Cybercriminal group Hive0145 has launched a series of attacks across Europe in ongoing campaigns, deploying the sophisticated Strela Stealer malware to steal sensitive email credentials.
IBM X-Force researchers reported in a new advisory today that this wave primarily targets Spain, Germany and Ukraine, and employs stolen, authentic invoices in phishing emails to deceive recipients and boost infection success.
The Evolution of Hive0145
Hive0145 has likely operated as a financially motivated initial access broker (IAB) since late 2022, focusing on credential theft through its Strela Stealer malware, which extracts data stored in Microsoft Outlook and Mozilla Thunderbird.
Notably, Hive0145’s campaign volume and technical complexity have significantly increased since mid-2023, evolving from generic phishing emails to more complex attacks using stolen emails from various industries, including finance, technology and e-commerce.
Tactic Shift in 2024: Attachment Hijacking
In July 2024, Hive0145 shifted tactics, replacing simple phishing messages with stolen, legitimate emails that included real invoice attachments.
By using hijacked attachments, the group delivers Strela Stealer while leaving the original email content unchanged – boosting the appearance of authenticity. This tactic, previously used by groups like Emotet, is known as “attachment hijacking.”
Recent campaigns have been designed to bypass detection through various methods, such as using uncommon file extensions (.com, .pif) for malicious executables and incorporating heavily obfuscated scripts to evade security tools.
IBM X-Force analysis also indicated that Hive0145 may be automating parts of its process, allowing for increased frequency and scale in its phishing operations.
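A mail-gateway style check for the uncommon executable extensions mentioned above, written as an added example and not taken from the IBM X-Force advisory. The sample messages, addresses and file names are constructed, and the `MZ` header test is an extra heuristic assumed here for executables sent under a document name.

```python
import email
from email import policy
from email.message import EmailMessage

# Extensions named in the report; Windows runs both as executables.
SUSPICIOUS_EXTS = (".com", ".pif")


def build_sample(filename: str, payload: bytes) -> bytes:
    """Constructed invoice-style message with a single attachment."""
    msg = EmailMessage()
    msg["From"] = "billing@example.com"
    msg["To"] = "accounts@example.org"
    msg["Subject"] = "Invoice 2024-0815"
    msg.set_content("Please find the invoice attached.")
    msg.add_attachment(payload, maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()


def scan_message(raw: bytes) -> list[tuple[str, str]]:
    """Return (filename, reason) for each attachment worth quarantining."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        # Windows ignores trailing dots and spaces, so strip them first.
        name = (part.get_filename() or "").lower().rstrip(". ")
        data = part.get_payload(decode=True) or b""
        if name.endswith(SUSPICIOUS_EXTS):
            findings.append((name, "executable extension"))
        elif data[:2] == b"MZ":
            # PE/DOS executables start with "MZ" whatever the name says.
            findings.append((name, "MZ header under non-executable name"))
    return findings


if __name__ == "__main__":
    samples = [
        build_sample("invoice_4711.pif", b"MZ" + b"\x00" * 62),
        build_sample("invoice_4711.pdf", b"MZ" + b"\x00" * 62),
        build_sample("invoice_4711.pdf", b"%PDF-1.7\n"),
    ]
    for raw in samples:
        print(scan_message(raw))
```

The extension match is the primary signal because a raw `.com` binary need not carry an `MZ` header.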
Strela Stealer: A Focus on Email Credentials
Strela Stealer remains Hive0145’s primary tool, focused on email credentials and configured to run on devices with specific keyboard languages, predominantly targeting Spanish-, German- and now Ukrainian-speaking users. The group’s shift to more sophisticated techniques positions it among Europe’s most notable malware distributors.
As Hive0145 campaigns persist, organizations across Europe, especially in sectors frequently impersonated in phishing emails, are advised to stay vigilant.
IBM X-Force recommended enhanced security awareness and proactive defense measures to mitigate potential impacts from this advancing cyber-threat.