CyberSecurity news
Pierluigi Paganini@securityaffairs.com
The Hive0117 group, linked to the DarkWatchman malware, is reportedly targeting Russian critical infrastructure in a broad cyber campaign. According to F6 Threat Intelligence, the group is running a large-scale phishing campaign against Russian companies across many industries, including media, tourism, finance, insurance, manufacturing, retail, energy, telecommunications, transport, and biotechnology. The attacks, ongoing since February 2022, rely on mass mailings that impersonate legitimate organizations; the group registers its own domain infrastructure and often reuses domains.
The malicious emails carry password-protected archives; opening the attachment inside starts an infection chain that ends with a modified version of the DarkWatchman malware (the report's term "VPO" is the Russian acronym for malicious software). The variant is built to run stealthily and evade detection by traditional security tools. Analysis shows that the domains used in these attacks share registration data with domains the group used in 2023, pointing to a persistent and evolving threat. DarkWatchman itself is a JavaScript-based remote access trojan capable of keylogging, collecting system information, and deploying secondary payloads.
The financially motivated Hive0117 group has previously targeted users in Lithuania, Estonia, and Russia in sectors such as telecom, electronics, and industry. Past campaigns also used courier-delivery-themed lures against Russian banks, retailers, telecom operators, agro-industrial enterprises, fuel and energy companies, logistics businesses, and IT firms. DarkWatchman's fileless operation, its JavaScript core paired with a C#-based keylogger, and its ability to wipe traces of itself from an infected host make it a capable tool that poses a significant risk to the organizations targeted.
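The delivery chain described above (password-protected archive, user opens the attachment, a Windows script host runs a JavaScript loader) leaves a process-creation trail that defenders can triage. The script below is an added example, not code from the F6 report or from Security Affairs: it applies a generic heuristic to Sysmon-style process-creation events (field names ProcessId, User, Image, CommandLine, ParentImage are assumed), flagging wscript.exe/cscript.exe launches of .js/.jse/.wsf files from user-writable download or temp paths, or with an archive utility as parent. The log lines are constructed for the example.

```python
import json
import re
from typing import Iterable, List, Optional

# Windows script hosts that execute JScript; a JavaScript-based RAT dropped from
# an archive needs one of these to start unless it bundles its own engine.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Archive front-ends that parent a script opened straight out of an attachment.
# Assumption: generic list, not from the F6 report. explorer.exe is deliberately
# left out (it parents every double-clicked file, including built-in zip
# extractions, and would be far too noisy on its own).
ARCHIVE_PARENTS = {"winrar.exe", "7zfm.exe", "7zg.exe"}
# Where extracted attachments usually land (WinRAR's Rar$ temp dirs, Downloads).
USER_WRITABLE = re.compile(
    r"\\Users\\[^\\]+\\(?:Downloads|AppData\\Local\\Temp)\\", re.IGNORECASE)
# First quoted or bare command-line token that ends in a script extension.
SCRIPT_ARG = re.compile(
    r'"([^"]+\.(?:js|jse|wsf))"|(\S+\.(?:js|jse|wsf))(?=\s|$)', re.IGNORECASE)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path (handles stray forward slashes)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def script_path(cmdline: str) -> Optional[str]:
    """Return the script file a script host was asked to run, if any."""
    m = SCRIPT_ARG.search(cmdline)
    return (m.group(1) or m.group(2)) if m else None


def reasons_for(event: dict) -> List[str]:
    """Reasons a process-creation event resembles the archive -> script-host chain."""
    if basename(event.get("Image", "")) not in SCRIPT_HOSTS:
        return []
    reasons = []
    path = script_path(event.get("CommandLine", ""))
    if path:
        reasons.append("script host executing a JScript/WSF file")
        if USER_WRITABLE.search(path):
            reasons.append("script lives in a user-writable download/temp directory")
    if basename(event.get("ParentImage", "")) in ARCHIVE_PARENTS:
        reasons.append("parent is an archive utility (opened from an attachment)")
    return reasons


def triage(lines: Iterable[str], min_reasons: int = 2) -> List[dict]:
    """Parse JSON-lines events and return those with at least min_reasons hits.

    A lone script-host launch is normal administration; two or more signals
    together are worth an analyst's look.
    """
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        r = reasons_for(ev)
        if len(r) >= min_reasons:
            hits.append({"ProcessId": ev.get("ProcessId"),
                         "User": ev.get("User"), "reasons": r})
    return hits


def flagged_pids(lines: Iterable[str]) -> List[int]:
    """Convenience wrapper: just the process IDs that triage() flagged."""
    return [h["ProcessId"] for h in triage(lines)]


# Constructed sample events (Sysmon event-1-like field names); not real telemetry.
SAMPLE_LOG = r"""
{"ProcessId": 4120, "User": "CORP\\anna", "Image": "C:\\Windows\\System32\\wscript.exe", "CommandLine": "\"C:\\Windows\\System32\\wscript.exe\" \"C:\\Users\\anna\\AppData\\Local\\Temp\\Rar$DIa1234.5678\\Dostavka_12345.js\"", "ParentImage": "C:\\Program Files\\WinRAR\\WinRAR.exe"}
{"ProcessId": 4188, "User": "NT AUTHORITY\\SYSTEM", "Image": "C:\\Windows\\System32\\cscript.exe", "CommandLine": "cscript.exe //nologo C:\\Windows\\System32\\slmgr.vbs /dlv", "ParentImage": "C:\\Windows\\System32\\svchost.exe"}
{"ProcessId": 4203, "User": "CORP\\anna", "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "CommandLine": "chrome.exe --type=renderer", "ParentImage": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe"}
{"ProcessId": 4250, "User": "CORP\\anna", "Image": "C:\\Windows\\System32\\wscript.exe", "CommandLine": "wscript.exe C:\\Users\\anna\\Downloads\\invoice.js", "ParentImage": "C:\\Windows\\explorer.exe"}
{"ProcessId": 4301, "User": "NT AUTHORITY\\SYSTEM", "Image": "C:\\Windows\\System32\\wscript.exe", "CommandLine": "wscript.exe C:\\Program Files\\Vendor\\tools\\maintenance.js", "ParentImage": "C:\\Windows\\System32\\svchost.exe"}
"""

if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG.splitlines()):
        print(hit["ProcessId"], hit["User"], "; ".join(hit["reasons"]))
```

On the constructed sample, only the WinRAR-parented launch from a Rar$ temp directory and the Downloads-folder script are flagged; the vendor maintenance script (one signal) and the cscript.exe call running a .vbs under System32 (no signal) are not. The threshold and the path patterns are starting points to tune against your own baseline, not a signature for this specific variant.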
References:
- industrialcyber.co: DarkWatchman-linked group Hive0117 targets Russian critical infrastructure sector in broad cyber campaign
- securityaffairs.com: Hive0117 group targets Russian firms with new variant of DarkWatchman malware
- bsky.app: DarkWatchman-linked group Hive0117 targets Russian critical infrastructure sector in broad cyber campaign
- Cyber Security News: DarkWatchman-linked group Hive0117 targets Russian critical infrastructure sector in broad cyber campaign
Classification:
- HashTags: #cyberattack #russia #malware
- Company: F6 Threat Intelligence
- Target: Russian Firms
- Attacker: Hive0117
- Product: DarkWatchman
- Feature: Phishing attacks
- Malware: DarkWatchman
- Type: Malware
- Severity: Major