Hive0117, a cybercrime group, targeted Russian companies in various sectors with a new phishing campaign. The group used a modified version of DarkWatchman malware, which is known for evading antivirus software. These phishing emails were disguised as corporate messages, making them difficult for recipients to identify as threats. The emails contained password-protected archives labeled “Documents from 04/29/2025.rar,” which triggered the malware once opened.
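The delivery vector here is a password-protected RAR attachment, which a mail gateway can flag before anyone opens it: an encrypted archive cannot be scanned, so the safe default is to quarantine it. The Python below is an added example, not F6's detection logic or anything from the original report. It builds a constructed lure message with a minimal RAR attachment, walks the RAR 4.x and RAR 5 block headers to decide whether the archive's headers or file data are encrypted, and returns a verdict per attachment. The addresses, archive contents and helper names are all constructed for the example.

```python
"""Flag password-protected RAR attachments in mail (added example, constructed data)."""
import email
import struct
from email import policy
from email.message import EmailMessage

RAR4_SIG = b"Rar!\x1a\x07\x00"       # RAR 4.x marker block
RAR5_SIG = b"Rar!\x1a\x07\x01\x00"   # RAR 5 signature


def rar4_is_encrypted(data: bytes) -> bool:
    """Walk RAR 4.x blocks: true if headers (MHD_PASSWORD) or file data (LHD_PASSWORD) are encrypted."""
    pos = len(RAR4_SIG)
    while pos + 7 <= len(data):
        head_type = data[pos + 2]
        head_flags = struct.unpack_from("<H", data, pos + 3)[0]
        head_size = struct.unpack_from("<H", data, pos + 5)[0]
        if head_size < 7:
            break  # malformed block; stop rather than spin
        if head_type == 0x73 and head_flags & 0x0080:
            return True  # main header: encrypted headers (file names hidden)
        if head_type == 0x74 and head_flags & 0x0004:
            return True  # file header: encrypted file data
        add_size = 0
        if head_type == 0x74 or head_flags & 0x8000:  # block carries a data area
            if pos + 11 > len(data):
                break
            add_size = struct.unpack_from("<I", data, pos + 7)[0]  # 32-bit packed size only
        pos += head_size + add_size
    return False


def _vint(buf: bytes, pos: int):
    """RAR 5 variable-length int: 7 bits per byte, high bit = continuation."""
    val, shift = 0, 0
    while True:
        b = buf[pos]
        pos += 1
        val |= (b & 0x7F) << shift
        if not b & 0x80:
            return val, pos
        shift += 7


def rar5_is_encrypted(data: bytes) -> bool:
    """True if a RAR 5 archive has an encryption header (type 4) or a file with a file-encryption extra record."""
    pos = len(RAR5_SIG)
    try:
        while pos + 4 < len(data):
            pos += 4  # skip header CRC32
            hsize, pos = _vint(data, pos)
            body_end = pos + hsize  # hsize counts from the type field to the end of the extra area
            htype, pos = _vint(data, pos)
            hflags, pos = _vint(data, pos)
            if htype == 4:
                return True  # archive encryption header: every later header is encrypted
            extra_size = data_size = 0
            if hflags & 0x01:
                extra_size, pos = _vint(data, pos)
            if hflags & 0x02:
                data_size, pos = _vint(data, pos)
            if htype == 2 and extra_size:  # file header: scan its extra records
                p = body_end - extra_size
                while p < body_end:
                    rsize, p = _vint(data, p)
                    rtype, _ = _vint(data, p)
                    if rtype == 1:
                        return True  # file encryption record
                    p += rsize
            pos = body_end + data_size
    except IndexError:
        pass  # truncated archive: treat as not provably encrypted
    return False


def classify_attachment(data: bytes):
    if data.startswith(RAR5_SIG):
        return "rar5", rar5_is_encrypted(data)
    if data.startswith(RAR4_SIG):
        return "rar4", rar4_is_encrypted(data)
    return "other", False


def triage_message(raw: bytes):
    """Return one finding per attachment; encrypted archives get a quarantine verdict."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        kind, enc = classify_attachment(part.get_payload(decode=True) or b"")
        findings.append({"filename": part.get_filename() or "<unnamed>", "kind": kind,
                         "encrypted": enc, "verdict": "quarantine" if enc else "allow"})
    return findings


def build_rar4_sample(encrypted: bool) -> bytes:
    """Constructed RAR 4.x: marker + main header + one empty file header."""
    main = struct.pack("<HBHH", 0, 0x73, 0, 13) + b"\x00" * 6
    name = b"Documents.doc"
    flags = 0x8000 | (0x0004 if encrypted else 0)
    file_hdr = struct.pack("<HBHHIIBIIBBHI", 0, 0x74, flags, 32 + len(name),
                           0, 0, 0, 0, 0, 29, 0x30, len(name), 0x20) + name
    return RAR4_SIG + main + file_hdr


def build_rar5_sample(mode: str) -> bytes:
    """Constructed RAR 5 with mode 'headers' (type-4 header), 'file' (encryption extra record) or 'none'."""
    if mode == "headers":
        body = bytes([4, 0, 0, 0, 15]) + b"\x00" * 16  # type 4, flags, version, enc flags, kdf, salt
    elif mode == "file":
        extra = b"\x04\x01\x00\x00\x00"  # record size 4, type 1 (file encryption), dummy data
        body = bytes([2, 1, len(extra), 0, 0, 0, 0, 0, 1]) + b"a" + extra
    else:
        body = bytes([1, 0, 0])  # plain main archive header
    return RAR5_SIG + b"\x00\x00\x00\x00" + bytes([len(body)]) + body


def build_sample_email(attachment: bytes) -> bytes:
    """Constructed lure message in the style the report describes (addresses are placeholders)."""
    msg = EmailMessage()
    msg["From"] = "accounting@example.invalid"
    msg["To"] = "staff@example.invalid"
    msg["Subject"] = "Documents from 04/29/2025"
    msg.set_content("Please review the attached documents.")
    msg.add_attachment(attachment, maintype="application", subtype="vnd.rar",
                       filename="Documents from 04/29/2025.rar")
    return msg.as_bytes()


if __name__ == "__main__":
    for sample in (build_rar4_sample(True), build_rar5_sample("headers"), build_rar5_sample("none")):
        print(triage_message(build_sample_email(sample)))
```

The header walk is deliberately conservative: it reads only the fields needed to reach the encryption flags and stops on anything malformed, so a crafted archive cannot make it loop or throw. A gateway rule built on this would quarantine any attachment whose verdict is `quarantine` regardless of the file extension, since the magic bytes, not the name, decide the archive type.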
The phishing attack was a mass email campaign detected on April 29, 2025, by Russian cybersecurity firm F6.
The attackers targeted organizations across multiple industries, including media, tourism, finance, and telecommunications. The malware specifically targeted industries in Russia, Belarus, the Baltics, and Kazakhstan. Researchers noted that the timing of the attack coincided with a long weekend, which might reduce the likelihood of a swift response.
F6 Managed XDR blocked over 550 of these phishing emails, protecting organizations from infection. Despite this, the attackers’ efforts were significant, as they leveraged social engineering tactics to increase the success rate of the phishing attempt. The modified DarkWatchman malware allowed attackers to gain access to compromised systems without being detected by standard antivirus solutions.
The DarkWatchman malware has been a staple of Hive0117’s attacks since the group’s emergence in February 2022. This new campaign represents a continuation of their ongoing targeting of Russian firms across various sectors. With these tactics, the group shows a sophisticated understanding of both malware and social engineering, making them a serious threat to organizations in the region.