Russian firms across several sectors, including finance, energy, and manufacturing, are being targeted by a phishing campaign delivering the DarkWatchman malware. The activity is attributed to the financially motivated group Hive0117. The lures are emails carrying password-protected attachments, a choice that keeps the payload opaque to mail-gateway and sandbox inspection until a user supplies the password; once opened, the attachment hands the operators the full capabilities of DarkWatchman. First documented in December 2021, DarkWatchman is a remote access trojan capable of keylogging and collecting system information. The recent phishing waves have targeted industries in Russia, Kazakhstan, Latvia, and Estonia and show advanced evasion techniques.
DarkWatchman's fileless design (its persistent payload is staged in the Windows registry rather than dropped to disk, which sidesteps file-based scanning and leaves little for disk forensics), its use of a JavaScript implant together with a keylogger written in C#, and its ability to remove traces of its presence from a compromised system on command point to moderately sophisticated tradecraft.
DarkWatchman has been used in a phishing campaign targeting the energy, finance, transport, and software security sectors in Russia, Kazakhstan, Latvia, and Estonia.
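The lure shape described above, a password-protected archive delivered by email, is something a mail-security team can triage without ever extracting the attachment, because the ZIP central directory records both the encryption flag and the member file names in the clear. The following is an added example, not code from the reporting or from the malware: it flags an archive when any member is encrypted and any member name ends in a script-type extension. The archive is constructed inline for the demo (the standard library cannot write encrypted ZIPs, so the encryption bit is patched into the headers), and the list of script extensions is an assumption about what a fileless, JavaScript-based loader would ship as.

```python
"""Triage an e-mail attachment for the password-protected-archive lure.

Added example; not code from the original report or from DarkWatchman.
The sample archive and the extension list are constructed assumptions.
"""
import io
import struct
import zipfile
from dataclasses import dataclass, field
from pathlib import PurePosixPath

# Assumed: extensions a script-based, fileless loader is likely to use.
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".wsf", ".hta", ".lnk", ".cmd", ".bat", ".ps1"}


@dataclass
class ArchiveVerdict:
    encrypted_entries: list = field(default_factory=list)
    script_entries: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # Password protection alone is common in business mail; a script
        # inside alone is noisy. The combination is the lure we care about.
        return bool(self.encrypted_entries) and bool(self.script_entries)


def triage_zip(data: bytes) -> ArchiveVerdict:
    """Inspect the central directory only; no entry is ever decrypted or extracted."""
    verdict = ArchiveVerdict()
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            # Bit 0 of the general-purpose flag marks an encrypted entry.
            if info.flag_bits & 0x1:
                verdict.encrypted_entries.append(info.filename)
            # PurePosixPath.suffix handles double extensions such as "scan.pdf.js".
            if PurePosixPath(info.filename).suffix.lower() in SCRIPT_EXTENSIONS:
                verdict.script_entries.append(info.filename)
    return verdict


def build_sample(name: str, payload: bytes, mark_encrypted: bool) -> bytes:
    """Constructed sample archive for the demo.

    zipfile cannot write encrypted members, so after writing a plain archive
    the encryption bit is set in both the local file header (flags at offset 6)
    and the central directory entry (flags at offset 8). The payload itself
    is left unencrypted; only the header metadata is changed.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(name, payload)
    raw = bytearray(buf.getvalue())
    if mark_encrypted:
        for signature, flag_offset in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
            pos = raw.find(signature)
            while pos != -1:
                flags = struct.unpack_from("<H", raw, pos + flag_offset)[0] | 0x1
                struct.pack_into("<H", raw, pos + flag_offset, flags)
                pos = raw.find(signature, pos + 1)
    return bytes(raw)


if __name__ == "__main__":
    # Constructed lure: an encrypted archive whose single member is a .js file
    # masquerading as a scanned PDF. The payload bytes are a stand-in, not malware.
    lure = build_sample("scan_2024-03.pdf.js", b"// stand-in for a dropper", True)
    benign = build_sample("quarterly_report.txt", b"nothing to see", False)
    for label, blob in (("lure", lure), ("benign", benign)):
        v = triage_zip(blob)
        print(f"{label}: suspicious={v.suspicious} encrypted={v.encrypted_entries} scripts={v.script_entries}")
```

The check deliberately keys on the combination of encryption and a script-type member rather than on either signal alone, and it never opens the members, so it is safe to run inline on a mail gateway. A real deployment would also want to treat a single encrypted member with an unknown or very short name as worth a second look, since archivers can be told to encrypt file names as well.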