Russian companies have been targeted in a large-scale phishing campaign that delivers the DarkWatchman malware.
The targets include organizations in the media, tourism, finance and insurance, manufacturing, retail, energy, telecommunications, transport and biotechnology sectors, Russian cybersecurity company F6 said.
The activity is assessed to be the work of a financially motivated group tracked as Hive0117, which IBM X-Force has previously linked to attacks on users in Lithuania, Estonia and Russia across the telecommunications, electronics and industrial sectors.
Then, in September 2023, DarkWatchman was again used in a phishing campaign aimed at energy, finance, transport and security software companies based in Russia, Kazakhstan, Latvia and Estonia.
Russian banks, retailers and marketplaces, telecommunications operators, agro-industrial enterprises, fuel and energy companies, logistics firms and IT companies were singled out once more in November 2023, with DarkWatchman delivered using a courier delivery lure.
A JavaScript-based trojan, DarkWatchman is capable of keylogging, collecting system information and deploying secondary payloads. It was first documented in December 2021.
"Indeed, the nature of DarkWatchman and its use of JavaScript and a keylogger written in C#, as well as its ability to remove traces of its existence on compromised systems, point to some sophisticated capabilities," IBM said in 2023.
The latest set of attacks involves sending phishing emails containing fake password-protected archives which, when opened, deliver a DarkWatchman variant with improved detection-evasion capabilities. Because the archive is encrypted, mail gateways and endpoint scanners cannot inspect its contents before the recipient types in the password from the email body.
Ukraine Targeted by New Sheriff Backdoor
The disclosure comes as IBM X-Force revealed that an unnamed Ukrainian defense enterprise was targeted in the first half of 2024 with a previously undocumented Windows backdoor called Sheriff.
"The threat actor used the popular Ukrainian news portal ukr.net to host the Sheriff backdoor," researcher Golo Mühr said in a report published in late March 2025. "The modular backdoor can execute actor-directed commands, collect screenshots and covertly exfiltrate victim data using the Dropbox cloud storage API."
"The malware focuses on exfiltrating data and screenshots while maintaining a low profile, designed for long-term compromise."
It is suspected that the website may have been compromised to host the malware as early as March 2024. Sheriff is equipped to download and manage multiple components, including a screenshot module, with commands and configuration values received as ZIP file comments, a field that sits in the end-of-central-directory record and is ignored by most archive tools and scanners.
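Two of the tradecraft details above lend themselves to a simple attachment check: the password-protected archives used as DarkWatchman lures (encrypted entries that scanners cannot open) and the ZIP comment field Sheriff is reported to use for its command and configuration channel. The following triage script is an added example written for this page; it is not code from either malware family or from the vendor reports. The sample archives are constructed in memory, the comment value is made up, and the list of script extensions is an assumed watchlist rather than something the article provides.

```python
"""Triage helper for ZIP e-mail attachments (added example, not campaign code).

Flags two things the article describes:
  * password-protected (encrypted) entries, the lure format used in the
    latest DarkWatchman phishing wave so content scanners cannot look inside;
  * a non-empty archive comment, the ZIP field Sheriff is reported to use
    to receive commands and configuration values.
"""
import io
import zipfile

ENCRYPTED_FLAG = 0x0001   # general-purpose bit 0: entry is encrypted
# Assumed watchlist of script-style droppers (DarkWatchman is JavaScript-based).
SCRIPT_EXTENSIONS = (".js", ".jse", ".wsf", ".vbs", ".hta", ".lnk")


def build_sample_zip(name="report.txt", comment=b"", mark_encrypted=False):
    """Construct a one-entry archive in memory (constructed demo data).

    zipfile cannot write encrypted entries, so when mark_encrypted is set the
    encryption flag bit is patched into both the local file header and the
    central directory header; the triage logic never decrypts anything.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(name, "placeholder content")
        zf.comment = comment                 # written into the EOCD record
    data = bytearray(buf.getvalue())
    if mark_encrypted:
        data[6] |= ENCRYPTED_FLAG            # local header: flags at offset 6
        cd = data.find(b"PK\x01\x02")        # central directory header
        data[cd + 8] |= ENCRYPTED_FLAG       # central header: flags at offset 8
    return bytes(data)


def triage_zip(data):
    """Return findings for one archive without extracting or decrypting it."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()
        comment = zf.comment                 # bytes; empty for ordinary archives
    encrypted = [i.filename for i in infos if i.flag_bits & ENCRYPTED_FLAG]
    scripts = [i.filename for i in infos
               if i.filename.lower().endswith(SCRIPT_EXTENSIONS)]
    return {
        "entries": [i.filename for i in infos],
        "encrypted_entries": encrypted,
        "script_entries": scripts,
        "comment": comment.decode("utf-8", "replace"),
        "suspicious": bool(encrypted or scripts or comment),
    }


if __name__ == "__main__":
    samples = {
        "benign": build_sample_zip(),
        "darkwatchman-style lure": build_sample_zip("invoice.js", mark_encrypted=True),
        # Made-up comment value; the article gives no format for Sheriff's comments.
        "sheriff-style comment channel": build_sample_zip(
            "data.bin", comment=b"screenshot_interval=900"),
    }
    for label, blob in samples.items():
        print(label, "->", triage_zip(blob))
```

The check reads only the central directory and the end-of-central-directory record, so it is safe to run on untrusted attachments; an archive with encrypted entries, script-type members, or any archive comment at all is worth a closer look, since none of the three is common in legitimate business mail.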
"The actor's access to Ukraine's largest news portal would position them for a number of high-impact attacks and acts of extended aggression," Mühr said. "In this particular incident, the threat actor may have abused the trusted domain to deliver malware without raising suspicion."
The backdoor also implements a "suicide" function which, when triggered remotely by the operator, halts all activity and deletes the directory containing the malware as well as the Dropbox folder used for command-and-control (C2).
IBM noted that certain aspects of the malware overlap with Turla's Kazuar and Crutch, as well as with Prikormka (Operation Groundbait) and CloudWizard (Bad Magic).
"Both CloudWizard and Sheriff contain a 'GetSettings' / 'get_settings' function to retrieve each module's configuration," the company said. "CloudWizard, Prikormka and Sheriff share the same screenshot interval of 15 minutes. CloudWizard and Prikormka files are called 'Tree', which is the name Sheriff uses for its file list export."
The discovery of the backdoor follows a report from the State Service of Special Communications and Information Protection of Ukraine (SSSCIP) warning of a 48% increase in the number of incidents in the second half of 2024 (2,576) compared to the previous six-month period (1,739).
A total of 4,315 cyber incidents were registered in 2024, compared to 1,350 in 2021, 2,194 in 2022 and 2,543 in 2023.
"Russian hackers are actively implementing automation, using supply chain attacks to penetrate through software," the report noted. "The focus of the attacks is the collection of intelligence that can influence the operational situation at the front. In particular, the adversary is targeting situational awareness systems and specialized defense enterprises."