Hive0117
Hive0117 is a financially motivated threat group active since at least late 2021. It primarily targets corporate finance and accounting departments in order to gain access to corporate remote banking systems and steal money. Reported victim organizations were primarily in Russia, with additional victims or prior targeting noted in Belarus, Kazakhstan, Uzbekistan, Lithuania, and Estonia. In one 2026 reporting period, F6 reported roughly 400 successful attacks against Russian organizations since the start of the year.
Hive0117 is associated with phishing campaigns that use accounting- and business-themed lures, including invoices, reconciliation statements, waybills, payment debt notices, shipping paperwork and, in one 2023 campaign, fake military conscription notices impersonating Russian government communications. The group sends password-protected RAR archives, with the password included in the email body, containing malicious files disguised as financial documents.
These infections deploy the fileless malware DarkWatchman, which has been linked to Hive0117 since at least 2021. DarkWatchman is used to establish covert access; in observed campaigns it downloaded a keylogger module that intercepted keystrokes, monitored clipboard contents, and tracked the connection of cryptographic tokens used for corporate banking access.
When banking-related access is available, Hive0117 proceeds with follow-on tooling, including remote access tools such as LiteManager, BitRAT, and malware with hVNC functionality, which allows hidden control of victim systems through a virtual desktop. The group then accesses corporate online banking portals directly from compromised accountant workstations so that the activity appears legitimate. In the 2026 campaign, researchers reported a shift from direct transfers to fraudulent payroll-register payments: payment orders were made to look like salary disbursements to employees while actually routing funds to attacker-controlled drop accounts.
Reported losses increased from an average of 3 million rubles to 10 million rubles, and the largest confirmed theft in the campaign exceeded 14 million rubles. No additional aliases or sub-groups were provided in the source content, and the group's origin remains unknown. F6 assessed its operations as financially motivated rather than connected to the broader Russia-Ukraine cyber conflict.
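One defender-side check that follows from the lure pattern described above, added here as an example that is not from the F6 reporting or the Mallory platform: a heuristic over a parsed message that fires when an accounting-themed email carries an archive attachment and states the archive password in the body. The keyword lists, the `score_message` and `build_sample` names, and the constructed sample message are assumptions, not observed samples.

```python
import re
from email.message import EmailMessage

# Hypothetical heuristic (added example, not from the report): the lure is an
# accounting-themed email with an archive attachment whose password is given in
# the message body. Keyword lists are illustrative, not exhaustive.
ARCHIVE_EXT = (".rar", ".zip", ".7z")
LURE_TERMS = ("invoice", "reconciliation", "waybill", "payment", "debt", "shipping",
              "счет", "акт сверки", "накладная", "задолженност")
PASSWORD_RE = re.compile(r"(?:password|пароль)\s*[:：]?\s*(\S{4,})", re.IGNORECASE)


def score_message(msg: EmailMessage) -> dict:
    """Return the three indicators, their count, and a flag set only when all fire."""
    subject = msg.get("Subject", "")
    body_part = msg.get_body(preferencelist=("plain", "html"))
    text = body_part.get_content() if body_part is not None else ""
    archives = [p.get_filename() for p in msg.iter_attachments()
                if (p.get_filename() or "").lower().endswith(ARCHIVE_EXT)]
    hits = {
        "archive_attachment": bool(archives),
        "password_in_body": PASSWORD_RE.search(text) is not None,
        "accounting_lure": any(t in f"{subject} {text}".lower() for t in LURE_TERMS),
    }
    return {"hits": hits, "score": sum(hits.values()), "archives": archives,
            "flag": all(hits.values())}


def build_sample(with_password: bool) -> EmailMessage:
    """Constructed test message; the attachment is a few signature bytes, not a real archive."""
    msg = EmailMessage()
    msg["Subject"] = "Reconciliation statement Q1 - overdue payment"
    msg["From"] = "accounting@example.invalid"
    msg["To"] = "accountant@example.invalid"
    body = "Please review the attached reconciliation statement.\n"
    if with_password:
        body += "Archive password: 2026\n"
    msg.set_content(body)
    msg.add_attachment(b"Rar!\x1a\x07\x01\x00", maintype="application",
                       subtype="vnd.rar", filename="akt_sverki.rar")
    return msg


if __name__ == "__main__":
    for with_password in (True, False):
        print(score_message(build_sample(with_password)))
```

An archive attachment plus an accounting lure without a body-stated password still scores 2 of 3; the hard flag is reserved for the full pattern so that ordinary encrypted archives from known counterparties are not blocked outright.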
Targeting
Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.
Who they target
Sectors the actor has been observed targeting.
- Banks
- Software & Services
- Capital Goods
- Consumer Discretionary Distribution & Retail
- Materials
- Food, Beverage & Tobacco
Where they target
Geographies tied to known operations.
- 🇷🇺 Russia
- 🇧🇾 Belarus
- 🇰🇿 Kazakhstan
- 🇺🇿 Uzbekistan
Tradecraft
12 distinct techniques observed across reporting, grouped by tactic.
Associated malware families
1 malware family attributed to this actor across reporting.
Recent activity
2 sources tracked across advisories, community write-ups, and news.
Financially motivated attacks targeting company accountants to steal money via remote banking systems after infecting victims with DarkWatchman and deploying remote access tools.
Financially motivated threat actor conducting phishing campaigns against corporate finance and accounting departments to steal funds via fraudulent salary-payment transfers using compromised banking access.