Hive0117 group targets Russian firms with new variant of DarkWatchman malware

Hive0117 targets Russian firms in multiple sectors with phishing attacks using a modified version of the DarkWatchman malware.
A cybercrime group named Hive0117 is behind a fresh phishing campaign that targeted Russian organizations with a new version of the DarkWatchman malware, according to Russian cybersecurity firm F6.
The financially-motivated group targeted organizations in the media, tourism, finance, insurance, manufacturing, energy, telecommunications, biotechnology and retail sectors.
The Hive0117 group has been active since February 2022 and is known for using the DarkWatchman malware in phishing attacks across Russia, Belarus, the Baltics and Kazakhstan.
“The specific campaign, detected by F6 Threat Intelligence on April 29, was a mass email campaign. F6 Managed XDR detected and blocked over 550 such messages,” reported the Russian website Gazeta.Ru. “The emails had the subject ‘Documents from 04/29/2025’ and were sent from an address disguised as corporate correspondence.”
The phishing emails used in the campaign spotted by F6 experts had the subject “Documents from 04/29/2025” and were sent from addresses mimicking corporate senders. The messages contained password-protected archives named similarly to “Documents from 04/29/2025.rar”. Once opened, the archive triggered an infection chain that installed a modified version of the DarkWatchman malware on the recipient’s system.
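As an added defender-side example (not code from F6 or from this article), the following Python triage heuristic scores mail-gateway metadata against the lure described above: a “Documents from MM/DD/YYYY” subject, a password-protected RAR named after that subject, and a sender domain that differs from the corporate domain it imitates. The message field names and the sample messages are assumptions constructed for the example.

```python
import re
from typing import Dict, List

# Indicators taken from the campaign description: lure subject, archive name
# that repeats the subject, and a password-protected RAR attachment.
SUBJECT_RE = re.compile(r"^\s*documents from (\d{2}/\d{2}/\d{4})\s*$", re.I)
ARCHIVE_RE = re.compile(r"^\s*documents from (\d{2}/\d{2}/\d{4})\.rar$", re.I)


def sender_domain(address: str) -> str:
    """Domain part of an SMTP address, lower-cased."""
    return address.rsplit("@", 1)[-1].lower()


def score_message(msg: Dict) -> List[str]:
    """Return the list of campaign indicators matched by one message.

    Field names (subject, from_addr, claimed_domain, attachments[].name,
    attachments[].encrypted) are an assumed gateway schema, not a real one.
    """
    reasons: List[str] = []
    m_subject = SUBJECT_RE.match(msg.get("subject", ""))
    if m_subject:
        reasons.append("subject matches 'Documents from <date>' lure")
    for att in msg.get("attachments", []):
        m_arch = ARCHIVE_RE.match(att.get("name", ""))
        if m_arch and att.get("encrypted"):
            reasons.append("password-protected RAR named after the lure subject")
            if m_subject and m_arch.group(1) == m_subject.group(1):
                reasons.append("archive date matches subject date")
    # claimed_domain: the corporate domain the sender is dressed up as
    # (assumed to be extracted by the gateway from the display name).
    claimed = msg.get("claimed_domain")
    if claimed and sender_domain(msg.get("from_addr", "")) != claimed.lower():
        reasons.append("sender domain differs from the corporate domain it imitates")
    return reasons


def flag_messages(msgs: List[Dict], threshold: int = 2) -> List[str]:
    """IDs of messages that match at least `threshold` indicators."""
    return [m["id"] for m in msgs if len(score_message(m)) >= threshold]


# Constructed sample messages; not real data from the campaign.
SAMPLE = [
    {"id": "m1", "subject": "Documents from 04/29/2025",
     "from_addr": "accounting@corp-example.test", "claimed_domain": "corp.example",
     "attachments": [{"name": "Documents from 04/29/2025.rar", "encrypted": True}]},
    {"id": "m2", "subject": "Documents from 04/29/2025",
     "from_addr": "hr@corp.example", "claimed_domain": "corp.example",
     "attachments": [{"name": "Q1 report.pdf", "encrypted": False}]},
    {"id": "m3", "subject": "Re: meeting notes",
     "from_addr": "bob@corp.example", "claimed_domain": "corp.example",
     "attachments": [{"name": "notes.rar", "encrypted": True}]},
]

if __name__ == "__main__":
    for m in SAMPLE:
        print(m["id"], score_message(m))
```

A single encrypted archive is common in legitimate mail, so the threshold requires two or more indicators before a message is flagged for review.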
The DarkWatchman malware can evade detection by standard antivirus software. The researchers pointed out that attackers launched the phishing campaign on the eve of a long weekend to “take advantage of a possible decrease in vigilance and response time during the holiday period.”