{
	"id": "297ab81c-b42f-49dc-a6a8-c2418d13f788",
	"created_at": "2026-04-06T00:21:05.044576Z",
	"updated_at": "2026-04-10T03:33:29.083567Z",
	"deleted_at": null,
	"sha1_hash": "fd96bd703c8c4134536abdd02b1908a08cca2abb",
	"title": "Hive00117 fileless malware delivery Eastern Europe",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 763504,
	"plain_text": "Hive00117 fileless malware delivery Eastern Europe\r\nBy Melissa Frydrych, Claire Zaboeva, David Bryant\r\nPublished: 2022-04-26 · Archived: 2026-04-05 15:47:24 UTC\r\nClaire Zaboeva\r\nSenior Strategic Cyber Threat Analyst\r\nIBM\r\nThrough continued research into the ongoing cyber activity throughout Eastern Europe, IBM Security X-Force\r\nidentified a phishing email campaign by Hive0117, likely a financially motivated cybercriminal group, from\r\nFebruary 2022, designed to deliver the fileless malware variant dubbed DarkWatchman. The campaign\r\nmasquerades as official communications from the Russian Government’s Federal Bailiffs Service, the Russian-language emails are addressed to users in Lithuania, Estonia, and Russia in the Telecommunications, Electronic\r\nand Industrial sectors. The activity predates and is not believed to be associated with the Russian-led invasion of\r\nUkraine.\r\nX-Force assesses that it is possible the targeting of telecommunication providers and their industry adjacent\r\nsuppliers may be intended as ultimately serving to enable illegal access to numerous distributed clients and end-users.\r\nDarkWatchman is a malicious Remote Access Trojan (RAT) based on JavaScript, using command and control\r\n(C2) mechanisms for fileless persistence, as well as other capabilities.\r\nThe phishing activity discovered by X-Force (tracked internally as Hive0117) aligns with research published in\r\nDecember 2021, detailing a similar phishing campaign designed to deliver a DarkWatchman payload by imitating\r\na Russia-based freight and logistics company.\r\nGiven the elevated levels of threat activity associated with the ongoing regional crisis, the evidence may suggest\r\nthat threat actors will leverage the current climate to conduct and obfuscate further activity.\r\nThe contents of the emails feature identical Russian-language text detailing several articles related to enforcement\r\nprocedures associated with the Kuntsevsky District Court of Moscow, upheld by the “Bailiff of the Interdistrict\r\nDepartment of Bailiffs for the Execution of Decisions of the Tax Authorities.” The only variation observed by X-Force within the emails is in the name and “case number” associated with the individual email and accompanying\r\nmalicious ZIP archive file attachment.\r\nHive0117 activity assessment\r\nX-Force assesses Hive0117 phishing campaigns are likely criminally motivated in nature given the target selection\r\nand focuses of current and previous activities. Additionally, while the target list of the phishing campaign\r\nattributed to Hive0117 has regional associations with the Russian invasion of Ukraine, the activity predates the\r\nhttps://securityintelligence.com/posts/hive00117-fileless-malware-delivery-eastern-europe/\r\nPage 1 of 5\n\ninvasion, indicating the separate from any politically charged associations that have spurred recent waves of\r\ncriminal activity, such as the attack on a German subsidiary of a Russian state-affiliated energy company.\r\nNevertheless, given the evolving nature of criminal activity prompted by the conflict, language capability, target\r\nfocus, and relative sophistication of the actor, it is likely Hive0117-related activity possesses an elevated threat to\r\nentities and enterprises based in-region.\r\nThe latest tech news, backed by expert insights\r\nStay up to date on the most important—and intriguing—industry trends on AI, automation, data and beyond with\r\nthe Think Newsletter, delivered twice weekly. See the IBM Privacy Statement.\r\nHive0117 phishing activity\r\nX-Force discovered multiple emails that were sent in mid-February 2022 to individual users, including a state-owned communication company based in Lithuania, a prominent Industrial Enterprise in Estonia, and several\r\nelectronic and telecommunication businesses located in Russia. In some cases, the emails were targeting company\r\nowners, as well as individuals in leadership positions associated with Dispatch Services and Sales. Targeted\r\norganizations could be of high value to criminal actors given the targets’ potential trusted access to wide, and\r\ndistributed client base.\r\nThe emails are crafted to appear to originate from the official address of the Federal Bailiffs Service in Russia, a\r\nfederal law enforcement agency under the Russian Ministry of Justice; however, header examination revealed that\r\nsome of the emails were received from shtampuy[.]ru (free.ds [185.64.76.158]). The majority of emails feature the\r\nreturn path address mail@r77[.]fssprus[.]ru, meant to imitate the organization’s authentic address\r\nhttps://r77.fssp.gov[.]ru. However, for unknown reasons, a single instance imitates a sender which seeks to pose as\r\nthe head of a purported Russian investment company. The subjects of Hive0117 emails, including official notices,\r\nare eye-catching and are likely intended to compel the target to open the email and access the attachment.\r\nImage 1: Sample of email return path and subject line\r\nThe contents of the emails feature identical Russian-language text detailing several articles related to enforcement\r\nprocedures associated with the Kuntsevsky District Court of Moscow, upheld by the “Bailiff of the Interdistrict\r\nDepartment of Bailiffs for the Execution of Decisions of the Tax Authorities.” The only variation observed by X-Force within the emails is in the name and “case number” associated with the individual email and accompanying\r\nmalicious ZIP archive file attachment.\r\nhttps://securityintelligence.com/posts/hive00117-fileless-malware-delivery-eastern-europe/\r\nPage 2 of 5\n\nImage 2: Sample email body\r\nX-Force assesses that it is possible the targeting of telecommunication providers and their industry adjacent\r\nsuppliers may be intended as ultimately serving to enable illegal access to numerous distributed clients and end-users.\r\nMalware payload\r\nThe emails X-Force uncovered contain archive files either named “Исполнительный лист XXXXXXX-22.zip”,\r\nwhere the “X” indicates a numeric value, or “Счет 63711-21 от 30.12.2021.zip”, translated respectively to\r\n“Performance List”, “Writ of Execution”, and “Invoice”. Each archive file contains an executable of the same\r\nname, designed to deliver the DarkWatchman JavaScript backdoor and encrypted source code for a keylogger\r\nsimilarly to the report from December 2021.\r\nhttps://securityintelligence.com/posts/hive00117-fileless-malware-delivery-eastern-europe/\r\nPage 3 of 5\n\nIn addition, X-Force discovered downloader files designed to deliver the DarkWatchman malware, by contacting\r\ndomtut[.]site|fun|online and downloading files to %TEMP%. Un execution a self-extracting archive (SFX)\r\ninstaller drops two files: a Javascript (JS) file and a file containing a series of hexadecimal characters. The JS file\r\ncontains obfuscated code that functions as the backdoor and the hexadecimal data contains encrypted data that\r\nwhen decrypted, contains a block of base64 encoded PowerShell that executes a keylogger. The configuration\r\ncontains a comment in Russian text, which translates to “The comment below contains SFX script commands”\r\n(;Расположенный ниже комментарий содержит команды SFX-сценария), indicating that the author of the\r\nmalware is a Russian-language speaker, possibly based in, or originating from, a Russian-speaking territory.\r\nGiven the fileless nature of the malware, coupled with a JavaScript and a keylogger written in C#, and the abilities\r\nto remove traces of its existence on the compromised system when instructed, X-Force assesses that malicious\r\nactor(s) behind Hive0117 activity are of moderate sophistication.\r\nMalware infrastructure\r\nThe majority of the new malware samples discovered by X-Force, appear to be based on a C2 IP address\r\n(103.153.157[.]33) previously associated with Hive0117 activity. One of the samples was submitted to Virus Total\r\nin February 2022 and is configured to use several C2 domains including d303790c[.]top, which overlaps with\r\npreviously uncovered malicious executable Накладная №12-6317-3621.exe.\r\nThe DarkWatchman malware analyzed by X-Force uses a domain generation algorithm (DGA) to generate a list of\r\nC2 domains, in which the malware attempts to communicate with. The DGA requires a salt as input stored in the\r\nconfiguration key b, or the default salt d46ebd15 is used if the key is not set. A list of hard-coded domain strings is\r\ncontained in an array, with the analyzed samples containing the following list:\r\n3a60dc39, 4d67ecaf, d303790c, a404499a, 3d0d1820, 4a0a28b6, dab53527, adb205b1, 44e645b3, 500ed27c,\r\nc8690767, 17c45148, 13e1ced9, e123fe80, 136e9446, 5937c7c6, 7c7cb9a4, 9eaa332e, 97815a39, 6a090054\r\nIOCs\r\nFiles\r\nFile Name Hash\r\nИсполнительный лист 1840120-22.exe d68180819bb8eb8207dc6ab74c1a4642\r\nИсполнительный лист 1909102-22.exe 2bd8ee514c13a06687b5775e0a9eaf71\r\nИсполнительный лист 16301123-22.exe b25b24998800da7b5cf17879f2eb83ed\r\nИсполнительный лист 1711390-22.exe 79b824bb99b4cc4f5da880371de52977\r\nИсполнительный лист 154211671.scr a4f19fba9a5ec97d3560cd43c4bd5507\r\nИсполнительный лист 154211671.scr a34809f26a22e0127e99597fed9169bf\r\nСчет 63711-21 от 30.12.2021.exe 75a3b83d2b4131132d76d92190f045ec\r\nhttps://securityintelligence.com/posts/hive00117-fileless-malware-delivery-eastern-europe/\r\nPage 4 of 5\n\nDomains\r\n3a60dc39[.]\\(top|fun|online|site)\r\n4d67ecaf[.]\\(top|fun|online|site)\r\nd303790c[.]\\(top|fun|online|site)\r\na404499a[.]\\(top|fun|online|site)\r\n3d0d1820[.]\\(top|fun|online|site)\r\n4a0a28b6[.]\\(top|fun|online|site)\r\ndab53527[.]\\(top|fun|online|site)\r\nadb205b1[.]\\(top|fun|online|site)\r\n44e645b3[.]\\(top|fun|online|site)\r\n500ed27c[.]\\(top|fun|online|site)\r\nc8690767[.]\\(top|fun|online|site)\r\n17c45148[.]\\(top|fun|online|site)\r\n13e1ced9[.]\\(top|fun|online|site)\r\ne123fe80[.]\\(top|fun|online|site)\r\n136e9446[.]\\(top|fun|online|site)\r\n5937c7c6[.]\\(top|fun|online|site)\r\n7c7cb9a4[.]\\(top|fun|online|site)\r\n9eaa332e[.]\\(top|fun|online|site)\r\n97815a39[.]\\(top|fun|online|site)\r\n6a090054[.]\\(top|fun|online|site)\r\nURLs\r\nhttp[:]//domtut[.]\\(fun|online|site)\r\nIP addresses\r\nSource: https://securityintelligence.com/posts/hive00117-fileless-malware-delivery-eastern-europe/\r\nhttps://securityintelligence.com/posts/hive00117-fileless-malware-delivery-eastern-europe/\r\nPage 5 of 5",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://securityintelligence.com/posts/hive00117-fileless-malware-delivery-eastern-europe/"
	],
	"report_names": [
		"hive00117-fileless-malware-delivery-eastern-europe"
	],
	"threat_actors": [
		{
			"id": "d38d3292-8164-433a-879a-a6f4b63932f5",
			"created_at": "2025-05-29T02:00:03.23291Z",
			"updated_at": "2026-04-10T02:00:03.882124Z",
			"deleted_at": null,
			"main_name": "Hive0117",
			"aliases": [],
			"source_name": "MISPGALAXY:Hive0117",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434865,
	"ts_updated_at": 1775792009,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/fd96bd703c8c4134536abdd02b1908a08cca2abb.pdf",
		"text": "https://archive.orkl.eu/fd96bd703c8c4134536abdd02b1908a08cca2abb.txt",
		"img": "https://archive.orkl.eu/fd96bd703c8c4134536abdd02b1908a08cca2abb.jpg"
	}
}