{
	"id": "ae197aea-3f27-4c65-95d1-3d03966e4c46",
	"created_at": "2026-04-06T01:32:06.093888Z",
	"updated_at": "2026-04-10T13:12:23.397164Z",
	"deleted_at": null,
	"sha1_hash": "e1286b6b06a5085e327712c7b433fc7bcb3e880a",
	"title": "New Hive0117 phishing campaign imitates conscription summons deliver DarkWatchman malware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3066020,
	"plain_text": "New Hive0117 phishing campaign imitates conscription summons deliver DarkWatchman malware\r\nBy Claire Zaboeva, Melissa Frydrych, Golo Mühr\r\nPublished: 2023-09-07 · Archived: 2026-04-06 01:23:02 UTC\r\nAuthor\r\nClaire Zaboeva\r\nSenior Strategic Cyber Threat Analyst\r\nIBM\r\nIBM X-Force uncovered a new phishing campaign likely conducted by Hive0117 delivering the fileless malware DarkWatchman, directed at individuals associated with major energy, finance, transport, and software security industries based in Russia, Kazakhstan, Latvia, and Estonia. DarkWatchman malware is capable of keylogging, collecting system information, and deploying secondary payloads.\r\nImitating official correspondence from the Russian government in phishing emails aligns with previous Hive0117 campaigns delivering DarkWatchman malware, and shows a possible significant effort to induce a sense of urgency, as the emails reference then-recent amendments regarding conscription. Under the new ordinance, the state will bar individuals who fail to report for service from applying for loans, conducting real estate transactions, and engaging in international travel, and will suspend their driver’s license.\r\nIt is highly likely Hive0117 poses a threat to in-region entities and enterprises, given the use of emergent policies associated with the ongoing conflict in Ukraine to conduct operations, combined with the diverse functionality and fileless nature of DarkWatchman malware.\r\nHive0117 leverages new digital policies associated with Russian mobilization targeting Russian speakers.\r\nPhishing emails imitate electronic conscription notices from a non-existent military commissariat to deliver fileless DarkWatchman malware.\r\nUse of the ongoing regional conflict likely signals Hive0117 operations leverage current events to conduct illicit activity.\r\nThe DarkWatchman RAT uses fileless behavior to maintain a footprint on infected systems and may be used to deploy secondary payloads.\r\nThe fileless nature of the DarkWatchman malware, its use of JavaScript and a keylogger written in C#, as well as the ability to remove traces of its existence on compromised systems, are evidence of somewhat sophisticated capabilities.\r\nhttps://securityintelligence.com/x-force/new-hive0117-phishing-campaign-imitates-conscription-summons-deliver-darkwatchman-malware/\r\nPage 1 of 9\r\nFollowing President Vladimir Putin’s announcement of ‘partial mobilization,’ an estimated 900,000 Russian citizens fled the Russian Federation to avoid conscription into the Russian Armed Forces. In response, the Russian government introduced a bill in 2023 that aimed to address the issue of citizens avoiding service and receipt of a physical summons by allowing for the delivery of digital summons via the Gosuslugi — an electronic state services portal.\r\nThe emails are directed at work email addresses of individuals associated with several industries based in Russia, Kazakhstan, Latvia, and Estonia, and leverage an electronic summons for conscription into the Russian Armed Forces as the phishing lure. Hive0117 actors sent Russian-language emails with subject lines appearing to be Orders for Mobilization as of 10 May 2023 (Мобилизационное предписание №291-76005-23 от 10.05.2023). For authenticity, the emails include multiple images along with logos of the official coat of arms of the Russian Ministry of Defense. Machine translation of the email shows references to the then-recent legislation regarding guidance surrounding mobilization to the Russian Armed Forces.\r\nFigure 1: Image of Hive0117 phish imitating electronic conscription notice\r\nEach phishing email contains an archive attachment with a title echoing the email’s subject line, combined with an apparent serial number, and the date (Мобилизационное предписание №291-76005-23 от 10.05.2023.zip). The email sender is a fictional organization of the Main Directorate of the Military Commissariat of the Ministry of Defense of the Russian Federation (Главное Управление Военного Комиссариата МО РФ). Likewise, the same commissariat language (voenkomat) is also included in the visible actor-controlled return path (mail@voenkomat-mil[.]ru).\r\nAdditionally, X-Force uncovered reports from Russian publications indicating exact copies of the phishing emails were received by residents and government institutions across Russia, from Nizhny Tagil and Voronezh, to the Amur region, Ulyanovsk, Samara, Krasnodar, and Moscow. Reader comments within the articles suggest recipients included the Editorial Office of the Academy of Sciences, the Moscow Post Office, and personnel departments in Moscow.\r\nFigure 2: Image of local Russian newspaper reporting on the residents receiving fake mobilization orders\r\nGiven the contents of the email and their widespread distribution, it is highly likely Hive0117 directed this activity toward both in-country Russian citizens and those residing in Russia’s pronounced near abroad.\r\nThe email archive file attachments contain an executable, ultimately installing DarkWatchman malware that functions similarly to the Hive0117 malware reported in April 2022. A full DarkWatchman malware analysis report can be found on IBM X-Force Exchange.\r\nInfection chain\r\nFigure 3: DarkWatchman Malware infection chain\r\nThe downloader files, which contact various domains, download files to the %TEMP% location, where a self-extracting archive (SFX) installer drops two files: a JS file and a file containing a blob of hexadecimal characters. The SFX file executes the JS with the SFX file’s path as the argument. The JS file contains obfuscated code that functions as the backdoor, and the blob contains encrypted data that, when decrypted, contains a block of base64 encoded PowerShell that implements a keylogger. The configuration contains a comment in Russian text, which translates to “The comment below contains SFX script commands” (;Расположенный ниже комментарий содержит команды SFX-сценария), indicating that the author of the malware is a Russian-language speaker, likely based in, or originating from, a Russian-speaking territory.\r\nThe SFX archives also drop and register the dynwrapx.dll library, which can be used to call WinAPI functions exported from system DLLs directly from malicious scripts such as JS or VBS. This allows threat actors to deploy advanced payloads as scripts, without having to rely on executables that would be dropped to disk for execution.\r\nThe JavaScript backdoor is executed using the Windows Script Host (WSH) environment, wscript.exe, and utilizes the Windows Registry as a storage mechanism for configuration and other data to avoid writing to disk and avoid detection by anti-virus software. In particular, the keylogger is stored in the Registry in an encoded form until executed.\r\nHive0117 generates a UID string each time it starts that is used as an identifier for various purposes. The UID is calculated based on the C: volume serial number, which is queried and then converted to lowercase characters and padded with zeros (before the serial number) as needed to make the UID string 8 characters long.\r\nSeveral registry entries are used to store data; HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\DWM\\ is used as the base for this storage area. Each Registry value is identified using the UID and an alpha-numeric character representing a configuration key (\u003cuid\u003e\u003cconfig_key\u003e) and contains various configuration and other data (e.g., key log, etc.) previously used by Hive0117.\r\nExecuting the backdoor with the name of the SFX file as a parameter will cause an installation routine to be executed. As part of the installation routine, the backdoor will delete the SFX file to remove evidence of the file’s existence. The backdoor will rename itself based on the UID generated at start up, and subsequently, the file is moved to %LOCALAPPDATA%\\\u003cuid\u003e0.js (e.g., 29e0d2550.js).\r\nThe backdoor creates a scheduled task to run with elevated permissions, as if initially executed by an admin user; the task is used to maintain persistence on the system and is named using the UID.\r\nThe backdoor looks for the file containing the keylogger, reads the contents, and decodes them using XOR operations. Decoded data is converted back into a hex string and stored in the Registry until ready to be executed. The data written to the Registry is a base64 encoded PowerShell command. The keylogger file is removed upon installation and the scheduled task is started to initiate immediate execution instead of waiting for a user to log on. The final installation task is to remove any volume shadow copies if the backdoor was running as admin, to further clean up its tracks.\r\nUpon startup, and after the initial installation routine has been run, the backdoor will perform some preliminary steps before entering a loop where it will contact its C2 server and process any commands retrieved from the C2 server. The backdoor will look for any data contained in the configuration key v, which is used to store additional JavaScript code intended to be executed at startup.\r\nThe autostart JavaScript is not stored in v at installation and must be set later based on a C2 command. Next, the backdoor will attempt to start the keylogger, stored as a base64 encoded PowerShell command, which is retrieved and executed using a command via WMI. A keylogger component written in C# .Net is loaded by the JavaScript backdoor and runs concurrently with the backdoor. The source code for the keylogger is compiled and loaded into memory using a base64 encoded PowerShell command and creates a mutex to prevent multiple copies of the keylogger from running. The keylogger shares two of the configuration keys used by the backdoor to enable the two components to communicate and uses a configuration key to log captured keystrokes, which the backdoor sends to a C2; the keylogger does not have any network functionality.\r\nThe DarkWatchman malware uses a domain generation algorithm (DGA) to generate a list of C2 domains; the malware attempts to communicate with different domains, potentially daily. The C2 URLs are created by combining the DGA domain list with the protocol, URL path, and a list of top-level domains (TLDs) that are hard coded in the backdoor. Previous TLDs included .top, .fun, .online, .site, whereas new TLDs include .shop, .icu, and .cyou. The backdoor creates and tests URLs starting with the original hard-coded list, to which the DGA domains are appended, so network connection attempts are made first to a static list of domains and then to the DGA domains.\r\nSystem information is collected to generate a beacon:\r\nOS version/locale\r\nDomain role\r\nComputer name\r\nUsername\r\nCurrent time zone\r\nInstalled anti-virus\r\nSmartcard reader driver\r\nQuerying for the presence of a smartcard reader may indicate that Hive0117 conducts operations targeting military, government, or other organizations with higher security requirements.\r\nT1027.010 Obfuscated Files or Information: Command Obfuscation\r\nT1056.007 Command and Scripting Interpreter: JavaScript\r\nT1053.005 Scheduled Task/Job: Scheduled Task\r\nT1112 Modify Registry\r\nA comparison of previously reported activity delivering DarkWatchman malware with the current activity reveals a potential opportunist approach to operations featuring well-timed and manufactured campaigns. The fileless nature of the DarkWatchman malware, its use of JavaScript and a keylogger written in C#, as well as the ability to remove traces of its existence on compromised systems when instructed, are evidence of somewhat sophisticated capabilities.\r\nThe ability of the malware to query for the presence of a smartcard reader may signal that Hive0117’s operational objectives include the compromise of military, government, or other organizations with elevated security requirements. X-Force recommends entities in-region remain at a heightened state of defensive security.\r\nEnsure anti-virus software and associated files are up to date.\r\nSearch for existing signs of the indicated IoCs in your environment:\r\nJS files in %LOCALAPPDATA% (e.g. 29e0d2550.js)\r\nSuspicious scheduled tasks (e.g., task name “29e0d255-29e0-d255-29e0-29e0d25529e0”)\r\nVolume shadow copy deletion. Command: “vssadmin.exe Delete Shadows /All /Quiet”\r\nPowerShell commands launched from WMI. Command: “powershell.exe -NoP -NonI -W Hidden -Exec Bypass –enc \u003cpayload\u003e”\r\nRegistry keys under “HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\DWM\\\u003cc_volume_serial\u003e\\”\r\nRegistering dynwrapx.dll. Command: “regsvr32.exe /i /s %LOCALAPPDATA%\\dynwrapx.dll”\r\nConsider blocking and/or setting up detection for all URLs matching the DGA format: [a-f0-9]{8}.[shop|icu|cyou|top|fun|online|site]/index.php\r\nKeep applications and operating systems running at the current released patch level.\r\nExercise caution with attachments and links in emails.\r\nTo learn how IBM Security X-Force can help with anything regarding cybersecurity including incident response, threat intelligence or offensive security services, schedule a meeting here: IBM Security X-Force Scheduler.\r\nIf you are experiencing cybersecurity issues or an incident, contact IBM Security X-Force for help: US hotline 1-888-241-9812 | Global hotline (+001) 312-212-8034.\r\nIndicator | Indicator Type | Context\r\n03735369a2e4a40528076f8e2f1e1501056fbc7bb70a2d30e364c3e17e670917 | Email ZIP Attachment | Мобилизационное предписание №291-76005-23 от 10.05.2023.zip\r\ne35f82f85a608553483482ce7297d49de205f609961d8bf3511cb1a00bcad956 | Email ZIP Attachment | Мобилизационное предписание №5010421409-ВВК от 10.05.2023.zip\r\n3aa2a15dabbf0f5a18232b7f849c9d340bf27e4048a65c80c4519f97f44e6e87 | ZIP File | Мобилизационное предписание №314-39008-3Н от 10.05.2023.zip\r\n183c4d8170e7ca73992f05d336f7b1e3cfc4d6b4f28be585ee37d7d2085305a9 | ZIP File | Мобилизационное предписание №4212317-009МК от 10.05.2023.zip\r\n540b6af8474a9725dd44fb493263a91b43409af34899eb77349120503135fc73 | ZIP File | Мобилизационное предписание №186-31005-23 от 10.05.2023.zip\r\nde8c0e985eb2426668c4b72c925cdd4d28b9d3018177949c4d69557b718c0fea | Javascript | c784477d0.js\r\n0b7da98101170c42365b0cf2ae2b1b86c5ea035731e46a951fd729fb7bb7a019 | Javascript | c784477d0.js\r\nf103d0043f1246818615c34c863f985b89fceb4baa1d7ad724ec505bf7dcc165 | Javascript | c153ea2b0.js\r\nc03a9409f79d8766bf70719ef6c97db5de72527d9daf634e8e65d912d42da20d | Javascript | 36d1130a0.js\r\n99cdd88c12687b383af72aa6401808c447994489f2d2b45521dc673b03f24a21 | Javascript | d46026150.js\r\n7860768264fdf663ff3b78e0efffd427cfe56be82ce32214f550d6103205c922 | EXE | Заявка_05062023.exe\r\n4413d38812f17ed73bfb67854415038fd9e2e246ccbdaf64f178abf2aee06e27 | EXE | Заявка_05062023.exe\r\n483fcdd6983631f27ca31a55cfd5cc41c0800a3ac4d4ce5e10f8a1664bb15c11 | EXE | dogovor.exe\r\n69fa6b29f2b7954675949cdca29eda7d00f36e8f6bfde2a43efa422ab7d545d5 | EXE |\r\nc19e0be9400279b5aee97862435802934419e0ff116a78b292565bd5edc5d446 | EXE | Заявка_05062023.exe\r\nd439a3ce7353ef96cf3556abba1e5da77eac21fdba09d6a4aad42d1fc88c1e3c | EXE |\r\ndcf8c16ea3b02a94e22709b4449a174a59545bf31a64627fee144b67733888dc | EXE | Заявка_05062023.exe\r\nmail[@]voenkomat-mil[.]ru | Email Address | Return Path\r\n025ad916.cyou | Domain | C2\r\n025ad916.icu | Domain | C2\r\n025ad916.shop | Domain | C2\r\nec311447.cyo | Domain | C2\r\nec311447.shop | Domain | C2\r\nec311447.icu | Domain | C2\r\n9da3ecce.cyou | Domain | C2\r\n9da3ecce.icu | Domain | C2\r\n9da3ecce.shop | Domain | C2\r\n1ee79f0e.cyou | Domain | C2\r\n1ee79f0e.shop | Domain | C2\r\n1ee79f0e.icu | Domain | C2\r\n0f580158.cyou | Domain | C2\r\n0f580158.shop | Domain | C2\r\n0f580158.icu | Domain | C2\r\nSource: https://securityintelligence.com/x-force/new-hive0117-phishing-campaign-imitates-conscription-summons-deliver-darkwatchman-malware/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://securityintelligence.com/x-force/new-hive0117-phishing-campaign-imitates-conscription-summons-deliver-darkwatchman-malware/"
	],
	"report_names": [
		"new-hive0117-phishing-campaign-imitates-conscription-summons-deliver-darkwatchman-malware"
	],
	"threat_actors": [
		{
			"id": "d38d3292-8164-433a-879a-a6f4b63932f5",
			"created_at": "2025-05-29T02:00:03.23291Z",
			"updated_at": "2026-04-10T02:00:03.882124Z",
			"deleted_at": null,
			"main_name": "Hive0117",
			"aliases": [],
			"source_name": "MISPGALAXY:Hive0117",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775439126,
	"ts_updated_at": 1775826743,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e1286b6b06a5085e327712c7b433fc7bcb3e880a.pdf",
		"text": "https://archive.orkl.eu/e1286b6b06a5085e327712c7b433fc7bcb3e880a.txt",
		"img": "https://archive.orkl.eu/e1286b6b06a5085e327712c7b433fc7bcb3e880a.jpg"
	}
}