Filter articles

Weekly Cyber Briefing 01.09.2025

Cyber Intelligence Briefing: 01 Sep 2025.

Attackers are now using AI to make malware smarter and harder to stop.

Author: Nick Harris, CISO in Residence, Assured

Cyber Intelligence Briefing: 01 September 2025

This week’s Cyber Threat Intelligence Briefing is a weekly round-up of the latest cybersecurity news, trends, and indicators, curated by intelligence specialists.

AI now writing and running malware on the go

APT28 has been using LameHug, a Python-based malware sent through spearphishing ZIP files against the Ukrainian government. Once opened, it connects to the Qwen 2.5-Coder-32B-Instruct model on Hugging Face to turn hidden prompts into live system commands, allowing attackers to steal data and move around without updating the payload [Cyber Security News].

ESET has also uncovered PromptLock, the first AI-powered ransomware. Written in Golang, it uses a locally hosted model through the Ollama API to generate Lua scripts that search, steal and encrypt files with SPECK-128. Researchers expect destructive features to follow [IT Pro].

Assured’s CISO reacts:

Attackers are now using AI to make malware smarter and harder to stop. The best defence is to get ahead: strengthen email security, control what scripts and apps can run, limit unnecessary outbound traffic, keep backups safe, and test your defences through regular threat hunting. Here’s some recommended technical controls:

1. LAMEHUG: Remote Code Execution via AI-enhanced prompts
Mitigation: M1040 – Network Denial of Service Prevention (targeting unauthorized API usage)
  • Implementation via Intune (Endpoint Firewall):
    1. Configure Windows Defender Firewall inbound rule: block outbound connections from suspicious load paths (e.g., the PyInstaller .pif executable) to known domains such as huggingface.co and the specific IP ranges for Hugging Face’s API endpoints.
    2. Apply hash-based blocking (file hash from LameHug sample) using AppLocker or Windows Defender Application Control (WDAC), targeting binaries that attempt to initiate external LLM calls.
2. LAMEHUG: Dynamic command generation wrecking static detection
Mitigation: M1041 – Behaviour Monitoring
  • Implementation via GPO (PowerShell logging & AMSI):
    1. Enable Module Logging (registry):
      Set-ItemProperty -Path "HKLM:\Software\Policies\Microsoft\Windows\PowerShell\ModuleLogging" -Name "EnableModuleLogging" -Value 1
      Set-ItemProperty -Path "HKLM:\Software\Policies\Microsoft\Windows\PowerShell\ModuleLogging\ModuleNames" -Name "*" -Value "*"
    2. Enable Script Block Logging:
      Set-ItemProperty -Path "HKLM:\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" -Name "EnableScriptBlockLogging" -Value 1
3. PromptLock: AI-generated ransomware with obfuscated behaviour
Mitigation: M1042 – Application Hardening
  • Implementation via Intune (AppLocker or WDAC):
    1. Create WDAC policy to allow only approved signed binaries. Block execution of unsigned Go-based binaries or unknown Lua script runners (e.g., ollama.exe or the Go-generated PromptLock binary).
    2. Disallow local use of unauthorized LLM tools by denying execution of runtime like Ollama or untrusted LLM runtime executables via a WDAC file path rule.
4. PromptLock: File encryption via dynamically generated Lua scripts
Mitigation: M1036 – File Integrity Monitoring
  • Implementation via GPO (File System Auditing):
    1. Enable auditing on sensitive directories (e.g., user Documents, Desktop, Downloads):
      • Apply SACLs to log file changes, creations, deletions in %USERPROFILE%\Documents, %USERPROFILE%\Downloads, and company-shared folders.
    2. Use Windows Event Forwarding: collect security event IDs like 4663 (File accessed) and 4660 (File deleted), and monitor for anomalous spikes indicating automated encryption.
5. PromptLock: Local LLM model misuse as prompt injection
Mitigation: M1035 – Data Loss Prevention
  • Implementation via Intune (Device Restrictions & BitLocker):
    1. Set DLP rules to block output of scripts or bulky data files (e.g., Lua scripts or .zip containing sensitive files) to cloud or removable media by defining “Sensitive Files” patterns (.txt, .docx, .xlsx) and locking export pathways.

CRM breach again

Workday is reporting its CRM has been targeted and customer information accessed. They don’t name the CRM but there are similarities with the Salesforce breaches previously reported. Workday are reporting that there has been unauthorised access to customers’ names, email addresses and phone numbers, but no sign that the intruders had accessed data stored on its platform.

Assured’s CISO reacts:

The risk here is simple. Names, emails and phone numbers are enough to launch convincing phishing campaigns. Lock down CRM access, review who can log in, enable MFA everywhere, and brief staff to expect targeted scams.

For more practical steps, we covered this in our August review: Cyber Intelligence Briefing

Topics

Latest articles

Be an insider. Sign up now!