
Post: New wave of malicious emails associated with the Hive0117 group


<div> <div data-element_type="widget" data-id="914a4f5" data-widget_type="shortcode.default"> <div> <div> <p><span><b><a href="https://www.redhotcyber.com/post/author/redazione/" target="_blank">Redazione RHC</a>: 27 September 2025 16:17</b></span></p> <p>F6 has reported a new wave of malicious emails associated with the <strong>Hive0117</strong> group.</p> <p>Hive0117 has been active since February 2022 and uses the <strong>DarkWatchman</strong> remote access trojan (RAT). The group disguises its campaigns as <em>messages from legitimate organizations, registers its own email infrastructure and command-and-control domains, and sometimes reuses them</em>.</p> <p>According to F6, DarkWatchman activity was detected on September 24, after several months of silence.</p> <p>The attacks were carried out under the guise of the <em>Federal Bailiff Service, from the address mail@fssp[.]buzz.</em> Similar mailings were observed in June and July. Analysis of the campaign also identified the domains <em>4ad74aab[.]cfd and 4ad74aab[.]xyz.</em></p> <p>The attacks targeted companies in Russia and Kazakhstan. The list of 51 targets included <em>banks, telecommunications operators, marketplaces, logistics and manufacturing companies, car dealerships, construction companies, retailers, insurance and investment firms, fuel and energy companies, pharmaceutical companies, research institutes, a technology park, a municipal solid waste management operator, as well as services in the tourism, fitness, and IT sectors.</em></p> <p>DarkWatchman was also distributed via mailings disguised <a href="https://feedback.send.yandex.ru/l/L/VEdnQXdNTit2dk9GcUx3eUNyNnZQOE1ObUROQnRwdEJKVzdRTDBTYUh3SkVYeWIzOFQ5YkVXSEtxMENhNk9oTW5LaWUwanFxd2lETFROeFY4TTIzQlprT2RHRXpReFpZRllOZkx3cm5EU1lQS1ZDbDRGeklOeHpsbWZmc0tXNHZKMDd2U2JadTlYaE1vWXlobmt3K1hQY2pBU1ZSYkp4b3hUWjlNNDdubkd2dERKb3ZQdDdkdmcyQ2lqOG1WUm05NDQ2MExXZWxYaUdINjh2LzhpRWI5Tkd6QmI4emw1S0FRMzlBQ3ZHa0NQUT06MTQ1Mzox/https://t.me/f6_cybersecurity/2914" target="_blank">as supposed Department of Defense archives</a> and <a href="https://feedback.send.yandex.ru/l/L/WWNGTFh3dkFtMEM0SXN5dWNXL1BlWmJzOVdPWEh0K0hteFMwK0hpTFhoTUhwblVVeHM1Ukh4RlFMYXppdzV2YllaVVY5SW51cnRacCtyb3JTYUVueUFjT2JJYTlWMXMrY0xINVNHVzFwbWVHZk1tVFVGMlM4UG5lajJSajd3VkM2YVgwTDFOZ0M3WUcwZCs2aTVnUmZhcTFwWnRVeEsvbHl2VjNEQThRVE1yRnpJK2VGc3VVNnZBYkEzRkJtVnh3Qy9lcDJubFlQbWFPSnNBb20xMy9IVTdWNDVJVzBESWl3N3dxTnBJNW1LTT06NDYzOjE=/https://t.me/f6_cybersecurity/2864" target="_blank">as fake subpoenas</a>.</p> <div> <div> <div> <div> <p><b><span>Redazione</span></b><br /><span>The editorial team of Red Hot Cyber consists of a group of individuals and anonymous sources who actively collaborate to provide early information and news on cybersecurity and computing in general.</span></p> <p><a href="https://www.redhotcyber.com/post/author/redazione/" target="_blank">List of articles</a></p> </div> </div> </div> </div> </div> </div> </div></div>