{
	"id": "d327a0b6-be9a-4bef-986b-253b03808c9e",
	"created_at": "2026-04-06T00:10:14.706054Z",
	"updated_at": "2026-04-10T03:36:11.239548Z",
	"deleted_at": null,
	"sha1_hash": "be6c3ac43a7268c1e7e765a4fbed672cd126fe47",
	"title": "Hive0137 on AI journey",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3796074,
	"plain_text": "Hive0137 on AI journey\r\nBy Golo Mühr, Joe Fasulo\r\nPublished: 2024-07-26 · Archived: 2026-04-05 15:00:32 UTC\r\nIBM X-Force tracks dozens of threat actor groups. One group in particular, tracked by X-Force as Hive0137, has been a highly active malware distributor since at least October 2023. Nominated by X-Force as having the “Most Complex Infection Chain” in a campaign in 2023, Hive0137 campaigns deliver DarkGate, NetSupport, T34-Loader and Pikabot malware payloads, some of which are likely used for initial access in ransomware attacks. The crypters used in the infection chains also suggest a close relationship with former members of ITG23 (Conti/Trickbot group). Following the law enforcement effort known as Operation Endgame, Hive0137 was found delivering a new backdoor known as WarmCookie.\r\nAfter continuously following Hive0137 phishing operations, X-Force believes it is likely that the emails used in current Hive0137 campaigns are being created using Large Language Models (LLMs), which has greatly improved their authenticity and resilience against signature-based detection. Interestingly, this capability was also demonstrated in an Italian campaign delivering Dave-crypted X-Worm attributed to a different distributor, which featured similar techniques to Hive0137. 
In addition, potential Hive0137 tooling discovered by X-Force appears to have been created using generative AI, signifying the group’s willingness to adopt new technologies for malicious purposes.\r\nKey findings:\r\nHive0137 is a highly active email spammer distributing malware used for initial access in ransomware attacks\r\nCrypters used for Hive0137 payloads suggest a close relationship with former members of ITG23 (Conti/Trickbot group)\r\nFollowing Operation Endgame, X-Force observed a new Hive0137 payload known as WarmCookie\r\nX-Force believes Hive0137 likely leverages LLMs to assist in script development, as well as to create authentic and unique phishing emails\r\nSuspected LLM-based phishing was also observed in Italian campaigns delivering Dave-crypted X-Worm\r\nHive0137 background\r\nHive0137 is an email distributor tracked by X-Force since October 2023. The group is capable of executing unusually complex infection chains first reported by X-Force in February. Analysis revealed Hive0137 delivering emails containing malicious PDF attachments or URLs leading to DarkGate, NetSupport and a new loader dubbed “T34-Loader.”\r\nhttps://securityintelligence.com/x-force/hive0137-on-ai-journey/\r\nPage 1 of 16\n\nHive0137 campaigns overlap with Proofpoint’s TA571 cluster, which also noted the complexity of their email campaigns. In a December 2023 campaign, Hive0137 made use of the Snow crypter to inject the new T34-Loader. Of note, the Snow crypter was developed by former members of the Trickbot/Conti syndicate (aka ITG23), suggesting a relationship between the actors developing or using T34-Loader and ITG23. 
X-Force further suspects payloads delivered by Hive0137 may be used for initial access leading to ransomware attacks.\r\nPrevious campaigns\r\nThroughout early 2024, X-Force recorded several Hive0137 campaigns using new payloads and crypters. Hive0137 emails are composed primarily in English and use a variety of themes including reimbursement requests, invoices, project budget reviews, report analyses and meeting presentations.\r\nBeginning in mid-February 2024, X-Force observed Hive0137 experimenting with new attachment types, demonstrating at least a temporary shift away from previously preferred methods, including PDFs delivering malicious URLs. The campaigns leveraged Excel attachments containing a malicious URL in the form of a UNC file path, e.g. \\\\147.182.156[.]154\\share\\EXCEL_DOCUMENT_OPEN.XLSX.vbs, which, when clicked, downloads the next stage, typically a VBS or JavaScript file. That file then downloads and executes the final DarkGate payload.\r\nOf particular interest, the same change of techniques was observed in parallel Hive0118 (aka TA577) campaigns. Hive0118 is an email distributor that frequently provides initial access for ransomware attacks conducted by threat actors with ties to the Trickbot/Conti syndicate (ITG23). This group uses thread hijacking of stolen emails and targets entities globally in widespread campaigns. In the observed case the group distributed Dave-crypted Pikabot samples. In previous campaigns, Hive0118 delivered malware including DarkGate, Qakbot and IcedID using various ITG23-related crypters such as Forest, Snow and Quicksand.\r\nIn late March 2024, Hive0137 also distributed Dave-crypted Pikabot payloads. These were delivered through malicious HTML files leveraging the “search-ms” protocol to stage payloads from remote SMB shares. The delivery of Pikabot reinforces X-Force’s assessment that Hive0137 campaigns are used for initial access leading to ransomware attacks. 
The Pikabot loader, which has been active since early 2023, shares several similarities with Qakbot and has been delivered frequently by Hive0118, particularly in late 2023 following Qakbot’s disruption. Like Qakbot, Pikabot infections have typically led to BlackBasta ransomware.\r\nPost-Endgame activity\r\nAt the end of May 2024, Operation Endgame, a global law enforcement takedown operation, took action against several malware botnets including Pikabot. Following this, Hive0137 once again changed its payload to NetSupport, leveraging Microsoft Project (.mpp) files with embedded macros designed to download the final payload from a remote server. The NetSupport payload was delivered in the form of an MSIX file. Later NetSupport campaigns by Hive0137 used a new technique in HTML files to copy malicious PowerShell code into the user’s clipboard and prompt the user to unknowingly execute it.\r\nIn mid-June, a Hive0137 email campaign used the same HTML clipboard technique in combination with double Base64 encoding for obfuscation. In this campaign, the payload was a new Forest-crypted backdoor called WarmCookie, first reported on by Elastic Security Labs in June 2024. Previous WarmCookie infection chains from late April 2024 relied on JavaScript and PowerShell stages to download and execute the backdoor.\r\nFig. 1: Hive0137 campaign distributing Forest-crypted WarmCookie.\r\nSimilar to other persistent malware botnets such as Qakbot or Pikabot, WarmCookie supports several C2 commands to enumerate the infected machine, take screenshots, download and upload files and run arbitrary commands.\r\nOf note, X-Force observed a larger campaign at the beginning of July 2024 targeting exclusively Italian-speaking victims. 
After analyzing the emails, we concluded that these were distributed by a different spammer than Hive0137, but still employ similar techniques to generate unique subjects and email bodies.\r\nFig. 2: PayPal-themed campaign targeting Italian-speaking victims.\r\nThe emails delivered ZIP archives containing .URL files linked to payloads on remote SMB servers. The final payloads were identified as Dave-crypted X-Worm. Dave-crypter is among the ITG23 crypters used by both Hive0118 and Hive0137. However, it is unusual for it to be paired with a commodity RAT such as X-Worm.\r\nX-Force’s observation of Hive0137 exploring new payloads using the same crypters may suggest an experimental phase following the fallout of Operation Endgame. It is possible the groups are working towards the goal of identifying suitable successors to Pikabot and other previously used malware backdoors to facilitate their future operations.\r\nPhishing – An AI use case\r\nCat-and-mouse game\r\nFor initial access brokers (IABs) specializing in malware delivery through phishing, the threat landscape has seen several new interesting techniques appear over the years. One of the most effective techniques, made famous by Emotet and still used by Hive0118, is known as thread hijacking. The effectiveness of thread hijacking is largely due to its authenticity. By hijacking a stolen email thread with a malicious email, victims can easily be fooled into believing it was part of the original stolen conversation. However, as email security solutions began to catch up, threat actors were forced to continue to evolve in an everlasting cat-and-mouse game. 
Modern phishing detection uses threat intelligence not just to identify known malicious hashes, but also email subjects, attachment filenames and email bodies, among other properties. As a result, threat actors have started to adapt by introducing random scrambling of these properties, trying to ensure that every email in their campaign has a unique attachment hash, filename, subject and body.\r\nFor example, both Hive0137 and Hive0118 use filename patterns to accomplish this. Hive0137 relies on an alphanumeric random string, whereas Hive0118 uses wordlist-based scrambling in the examples below.\r\nFig. 3: Hive0137 HTML campaign delivering NetSupport.\r\nFig. 4: Hive0118 PDF campaign leading to Adversary-in-the-Middle (AitM) phishing.\r\nSimilar techniques are used for email subjects. In the first few phases of thread-hijack campaigns, the stolen email subjects would generally be preceded with “Re: ” or “FWD:” or similar strings. Hive0118 then started to remove these, and in their latest campaigns have tried to scramble the original subject by removing and adding single characters within the subject, attempting to evade signature detection.\r\nX-Force observed Hive0137 favoring a separate approach. Unlike most other distributors, instead of relying on scrambling techniques such as adding random ID numbers to email subjects, the group is believed to be employing LLMs to generate or paraphrase phishing emails. With the widening availability of AI technology, it is logical that an actor may use the capability to generate thousands of unique and natural-sounding phishing emails. Each recently observed Hive0137 campaign usually had at least one specific phishing theme such as paycheck notifications, payment details or project updates. 
This may indicate that all emails within a campaign were likely generated from very few parent phishing emails used as prompts to create paraphrased versions to distribute.\r\nX-Force observations indicate that Hive0137’s use of likely LLM-generated paraphrasing can be traced back to October 2023. In several campaigns, they used a mixture of both paraphrasing and random number scrambling techniques. The following examples show different subjects used in Hive0137 campaigns.\r\n09 May 2024 (PDF and XLSX campaign): The early May 2024 campaign used the previously known subject-scrambling technique of adding random numbers.\r\nPURCHASE ORDER – \u003crandom_integers\u003e\r\nSeparate Remittance Advice: payment reference number – \u003crandom_integers\u003e\r\nSTATEMENTS \u003crandom_integers\u003e\r\nRE: TT INSTRUCTIONS AND INDEMNITY #\u003crandom_integers\u003e\r\nRe: RFQ for SMART | \u003crandom_integers\u003e\r\nRe: LATE PAYMENT \u003crandom_integers\u003e\r\nFW: VAT APRIL2024 – \u003crandom_integers\u003e\r\n14 May 2024 (HTML campaign): The mid-May 2024 campaign used traditional scrambling in addition to a technique where subjects are repeatedly paraphrased.\r\nItem #\u003crandom_integers\u003e\r\nPO copy against inquiry number: \u003crandom_alphanum\u003e\r\ncode : \u003crandom_integers\u003e\r\nvendor : \u003crandom_integers\u003e\r\nvendor code : \u003crandom_integers\u003e\r\nItem Code #\u003crandom_integers\u003e\r\nInquiry for Hiring of \u003crandom_integers\u003e tender .Reg\r\noutstanding of \u003crandom_float\u003e Cr: SCCL – PO Validity extension reqd\r\nBilling Submission for Corporate Reimbursement\r\nInvoice Submission for Corporate Reimbursement\r\nOffice Furniture Invoice for Reimbursement\r\nBill for Office Furnishing\r\nInvoice for Client Entertainment Expenses\r\nCharges for Entertaining Clients\r\nBill for Client Hospitality Costs\r\nSpecial Project Materials Invoice\r\nMaterials Invoice for Special Task\r\n28 May 2024 (HTML campaign): This campaign used subjects from the 14 May campaign as well as the ones below.\r\nOutlays for Wellness and Safety Materials\r\nPayment for Independent Consultant\r\nCompensation for Independent Consultant\r\nMessenger Service Fees\r\nService Bills for Off-site Office\r\nMonthly Bills for Remote Depot\r\nBill for Project Supplies\r\nRefreshment Expenses for Learning Session\r\nBeverage Outlays for Corporate Meeting\r\nRefreshment Costs for Executive Meeting\r\n26 June 2024 (PDF campaign):\r\nModified Salary Details\r\nModified Salary Data\r\nModified Compensation Details\r\nUpdated Compensation Information\r\nRefreshed Salary Details\r\nImportant Information About Your Wages\r\nBonus and Salary Information\r\nReward and Wage Data\r\nCritical Wage Alert\r\nEssential Salary Alert\r\nRevised Salary Details\r\nYour Payroll Report\r\nYour Payroll Details\r\nReward and Salary Information\r\nIncentive and Payment Details\r\nIncentive and Compensation Data\r\nIncentive and Wage Data\r\nHive0137 appears to have applied the same methodology to the body of their phishing emails. In most campaigns, the message bodies follow a set topic and format which is then paraphrased. 
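Before looking at the bodies, a detection-side illustration of the two evasion styles this section contrasts. This is an added example written for this page, not X-Force tooling and not code from the report: the sample subjects are constructed to mimic the patterns listed above, the three bodies reuse the report's June 26 samples, the placeholder names mirror the report's random_integers / random_alphanum / random_float markers, and the similarity thresholds are assumptions. It shows that normalizing away random IDs collapses scrambled subjects into a handful of template keys, while paraphrased subjects and bodies survive that step and need a structure-plus-vocabulary comparison instead.

```python
import re
from collections import defaultdict

# Added illustration, not X-Force tooling. Sample subjects are constructed to
# mirror the patterns listed in the report; the bodies reuse the report's
# June 26 samples. Thresholds below are assumptions for this example.

TOKEN = re.compile('[A-Za-z0-9]+')
FLOAT = re.compile('[0-9]+[.][0-9]+')
PREFIX = re.compile('^(?:(?:re|fw|fwd)[ ]*:[ ]*)+', re.I)
STOPWORDS = {'the', 'a', 'an', 'to', 'for', 'of', 'is', 'are', 'we', 'you', 'your',
             'it', 'this', 'if', 'any', 'in', 'on', 'and', 'please'}


def _looks_random(tok):
    # Mixed letters and digits with at least two letter/digit run changes,
    # e.g. A7X91Q. A plain word+year such as APRIL2024 has one change and is kept.
    if not (any(c.isdigit() for c in tok) and any(c.isalpha() for c in tok)):
        return False
    changes = sum(1 for a, b in zip(tok, tok[1:]) if a.isdigit() != b.isdigit())
    return changes >= 2


def _placeholder(tok):
    if tok.isdigit():
        return '{random_integers}'
    if _looks_random(tok):
        return '{random_alphanum}'
    return tok


def normalize_subject(subject):
    # Collapse scrambled tokens into placeholders so that every variant of one
    # subject template produces the same key. Reply/forward prefixes are dropped
    # because thread-hijack campaigns add and remove them freely.
    s = PREFIX.sub('', subject.strip())
    s = FLOAT.sub('{random_float}', s)
    s = TOKEN.sub(lambda m: _placeholder(m.group(0)), s)
    return re.sub('[ ]+', ' ', s).lower()


def cluster_subjects(subjects):
    # Scrambled subjects fall into one bucket per template; paraphrased ones
    # ('Billing Submission ...' vs 'Invoice Submission ...') do not, which is
    # exactly why subject-level signatures stop working against Hive0137.
    groups = defaultdict(list)
    for subj in subjects:
        groups[normalize_subject(subj)].append(subj)
    return dict(groups)


def structure_signature(body):
    # Shape of the message: one S/L marker per non-empty line (short = up to
    # three words). Paraphrases from one parent prompt keep this shape while
    # the wording changes; this is the 'very consistent structure' signal.
    lines = [ln.strip() for ln in body.strip().splitlines() if ln.strip()]
    return tuple('L' if len(ln.split()) > 3 else 'S' for ln in lines)


def _content_words(text):
    return {w for w in re.findall('[a-z]+', text.lower()) if w not in STOPWORDS}


def relate(body_a, body_b, same_text=0.9, paraphrase=0.2):
    # Same shape and near-identical vocabulary: random-ID scrambling of one
    # template. Same shape but mostly different vocabulary: paraphrase of one
    # parent prompt. Different shape: treated as unrelated.
    if structure_signature(body_a) != structure_signature(body_b):
        return 'unrelated'
    wa, wb = _content_words(body_a), _content_words(body_b)
    sim = len(wa & wb) / len(wa | wb) if (wa or wb) else 1.0
    if sim >= same_text:
        return 'scrambled'
    if sim >= paraphrase:
        return 'paraphrased'
    return 'unrelated'


SUBJECTS = [  # constructed from the report's patterns
    'PURCHASE ORDER - 48213', 'PURCHASE ORDER - 90417',
    'Re: LATE PAYMENT 31177', 'LATE PAYMENT 8804',
    'PO copy against inquiry number: A7X91Q', 'PO copy against inquiry number: 9QF4P0',
    'Billing Submission for Corporate Reimbursement',
    'Invoice Submission for Corporate Reimbursement',
]

BODY_A = '''Greetings.
The attached file contains specifications about your usual three-month payments.
Please review it.
If you want any explanation, we are here to help.
Warm regards!'''

BODY_B = '''Hello,
The attached document contains specifications about your recurring quarterly payments.
Please check it.
If you need any clarification, we are here to help.
Kind regards,'''

BODY_C = BODY_A.replace('Greetings.', 'Greetings. #48213')  # constructed scramble of A

BODY_D = '''Good afternoon,
An exclusive bonus is provided for this period.
Please review the attached record for detailed information.
Should you have any queries, please feel free to communicate with us.
Warm regards.'''

if __name__ == '__main__':
    for key, members in cluster_subjects(SUBJECTS).items():
        print(len(members), key)
    print(relate(BODY_A, BODY_C), relate(BODY_A, BODY_B), relate(BODY_A, BODY_D))
```

Running the block prints one line per subject template (five keys for eight subjects) and then the three pairwise verdicts: scrambled, paraphrased, unrelated. The thresholds (0.9 for a scrambled copy, 0.2 for a paraphrase) are tuned only to the samples here and would need calibration against a real campaign corpus; the word-frequency bias the report describes in reason 4 is the natural next signal to layer on top of the content-word sets.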
Below are two sets of three examples from the June 26 campaign, grouped by their parent prompt:\r\nParent prompt 1:\r\nGreetings.\r\nThe attached file contains specifications about your usual three-month payments.\r\nPlease review it.\r\nIf you want any explanation, we are here to help.\r\nWarm regards!\r\n\r\nHello,\r\nThe attached document contains specifications about your recurring quarterly payments.\r\nPlease check it.\r\nIf you need any clarification, we are here to help.\r\nKind regards,\r\n\r\nGreetings,\r\nThe attached record contains data about your recurring three-month payments.\r\nPlease review it.\r\nIf you need any further information, we are here to help.\r\nKind regards!\r\nParent prompt 2:\r\nGood afternoon,\r\nAn exclusive bonus is provided for this period.\r\nPlease review the attached record for detailed information.\r\nShould you have any queries, please feel free to communicate with us.\r\nWarm regards.\r\n\r\nGreetings,\r\nYou have received a bonus this month.\r\nDetails are included in the attached record.\r\nFeel free to get in touch if you have any queries.\r\nSincerely.\r\n\r\nHello.\r\nYou have been awarded an incentive this period.\r\nData are included in the attached document.\r\nPlease feel free to reach out if you have any concerns.\r\nRegards.\r\nAfter analyzing the email bodies and subjects, X-Force asserts a high likelihood of these being generated by an LLM, for the following reasons:\r\n1. The email structure is very consistent, indicating that these were generated in an automated process.\r\n2. The paraphrasing goes beyond simple single-word substitution with synonyms. There are multiple occurrences of restructured sentences, which would require a large database of phrases and specific logic to piece together without any errors.\r\n3. The content does not appear very creative, making it less likely to have been written by a human.\r\n4. The emails also display a lack of creativity when it comes to choosing synonyms for frequently used words. Research indicates that LLMs may use certain words excessively. After analyzing thousands of emails, X-Force found a clear bias towards certain words regardless of paraphrasing, which is unlikely to result from human-written text.\r\n5. X-Force reproduced similar emails by prompting an LLM to paraphrase an example email.\r\nMultilingual variants in July\r\nOn 30 June and 01 July 2024, X-Force observed a large phishing campaign targeting Italy with PayPal themes leading to the delivery of Dave-crypted X-Worm. We believe that it was sent by a different email distributor, but it still bears several similarities with previous Hive0137 campaigns. It is the first occasion on which X-Force has observed the use of suspected LLM-generated emails in another language. 
For comparison, below are sample paraphrased excerpts from the campaign, each followed by an English translation:\r\nGentile Cliente,\r\nLa sua fattura è stata pagata con successo il 7/1/2024.\r\n(Dear Customer, Your invoice was successfully paid on 7/1/2024.)\r\n\r\nGentile Cliente,\r\nLa informiamo che il pagamento è stato effettuato con successo.\r\nData e ora: 6/30/2024\r\n(Dear Customer, We inform you that the payment was made successfully. Date and time: 6/30/2024)\r\n\r\nGentile Cliente,\r\nLa presente è per confermare che la fattura è stata pagata con successo.\r\nData e ora: 7/1/2024\r\nGrazie per la vostra fiducia nel nostro servizio.\r\n(Dear Customer, This is to confirm that the invoice was successfully paid. Date and time: 7/1/2024. Thank you for your trust in our service.)\r\n\r\nCaro Cliente,\r\nSiamo lieti di informarti che il tuo pagamento è stato ricevuto con successo il 7/1/2024.\r\n(Dear Customer, We are pleased to inform you that your payment was successfully received on 7/1/2024.)\r\nOf note, the subjects remain in English:\r\nPayment Confirmation and Thank You\r\nPayment Confirmation and Order Recap\r\nPayment Acknowledgment\r\nPayment Success Notification\r\nOrder Payment Information\r\nThank You for Your Order and Payment\r\nPayment Completed – Order Recap\r\nAs a result, X-Force expects Hive0137 and other related email distributors to continue expanding their phishing email generation techniques to more languages in the future.\r\nLLM-aided scripting\r\nPDF-based phishing emails used by Hive0137 often leverage Adclick (DoubleClick), a popular online marketing platform. URLs supplied in phishing emails redirect the victim to malicious downloads of various types. On 20 June 2024, X-Force re-analyzed a previously collected Adclick URL and found that it now redirected to a different host:\r\nhttps[:]//bien-fait[.]net/wp-content/uploads/gravity_forms/downmpp[.]php\r\nThe URL led to the download of payment_june_2024-7a613.mpp (86ea22f95841f79ff10391858c1f38f8a694adf625a5d7cc49e47903c55dc8a8), a Python file with multiple Russian language comments. Files using the .mpp extension are typically associated with the Microsoft Project file format, containing the project timeline, budget and other relevant data. 
X-Force recently observed Hive0137 using MPP files to distribute NetSupport RAT, so it is unusual that the downloaded .mpp file contained Python code.\r\nThe downloaded Python script functions as a tool to inject malicious JavaScript into compromised WordPress sites. The site hosting the JavaScript can be retrieved from a text file hosted within a GitHub repository:\r\nhttps[:]//raw[.]githubusercontent[.]com/truba77/trubnik/main/to.txt\r\nThis text file contained the URL:\r\nhttps[:]//awards2tools[.]shop/xml\r\nUpon examination of the GitHub repository, multiple text files consisting of several URLs linking to awards2tools[.]shop were discovered, likely used by the actor for conducting operations.\r\nExtensive Russian comments inside the Python file and the coding style led X-Force to believe that it was likely created using an LLM, with a Russian prompt. To verify the capability of an LLM to generate a script similar to the one discovered, researchers attempted to reproduce the script using an LLM. The following prompt yielded AI-generated code with comment strings similar to those in payment_june_2024-7a613.mpp:\r\nPlease generate a Python script for me that edits a WordPress post using the XML-RPC protocol. It should read an input file “input.txt” with each line containing the server_url, the username, the password and the post_id. Each WordPress post should be set to a Javascript alert(1) HTML script\r\nFig. 6: The Python script obtained by the actor.\r\nFig. 7: X-Force AI-generated research script used for comparison.\r\nThe Python file contains Russian language strings throughout the code. 
The table below outlines a machine translation of the strings.\r\nLine | Russian | English translation\r\n7 | Создание объекта сервера XML-RPC | Creating an XML-RPC server object\r\n10 | Установка таймаута для текущего вызова метода | Setting a timeout for the current method call\r\n13 | Получение информации о посте | Getting information about a post\r\n16 | Удаление вложений из объекта поста, если они есть | Removing attachments from the post object, if there are any\r\n20 | Редактирование содержимого поста (в данном случае добавляем к содержанию текст | Editing post content (in this case, adding text to the content)\r\n23 | Редактирование поста | Editing a post\r\n27 | успешно отредактирован | successfully edited\r\n31 | Ошибка при редактировании поста | Error editing post\r\n45 | таймаут при подключении к серверу | timeout when connecting to the server\r\n56 | Максимальное количество ошибок подряд, после которого программа перейдет к следующему доступу | The maximum number of consecutive errors after which the program moves on to the next access\r\n73 | Достигнуто максимальное количество ошибок подряд. Переходим к следующему доступу | The maximum number of consecutive errors has been reached. Moving on to the next access\r\n74 | Переходим к следующему доступу | Moving on to the next access\r\nThe similarities observed between the actor-obtained Python file and the AI-generated research code show another possible way in which Hive0137 employs AI to assist in cyber operations. It is likely a momentary misconfiguration of the actor’s infrastructure that led to the download of the Python file.\r\nConclusion\r\nBeing one of the most active malware distributors, Hive0137 demonstrates a willingness to explore new payloads and technologies such as GenAI. 
They have quickly reached the same level as other high-profile distributors such as TA577, and will likely be responsible for future phishing campaigns, facilitating initial access for ransomware affiliates. Hive0137’s combination of intent, capabilities and relationships with other groups presents a direct threat to organizations all over the world. As threat actors pick up the pace and increasingly adopt AI technologies for malicious purposes, it is important that organizations are aware of the most recent threats and their capabilities to maintain a strong security posture.\r\nRecommendations:\r\nWe encourage organizations to review the following security recommendations:\r\nRegularly update and patch applications\r\nEnsure anti-virus software and associated files are up to date\r\nTrain users to exercise extreme caution with email links and attachments and refrain from opening unusual file types\r\nConsider blocking script execution such as PowerShell/VBS/HTA/JS/BAT or change the default application for those file types to Notepad\r\nImplement multi-factor authentication and monitor for leaked enterprise credentials\r\nIndicator | Type | Context\r\nhttps://narkology[.]top/3.jpeg | URL | Forest-crypted WarmCookie download URL\r\nef74cef9deeb24b497689857768a2364ffdc1d47a16af4825aba1e2168e49ec1 | SHA256 | Forest-crypted WarmCookie\r\n185.49.70[.]98 | IP | WarmCookie C2\r\n62.173.141[.]99 | IP | SMB server hosting Dave-crypted X-Worm\r\n473c0737f6125ad0dff41521ab1e6331cd457c3253556b2bce4482ebf86e829b | SHA256 | Dave-crypted X-Worm\r\nnewsferinfo[.]com | Domain | X-Worm C2\r\ncontinentalgames[.]top | Domain | X-Worm C2\r\nhttps[:]//bien-fait[.]net/wp-content/uploads/gravity_forms/downmpp[.]php | URL | Hive0137 download URL\r\nSource: https://securityintelligence.com/x-force/hive0137-on-ai-journey/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://securityintelligence.com/x-force/hive0137-on-ai-journey/"
	],
	"report_names": [
		"hive0137-on-ai-journey"
	],
	"threat_actors": [
		{
			"id": "bc119938-a79c-4e5f-9d4d-dc96835dfe2e",
			"created_at": "2024-06-04T02:03:07.799286Z",
			"updated_at": "2026-04-10T02:00:03.606456Z",
			"deleted_at": null,
			"main_name": "GOLD BLACKBURN",
			"aliases": [
				"ITG23 ",
				"Periwinkle Tempest ",
				"Wizard Spider "
			],
			"source_name": "Secureworks:GOLD BLACKBURN",
			"tools": [
				"BazarLoader",
				"Buer Loader",
				"Bumblebee",
				"Dyre",
				"Team9",
				"TrickBot"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "67ad7d52-d75e-43cb-9c57-8864949984e9",
			"created_at": "2024-08-20T02:00:04.546933Z",
			"updated_at": "2026-04-10T02:00:03.68954Z",
			"deleted_at": null,
			"main_name": "Hive0137",
			"aliases": [],
			"source_name": "MISPGALAXY:Hive0137",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b4f83fef-38ee-4228-9d27-dde8afece1cb",
			"created_at": "2023-02-15T02:01:49.569611Z",
			"updated_at": "2026-04-10T02:00:03.351659Z",
			"deleted_at": null,
			"main_name": "TA577",
			"aliases": [
				"Hive0118"
			],
			"source_name": "MISPGALAXY:TA577",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7183913d-9a43-4362-96e1-9af522b6ab84",
			"created_at": "2024-06-19T02:00:04.377344Z",
			"updated_at": "2026-04-10T02:00:03.653777Z",
			"deleted_at": null,
			"main_name": "TA571",
			"aliases": [],
			"source_name": "MISPGALAXY:TA571",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "63061658-5810-4f01-9620-7eada7e9ae2e",
			"created_at": "2022-10-25T15:50:23.752974Z",
			"updated_at": "2026-04-10T02:00:05.244531Z",
			"deleted_at": null,
			"main_name": "Wizard Spider",
			"aliases": [
				"Wizard Spider",
				"UNC1878",
				"TEMP.MixMaster",
				"Grim Spider",
				"FIN12",
				"GOLD BLACKBURN",
				"ITG23",
				"Periwinkle Tempest",
				"DEV-0193"
			],
			"source_name": "MITRE:Wizard Spider",
			"tools": [
				"TrickBot",
				"AdFind",
				"BITSAdmin",
				"Bazar",
				"LaZagne",
				"Nltest",
				"GrimAgent",
				"Dyre",
				"Ryuk",
				"Conti",
				"Emotet",
				"Rubeus",
				"Mimikatz",
				"Diavol",
				"PsExec",
				"Cobalt Strike"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "22d450bb-fc7a-42af-9430-08887f0abf9f",
			"created_at": "2024-11-01T02:00:52.560354Z",
			"updated_at": "2026-04-10T02:00:05.276856Z",
			"deleted_at": null,
			"main_name": "TA577",
			"aliases": [
				"TA577"
			],
			"source_name": "MITRE:TA577",
			"tools": [
				"Pikabot",
				"QakBot",
				"Latrodectus"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "e6a21528-2999-4e2e-aaf4-8b6af14e17f3",
			"created_at": "2022-10-25T16:07:24.422115Z",
			"updated_at": "2026-04-10T02:00:04.983298Z",
			"deleted_at": null,
			"main_name": "Wizard Spider",
			"aliases": [
				"DEV-0193",
				"G0102",
				"Gold Blackburn",
				"Gold Ulrick",
				"Grim Spider",
				"ITG23",
				"Operation BazaFlix",
				"Periwinkle Tempest",
				"Storm-0230",
				"TEMP.MixMaster",
				"Wizard Spider"
			],
			"source_name": "ETDA:Wizard Spider",
			"tools": [
				"AdFind",
				"Agentemis",
				"Anchor_DNS",
				"BEERBOT",
				"BazarBackdoor",
				"BazarCall",
				"BazarLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"Conti",
				"Diavol",
				"Dyranges",
				"Dyre",
				"Dyreza",
				"Dyzap",
				"Gophe",
				"Invoke-SMBAutoBrute",
				"KEGTAP",
				"LaZagne",
				"LightBot",
				"PowerSploit",
				"PowerTrick",
				"PsExec",
				"Ryuk",
				"SessionGopher",
				"TSPY_TRICKLOAD",
				"Team9Backdoor",
				"The Trick",
				"TheTrick",
				"Totbrick",
				"TrickBot",
				"TrickLoader",
				"TrickMo",
				"Upatre",
				"bazaloader",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434214,
	"ts_updated_at": 1775792171,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/be6c3ac43a7268c1e7e765a4fbed672cd126fe47.pdf",
		"text": "https://archive.orkl.eu/be6c3ac43a7268c1e7e765a4fbed672cd126fe47.txt",
		"img": "https://archive.orkl.eu/be6c3ac43a7268c1e7e765a4fbed672cd126fe47.jpg"
	}
}