Record summary
A quick snapshot of what this page covers.
Attack context
How this AI attack works in practice.
- ATLAS ID: AML.T0011
- ATT&CK external ID: T1204
- Priority score: 70
Mitigations
Defenses that may help against this attack.
AML.M0023 - AI Bill of Materials
An AI BOM can help users identify untrustworthy binaries.
AML.M0011 - Restrict Library Loading
Restricting binaries from loading external libraries can limit their ability to execute malicious code.
AML.M0018 - User Training
Training users to be able to identify attempts at manipulation will make them less susceptible to performing techniques that cause the execution of malicious code.
AML.M0014 - Verify AI Artifacts
Introduce proper checking of signatures to ensure that unsafe AI artifacts will not be executed in the system.
AML.M0016 - Vulnerability Scanning
Vulnerability scanning can help identify malicious binaries and prevent user execution.
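The AI Bill of Materials (AML.M0023) and artifact verification (AML.M0014) mitigations above both come down to one loader-side check: refuse to execute or deserialize any AI artifact that is not listed, with a matching digest, in an authenticated manifest. The following is an added example, not ATLAS's or any vendor's own code; the artifact bytes, manifest fields and publisher key are constructed for the example, and the HMAC tag over the manifest is an assumption standing in for a real public-key signature (the structure of the check is the same; only the signing primitive differs).

```python
import hashlib
import hmac
import json

# Constructed sample artifacts standing in for files a model loader would read
# (weights, tokenizer files, helper scripts). Contents are arbitrary bytes.
ARTIFACTS = {
    "model.bin": b"\x00\x01weights-constructed-for-the-example\x02\x03",
    "tokenizer.json": b'{"vocab": ["<pad>", "<unk>", "hello"]}',
}

# Assumption: publisher and loader share this key. A production deployment would
# sign the manifest with a public-key scheme (e.g. Ed25519) so the loader holds no
# secret; HMAC is used here only because it is in the standard library.
PUBLISHER_KEY = b"constructed-publisher-key-do-not-reuse"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def canonical_json(obj: dict) -> bytes:
    # Stable serialization so publisher and loader authenticate identical bytes.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(artifacts: dict) -> dict:
    # Publisher side: the bill of materials lists every artifact and its expected digest.
    return {
        "name": "example-model",
        "version": "1.0.0",
        "artifacts": {name: {"sha256": sha256_hex(data)} for name, data in artifacts.items()},
    }


def sign_manifest(manifest: dict, key: bytes) -> str:
    # Authentication tag over the whole manifest (stand-in for a detached signature).
    return hmac.new(key, canonical_json(manifest), hashlib.sha256).hexdigest()


def verify_artifact(name: str, data: bytes, manifest: dict, tag: str, key: bytes) -> tuple:
    """Loader side: accept an artifact only if the manifest is authentic and lists this exact content."""
    # 1. The manifest itself must be authentic; otherwise a tampered manifest could
    #    simply list the digest of a malicious file.
    if not hmac.compare_digest(sign_manifest(manifest, key), tag):
        return (False, "manifest signature invalid")
    # 2. Only artifacts named in the manifest are ever considered.
    entry = manifest["artifacts"].get(name)
    if entry is None:
        return (False, "artifact not listed in manifest")
    # 3. The bytes on disk must match the listed digest exactly.
    if not hmac.compare_digest(sha256_hex(data), entry["sha256"]):
        return (False, "digest mismatch")
    return (True, "ok")


def load_if_verified(name: str, data: bytes, manifest: dict, tag: str, key: bytes) -> bytes:
    # The check runs before any deserialization; unverified bytes never reach a parser.
    ok, reason = verify_artifact(name, data, manifest, tag, key)
    if not ok:
        raise ValueError(f"refusing to load {name}: {reason}")
    return data


if __name__ == "__main__":
    manifest = build_manifest(ARTIFACTS)
    tag = sign_manifest(manifest, PUBLISHER_KEY)
    print(verify_artifact("model.bin", ARTIFACTS["model.bin"], manifest, tag, PUBLISHER_KEY))
    print(verify_artifact("model.bin", ARTIFACTS["model.bin"] + b"extra", manifest, tag, PUBLISHER_KEY))
    print(verify_artifact("helper.py", b"print('hi')", manifest, tag, PUBLISHER_KEY))
```

The order of the three checks matters: verifying the manifest's authenticity first means an attacker who can replace both the artifact and the manifest still fails, and rejecting unlisted names means a dropped-in extra file is never loaded even when its digest is self-consistent. The digest comparison uses `hmac.compare_digest` so the loader does not leak timing information about how much of a digest matched.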
Case studies
Examples from public reports and exercises.
LAMEHUG: Malware Leveraging Dynamic AI-Generated Commands
In July 2025, Ukrainian authorities reported the emergence of LAMEHUG, a new AI-powered malware attributed to the Russian state-backed threat actor APT28 (also tracked as Forest Blizzard or UAC-0001). LAMEHUG uses a large language model (LLM) to dynamically generate commands on the infected hosts.
The campaign began with a phishing attack leveraging a compromised government email account to deliver a malicious ZIP archive disguised as Appendix.pdf.zip. The archive contained the LAMEHUG malware, a Python-based executable packed with PyInstaller. When executed, the malware makes calls to an LLM endpoint to generate malicious commands from natural language prompts. Dynamically generated commands may make the malware harder to detect. LAMEHUG was configured to collect files from the local system and exfiltrate them.
Arbitrary Code Execution with Google Colab
Google Colab is a Jupyter Notebook service that executes on virtual machines. Jupyter Notebooks are often used for ML and data science research and experimentation, containing executable snippets of Python code and common Unix command-line functionality. In addition to data manipulation and visualization, this code execution functionality can allow users to download arbitrary files from the internet, manipulate files on the virtual machine, and so on.
Users can also share Jupyter Notebooks with other users via links. In the case of notebooks with malicious code, users may unknowingly execute the offending code, which may be obfuscated or hidden in a downloaded script, for example.
When a user opens a shared Jupyter Notebook in Colab, they are asked whether they'd like to allow the notebook to access their Google Drive. While there can be legitimate reasons for allowing Google Drive access, such as to allow a user to substitute their own files, there can also be malicious effects such as data exfiltration or opening a server to the victim's Google Drive.
This exercise raises awareness of the effects of arbitrary code execution and Colab's Google Drive integration. Practice secure evaluations of shared Colab notebook links and examine code prior to execution.
Source
Where the information on this page comes from.