How Attackers Are Actually Using AI: LAMEHUG, PROMPTFLUX, and the New Malware Reality
The debate about whether attackers would "really" use AI in operations is over. APT28 has deployed the first publicly documented malware that uses a large language model to translate natural language instructions into system commands [2]. A separate malware family called PROMPTFLUX uses the Gemini API to regenerate its own code, creating a form of metamorphic persistence that signature-based detection simply cannot track [3]. Meanwhile, eCrime breakout times have collapsed to an average of 29 minutes, with the fastest observed breakout occurring in only 27 seconds [5].
These are documented incidents from active campaigns. AI-enabled adversary activity increased 89% year-over-year [5], and the threat isn't coming from some distant future. It arrived months ago.
APT28's LAMEHUG: The First LLM-Powered Malware in the Wild
Russia-nexus APT28 (FANCY BEAR) deployed a malware family called LAMEHUG against Ukrainian security and defense sector targets [2][5]. LAMEHUG is notable for a specific reason: it uses the Qwen2.5-Coder-32B-Instruct model through the Hugging Face API to convert natural language instructions into executable system commands [2].
The practical implication is significant. Traditional malware carries a fixed set of capabilities compiled into the binary. LAMEHUG's operator writes what they want in plain text, and the LLM generates the appropriate command. This gives the malware a flexible, adaptive capability set without requiring the developer to anticipate every scenario at build time.
LAMEHUG distribution follows social engineering patterns. Variants have been disguised as AI image generation software, with filenames like AI_generator_uncensored_Canvas_PRO_v0.9.exe and AI_image_generator_v0.95.exe [2]. A PyInstaller-compiled variant used the filename Appendix.pif, while a Python version circulated as image.py [2].
CrowdStrike's 2026 Global Threat Report confirmed that FANCY BEAR deployed LAMEHUG "to automate reconnaissance and document collection" [5]. The malware represents an operational shift: instead of hardcoding reconnaissance commands, the operator describes what they need, and the LLM figures out how to get it.
PROMPTFLUX and the PROMPT Malware Family
LAMEHUG isn't alone. A broader family of AI-enabled malware has emerged, tracked under the naming convention PROMPT [3].
PROMPTFLUX is a VBScript dropper that uses hard-coded Gemini API keys to request obfuscation techniques [3][4]. It regenerates its VBScript code to evade detection. Each regenerated variant performs the same function but with different code structure, variable names, and obfuscation layers. Traditional signature detection can't match what doesn't stay the same.
PROMPTFLUX logs its LLM-generated evasion code to %TEMP%\thinking_robot_log.txt [3], a useful artifact for forensic analysis.
PROMPTSTEAL is a Python-based data miner that also uses the Qwen2.5-Coder-32B-Instruct model for command generation [3]. It was deployed by APT28 against targets in Ukraine [3]. PROMPTSTEAL aggregates hardware details, process lists, network configurations, and Active Directory information into a file called info.txt within the C:\ProgramData\info directory [3].
PROMPTLOCK takes a different approach. This Go-language ransomware creates dynamic Lua scripts, adding another layer of runtime flexibility to its encryption operations [3].
The PROMPT family collectively demonstrates three distinct AI integration patterns: API-driven code regeneration (PROMPTFLUX), LLM-assisted command translation (PROMPTSTEAL), and dynamic script generation (PROMPTLOCK).
The Exploitation Speed Problem
AI's impact extends well beyond malware construction. The speed at which vulnerabilities get weaponized has fundamentally changed the math for defenders.
28.3% of CVEs were exploited within 24 hours of disclosure in 2025 [4]. More troubling: time-to-exploit has effectively gone negative, with exploits arriving before patches are available [4]. CrowdStrike's data is even more aggressive: 42% of vulnerabilities were exploited before public disclosure [5].
When compared to remediation timelines, the disparity becomes stark. The average time to remediate a high or critical CVE now sits at 74 days [1]. 45% of vulnerabilities in large organizations never get remediated at all [1].
Living Off the Land, Powered by AI: UAT-8837
China-nexus APT UAT-8837 has been targeting North American critical infrastructure since at least 2025 [1]. While not explicitly documented as AI-powered, the group's approach reflects the broader trend of using open-source, readily available tools for post-compromise operations.
UAT-8837 exploited CVE-2025-53690, a ViewState Deserialization zero-day in SiteCore [1]. Post-compromise, the group deployed a toolkit of open-source components: Earthworm for network tunneling, SharpHound for Active Directory enumeration, DWAgent for persistent remote access, and Certipy for AD Certificate Services exploitation [1]. A custom utility called GoTokenTheft was deployed as go.exe at C:\Users\<user>\Desktop\go.exe, with an associated file eee.ico used in token-stealing operations [1].
Talos noted that UAT-8837 "predominantly deploys open-source tools to harvest sensitive information such as credentials, security configurations, and domain and Active Directory information" [1]. The reliance on widely available tools makes attribution harder and lowers the barrier for other groups to replicate the approach.
IOC Table
| Type | Value | Context | Source |
|---|---|---|---|
| malware | LAMEHUG | AI-powered info stealer using LLM for command generation | [2] |
| malware | PROMPTFLUX | VBScript dropper using Gemini API for self-obfuscation | [3] |
| malware | PROMPTSTEAL | Python data miner using Qwen2.5-Coder for command generation | [3] |
| malware | PROMPTLOCK | Go-language ransomware creating dynamic Lua scripts | [3] |
| filename | Appendix.pif | PyInstaller-compiled LAMEHUG variant | [2] |
| filename | AI_generator_uncensored_Canvas_PRO_v0.9.exe | LAMEHUG variant disguised as AI image generator | [2] |
| filename | AI_image_generator_v0.95.exe | LAMEHUG variant with image generator disguise | [2] |
| filename | image.py | Python version of LAMEHUG | [2] |
| filename | %TEMP%\thinking_robot_log.txt | PROMPTFLUX log file for LLM-generated evasion code | [3] |
| filename | info.txt | PROMPTSTEAL data aggregation file | [3] |
| filename | go.exe | GoTokenTheft utility | [1] |
| filename | eee.ico | Associated with GoTokenTheft operations | [1] |
| filename | Earthworm | Network tunneling tool used by UAT-8837 | [1] |
| filename | SharpHound | AD enumeration tool used by UAT-8837 | [1] |
| filename | DWAgent | Remote admin tool for persistent access | [1] |
| filename | Certipy | AD Certificate Services exploitation tool | [1] |
MITRE ATT&CK Mapping
| Technique ID | Name | Relevance |
|---|---|---|
| T1190 | Exploit Public-Facing Application | UAT-8837 exploitation of CVE-2025-53690 in SiteCore [1] |
| T1059 | Command and Scripting Interpreter | LAMEHUG LLM-generated system commands [2] |
| T1059.005 | Visual Basic | PROMPTFLUX VBScript dropper with Gemini API calls [3] |
| T1027 | Obfuscated Files or Information | PROMPTFLUX code regeneration via LLM [3] |
| T1071.001 | Web Protocols | LAMEHUG/PROMPTSTEAL API calls to Hugging Face; PROMPTFLUX calls to Gemini [2][3] |
| T1070 | Indicator Removal on Host | AI-assisted forensic evasion techniques |
| T1078 | Valid Accounts | UAT-8837 credential harvesting operations [1] |
| T1083 | File and Directory Discovery | PROMPTSTEAL system enumeration [3] |
| T1057 | Process Discovery | PROMPTSTEAL process listing and data collection [3] |
| T1049 | System Network Connections Discovery | PROMPTSTEAL network configuration harvesting [3] |
| T1547 | Boot or Logon Autostart Execution | PROMPTFLUX metamorphic persistence mechanism [3] |
| T1055 | Process Injection | Post-exploitation techniques in PROMPT family [3] |
Detection and Hunting
API Call Monitoring: LAMEHUG and PROMPTSTEAL communicate with the Hugging Face API. PROMPTFLUX uses the Gemini API [2][3]. Network monitoring for outbound connections to api-inference.huggingface.co and generativelanguage.googleapis.com from endpoints that shouldn't be making those calls is a high-value detection.
File System Artifacts: Hunt for %TEMP%\thinking_robot_log.txt (PROMPTFLUX) and C:\ProgramData\info\info.txt (PROMPTSTEAL) [3]. The presence of Appendix.pif or executables matching LAMEHUG naming conventions (AI_generator_uncensored_Canvas_PRO_v0.9.exe, AI_image_generator_v0.95.exe) warrants immediate investigation [2].
VBScript Activity: PROMPTFLUX operates as a VBScript dropper [3]. Unusual VBScript execution, particularly scripts that make outbound API calls or rewrite themselves, should trigger alerts. Monitor wscript.exe and cscript.exe process creation with command lines referencing temp directories.
UAT-8837 Tool Detection: SharpHound generates distinctive LDAP query patterns during AD enumeration. Earthworm creates reverse tunnels that show up as unusual outbound connections from servers. DWAgent installations on systems where it isn't authorized indicate compromise [1]. Look for go.exe in user Desktop directories [1].
Breakout Time Implications: With average eCrime breakout at 29 minutes [5], detection and response within that window is critical. Focus EDR alerting on lateral movement indicators: remote service creation, PsExec-style execution, RDP from unusual sources, and credential access events.
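The API call monitoring idea above can be prototyped offline before it becomes a SIEM rule. The following is an added example, not code from the cited reports or from the rules later on this page: it parses proxy log lines, compares the destination host exactly against the two API hosts named here, and summarises hits per source outside an allowlist. The log layout, the `10.20.0.0/24` developer subnet and all sample lines are assumptions constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# The two LLM API hosts this page names for LAMEHUG/PROMPTSTEAL and PROMPTFLUX.
LLM_API_HOSTS = {"api-inference.huggingface.co", "generativelanguage.googleapis.com"}

# Assumption: subnet where developer/ML workstations legitimately call these APIs.
ALLOWED_SUBNETS = [ipaddress.ip_network("10.20.0.0/24")]

# Constructed sample, one request per line, oldest first:
# <time> <source ip> <user> <method> <target> <status>
SAMPLE_LOG = """\
2026-01-12T09:14:02Z 10.20.0.15 mlee POST https://api-inference.huggingface.co/models/example 200
2026-01-12T09:15:40Z 10.30.4.8 svc-web CONNECT generativelanguage.googleapis.com:443 200
2026-01-12T09:15:41Z 10.30.4.8 svc-web CONNECT generativelanguage.googleapis.com:443 200
2026-01-12T09:16:03Z 10.40.7.22 - POST https://API-Inference.HuggingFace.co./models/example 200
2026-01-12T09:17:10Z 10.40.7.23 jdoe GET https://api-inference.huggingface.co.example.net/x 200
2026-01-12T09:18:55Z 10.40.7.24 jdoe GET https://example.org/?ref=generativelanguage.googleapis.com 200
malformed line
"""


def target_host(method, target):
    """Return the lowercase destination host of a proxy request, or None."""
    # CONNECT targets are "host:port"; prefix "//" so urlsplit treats them as a netloc.
    raw = "//" + target if method == "CONNECT" else target
    try:
        host = urlsplit(raw).hostname
    except ValueError:
        return None
    # Drop a trailing root dot so "host." and "host" compare equal.
    return host.rstrip(".") if host else None


def is_allowlisted(src_ip):
    """True when the source address sits in an approved developer subnet."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in ALLOWED_SUBNETS)


def triage(log_text):
    """Summarise LLM API requests per non-allowlisted source address."""
    findings = {}
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 6:
            continue  # skip malformed lines instead of failing the whole sweep
        when, src_ip, user, method, target, _status = fields
        host = target_host(method.upper(), target)
        # Exact host comparison: a substring test would also match look-alike
        # domains and URLs that only mention the API host in a parameter.
        if host not in LLM_API_HOSTS:
            continue
        try:
            if is_allowlisted(src_ip):
                continue
        except ValueError:
            continue  # source field is not an IP address
        entry = findings.setdefault(
            src_ip, {"first_seen": when, "count": 0, "hosts": set(), "users": set()}
        )
        entry["count"] += 1
        entry["hosts"].add(host)
        entry["users"].add(user)
    return findings


if __name__ == "__main__":
    for src, info in sorted(triage(SAMPLE_LOG).items()):
        print(src, info["count"], info["first_seen"],
              sorted(info["hosts"]), sorted(info["users"]))
```

Allowlisting by source subnet rather than by username keeps service accounts and unauthenticated requests in scope, which is where server-side hits would appear.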
Analysis
The AI threat to cybersecurity has crossed from theoretical to operational. Three distinct patterns have emerged.
First, LLM-as-interpreter: LAMEHUG and PROMPTSTEAL use language models to translate operator intent into system commands [2][3]. This decouples capability from code. The malware doesn't need to contain every possible function at compile time. It generates what it needs at runtime.
Second, LLM-as-obfuscator: PROMPTFLUX uses generative AI to rewrite its own code [3]. This makes signature-based detection a losing game. The code changes faster than signatures can be written.
Third, LLM-as-accelerator: the collapse in time-to-exploit (28.3% of CVEs weaponized within 24 hours [4], 42% before public disclosure [5]) correlates with rapidly improving AI coding capabilities. The 74-day average remediation time [1] creates a massive window of exposure.
The 89% year-over-year increase in AI-enabled adversary activity [5] represents adoption velocity, not just capability improvement. Tools and techniques are spreading across threat actor tiers, from state-sponsored APTs to eCrime groups.
Red Sheep Assessment
Confidence: High
The PROMPT malware family and LAMEHUG represent a structural shift in how malware operates, not just an incremental improvement. The consistent use of hosted LLM APIs (Hugging Face, Gemini) rather than locally-run models reveals a deliberate tradeoff: threat actors are accepting the OPSEC risk of external API calls in exchange for access to more capable models than they can run locally. This dependency is simultaneously a strength (better AI capabilities) and a vulnerability (API keys can be revoked, traffic to these endpoints can be monitored, and API providers can cooperate with law enforcement).
The sources collectively point toward something none of them state explicitly: the defensive window for disrupting AI-enabled malware at the API layer is closing. As local model inference improves and smaller, capable models proliferate, threat actors will migrate from cloud APIs to embedded models. PROMPTFLUX's use of Gemini and LAMEHUG's use of Hugging Face represent the first generation of this approach. The second generation will run entirely offline.
A contrarian take worth considering: the current reliance on external APIs may actually make AI-enabled malware easier to detect and disrupt than traditional malware. Outbound API calls to known ML platforms are a distinctive behavioral signal that defenders can exploit right now. The strategic play is to build detection for these patterns before threat actors move to local inference.
The convergence of sub-30-minute breakout times [5], negative time-to-exploit [4], and 74-day remediation windows [1] creates an asymmetry that traditional patch management cannot close. Organizations that don't adapt their defensive posture to these timelines are operating with an assumed level of risk that likely exceeds their stated risk tolerance.
Defender's Checklist
- [ ] Monitor LLM API traffic: Create network detection rules for outbound connections to api-inference.huggingface.co and generativelanguage.googleapis.com from non-developer endpoints. Flag any matches for immediate triage.
- [ ] Hunt for PROMPT family artifacts: Search file systems for %TEMP%\thinking_robot_log.txt, C:\ProgramData\info\info.txt, and LAMEHUG filenames (Appendix.pif, AI_generator_uncensored_Canvas_PRO_v0.9.exe, AI_image_generator_v0.95.exe) [2][3].
- [ ] Compress detection-to-response timelines: Validate that your mean-time-to-respond is under 29 minutes for lateral movement alerts. The average eCrime breakout time is 29 minutes [5]. Anything slower means containment happens after the attacker has already spread.
- [ ] Audit VBScript execution: Restrict or monitor wscript.exe and cscript.exe execution via AppLocker or WDAC policies. PROMPTFLUX's VBScript dropper [3] relies on script host availability.
- [ ] Review SiteCore deployments: Patch CVE-2025-53690 (ViewState Deserialization) immediately. This zero-day vulnerability has been actively exploited by UAT-8837 [1].
References
- [1] UAT-8837 targets critical infrastructure sectors in North America - Cisco Talos
- [2] APT28's New Arsenal: LAMEHUG, the First AI-Powered Malware - Logpoint
- [3] Rise of the AI-Enabled Malware - PolySwarm
- [4] M-Trends 2026: Data, Insights, and Strategies From the Frontlines - Google Cloud / Mandiant
- [5] 2026 CrowdStrike Global Threat Report: AI Accelerated Adversaries - CrowdStrike
Hunt Guide: Hunt Report: AI-Enabled Malware Operations (LAMEHUG/PROMPTFLUX)
Hypothesis: If APT28 or related threat actors are leveraging AI-enabled malware in our environment, we expect to observe outbound API calls to LLM services (Hugging Face, Google Gemini), unusual VBScript activity, and specific file artifacts in temporary directories.
Intelligence Summary: APT28 has deployed the first documented LLM-powered malware (LAMEHUG) that uses AI models to translate natural language instructions into system commands. A broader PROMPT malware family includes PROMPTFLUX (metamorphic VBScript using Gemini API), PROMPTSTEAL (data miner), and PROMPTLOCK (ransomware), representing a fundamental shift in malware capabilities.
Confidence: High | Priority: Critical
Scope
- Networks: All enterprise networks with focus on external-facing web servers, developer workstations, and high-value target systems
- Timeframe: Initial: 30 days retrospective, Ongoing: Real-time + daily sweep
- Priority Systems: External-facing SiteCore instances, systems with access to sensitive data, developer workstations with API keys, domain controllers
MITRE ATT&CK Techniques
T1071.001 — Application Layer Protocol: Web Protocols (Command and Control) [P1]
LAMEHUG and PROMPTSTEAL make API calls to Hugging Face (api-inference.huggingface.co), while PROMPTFLUX communicates with Google Gemini API (generativelanguage.googleapis.com) for LLM-powered command generation and code obfuscation
Splunk SPL:
index=* (dest="api-inference.huggingface.co" OR dest="generativelanguage.googleapis.com" OR url="*api-inference.huggingface.co*" OR url="*generativelanguage.googleapis.com*") | stats count by src_ip, dest, url, user | where count > 5
Elastic KQL:
destination.domain:("api-inference.huggingface.co" OR "generativelanguage.googleapis.com") OR url.full:(*api-inference.huggingface.co* OR *generativelanguage.googleapis.com*)
Sigma Rule:
```yaml
title: AI API Communication for Malware C2
id: 8f3e4a92-3c71-4a89-b5d2-1a8c9f3e5d12
status: experimental
author: RedSheep Security/Stone
description: Detects outbound connections to AI/LLM APIs commonly abused by LAMEHUG and PROMPT malware families
references:
  - https://logpoint.com/en/blog/apt28s-new-arsenal-lamehug-the-first-ai-powered-malware
  - https://blog.polyswarm.io/rise-of-the-ai-enabled-malware
logsource:
  category: proxy
detection:
  selection:
    c-uri|contains:
      - 'api-inference.huggingface.co'
      - 'generativelanguage.googleapis.com'
  filter:
    cs-username|contains:
      - 'developer'
      - 'ml-team'
  condition: selection and not filter
falsepositives:
  - Legitimate developer API usage
  - ML/AI teams accessing these services
level: high
tags:
  - attack.command_and_control
  - attack.t1071.001
```
Filter out known developer workstations and ML team members. Alert on any API calls from servers or non-developer endpoints.
T1059.005 — Command and Scripting Interpreter: Visual Basic (Execution) [P2]
PROMPTFLUX operates as a VBScript dropper that regenerates its own code using Gemini API responses, creating metamorphic persistence
Splunk SPL:
index=* sourcetype=WinEventLog:Security EventCode=4688 (New_Process_Name="*\\wscript.exe" OR New_Process_Name="*\\cscript.exe") | eval temp_exec=if(like(Process_Command_Line,"%temp%") OR like(Process_Command_Line,"%tmp%"),1,0) | where temp_exec=1 | table _time, ComputerName, Account_Name, New_Process_Name, Process_Command_Line
Elastic KQL:
event.code:4688 AND process.name:("wscript.exe" OR "cscript.exe") AND process.command_line:(*temp* OR *tmp*)
Sigma Rule:
```yaml
title: PROMPTFLUX VBScript Execution Pattern
id: 7a4b3c89-2d91-4f56-8c73-5b9e1a2d3c47
status: stable
author: Florian Roth (rule), RedSheep Security/Stone (PROMPTFLUX adaptation)
description: Detects VBScript execution from temp directories consistent with PROMPTFLUX dropper behavior
references:
  - https://blog.polyswarm.io/rise-of-the-ai-enabled-malware
logsource:
  product: windows
  category: process_creation
detection:
  selection_process:
    Image|endswith:
      - '\wscript.exe'
      - '\cscript.exe'
  selection_temp:
    CommandLine|contains:
      - '\Temp\'
      - '\Tmp\'
      - '%TEMP%'
      - '%TMP%'
  condition: all of selection_*
falsepositives:
  - Legitimate scripts in temp directories
  - Software installers
level: medium
tags:
  - attack.execution
  - attack.t1059.005
```
Monitor for rapid successive VBScript executions indicating code regeneration. Check for thinking_robot_log.txt creation.
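The "rapid successive VBScript executions" check in the note above needs correlation across events, which a single-event Sigma rule does not express. The following is an added example, not part of the original hunt guide: a sliding-window counter over process-creation events that alerts once per burst of script-host launches from temp paths on the same host. The 10-minute window, the threshold of 3 and every sample event are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

SCRIPT_HOSTS = ("\\wscript.exe", "\\cscript.exe")
# Same temp-path markers the Sigma rule above matches, lowercased for comparison.
TEMP_MARKERS = ("\\temp\\", "\\tmp\\", "%temp%", "%tmp%")

# Assumptions: the page gives no numbers, so tune both to the environment.
WINDOW = timedelta(minutes=10)
THRESHOLD = 3

# Constructed process-creation events: (time, host, image, command line).
SAMPLE_EVENTS = [
    ("2026-01-12T09:00:00", "WS-090", r"C:\Windows\System32\wscript.exe",
     r'wscript.exe "C:\Users\b\AppData\Local\Temp\setup.vbs"'),
    ("2026-01-12T10:00:00", "WS-041", r"C:\Windows\System32\wscript.exe",
     r'wscript.exe "C:\Users\a\AppData\Local\Temp\update.vbs"'),
    ("2026-01-12T10:01:00", "WS-077", r"C:\Windows\System32\cscript.exe",
     r"cscript.exe C:\Windows\System32\slmgr.vbs /dli"),
    ("2026-01-12T10:02:30", "WS-041", r"C:\Windows\System32\wscript.exe",
     r'wscript.exe "C:\Users\a\AppData\Local\Temp\update.vbs"'),
    ("2026-01-12T10:03:00", "WS-041", r"C:\Windows\System32\notepad.exe",
     r'notepad.exe "C:\Users\a\AppData\Local\Temp\notes.txt"'),
    ("2026-01-12T10:05:10", "WS-041", r"C:\Windows\System32\wscript.exe",
     r'wscript.exe "C:\Users\a\AppData\Local\Temp\update.vbs"'),
    ("2026-01-12T10:07:45", "WS-041", r"C:\Windows\System32\wscript.exe",
     r'wscript.exe "C:\Users\a\AppData\Local\Temp\update.vbs"'),
    ("2026-01-12T11:30:00", "WS-090", r"C:\Windows\System32\wscript.exe",
     r'wscript.exe "C:\Users\b\AppData\Local\Temp\setup.vbs"'),
    ("2026-01-12T14:00:00", "WS-090", r"C:\Windows\System32\wscript.exe",
     r'wscript.exe "C:\Users\b\AppData\Local\Temp\setup.vbs"'),
]


def is_temp_script_launch(image, command_line):
    """True for wscript/cscript started with a temp-directory path on its command line."""
    lowered = command_line.lower()
    return image.lower().endswith(SCRIPT_HOSTS) and any(m in lowered for m in TEMP_MARKERS)


def find_bursts(events, window=WINDOW, threshold=THRESHOLD):
    """Return one alert per host each time launches within `window` reach `threshold`."""
    recent = defaultdict(deque)        # host -> timestamps still inside the window
    armed = defaultdict(lambda: True)  # host -> may raise a new alert
    alerts = []
    for when, host, image, command_line in sorted(events):
        if not is_temp_script_launch(image, command_line):
            continue
        ts = datetime.fromisoformat(when)
        queue = recent[host]
        queue.append(ts)
        while ts - queue[0] > window:
            queue.popleft()            # evict launches older than the window
        if len(queue) < threshold:
            armed[host] = True         # burst is over, allow the next alert
        elif armed[host]:
            armed[host] = False        # alert once per burst, not once per event
            alerts.append({"host": host, "start": queue[0].isoformat(),
                           "end": ts.isoformat(), "count": len(queue)})
    return alerts


if __name__ == "__main__":
    for alert in find_bursts(SAMPLE_EVENTS):
        print(alert)
```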
T1027 — Obfuscated Files or Information (Defense Evasion) [P1]
PROMPTFLUX uses LLM-generated obfuscation techniques, logging results to %TEMP%\thinking_robot_log.txt
Splunk SPL:
index=* sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational EventCode=11 TargetFilename="*\\thinking_robot_log.txt" | stats values(Image) as creating_process by ComputerName, TargetFilename | eval alert="PROMPTFLUX artifact detected"
Elastic KQL:
event.code:11 AND file.path:*thinking_robot_log.txt
Sigma Rule:
```yaml
title: PROMPTFLUX Log File Creation
id: 9c5d7a83-4b72-4e91-a3c8-7d9f2b3a5c69
status: experimental
author: RedSheep Security/Stone
description: Detects creation of thinking_robot_log.txt file used by PROMPTFLUX to log LLM-generated evasion code
references:
  - https://blog.polyswarm.io/rise-of-the-ai-enabled-malware
logsource:
  product: windows
  category: file_event
detection:
  selection:
    TargetFilename|endswith: '\thinking_robot_log.txt'
  condition: selection
falsepositives:
  - Unlikely to have false positives due to unique filename
level: critical
tags:
  - attack.defense_evasion
  - attack.t1027
```
This is a high-confidence indicator. Any detection warrants immediate investigation and containment.
T1083 — File and Directory Discovery (Discovery) [P1]
PROMPTSTEAL performs system enumeration and saves aggregated data to C:\ProgramData\info\info.txt
Splunk SPL:
index=* (sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational EventCode=11 TargetFilename="C:\\ProgramData\\info\\info.txt") OR (sourcetype=WinEventLog:Security EventCode=4663 Object_Name="C:\\ProgramData\\info\\info.txt") | table _time, ComputerName, Image, User, TargetFilename
Elastic KQL:
(event.code:11 AND file.path:"C:\\ProgramData\\info\\info.txt") OR (event.code:4663 AND file.path:"C:\\ProgramData\\info\\info.txt")
Sigma Rule:
```yaml
title: PROMPTSTEAL Data Aggregation File
id: 8b7c4d91-3a85-4f72-9d81-6c7e5a9b4d82
status: experimental
author: RedSheep Security/Stone
description: Detects creation or access to info.txt file used by PROMPTSTEAL malware for data aggregation
references:
  - https://blog.polyswarm.io/rise-of-the-ai-enabled-malware
logsource:
  product: windows
  category: file_event
detection:
  selection:
    TargetFilename: 'C:\ProgramData\info\info.txt'
  condition: selection
falsepositives:
  - None expected
level: critical
tags:
  # T1083 belongs to the Discovery tactic, matching the section heading
  - attack.discovery
  - attack.t1083
```
High-confidence IOC. Check for associated Python processes and network activity.
T1190 — Exploit Public-Facing Application (Initial Access) [P1]
UAT-8837 exploited CVE-2025-53690 (SiteCore ViewState Deserialization) to gain initial access
Splunk SPL:
index=* sourcetype=iis (cs_uri_stem="*ViewState*" OR cs_uri_stem="*__VIEWSTATE*") cs_method=POST | eval viewstate_len=len(cs_uri_query) | where viewstate_len > 10000 | stats count by c_ip, cs_uri_stem, cs_host | where count > 10
Elastic KQL:
url.path:(*ViewState* OR *__VIEWSTATE*) AND http.request.method:POST
Sigma Rule:
```yaml
title: SiteCore CVE-2025-53690 Exploitation Attempt
id: 7c9d8a92-5b83-4e71-8d92-9a7c6b5d4a91
status: stable
author: Emerging Threats (base rule), RedSheep Security/Stone (CVE-2025-53690 adaptation)
description: Detects potential exploitation of SiteCore ViewState Deserialization vulnerability
references:
  - https://blog.talosintelligence.com/uat-8837/
logsource:
  category: webserver
detection:
  selection:
    cs-method: 'POST'
    cs-uri-stem|contains:
      - 'ViewState'
      - '__VIEWSTATE'
  selection_suspicious:
    - sc-status: 500
    - cs-uri-query|len: '>10000'
  condition: selection and selection_suspicious
falsepositives:
  - Large legitimate ViewState operations
level: high
tags:
  - attack.initial_access
  - attack.t1190
  - cve.2025.53690
```
Patch CVE-2025-53690 immediately. Monitor for post-exploitation activity from source IPs.
T1055 — Process Injection (Defense Evasion) [P2]
UAT-8837 deployed GoTokenTheft (go.exe) for token manipulation and privilege escalation operations
Splunk SPL:
index=* sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational EventCode=10 TargetImage="*\\go.exe" GrantedAccess=0x1478 | join type=outer ComputerName [search index=* EventCode=1 Image="*\\go.exe" | fields ComputerName, CommandLine] | table _time, ComputerName, SourceImage, TargetImage, GrantedAccess, CommandLine
Elastic KQL:
event.code:10 AND process.name:"go.exe" AND winlog.event_data.GrantedAccess:"0x1478"
Sigma Rule:
```yaml
title: GoTokenTheft Token Manipulation
id: 6a8c9d71-4b92-4a83-9c71-5d8f7a9b3c82
status: experimental
author: RedSheep Security/Stone
description: Detects potential token manipulation by GoTokenTheft malware
references:
  - https://blog.talosintelligence.com/uat-8837/
logsource:
  product: windows
  service: sysmon
detection:
  selection_access:
    EventID: 10
    TargetImage|endswith: '\go.exe'
    GrantedAccess:
      - '0x1478'
      - '0x1518'
  selection_creation:
    EventID: 1
    Image|endswith: '\go.exe'
    ParentImage|endswith: '\Desktop\'
  condition: 1 of selection_*
falsepositives:
  - Legitimate Go language binaries
level: high
tags:
  - attack.privilege_escalation
  - attack.t1055
```
Look for go.exe specifically in Desktop folders with associated eee.ico file.
Indicators of Compromise
| Type | Value | Context |
|---|---|---|
| filename | Appendix.pif | PyInstaller-compiled LAMEHUG variant deployed by APT28 |
| filename | AI_generator_uncensored_Canvas_PRO_v0.9.exe | LAMEHUG variant disguised as AI image generation software |
| filename | AI_image_generator_v0.95.exe | LAMEHUG variant with AI image generator disguise |
| filename | image.py | Python version of LAMEHUG malware |
| filename | %TEMP%\thinking_robot_log.txt | PROMPTFLUX log file containing LLM-generated evasion code |
| filename | C:\ProgramData\info\info.txt | PROMPTSTEAL data aggregation output file |
| filename | go.exe | GoTokenTheft utility deployed by UAT-8837 for token manipulation |
| filename | eee.ico | File associated with GoTokenTheft operations by UAT-8837 |
| domain | api-inference.huggingface.co | Hugging Face API endpoint used by LAMEHUG and PROMPTSTEAL for LLM queries |
| domain | generativelanguage.googleapis.com | Google Gemini API endpoint used by PROMPTFLUX for code regeneration |
IOC Sweep Queries (Splunk):
index=* (sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational EventCode=11 TargetFilename="*\\Appendix.pif") OR (sourcetype=WinEventLog:Security EventCode=4663 Object_Name="*\\Appendix.pif")
index=* (Image="*\\AI_generator_uncensored_Canvas_PRO_v0.9.exe" OR TargetFilename="*\\AI_generator_uncensored_Canvas_PRO_v0.9.exe" OR CommandLine="*AI_generator_uncensored_Canvas_PRO_v0.9.exe*")
index=* (Image="*\\AI_image_generator_v0.95.exe" OR TargetFilename="*\\AI_image_generator_v0.95.exe" OR CommandLine="*AI_image_generator_v0.95.exe*")
index=* (TargetFilename="*\\image.py" OR CommandLine="*python*image.py*" OR CommandLine="*py*image.py*")
index=* TargetFilename="*\\thinking_robot_log.txt"
index=* (TargetFilename="C:\\ProgramData\\info\\info.txt" OR Object_Name="C:\\ProgramData\\info\\info.txt")
index=* (Image="*\\Desktop\\go.exe" OR TargetFilename="*\\Desktop\\go.exe")
index=* (TargetFilename="*\\eee.ico" OR CommandLine="*eee.ico*")
index=* (dest="api-inference.huggingface.co" OR query="api-inference.huggingface.co" OR url="*api-inference.huggingface.co*")
index=* (dest="generativelanguage.googleapis.com" OR query="generativelanguage.googleapis.com" OR url="*generativelanguage.googleapis.com*")
YARA Rules
LAMEHUG_APT28_AI_Malware — Detects LAMEHUG AI-powered malware variants used by APT28
```yara
rule LAMEHUG_APT28_AI_Malware {
    meta:
        description = "Detects LAMEHUG AI-powered malware variants deployed by APT28"
        author = "RedSheep Security/Stone"
        date = "2025-01-07"
        reference = "https://logpoint.com/en/blog/apt28s-new-arsenal-lamehug-the-first-ai-powered-malware"
        tlp = "WHITE"
    strings:
        $pif = "Appendix.pif" ascii wide
        $ai_gen1 = "AI_generator_uncensored_Canvas_PRO" ascii wide
        $ai_gen2 = "AI_image_generator_v0.95" ascii wide
        $py_variant = "image.py" ascii wide
        $huggingface = "api-inference.huggingface.co" ascii
        $qwen_model = "Qwen2.5-Coder-32B-Instruct" ascii
        $api_key_pattern = /Bearer\s+[a-zA-Z0-9_\-]{20,}/ ascii
    condition:
        uint16(0) == 0x5A4D and (
            any of ($pif, $ai_gen*, $py_variant) or
            ($huggingface and $qwen_model) or
            ($huggingface and $api_key_pattern)
        )
}
```
PROMPTFLUX_Metamorphic_VBS — Detects PROMPTFLUX VBScript dropper that uses Gemini API for metamorphic code generation
```yara
rule PROMPTFLUX_Metamorphic_VBS {
    meta:
        description = "Detects PROMPTFLUX metamorphic VBScript malware using Gemini API"
        author = "RedSheep Security/Stone"
        date = "2025-01-07"
        reference = "https://blog.polyswarm.io/rise-of-the-ai-enabled-malware"
        tlp = "WHITE"
    strings:
        $vbs_sig = "Wscript." ascii nocase
        $gemini_api = "generativelanguage.googleapis.com" ascii
        $log_file = "thinking_robot_log.txt" ascii wide
        $http_obj = "WinHttp.WinHttpRequest" ascii
        $api_key = /key=[a-zA-Z0-9_\-]{39}/ ascii
        $obfuscate_req = "obfuscate" ascii nocase
        $regenerate = "regenerate" ascii nocase
    condition:
        ($vbs_sig and $gemini_api) or
        ($log_file and ($http_obj or $api_key)) or
        ($gemini_api and any of ($obfuscate_req, $regenerate))
}
```
UAT8837_GoTokenTheft — Detects GoTokenTheft token manipulation tool used by UAT-8837
```yara
rule UAT8837_GoTokenTheft {
    meta:
        description = "Detects GoTokenTheft token manipulation utility deployed by UAT-8837"
        author = "RedSheep Security/Stone"
        date = "2025-01-07"
        reference = "https://blog.talosintelligence.com/uat-8837/"
        tlp = "WHITE"
    strings:
        $go_exe = "go.exe" ascii wide
        $eee_ico = "eee.ico" ascii wide
        $desktop_path = "Desktop\\go.exe" ascii wide
        $token_apis1 = "OpenProcessToken" ascii
        $token_apis2 = "DuplicateTokenEx" ascii
        $token_apis3 = "SetThreadToken" ascii
        $token_apis4 = "ImpersonateLoggedOnUser" ascii
    condition:
        (uint16(0) == 0x5A4D or uint32(0) == 0x464c457f) and (
            ($go_exe and $eee_ico) or
            ($desktop_path) or
            ($go_exe and 2 of ($token_apis*))
        )
}
```
Suricata Rules
SID 2051001 — LAMEHUG/PROMPTSTEAL Hugging Face API Communication
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE LAMEHUG/PROMPTSTEAL Hugging Face API Communication"; flow:established,to_server; content:"POST"; http_method; content:"api-inference.huggingface.co"; http_host; content:"Bearer "; http_header; content:"model"; http_client_body; reference:url,logpoint.com/en/blog/apt28s-new-arsenal-lamehug-the-first-ai-powered-malware; classtype:trojan-activity; sid:2051001; rev:1;)
SID 2051002 — PROMPTFLUX Gemini API Code Generation Request
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PROMPTFLUX Gemini API Code Generation Request"; flow:established,to_server; content:"POST"; http_method; content:"generativelanguage.googleapis.com"; http_host; content:"/v1beta/models/"; http_uri; content:"generateContent"; http_uri; content:"obfuscat"; http_client_body; nocase; reference:url,blog.polyswarm.io/rise-of-the-ai-enabled-malware; classtype:trojan-activity; sid:2051002; rev:1;)
SID 2051003 — Potential SiteCore CVE-2025-53690 Exploitation
alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET EXPLOIT Potential SiteCore CVE-2025-53690 ViewState Deserialization"; flow:established,to_server; content:"POST"; http_method; content:"__VIEWSTATE"; http_client_body; content:"ViewStateUserKey"; http_client_body; pcre:"/Content-Length:\s*[0-9]{5,}/Hi"; threshold:type limit,track by_src,count 5,seconds 60; reference:cve,2025-53690; classtype:attempted-admin; sid:2051003; rev:1;)
Data Source Requirements
| Source | Required For | Notes |
|---|---|---|
| Proxy/Web Gateway Logs | T1071.001 | Essential for detecting outbound API calls to Hugging Face and Google Gemini |
| Sysmon | T1059.005, T1027, T1083, T1055 | EventID 1 (process creation), EventID 8 (CreateRemoteThread), EventID 10 (ProcessAccess), EventID 11 (FileCreate) |
| Windows Security Event Log | T1059.005, T1083 | EventCode 4688 (process creation), 4663 (file access auditing) |
| PowerShell Script Block Logging | T1059.001 | EventID 4104 - Enable for detecting encoded/obfuscated script execution |
| IIS/Web Server Logs | T1190 | Required for detecting SiteCore CVE-2025-53690 exploitation attempts |
| DNS Logs | T1071.001 | Secondary detection for API domain resolution |