Experts at the State Service of Special Communications and Information Protection of Ukraine (Derzhspetszviazok) uncovered another wave of activity by the hacker group UAC-0001, controlled by Russian intelligence services.
The group attempted to steal information from computers of security and defense sector agencies by spreading emails with suspicious attachments.
According to the Derzhspetszviazok press service, the file named "Додаток.pdf.zip" ("Attachment.pdf.zip") was sent to government bodies, allegedly from a representative of a relevant ministry. During the investigation, at least two additional file variants were found, including "image.py".
“The emails were sent using a compromised email account, and the command infrastructure is hosted on legitimate but compromised resources... The mentioned ZIP archive contains an executable file with the extension '.pif', converted from code written in the Python programming language. The National Cyber Incident Response Team classifies it as malicious software,” the statement says.
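The statement describes a ZIP attachment whose name ends in ".pdf.zip" and which carries an executable member with the ".pif" extension. The following Python script is an added mail-gateway triage check and is not part of the Derzhspetszviazok statement or any of its tooling: it flags archives with a decoy double extension and any executable member inside them. The list of executable extensions beyond ".pif", the decoy document extensions, and the member filenames in the constructed sample are assumptions made for the example.

```python
"""Attachment triage check for the ZIP-with-.pif pattern described in the statement."""
import io
import os
import zipfile

# Extensions treated as executable payloads. ".pif" is the one named in the
# statement; the others are an assumption added for broader coverage.
EXECUTABLE_EXTS = {".pif", ".exe", ".scr", ".com", ".bat", ".cmd"}
# Document-looking extensions assumed to serve as the decoy half of a double
# extension such as "Додаток.pdf.zip".
DECOY_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt"}


def has_decoy_double_extension(filename):
    """True when the name looks like 'something.pdf.zip': a document
    extension sits just before the real (final) extension."""
    base = os.path.basename(filename).lower()
    root, ext = os.path.splitext(base)
    _, inner = os.path.splitext(root)
    return bool(ext) and inner in DECOY_EXTS


def triage_zip(archive_name, data):
    """Return a list of findings for a ZIP attachment supplied as bytes.
    An empty list means nothing in this check fired."""
    findings = []
    if has_decoy_double_extension(archive_name):
        findings.append(f"decoy double extension in archive name: {archive_name}")
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                name = info.filename
                ext = os.path.splitext(name.lower())[1]
                if ext in EXECUTABLE_EXTS:
                    findings.append(f"executable member inside archive: {name}")
                if has_decoy_double_extension(name):
                    findings.append(f"decoy double extension on member: {name}")
    except zipfile.BadZipFile:
        findings.append("attachment is not a valid ZIP archive")
    return findings


def build_sample(members):
    """Build an in-memory ZIP from a {name: bytes} mapping.
    Used only to construct demonstration input; not a real artefact."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample mirroring the shape in the statement: a ".pdf.zip"
    # archive holding a ".pif" member. The member name is an assumption.
    suspicious = build_sample({"Додаток.pdf.pif": b"MZ placeholder"})
    for finding in triage_zip("Додаток.pdf.zip", suspicious):
        print("ALERT:", finding)
    benign = build_sample({"report.pdf": b"%PDF-1.4 placeholder"})
    print("benign findings:", triage_zip("report.zip", benign))
```

The check deliberately looks at names only and never extracts or runs members, so it is safe to place in front of a mail queue; a hit should route the message to quarantine for analyst review rather than be treated as proof of malice on its own.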
Derzhspetszviazok explained that this malware, named LAMEHUG, uses a conversational artificial intelligence model in its operation.
Once inside a computer, the program collects basic system information, recursively searches for documents, and copies them. With moderate confidence, this activity is linked to the group UAC-0001 (APT28), controlled by Russian special services.