Introduction
A significant phishing campaign orchestrated by the financially motivated threat group Hive0117 has been uncovered. This group, active since at least February 2022 [2], has targeted critical sectors across Russia and neighboring countries, utilizing sophisticated malware to exploit vulnerabilities in digital systems.
Description
A large-scale phishing campaign has been identified [2], attributed to the financially motivated threat group Hive0117 [2] [9], which has been active since at least February 2022 [2]. Detected by Russian cybersecurity firm F6 on April 29, 2025 [2] [8], this operation targeted over 550 email addresses across critical sectors, including media [1] [2] [4] [5] [9], tourism [1] [2] [3] [4] [5] [6] [9], finance [1] [2] [3] [4] [5] [6] [9], insurance [1] [5], retail [1] [2] [5] [9], manufacturing [1] [2] [9], energy [1] [2] [3] [4] [5] [9], telecommunications [3] [4] [5] [6], transport [1] [2], and biotechnology [1] [2] [5] [9], primarily within Russia and extending to Belarus, Lithuania [2] [4] [5], Estonia [1] [2] [4] [5] [9], and Kazakhstan [2] [4] [5] [6] [8]. The phishing emails [1] [2] [3] [4] [5] [6] [9], disguised as legitimate communications from real organizations [5], featured the subject line “Documents dated 04/29/2025” and contained password-protected ZIP archives labeled “Documents from 04/29/2025.zip.” When opened, these archives initiated an infection chain that released an enhanced variant of the DarkWatchman malware, a JavaScript-based remote access trojan (RAT) first reported in December 2021, known for its sophisticated evasion techniques that allow it to bypass standard antivirus detection.
DarkWatchman is capable of keylogging [1] [7], gathering system information [9], and executing secondary payloads [1] [2] [4], while also employing features that enable it to erase traces of its presence on compromised systems [1]. This fileless malware utilizes low-footprint persistence to infiltrate systems undetected and exfiltrate sensitive information. The current variant utilized in this campaign reflects Hive0117’s historical tactics, as previous phishing waves in 2023 employed similar bait themes [2], such as courier delivery notifications and mobilization orders [2], to entice recipients into executing malware-laden files [2]. The timing of this attack was strategic, coinciding with a long weekend [5] [6], potentially hindering a rapid response from targeted organizations.
Hive0117 often disguises its infrastructure as legitimate organizations and reuses domain registration data for command-and-control servers [2], with domains such as alliances[.]ru, voenkomat-mil[.]ru, and absolut-ooo[.]ru [2] being used to distribute malicious archives. The group has also employed social engineering tactics, such as impersonating government departments [4], to enhance the effectiveness of these phishing attempts [6]. By November 2023 [1], the campaign had expanded to target Russian banks, retailers [1], telecom operators [1], agro-industrial enterprises [1], fuel and energy companies [1], logistics firms [1], and IT companies [1]. This focus on targeting Russian entities rather than foreign firms raises concerns within the country’s cybersecurity community [4], highlighting vulnerabilities exacerbated by economic downturns and a lack of trust in digital systems. The actions of Hive0117 reflect a troubling trend of internal exploitation, where opportunistic actors prey on their own country’s critical infrastructure and citizens through sophisticated malware and manipulation techniques.
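As an added illustration of how a defender might turn the indicators above (lure subject, archive name, distribution domains) into a mail-gateway detection, here is example code that is not from the cited reports; the log line layout it parses is hypothetical and the sample lines are constructed. A password-protected ZIP on its own is scored only as a weak signal, since that is the part of the lure most likely to recur in benign traffic.

```python
import re

# Campaign indicators as the write-up gives them (domains kept defanged).
CAMPAIGN_SUBJECT = "Documents dated 04/29/2025"
CAMPAIGN_ATTACHMENT = "Documents from 04/29/2025.zip"
DISTRIBUTION_DOMAINS = ("alliances[.]ru", "voenkomat-mil[.]ru", "absolut-ooo[.]ru")


def refang(indicator: str) -> str:
    # Restore a defanged indicator ('example[.]ru' -> 'example.ru') for matching.
    return indicator.replace("[.]", ".").lower()


REFANGED_DOMAINS = {refang(d) for d in DISTRIBUTION_DOMAINS}
# Hypothetical mail-gateway log layout used for this example, not a real product format.
LOG_RE = re.compile(
    r'from=<(?P<sender>[^>]+)>\s+subject="(?P<subject>[^"]*)"\s+'
    r'attachment="(?P<attachment>[^"]*)"\s+encrypted=(?P<encrypted>yes|no)'
)


def score_event(line: str) -> list[str]:
    # Return the campaign indicators matched by one log line (empty list if none).
    m = LOG_RE.search(line)
    if not m:
        return []
    reasons = []
    sender_domain = m["sender"].rsplit("@", 1)[-1].lower()
    if sender_domain in REFANGED_DOMAINS:
        reasons.append("sender domain is a known Hive0117 distribution domain")
    if m["subject"].strip() == CAMPAIGN_SUBJECT:
        reasons.append("subject matches the campaign lure")
    if m["attachment"] == CAMPAIGN_ATTACHMENT:
        reasons.append("attachment name matches the campaign archive")
    elif m["attachment"].lower().endswith(".zip") and m["encrypted"] == "yes":
        # Password-protected ZIPs defeat content scanning; alone this is only a weak signal.
        reasons.append("password-protected ZIP attachment (weak signal)")
    return reasons


def flagged_events(lines: list[str]) -> dict[int, list[str]]:
    # Map line index -> matched indicators for every line that matched at least one.
    return {i: r for i, line in enumerate(lines) if (r := score_event(line))}


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '2025-04-29T08:12:03Z mta from=<info@alliances.ru> subject="Documents dated 04/29/2025" '
    'attachment="Documents from 04/29/2025.zip" encrypted=yes',
    '2025-04-29T08:15:44Z mta from=<hr@partner.example> subject="Q2 budget" attachment="budget.xlsx" encrypted=no',
    '2025-04-29T09:01:10Z mta from=<legal@vendor.example> subject="Contract" attachment="contract.zip" encrypted=yes',
]
```

Running `flagged_events(SAMPLE_LOG)` flags the first line on all three indicators and the third only on the weak ZIP signal, which is the kind of tiering that keeps a rule like this usable during a long weekend with a thin on-call rota.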
Conclusion
The Hive0117 phishing campaign underscores the persistent threat posed by cybercriminals exploiting digital vulnerabilities. The strategic timing and sophisticated methods employed highlight the need for enhanced cybersecurity measures and rapid response strategies. As these threats evolve, organizations must prioritize robust security protocols and foster trust in digital systems to mitigate future risks. The focus on internal targets suggests a growing trend of domestic exploitation, necessitating vigilance and collaboration within the cybersecurity community to safeguard critical infrastructure and sensitive information.
References
[1] https://snappy-tech-news.atsit.in/nl/posts/1019813686/
[2] https://www.infosecurity-magazine.com/news/phishing-campaigns-targets-russia/
[3] https://www.hendryadrian.com/darkwatchman-cybercrime-malware-returns-on-russian-networks/
[4] https://therealistjuggernaut.com/2025/05/01/darkwatchman-resurfaces-russias-own-malware-ghost-haunts-its-networks-again/
[5] https://socialbites.ca/tech-scifi/814447.html
[6] https://cybermaterial.com/hive0117-targets-russian-firms-with-phishing/
[7] https://www.cyware.com/resources/threat-briefings/daily-threat-briefing/cyware-daily-threat-intelligence-may-01-2025
[8] https://securityaffairs.com/177268/cyber-crime/hive0117-targets-russian-firms-with-darkwatchman-malware.html
[9] https://www.hispion.com/en/news/russia-and-ukraine-under-siege-by-stealthy-darkwatchman-malware/