New wave of malicious emails associated with the Hive0117 group

F6 has reported a new wave of malicious emails associated with the Hive0117 group.

Hive0117 has been active since February 2022 and uses the DarkWatchman RAT Trojan . The group disguises its campaigns as messages from legitimate organizations, records email infrastructure and control domains, and sometimes repurposes them .

According to F6, DarkWatchman activity was detected on September 24, after several months of silence.

The attacks were carried out under the guise of the Federal Bailiff Service from the address mail@fssp[.]buzz. Similar mailings were observed in June and July. Analysis revealed the domains 4ad74aab[.]cfd and 4ad74aab[.]xyz.

The attacks targeted companies in Russia and Kazakhstan. The list of 51 targets included banks, telecommunications operators, marketplaces, logistics and manufacturing companies, car dealerships, construction companies, retailers, insurance and investment firms, fuel and energy companies, pharmaceutical companies, research institutes, a technology park, a municipal solid waste management operator, as well as services in the tourism, fitness, and IT sectors.

DarkWatchman was also distributed via mailings disguised as supposedly Department of Defense archives and fake subpoenas .

Follow us on Google News to receive daily updates on cybersecurity. Contact us if you would like to report news, insights or content for publication.

Redazione

The Red Hot Cyber Editorial Team provides daily updates on bugs, data breaches, and global threats. Every piece of content is validated by our community of experts, including Pietro Melillo, Massimiliano Brolli, Sandro Sana, Olivia Terragni, and Stefano Gazzella. Through synergy with our industry-leading partners—such as Accenture, CrowdStrike, Trend Micro, and Fortinet—we transform technical complexity into collective awareness. We ensure information accuracy by analyzing primary sources and maintaining a rigorous technical peer-review process.