Russia’s APT28 is deploying LLM-powered malware against Ukraine, and the same capabilities are being sold on underground platforms for $250 per month. Ukraine’s CERT-UA recently reported LAMEHUG, the first verified use of LLM-powered malware; it uses stolen Hugging Face API tokens to query a model at runtime during an attack. Cato Networks’ Vitaly Simonovich highlighted how these tactics breach Ukrainian defenses and also threaten global enterprises. Simonovich demonstrated turning consumer AI tools, including OpenAI’s and Microsoft’s LLMs, into malware-generation platforms in under six hours while bypassing their safety controls. This convergence of cyber threats and AI vulnerabilities is accelerating as the 2025 Cato CTRL Threat Report shows rising AI use in enterprises.

APT28 distributes the malware through phishing emails. Once running, it connects to Hugging Face’s API with the stolen tokens; a legitimate-looking PDF is shown to distract the target while LAMEHUG’s commands execute. Simonovich’s Black Hat presentation showed how easily AI tools can become malware factories, using a storytelling approach to bypass LLM safety controls. The threat is expanding through underground platforms such as Xanthrox and Nytheon AI, which offer unrestricted AI access for building malware.

Despite rapid enterprise AI adoption, security responses remain insufficient, leaving organizations exposed to advanced threats that exploit commercial AI tools for cyber warfare.
