What defenders need to know about advanced malware campaigns

MALWARE ANALYSIS: LAMEHUG LLM-POWERED MALWARE WITH LINKS TO APT28 ℹ️ Researchers analyzed LAMEHUG, a new malware family that leverages LLMs to generate system commands dynamically during intrusions. Instead of relying on static payloads, the malware “asks” an LLM what commands to run, making its behavior more adaptable and harder to detect. 📍 DELIVERY & EXECUTION ■ The campaign spreads through spear-phishing, disguised as AI tools or image/document generators. Once launched, the malware runs background threads that query an LLM to produce one-line Windows commands for reconnaissance and data harvesting. 📍 DATA COLLECTION & EXFILTRATION ■ LAMEHUG collects hardware, process, network, and Active Directory information, then stages documents from user folders into C:\ProgramData\info\. Finally, the data is exfiltrated via SSH to attacker-controlled servers. 📍 DETECTION & DEFENSE ■ Defenders should monitor unusual copy commands (xcopy, robocopy), reconnaissance tools (wmic), and connections to LLM service domains like router[.]huggingface[.]co. 📍 WHY IT MATTERS ■ This is one of the first clear examples of malware weaponizing LLMs to guide its operations. It signals a shift toward AI-assisted intrusion techniques that challenge traditional defenses and demand new detection strategies. Reference: ◽ UAC-0001 cyberattacks on the security and defense sector using the LAMEHUG software tool, which uses LLM (CERT-UA) 🔗 https://lnkd.in/dPik2qxn ◽ From Prompt to Payload: LAMEHUG’s LLM-Driven Cyber Intrusion 🔗 https://lnkd.in/d2zUi89A ◽ Analyzing LAMEHUG – First Known LLM-Powered Malware with Links to APT28 🔗 https://lnkd.in/drFFMa3K #llm #aigenerative #malwareanalysis #threathunting #threatdetection #threatanalysis #threatintelligence #cyberthreatintelligence #cyberintelligence #cybersecurity #cyberprotection #cyberdefense

AI-powered malware isn’t science fiction—it’s here, and it’s changing cybersecurity. This new breed of malware can learn and adapt to bypass traditional security measures, making it harder than ever to detect and neutralize. Here’s the reality: AI-powered malware can: 👉 Outsmart conventional antivirus software 👉 Evade detection by constantly evolving 👉 Exploit vulnerabilities before your team even knows they exist But there’s hope. 🛡️ Here’s what you need to know to combat this evolving threat: 1️⃣ Shift from Reactive to Proactive Defense → Relying solely on traditional tools? It’s time to upgrade. AI-powered malware demands AI-powered security solutions that can learn and adapt just as fast. 2️⃣ Focus on Behavioral Analysis → This malware changes its signature constantly. Instead of relying on patterns, use tools that detect abnormal behaviors to spot threats in real time. 3️⃣ Embrace Zero Trust Architecture → Assume no one is trustworthy by default. Implement strict access controls and continuous verification to minimize the chances of an attack succeeding. 4️⃣ Invest in Threat Intelligence → Keep up with the latest in cyber threats. Real-time threat intelligence will keep you ahead of evolving tactics, making it easier to respond to new threats. 5️⃣ Prepare for the Unexpected → Even with the best defenses, breaches can happen. Have a strong incident response plan in place to minimize damage and recover quickly. AI-powered malware is evolving. But with the right strategies and tools, so can your defenses. 👉 Ready to stay ahead of AI-driven threats? Let’s talk about how to future-proof your cybersecurity approach.

We’ve spent years warning people about malicious files. Now the threat has quietly shifted to something far more subtle: automation. According to a recent VirusTotal report, attackers are weaponizing AI agent “skills” inside OpenClaw (formerly Clawdbot) to distribute malware like Atomic Stealer and many users never see it coming. OpenClaw is a popular self-hosted AI agent ecosystem. Its strength is extensibility: you can add “skills” to automate tasks, pull data, or enhance workflows. That same flexibility has now become a supply-chain attack surface. Here’s the twist: In many cases, the skill itself isn’t the malware. Instead, the “setup instructions” do the damage. VirusTotal found that malicious skills often look harmless on first inspection. The ZIP files contain little or no obvious malware. Instead, users are socially engineered into running obfuscated scripts or downloading external binaries during installation. By the time anything malicious happens, traditional AV tools have already been bypassed. A few highlights from the report: • The workflow is the payload: social engineering replaces exploits, and “helpful automation” becomes the delivery mechanism. • This isn’t fringe activity: VirusTotal analyzed 3,016 OpenClaw skills and identified hundreds with malicious traits. One publisher alone uploaded 314 weaponized skills, disguised as tools like “Yahoo Finance” or “Crypto Analytics.” • macOS and Windows are both targeted: from Atomic Stealer harvesting passwords and crypto wallets on macOS, to packed trojans hitting Windows environments. • AI fighting AI: VirusTotal now natively analyzes OpenClaw skills in Code Insight, using Gemini 3 Flash to summarize real behavior (network calls, sensitive data access, execution paths) rather than relying on labels or descriptions. So what does this mean for defenders and builders? A few practical takeaways: 1- Treat AI skills like third-party code If a skill asks you to paste commands into a shell or run external binaries, assume risk first—not convenience. 2- Sandbox by default AI agents should never have direct access to credentials, wallets, or sensitive data. Isolation matters more than ever. 3- Scan before you trust Community-contributed skills deserve the same scrutiny as any open-source dependency. And if you’re running an AI marketplace: Publish-time scanning is no longer optional. Flag remote execution, obfuscated scripts, and suspicious setup flows before they ever reach users. The takeaway is simple but uncomfortable: As AI ecosystems mature, attackers aren’t breaking in, they’re checking in. Source: https://lnkd.in/gDHNyqXP #AI #AISecurity #OpenClaw

🚨 IF THIS MALWARE FAILS TO STEAL YOUR SECRETS, IT DELETES YOUR DATA. Supply chain attacks are usually about espionage. This new campaign ("Shai-Hulud 2.0") is different, it’s about destruction. Great research by the team at Wiz highlights that this isn't just another malicious package. It’s a self-propagating worm that has evolved a nasty "Scorched Earth" protocol tarzgeting availability. As a CISO in a code-heavy environment, I usually lose sleep over data leaving the building. But this specific malware introduces a unique operational nightmare: 𝐓𝐡𝐞 𝐥𝐨𝐠𝐢𝐜 𝐢𝐬 𝐬𝐢𝐦𝐩𝐥𝐞 𝐚𝐧𝐝 𝐯𝐢𝐜𝐢𝐨𝐮𝐬: If the malware cannot exfiltrate your secrets (because your egress filtering blocked it), it attempts to 𝐰𝐢𝐩𝐞 𝐭𝐡𝐞 𝐝𝐞𝐯𝐞𝐥𝐨𝐩𝐞𝐫'𝐬 𝐞𝐧𝐭𝐢𝐫𝐞 𝐇𝐎𝐌𝐄 𝐝𝐢𝐫𝐞𝐜𝐭𝐨𝐫𝐲 as a fail-safe. It essentially punishes you for having good network security by destroying your local data instead. 𝐖𝐡𝐚𝐭 𝐲𝐨𝐮 𝐧𝐞𝐞𝐝 𝐭𝐨 𝐤𝐧𝐨𝐰: 1. 𝐈𝐭’𝐬 𝐚 𝐖𝐨𝐫𝐦: It doesn't just infect- it uses stolen GitHub/NPM tokens to auto-publish infected packages under your developers' names. It turns your organization into a malware distributor. 2. 𝐈𝐭 𝐡𝐢𝐭𝐬 𝐞𝐚𝐫𝐥𝐲: It exploits the preinstall phase. The infection happens before the package is even fully installed. 3. 𝐓𝐡𝐞 𝐈𝐦𝐩𝐚𝐜𝐭: In a Digital Bank or FinTech, if this moves laterally, we aren't just looking at a breach-we are looking at crippled dev teams and massive operational downtime. 𝐈𝐦𝐦𝐞𝐝𝐢𝐚𝐭𝐞 𝐚𝐜𝐭𝐢𝐨𝐧𝐬 𝐟𝐨𝐫 𝐦𝐲 𝐧𝐞𝐭𝐰𝐨𝐫𝐤: 1. 𝐇𝐮𝐧𝐭: Look for artifacts like bun_environment.js or truffleSecrets.json in developer endpoints. 2. 𝐁𝐥𝐨𝐜𝐤: Blacklist outbound traffic to webhook.site and oast.pro (the primary exfiltration channels). 3. 𝐏𝐨𝐥𝐢𝐜𝐲: If you are still allowing npm scripts to run automatically in CI/CD, turn it off (--ignore-scripts). The attacks are getting smarter. Our controls need to be smarter, not just tighter. #CISO #SupplyChainSecurity #DevSecOps #RiskManagement #ShaiHulud #NPM

🚨 APT28 introduces LLM-powered malware: LAMEHUG CERT-UA has just published details of a new campaign targeting Ukraine’s defence and security sector. The malware, dubbed LAMEHUG, is particularly noteworthy: it integrates a large language model (Qwen-2.5-Coder-32B-Instruct via Hugging Face API) directly into its operations. Instead of relying solely on hard-coded commands, the malware sends natural-language prompts to the LLM, which then generates system commands on the fly – enabling reconnaissance, file discovery, and data staging for exfiltration. Stolen data is then pushed out via SFTP or HTTP POST to attacker-controlled servers. This represents an interesting – and concerning – evolution in tradecraft: ♦️Adversaries are co-opting legitimate AI services to increase flexibility and evade static detections. ♦️Outbound traffic to trusted platforms (like Hugging Face) can mask malicious activity. ♦️ The use of LLMs in malware may reduce development time and increase adaptability mid-campaign. 📌 Takeaways for defenders: 🔍 Monitor for unusual API calls to LLM providers from endpoints 🔍 Treat external AI integrations as you would any third-party service – apply the same scrutiny and controls. 🔍 Phishing remains the initial vector: user awareness and attachment filtering still matter. This is likely just the beginning of adversaries experimenting with AI in offensive operations. https://lnkd.in/eugZtYar #aisecurity #dfir #cti

We are observing widespread and sophisticated fileless malware campaigns targeting companies in the African finance and telecommunications sectors. The campaign typically begins with a phishing email sent to departments such as Sales and Procurement, often disguised as a Request for Quotation (RFQ). The email includes an attachment, commonly a PowerShell (.ps1) dropper file crafted to appear legitimate. In one notable case, the dropper, once executed, downloaded what appeared to be a random image file onto the user’s system. At first glance, the image seemed harmless, but its huge file size raised suspicion. Further analysis revealed the file contained a malicious DLL hidden using steganography. The attackers concealed binary malware within the image file. The dropper extracted this hidden payload and executed it in memory. It also created a scheduled task via Windows Task Scheduler, ensuring persistence even after reboot. The DLL was executed using in-memory .NET assemblies and PowerShell one-liners, avoiding detection by traditional antivirus solutions. Once active, the payload could accept commands from a remote C2 server, launch processes, and exfiltrate sensitive system information. The malware was observed collecting public and private IP addresses, geolocation data, a list of scheduled tasks, and basic system metadata (useful for lateral movement or persistence). These behaviours are consistent with advanced fileless malware operations, where attackers minimise their on-disk footprint and rely on living-off-the-land techniques (LOLBins) to evade detection. Indicators of compromise (IoCs) revealed that the email sender, domain, and IPs have previously been reported in malicious activity, including spoofing, credential harvesting, spam, and phishing. This suggests the threat actors are leveraging an established, actively maintained infrastructure. Recommendations for Security Teams - Train employees to recognise phishing tactics such as urgency-driven language, unexpected RFQs, and suspicious attachments. Encourage reporting to IT/security teams. - Configure filtering policies to block or sandbox compressed file types (e.g., .zip, .rar, .tgz) and scripts (.ps1, .js, .vbs) from untrusted senders. - Enable DMARC, SPF, and DKIM enforcement for email to avoid spoofing and spam. - Deploy advanced EDR solutions with behavioural detection to catch in-memory execution, PowerShell abuse, and steganographic payloads. - Monitor for suspicious persistence mechanisms (e.g., unexpected scheduled tasks). - Regularly apply security patches to operating systems, browsers, and office applications. - Restrict execution of unsigned PowerShell scripts via Constrained Language Mode or AppLocker/Defender Application Control. - Monitor outbound connections to detect C2 traffic patterns. - Hunt for anomalous large image files or unusual PowerShell activity in logs. #SOC #ThreatIntelligence #DigitalForensics #Malware #FilelessMalware #Threat

The Lat61 Threat Intelligence team at Point Wild (Formerly Pango Group) has released new original research uncovering a highly evasive malware campaign that goes beyond traditional infostealers — including live attacker–victim chat, in-memory execution, and persistent remote control. Key findings from the analysis show how this threat operates: * Begins with a hidden batch file and PowerShell loader designed to minimize disk artifacts and evade traditional security tools * Uses Donut-generated shellcode to inject a heavily obfuscated .NET payload directly into trusted Windows processes * Combines Pulsar RAT remote-access capabilities with a large-scale infostealer targeting browsers, VPNs, developer tools, messaging apps, crypto wallets, and more * Employs advanced anti-VM and anti-debugging techniques, watchdog-based process migration, and stealthy data exfiltration via Discord webhooks and Telegram bots * Enables live interaction, with attackers observed chatting with victims while silently deploying additional payloads in the background This research shows how modern malware campaigns are no longer static infections, but dynamic, operator-driven attacks built to persist, adapt, and evade detection. Read the full report here: https://lnkd.in/gJmZnAFN #CyberSecurity #ThreatIntelligence #Lat61ThreatIntel #Lat61 #PointWild #MalwareAnalysis #Infostealer #RAT #InMemoryExecution #DonutLoader

The resurgence of the SystemBC botnet underscores a hard truth for defenders: infrastructure abuse is vastly outpacing disruption. Despite law enforcement action during Operation Endgame in 2024, SystemBC has rebounded to control more than 10,000 IP addresses worldwide. Active since 2019, the malware turns compromised systems into SOCKS5 proxies, quietly enabling credential theft, ransomware intrusions, and follow-on malware deployment. Researchers have observed the botnet operating at scale and with persistence, averaging nearly 3,000 active IPs per day and lingering on infected systems for weeks or even months. Its footprint is concentrated in hosting providers and commercial VPS environments highlighting how unsecured servers, weak registrar controls, and permissive hosting practices create fertile ground for abuse. Recent activity tied to WordPress exploitation and a stealthy new Linux-focused variant further demonstrates the malware’s ongoing evolution. As Paul Mockapetris famously states: ''Over 95% of Cyberattacks, Malware, and Bots rely upon DNS'' - everything good and bad relies upon DNS. Control over poorly secured IP space, DNS, and hosting infrastructure allows, and invites threat actors to rapidly rebuild, forcing defenders into an endless game of Digital Whack-a-Mole. The path forward is clear: security must shift from inactive and reactive postures toward proactive, infrastructure-level defense. In today’s threat landscape, that shift is not optional—it is the difference between Thriving and Surviving.

𝗧𝗿𝗮𝗻𝘀𝗽𝗮𝗿𝗲𝗻𝘁 𝗧𝗿𝗶𝗯𝗲’𝘀 𝗡𝗲𝘄 𝗥𝗔𝗧 𝗖𝗮𝗺𝗽𝗮𝗶𝗴𝗻: 𝗔 𝗥𝗲𝗻𝗲𝘄𝗲𝗱 𝗖𝘆𝗯𝗲𝗿-𝗘𝘀𝗽𝗶𝗼𝗻𝗮𝗴𝗲 𝗧𝗵𝗿𝗲𝗮𝘁 𝘁𝗼 𝗜𝗻𝗱𝗶𝗮 India’s cyber front is under constant pressure silent, persistent, and continuously evolving. The latest reminder comes from a renewed cyber espionage campaign linked to Transparent Tribe (APT36), a well known threat actor with a long history of targeting Indian interests. According to CYFIRMA, the campaign targets Indian government bodies, academic institutions, and strategic organisations, underscoring ongoing, long-term intelligence gathering efforts against the country. What Makes This Campaign Dangerous? This operation is not noisy ransomware or defacement it’s covert cyber espionage. The attack chain begins with phishing emails carrying ZIP attachments. Inside these archives are malicious Windows shortcut (LNK) files, cleverly disguised as PDF documents. Once a victim opens the file: - A Remote Access Trojan (RAT) is deployed silently in the background - A decoy PDF is displayed to reduce suspicion - The attacker gains persistent access to the system This combination of social engineering and stealthy execution allows the malware to remain undetected for extended periods. Adaptive Malware Built for Persistence One of the most concerning aspects of this campaign is the malware’s adaptive behavior. Researchers observed that the RAT dynamically adjusts its persistence mechanisms based on the antivirus or endpoint protection installed on the victim’s machine. Once fully deployed, the payload allows attackers to: - Steal sensitive data - Control and manipulate files - Capture screenshots - Monitor clipboard activity - Execute commands remotely These capabilities make it a powerful surveillance tool rather than a short-term attack. A Familiar Pattern, A Long Term Strategy Active since at least 2013, Transparent Tribe has steadily evolved its tools and techniques. Previous campaigns have used malware such as CapraRAT, Crimson RAT, ElizaRAT, and DeskRAT each improving stealth and control. CYFIRMA warns that the group remains strategically driven, focused on long-term intelligence collection rather than short-term disruption. Parallel Threat Activity: Patchwork (Maha Grass) Security researchers have also flagged related activity by Patchwork, another advanced threat group targeting defence and strategic sectors. This group has been linked to new spyware frameworks that rely on: - Advanced obfuscation - Long term persistence - Low visibility execution Together, these campaigns highlight a broader and ongoing threat to India’s strategic digital ecosystem. Why This Matters for India ? These attacks highlight a critical reality: modern cyber warfare is rarely loud. It is quiet, long term surveillance aimed at stealing intelligence, research, and strategic insights. Awareness is the first step. Preparedness is the next.

🚨 𝗠𝗮𝘀𝘁𝗮𝗦𝘁𝗲𝗮𝗹𝗲𝗿 𝗔𝗹𝗲𝗿𝘁 A newly identified malware campaign is exploiting 𝗪𝗶𝗻𝗱𝗼𝘄𝘀 𝗟𝗡𝗞 𝘀𝗵𝗼𝗿𝘁𝗰𝘂𝘁 𝗳𝗶𝗹𝗲𝘀 for initial access. Once triggered, it executes 𝗣𝗼𝘄𝗲𝗿𝗦𝗵𝗲𝗹𝗹 𝗰𝗼𝗺𝗺𝗮𝗻𝗱𝘀 to disable security protections and establish a C2 beacon. 📥 Delivered via 𝘀𝗽𝗲𝗮𝗿‑𝗽𝗵𝗶𝘀𝗵𝗶𝗻𝗴 𝗲𝗺𝗮𝗶𝗹𝘀 with malicious ZIP archives, the attack unfolds in 𝗺𝘂𝗹𝘁𝗶‑𝘀𝘁𝗮𝗴𝗲, 𝘀𝘁𝗲𝗮𝗹𝘁𝗵𝘆 𝗼𝗽𝗲𝗿𝗮𝘁𝗶𝗼𝗻𝘀—leveraging legitimate tools like 𝗠𝗶𝗰𝗿𝗼𝘀𝗼𝗳𝘁 𝗘𝗱𝗴𝗲 to blend in, maintain persistence, and evade defenses. 🔎 Using ANY.RUN 𝗜𝗻𝘁𝗲𝗹𝗹𝗶𝗴𝗲𝗻𝗰𝗲, I uncovered 995 𝗖2 𝗱𝗼𝗺𝗮𝗶𝗻𝘀 tied to this campaign. I’ve extracted the domain IOCs and built a 𝗢𝗻𝗲‑𝗖𝗹𝗶𝗰𝗸 𝗗𝗲𝗳𝗲𝗻𝗱𝗲𝗿 𝗫𝗗𝗥 𝗦𝗰𝗮𝗻, enabling defenders to quickly assess their 𝗠𝗗𝗘 𝗳𝗹𝗲𝗲𝘁 for potential exposure. 🫡 #Cybersecurity #MastaStealer #DefenderXDR #ThreatHunting