F6 Threat Intelligence has disclosed that it tracked the activities of the Hive0117 group, which conducted a large-scale phishing campaign targeting Russian companies. The attack focused on various industries, including media, tourism, finance and insurance, manufacturing, retail, energy, telecommunications, transport, and biotechnology.
“Hive0117 is a financially motivated group that has been conducting attacks since February 2022 using the DarkWatchman malware,” F6 wrote in a post this week. “The mailings are mass-scale. The attackers disguise themselves as real organizations, register infrastructure for the mailings and for managing domains, and often reuse domains. Targets were identified in Russia, Belarus, Lithuania, Estonia and Kazakhstan.”
F6 is a Russian threat intelligence vendor. Its service helps organizations understand and respond to cyber threats, drawing on a large database of threat data (attackers, their tools and their infrastructure) collected from both open and closed sources. The F6 Threat Intelligence product includes a graph-analysis system for identifying relationships between threats and a platform for integration with existing security systems.
The F6 Managed XDR system recorded and blocked a mass mailing with the subject ‘Documents from 29.04.2025,’ sent from manager@alliance-s[dot]ru to more than 550 addresses. Each email carried a password-protected archive as an attachment, distributed under various file names.
The post noted that opening the archive triggered a malicious chain that infected the system with a modified version of the DarkWatchman malware, built to run stealthily and evade detection by traditional security tools.
Further analysis found that the alliance-s[dot]ru domain was registered with the same registrant data as the voenkomat-mil[dot]ru and absolut-ooo[dot]ru domains, which the group used in its 2023 mailings; at that time, emails carrying various attachments were sent from the voenkomat-mil[dot]ru domain. The reuse of registration data and C2 domains shows the group’s preference for sticking with familiar infrastructure and tools.
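The two defensive angles the article describes, triaging mail for the password-protected-archive lure and pivoting on shared registrant data to find related sender domains, can be scripted as below. This is an added example, not code from F6 or IBM. The mail-log lines and WHOIS-style records are constructed for the example; only the domain names come from the article (written with real dots here), and the registrant email, registrar and creation dates are placeholders, since the article does not publish the actual registration data.

```python
"""Added example (not F6's or IBM's code): flag mail-gateway records that match
the Hive0117 lure pattern (password-protected archive attachment), then pivot on
shared WHOIS registrant data to find sender domains registered the same way.
All records below are constructed; only the domain names come from the article."""
from collections import defaultdict
import re

# Constructed mail-gateway log lines: sender | subject | attachment | archive state
MAIL_LOG = [
    "manager@alliance-s.ru|Documents from 29.04.2025|Documents.zip|encrypted",
    "manager@alliance-s.ru|Documents from 29.04.2025|Docs_0429.rar|encrypted",
    "hr@example.org|Quarterly review|review.pdf|none",
    "manager@alliance-s.ru|Documents from 29.04.2025|Scan.pdf|none",
]

# Constructed WHOIS-style records. The registrant_email, registrar and created
# values are placeholders, not the real registration data.
WHOIS = {
    "alliance-s.ru":    {"registrant_email": "reg@example.invalid", "registrar": "REG-X", "created": "2025-04-25"},
    "voenkomat-mil.ru": {"registrant_email": "reg@example.invalid", "registrar": "REG-X", "created": "2023-05-10"},
    "absolut-ooo.ru":   {"registrant_email": "reg@example.invalid", "registrar": "REG-X", "created": "2023-08-02"},
    "example.org":      {"registrant_email": "admin@example.org",   "registrar": "REG-Y", "created": "2010-01-01"},
}

# Archive formats that commonly carry a password-protected payload.
ARCHIVE_EXT = re.compile(r"\.(zip|rar|7z)$", re.IGNORECASE)


def parse_line(line):
    """Split one constructed log line into a record dict."""
    sender, subject, attachment, state = line.split("|")
    return {
        "sender": sender,
        "domain": sender.split("@")[1],
        "subject": subject,
        "attachment": attachment,
        "encrypted": state == "encrypted",
    }


def suspicious(rec):
    """The campaign's lure format: an archive the gateway could not open (password-protected)."""
    return rec["encrypted"] and bool(ARCHIVE_EXT.search(rec["attachment"]))


def triage(lines):
    """Count suspicious messages per sender domain."""
    counts = defaultdict(int)
    for rec in map(parse_line, lines):
        if suspicious(rec):
            counts[rec["domain"]] += 1
    return dict(counts)


def pivot_registrant(seed, whois):
    """Other domains sharing the seed domain's registrant email and registrar."""
    s = whois[seed]
    return sorted(
        d for d, r in whois.items()
        if d != seed
        and r["registrant_email"] == s["registrant_email"]
        and r["registrar"] == s["registrar"]
    )


if __name__ == "__main__":
    hits = triage(MAIL_LOG)
    print("sender domains with encrypted-archive lures:", hits)
    for dom in hits:
        print(dom, "-> same registrant data as:", pivot_registrant(dom, WHOIS))
```

A password-protected archive on its own is a weak signal, so in practice the count per sender domain is combined with sender reputation and volume before blocking. Registrant data for many TLDs is redacted today, so the pivot key is often a registrar and name-server pair or a TLS certificate fingerprint rather than an email address; the matching logic stays the same.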
About two years ago, IBM Security X-Force identified a phishing campaign by Hive0117, a likely financially motivated cybercriminal group, dating from February 2022 and designed to deliver the fileless malware variant dubbed DarkWatchman. That campaign masqueraded as official communications from the Russian government’s Federal Bailiffs Service; its Russian-language emails were addressed to users in Lithuania, Estonia and Russia in the telecommunications, electronics and industrial sectors. The activity predates, and is not believed to be associated with, the Russian-led invasion of Ukraine.