Image: Rene Bohmer via Unsplash

DarkWatchman cybercrime malware returns on Russian networks

A financially motivated hacker group has targeted Russian companies across several industries in a new phishing campaign using a modified version of the DarkWatchman malware, researchers have found.

The group, known as Hive0117, has attacked firms in sectors including media, tourism, biotechnology, finance, energy and telecommunications, according to Russian cybersecurity firm F6. 

In 2023, Western researchers spotted the group spoofing Russian government communications and sending phishing emails disguised as military conscription notices. DarkWatchman was part of that campaign. 

The recent activity detailed by F6 involved phishing emails containing password-protected malicious archives. Once the archives were opened, the malware infected systems, allowing the hackers to record keystrokes, collect data and deploy additional payloads.

It is unclear whether the latest attacks were successful or caused any financial damage. The group’s activity, which dates back to at least February 2022, does not appear to be linked to the ongoing cyber conflict between Russia and Ukraine, researchers previously said. Hive0117's origins remain unknown.

In previous operations, the hackers impersonated legitimate organizations and targeted entities in Russia, Belarus, Lithuania, Estonia and Kazakhstan.

Earlier this week, Russian media reported that scammers in Russia are increasingly using artificial intelligence and social engineering to defraud local users. Posing as potential partners on dating apps or social media, the fraudsters build trust before soliciting money for fake investments or business schemes, according to the reports.

Daryna Antoniuk is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.