Python program packaged with the PyInstaller tool, which CERT-UA classifies as the malicious software LAMEHUG.
A notable feature of LAMEHUG is its use of an LLM (large language model) to generate commands from textual descriptions. Once on a computer, the program gathers basic information about the system, performs a recursive search for documents, and copies them.
With moderate confidence, this activity is associated with the group UAC-0001 (APT28), which is controlled by Russian intelligence agencies.
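The lure described above combines three observable indicators: a double-extension archive name («Attachment.pdf.zip»), an executable «.pif» member inside the ZIP, and a PyInstaller-built binary. The following triage script is an added example, not CERT-UA's tooling and not derived from the LAMEHUG sample; it checks a mail attachment for those indicators and builds a constructed, harmless ZIP in memory to demonstrate the checks. The PyInstaller cookie magic it looks for is the `MEI` marker the PyInstaller bootloader writes into packaged executables; treating its presence as "PyInstaller-built" is a heuristic, and the extension lists are assumptions chosen for illustration.

```python
"""Triage a mail attachment for the indicators reported in the advisory:
a decoy double-extension ZIP name, an executable (.pif) member, and a
PyInstaller-built binary. Added example; not CERT-UA code."""
import io
import os
import zipfile

# Assumed lists for illustration: extensions Windows runs as programs, and
# document-looking extensions used as the decoy part of a double extension.
EXECUTABLE_EXTENSIONS = {".pif", ".exe", ".scr", ".com", ".bat", ".cmd", ".js", ".vbs"}
DECOY_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt"}

# Cookie magic the PyInstaller bootloader writes into every packaged executable.
PYINSTALLER_COOKIE_MAGIC = b"MEI\014\013\012\013\016"


def split_extensions(filename):
    """Lower-cased extension chain: 'Attachment.pdf.zip' -> ['.pdf', '.zip']."""
    parts = filename.lower().split(".")
    return ["." + p for p in parts[1:]] if len(parts) > 1 else []


def has_decoy_double_extension(filename):
    """True when a document-looking extension sits directly before the final one."""
    exts = split_extensions(filename)
    return len(exts) >= 2 and exts[-2] in DECOY_EXTENSIONS


def looks_pyinstaller_built(data):
    """Heuristic: the PyInstaller cookie magic appears somewhere in the file body."""
    return PYINSTALLER_COOKIE_MAGIC in data


def triage_attachment(filename, data):
    """Return a list of (severity, reason) findings for one attachment."""
    findings = []
    if has_decoy_double_extension(filename):
        findings.append(("medium", f"double extension on attachment name: {filename}"))
    if split_extensions(filename)[-1:] == [".zip"]:
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for member in zf.infolist():
                    if member.is_dir():
                        continue
                    exts = split_extensions(os.path.basename(member.filename))
                    if exts and exts[-1] in EXECUTABLE_EXTENSIONS:
                        findings.append(("high", f"executable member in archive: {member.filename}"))
                        if looks_pyinstaller_built(zf.read(member)):
                            findings.append(("high", f"PyInstaller-built executable: {member.filename}"))
        except zipfile.BadZipFile:
            findings.append(("low", "attachment named .zip but is not a valid ZIP"))
    return findings


def build_sample_attachment():
    """Construct a harmless stand-in for the reported lure (constructed sample,
    not malware): a ZIP named like the lure holding a .pif member whose bytes
    contain the PyInstaller cookie magic."""
    fake_pif = b"MZ" + b"\0" * 64 + PYINSTALLER_COOKIE_MAGIC + b"\0" * 16
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Attachment.pif", fake_pif)
    return "Attachment.pdf.zip", buf.getvalue()


if __name__ == "__main__":
    name, data = build_sample_attachment()
    for severity, reason in triage_attachment(name, data):
        print(f"[{severity}] {reason}")
```

Run stand-alone, the script reports one medium finding for the double extension and two high findings for the executable member and the PyInstaller marker. In a mail gateway, the "high" findings would justify quarantining the message; the "medium" finding on its own is a common phishing pattern worth surfacing to analysts even when the archive contents look benign.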