Monday, May 5, 2025
Hive0117 Group Attacking Employees of Energy, Finance, & Software Industries

The Hive0117 group has launched a new phishing campaign targeting individuals who work in the energy, banking, transportation, and software security sectors at organizations headquartered in Russia, Kazakhstan, Latvia, and Estonia.

This group is known for disseminating the fileless malware known as DarkWatchman, which has keylogging, information-gathering, and secondary payload deployment capabilities.

IBM X-Force reports that, because Hive0117 uses emerging regulations connected with the ongoing crisis in Ukraine as lures for its operations, and because DarkWatchman is both fileless and multi-functional, the group quite probably represents a danger to in-region entities and businesses.


New Hive0117 Phishing Campaign

The emails are sent to people’s work email accounts, and use an electronic summons for conscription in the Russian Armed Forces as their phishing lure.

Actors associated with Hive0117 sent emails in Russian with subject lines that appeared to be orders for mobilization as of 10 May 2023.

“For authenticity, the emails include multiple images along with logos of the official coat of arms of the Russian Ministry of Defense,” according to the information shared with Cyber Security News.

“Machine translation of the email shows references to the then-recent legislation regarding guidance surrounding mobilization to the Russian Armed Forces.”

Hive0117 phish imitating electronic conscription notice

The email sender is a fictitious organization of the Russian Federation’s Ministry of Defense’s Main Directorate of the Military Commissariat.

The email's archive attachment includes an executable that, when run, installs DarkWatchman malware, which works similarly to the Hive0117 malware described in April 2022.

DarkWatchman Malware infection chain

The downloader files download files to the %TEMP% folder, where a self-extracting archive (SFX) installer drops two files: a JS file and a file containing a blob of hexadecimal characters.

The SFX installer executes the JS file, passing its own path as an input argument. The blob contains encrypted data that, when decoded, yields a block of base64-encoded PowerShell implementing a keylogger; the JS file contains obfuscated code that serves as the backdoor.

The setup has a note that reads, “The comment below contains SFX script commands” in Russian.

“The JavaScript backdoor is executed using the Windows Script Host (WSH) environment, wscript.exe, and utilizes the Windows Registry as a storage mechanism for configuration and other data to avoid writing to disk and avoid detection by anti-virus software,” researchers explain.

Each time the backdoor starts, a UID string is generated and used for various functions. The backdoor creates a scheduled task named with the UID and configured with elevated rights, so that it runs as if an admin user had launched it.

The backdoor searches for the file containing the keylogger, opens it, reads the data within, and uses XOR operations to decode it.
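The infection chain described above (SFX installer in %TEMP% handing its own path to a JS file, Windows Script Host running that JS, a scheduled task created by the script host, and the registry used as storage) leaves a recognisable trail in endpoint telemetry. The following added example, which is not code from the article or from IBM X-Force, shows how a detection engineer might express those stages as rules over process-creation and registry-set events. The event records, field names and the threshold for a "large" registry value are constructed assumptions modelled loosely on Sysmon output; they are not real logs from the campaign.

```python
import re

# Constructed sample telemetry in a hypothetical Sysmon-like shape (not real logs).
# Event 2-4 mimic the chain in the article; events 1 and 5 are benign controls.
SAMPLE_EVENTS = [
    {"id": 1, "type": "process", "pid": 1204,
     "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Scripts\logon.js"',
     "parent_image": r"C:\Windows\explorer.exe"},
    {"id": 2, "type": "process", "pid": 3320,
     "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\u\AppData\Local\Temp\run.js" "C:\Users\u\AppData\Local\Temp\order.exe"',
     "parent_image": r"C:\Users\u\AppData\Local\Temp\order.exe"},
    {"id": 3, "type": "process", "pid": 3388,
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /create /tn "6f2a9c1e" /tr "wscript.exe C:\Users\u\AppData\Local\Temp\run.js"',
     "parent_image": r"C:\Windows\System32\wscript.exe"},
    {"id": 4, "type": "registry", "pid": 3320,
     "image": r"C:\Windows\System32\wscript.exe",
     "target": r"HKCU\Software\Microsoft\Windows\Setup\6f2a9c1e",
     "value_len": 48000},
    {"id": 5, "type": "process", "pid": 5100,
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /query /tn "Backup"',
     "parent_image": r"C:\Windows\System32\cmd.exe"},
]

WSH = re.compile(r'\\(?:w|c)script\.exe$', re.I)   # Windows Script Host binaries
TEMP_DIR = re.compile(r'\\(?:Temp|Tmp)\\', re.I)    # path component of a temp folder
JS_ARG = re.compile(r'[^\s"]+\.js\b', re.I)         # .js paths inside a command line
REG_BLOB_BYTES = 4096                               # assumed threshold for a "large" value


def rule_wsh_js_from_temp(ev):
    """Script host executing a .js file that lives under a temp directory."""
    if ev["type"] != "process" or not WSH.search(ev["image"]):
        return False
    return any(TEMP_DIR.search(m.group(0)) for m in JS_ARG.finditer(ev["cmdline"]))


def rule_wsh_child_of_temp_parent(ev):
    """Script host spawned by a temp-folder executable that passes its own path as an argument
    (the SFX-to-JS hand-off)."""
    if ev["type"] != "process" or not WSH.search(ev["image"]):
        return False
    parent = ev["parent_image"]
    return bool(TEMP_DIR.search(parent)) and parent.lower() in ev["cmdline"].lower()


def rule_schtasks_from_wsh(ev):
    """Scheduled-task creation whose parent process is a script host."""
    if ev["type"] != "process":
        return False
    return (ev["image"].lower().endswith(r"\schtasks.exe")
            and "/create" in ev["cmdline"].lower()
            and bool(WSH.search(ev["parent_image"])))


def rule_wsh_registry_blob(ev):
    """Script host writing an unusually large registry value (configuration or payload staging)."""
    return (ev["type"] == "registry" and bool(WSH.search(ev["image"]))
            and ev.get("value_len", 0) >= REG_BLOB_BYTES)


RULES = {
    "wsh_js_from_temp": rule_wsh_js_from_temp,
    "wsh_child_of_temp_parent": rule_wsh_child_of_temp_parent,
    "schtasks_from_wsh": rule_schtasks_from_wsh,
    "wsh_registry_blob": rule_wsh_registry_blob,
}


def triage(events):
    """Return one alert per event that trips at least one rule, listing the rules that fired."""
    alerts = []
    for ev in events:
        fired = [name for name, rule in RULES.items() if rule(ev)]
        if fired:
            alerts.append({"id": ev["id"], "pid": ev["pid"], "rules": fired})
    return alerts


def correlate_by_pid(alerts):
    """Group rule hits per process so a multi-stage chain from one PID stands out from a single hit."""
    by_pid = {}
    for alert in alerts:
        by_pid.setdefault(alert["pid"], set()).update(alert["rules"])
    return {pid: sorted(rules) for pid, rules in by_pid.items()}


if __name__ == "__main__":
    hits = triage(SAMPLE_EVENTS)
    for alert in hits:
        print(alert)
    print(correlate_by_pid(hits))
```

Each rule alone is noisy in a real estate (logon scripts legitimately run under wscript.exe), which is why `correlate_by_pid` is the useful output: a single script-host process that both ran a .js from a temp folder and wrote a multi-kilobyte registry value matches the behaviour the article describes far more specifically than either observation on its own.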

The fileless nature of DarkWatchman gives it somewhat more advanced capabilities than a conventional dropper; entities in the affected region should therefore maintain a high level of defensive protection.


Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.
