The National Cyber Incident Response Team CERT-UA has detected new cyberattacks targeting the security and defense sectors.
Reports indicate that emails were circulated among government agencies, seemingly from a representative of the relevant ministry, containing an attachment named «Appendix.pdf.zip».
This ZIP archive contained a file with a «.pif» extension, built with PyInstaller (a tool that packages Python programs into standalone executables); CERT-UA classifies it as the malware LAMEHUG.
A distinctive feature of LAMEHUG is its use of large language models (LLM) to generate commands from textual descriptions. Once running on a computer, the program gathers basic system information, recursively searches for documents, and copies them.
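As an added illustration that is not part of the CERT-UA report, the following Python triage check flags the attachment pattern described above: a document-looking double extension on the archive name, an executable-type member (such as «.pif») inside the ZIP, and the marker that PyInstaller writes into the bundles it builds. The sample archive is constructed inline with harmless placeholder bytes, and the PyInstaller magic constant is assumed from that tool's archive format.

```python
import io
import os
import zipfile

# Executable-type extensions that are unusual inside a "document" archive.
EXECUTABLE_EXTENSIONS = {".pif", ".exe", ".scr", ".com", ".bat", ".cmd"}

# Cookie that PyInstaller appends to its bootloader executable
# (assumption: standard PyInstaller build; taken from the tool's archive format).
PYINSTALLER_MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"


def triage_attachment(filename: str, data: bytes) -> list[str]:
    """Return a list of findings for an e-mail attachment expected to be a ZIP."""
    findings = []
    lower = filename.lower()
    # Double extension such as "Appendix.pdf.zip": a document name hiding an archive.
    stem = lower.rsplit(".", 1)[0] if lower.endswith(".zip") else ""
    if stem.endswith((".pdf", ".doc", ".docx", ".xls", ".xlsx")):
        findings.append(f"double extension on archive name: {filename}")
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        findings.append("attachment is not a valid ZIP archive")
        return findings
    for info in archive.infolist():
        name = info.filename
        if os.path.splitext(name)[1].lower() in EXECUTABLE_EXTENSIONS:
            findings.append(f"executable member in archive: {name}")
        # Decompress the member and look for the PyInstaller cookie anywhere in it.
        if PYINSTALLER_MAGIC in archive.read(info):
            findings.append(f"PyInstaller bundle detected in member: {name}")
    return findings


def build_sample_archive() -> bytes:
    """Constructed sample mimicking the described lure; contains no real payload."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # Fake "MZ" header, padding, then the PyInstaller cookie: placeholder bytes only.
        zf.writestr("Appendix.pif", b"MZ" + b"\x00" * 64 + PYINSTALLER_MAGIC + b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    for finding in triage_attachment("Appendix.pdf.zip", build_sample_archive()):
        print(finding)
```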
With moderate confidence, this activity is associated with the group UAC-0001 (APT28), which is controlled by Russian intelligence services.