Hive0117 Group Targets Russian Firms with New Variant of DarkWatchman Malware

A sophisticated cybercrime group known as Hive0117 has launched a fresh phishing campaign targeting prominent Russian organizations across multiple sectors, using a modified version of the notorious DarkWatchman malware. According to Russian cybersecurity firm F6, the financially motivated group has been active since February 2022 and has used DarkWatchman in phishing attacks across Russia, Belarus, the Baltics, and Kazakhstan.

The latest campaign, detected by F6 Threat Intelligence on April 29, was a mass mailing of over 550 suspicious messages to unsuspecting recipients. The emails were designed to look like legitimate corporate correspondence, with subjects such as "Documents from 04/29/2025" and sender addresses mimicking those of reputable companies.

The phishing emails carried password-protected archives named after the subject line; opening the archive triggered an infection chain that installed a modified version of DarkWatchman on the recipient's system. DarkWatchman is known for evading detection by standard antivirus software.
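As an added illustration of how a mail gateway could flag the lure pattern described above (a password-protected archive named after a "Documents from <date>" subject), the following Python triage heuristic is not F6's tooling or anything from the report; it assumes the attachment is a ZIP archive, and the sample messages and archive bytes are constructed inline.

```python
"""Triage heuristic for the lure: encrypted archive + name mirroring the subject.
Added example (not from F6); works on raw ZIP bytes, so no password is needed."""
import io
import re
import struct
import zipfile

LOCAL_HDR = b"PK\x03\x04"  # ZIP local file header signature
DATE_SUBJECT = re.compile(r"documents from \d{2}/\d{2}/\d{4}", re.IGNORECASE)


def has_encrypted_entry(data: bytes) -> bool:
    """Walk the ZIP local file headers and report whether any entry has the
    'encrypted' general-purpose flag (bit 0) set."""
    pos = 0
    while True:
        pos = data.find(LOCAL_HDR, pos)
        if pos < 0 or pos + 30 > len(data):  # fixed header is 30 bytes
            return False
        (flags,) = struct.unpack_from("<H", data, pos + 6)
        if flags & 0x1:
            return True
        pos += 4  # keep scanning after this signature


def triage(subject: str, attachment_name: str, attachment: bytes) -> list:
    """Return the lure indicators found; an empty list means nothing matched."""
    reasons = []
    if attachment_name.lower().endswith(".zip") and has_encrypted_entry(attachment):
        reasons.append("password-protected archive")
    stem = attachment_name.rsplit(".", 1)[0].strip().lower()
    if stem and stem == subject.strip().lower():
        reasons.append("archive named after subject")
    if DATE_SUBJECT.search(subject):
        reasons.append("'Documents from <date>' subject")
    return reasons


def make_sample_zip(encrypted: bool) -> bytes:
    """Constructed sample: one-file ZIP; the stdlib cannot write encrypted
    ZIPs, so the encryption flag bit is set directly in the local header."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.pdf", b"%PDF-1.4 sample")
    data = bytearray(buf.getvalue())
    if encrypted:
        data[6] |= 0x1  # general-purpose flags live at offset 6 of the header
    return bytes(data)


if __name__ == "__main__":
    subj = "Documents from 04/29/2025"  # subject line quoted in the report
    print(triage(subj, subj + ".zip", make_sample_zip(True)))
```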

F6 experts have pointed out that the attackers launched the phishing campaign on the eve of a long weekend in an effort to "take advantage of a possible decrease in vigilance and response time during the holiday period." The group's tactics are reminiscent of previous campaigns, which have seen them target organizations across various sectors, including media, tourism, finance, insurance, manufacturing, energy, telecommunications, biotechnology, and retail.

F6 Managed XDR, the cybersecurity firm's threat detection and response platform, detected and blocked over 550 of these suspicious messages. The campaign highlights the ongoing threat posed by cybercrime groups like Hive0117 and the importance of staying vigilant against phishing attacks.

The impact of this campaign is significant: compromised organizations face serious risks to their data security. Individuals and organizations alike should therefore remain aware of this type of threat and take the necessary precautions to protect themselves.