Hive0117
Intelligence Profile
Hive0117 is a financially motivated cybercriminal group that conducts phishing campaigns to deliver the fileless malware DarkWatchman, which is capable of keylogging and collecting system information. The group targets individuals in the energy, finance, transport, and software security sectors across Russia, Kazakhstan, Latvia, and Estonia, often imitating official Russian government communications to induce urgency. Their operations leverage emergent policies related to conscription and utilize a UID string for identification, with malware capable of querying for smartcard readers, indicating a focus on higher security targets. The malware's fileless nature and ability to erase traces of its presence suggest moderate sophistication in their TTPs.
Threat Analysis
Hive0117 is a high-sophistication threat actor of undetermined national origin, engaged in cyber operations with a primary motivation of financial.
Financially motivated threat actors like Hive0117 prioritize monetary gain through methods such as ransomware deployment, banking trojans, cryptocurrency theft, BEC scams, or credential harvesting for resale on underground markets.
With high sophistication, Hive0117 is capable of targeted intrusions using adapted commodity tools alongside custom implants, maintaining operational security and evading standard detection mechanisms.