Hey there! Did you hear about the latest cyber threat involving Russia’s APT28? They are actively using LLM-powered malware against Ukraine. What’s even more concerning is that underground platforms are selling these capabilities for just $250 per month.
Last month, Ukraine’s CERT-UA confirmed the deployment of LAMEHUG, a malware powered by LLM, in the wild. This malicious software, attributed to APT28, uses stolen Hugging Face API tokens to launch real-time attacks while distracting victims with content.
In a recent interview with VentureBeat, researcher Vitaly Simonovich from Cato Networks highlighted how this attack tradecraft is not limited to Ukraine. APT28 is leveraging AI-powered malware to test Ukrainian cyber defenses, drawing parallels to threats faced by enterprises worldwide.
Simonovich showcased how any enterprise AI tool can be turned into a malware development platform in under six hours. By converting popular AI models like ChatGPT-4o and Microsoft Copilot, he demonstrated how easy it is to create functional malware that bypasses current safety controls.
The rise of AI-powered attacks coincides with the explosive adoption of AI in the enterprise, as highlighted in the 2025 Cato CTRL Threat Report. Major AI platforms have seen significant adoption, signaling a shift from pilot to production environments.
Understanding APT28’s LAMEHUG Malware
Researchers describe LAMEHUG as a highly efficient malware. It is typically delivered through phishing emails impersonating Ukrainian officials, containing executables in ZIP archives. Once executed, the malware connects to Hugging Face’s API using stolen tokens to query specific AI models.
APT28’s approach involves using dual-purpose designs to deceive victims. While victims view legitimate-looking PDFs, the malware runs AI-generated commands for reconnaissance and data harvesting. Another variant distracts victims with AI-generated images during data exfiltration.
Simonovich explains that Russia’s use of Ukraine as a testing ground for cyber weapons is a significant development in AI warfare.
The Path to Malware in Six Hours
Simonovich’s demonstration reveals the speed and ease with which malware can be created using AI tools. By employing a technique called “Immersive World,” he transformed consumer AI tools into malware factories within hours, showcasing the vulnerabilities of LLM safety controls.
The emergence of platforms like Xanthrox AI and Nytheon AI, offering unrestricted AI capabilities for a monthly fee, underscores the existing infrastructure for AI-powered attacks. These platforms provide tools for creating malware without the usual safety controls.
Impact on Enterprise AI Adoption
Cato Networks’ analysis shows a rapid increase in AI adoption across various industries, creating new attack surfaces for cyber threats. Security leaders need to be vigilant as AI tools become integral to business functions.
Despite the risks posed by AI-powered attacks, responses from major AI companies have been inconsistent. Organizations deploying AI tools must be aware of the security implications and work closely with AI companies to address vulnerabilities.
The New Reality of Nation-State Attacks
Simonovich’s research highlights the evolving landscape of cyber threats, where creativity and minimal resources can lead to sophisticated attacks. Enterprises must recognize the dual-use nature of AI tools and implement robust security measures to combat emerging threats.
Today, the line between productivity tools and weapons is blurred, with AI-powered attacks becoming increasingly accessible. It’s crucial for organizations to adapt to this new reality and prioritize cybersecurity in the age of AI.
