Overview:
Generative AI is reshaping the cyberthreat landscape as advanced persistent threats (APTs) and cybercriminals continue to integrate AI into their operations. While AI offers transformative benefits for cybersecurity defense, it also creates new risks when exploited by malicious actors. Initially, adversarial use of AI primarily enhanced existing methods by making traditional cyberattacks more efficient and scalable. Recent developments, however, point to a shift toward AI-driven malware that enables entirely new capabilities, marking a significant evolution in the threat environment.
Recent Assessments of Adversary use of AI
By late 2024 and early 2025, leading AI firms began publishing detailed accounts of adversarial AI misuse. In October 2024, OpenAI confirmed that threat actors had leveraged GPT models during the intermediate stages of cyberattacks. These models were not employed to develop novel malware, but rather to refine phishing lures, generate scripts and conduct reconnaissance. Similarly, in January 2025, Google Threat Intelligence reported that its Gemini platform was used by APT groups to support reconnaissance, resource development and evasion activities.
Both cases demonstrated how adversaries relied on generative AI to accelerate cyber operations. These efforts improved efficiency, lowered the barrier to conducting certain attack phases and increased scalability. Importantly, however, the misuse of commercial AI models during this period did not produce fundamentally new techniques. The threat landscape seemed to be shaped by incremental gains rather than by the introduction of entirely novel capabilities.
Nation State Activity:
The adoption of AI by nation-state actors largely followed established patterns of activity consistent with their geopolitical and strategic objectives. Iranian-linked groups accounted for the majority of observed AI-enabled intrusions, frequently using generative AI to enhance reconnaissance against defense organizations and to craft convincing spearphishing and influence operations. Chinese-backed actors integrated AI into privilege escalation, lateral movement and data exfiltration efforts, applying AI tools to increase stealth and effectiveness once access was obtained. North Korean actors used AI for fraudulent purposes, such as developing fake job applications to infiltrate organizations and acquiring infrastructure to support further intrusions.
By contrast, Russian actors had shown relatively limited engagement with AI up until mid-2025. This perception shifted dramatically with the discovery of a new AI-powered malware family attributed to APT28, signaling that Russian-linked groups are now willing to experiment with AI not just as a supporting tool but as the foundation of offensive operations.
LAMEHUG Malware:
In mid-2025, the Computer Emergency Response Team of Ukraine (CERT-UA) identified LAMEHUG, the first publicly confirmed AI-powered malware, and attributed its use to the Russian-backed APT28 group. LAMEHUG was distributed through phishing campaigns launched from compromised official accounts and targeted Ukrainian executive and defense authorities.
The malware is written in Python and is unique in that it integrates directly with Hugging Face’s Qwen 2.5-Coder-32B-Instruct model. Instead of relying on pre-coded commands, LAMEHUG uses the large language model to generate commands in real time based on plain-text prompts. CERT-UA observed the malware producing commands for reconnaissance, execution and data exfiltration, making it the first example of an AI system serving as the operational core of a malware framework. This marks a significant departure from earlier cases where AI was used to enhance supporting tasks such as phishing or scripting but not to drive attack execution itself.
Significance to the Space Industry:
The emergence of LAMEHUG represents a turning point in the cyberthreat landscape with direct implications for the space industry. For years, space organizations have faced persistent targeting by APT28 and other state-backed actors due to their close alignment with government, defense and critical infrastructure interests. By deploying AI-powered malware, adversaries can now adapt dynamically to highly specialized environments that are common across the space sector, including satellite ground stations, aerospace manufacturing facilities and operations networks that integrate both IT and OT components.
Traditional malware often struggles against bespoke systems or hardened environments because its commands must be prewritten and static. LAMEHUG changes this by introducing adaptability, enabling malware to generate commands on the fly in response to its environment. In a space industry context, this could allow adversaries to issue reconnaissance commands tailored to unique mission control systems, modify payload execution to bypass specialized defenses or exfiltrate sensitive technical data in ways optimized by AI-generated logic. This adaptability raises the likelihood that malware could penetrate supply chains, compromise engineering environments or persist within critical mission operations.
The broader convergence of nation-state experimentation with AI, exemplified by LAMEHUG, and the parallel rise of criminal AI tools such as GhostGPT underscores a widening spectrum of AI-enabled threats. Space organizations may soon face both highly adaptive espionage malware deployed by state adversaries and mass-produced AI-driven tools circulating in criminal ecosystems. For defenders, the lesson is clear: AI is no longer simply accelerating adversarial operations but is beginning to transform how attacks are executed. For the space industry, which sits at the intersection of government, defense and critical infrastructure, this evolution poses a direct and urgent risk.
