Hive0145 Cybercriminal Group Targets Europe with Sophisticated Strela Stealer Malware
Bisma Farrukh
In a new advisory, IBM X-Force researchers have uncovered ongoing campaigns by the cybercriminal group Hive0145, deploying the advanced Strela Stealer malware to steal sensitive email credentials across Europe.
According to the report, the attacks primarily target Spain, Germany, and Ukraine. They use authentic invoices in phishing emails to deceive recipients and boost the credibility of the malicious payload. Once opened, the Strela Stealer malware siphons email login credentials, financial information, and other sensitive data from infected systems. It specifically extracts credentials stored by Microsoft Outlook and Mozilla Thunderbird, a goldmine for the attackers.
“Hive0145 has demonstrated a high level of technical sophistication with their use of the Strela Stealer malware,” said a lead cybersecurity researcher at IBM X-Force. “This threat group can conduct large-scale, targeted attacks that can significantly impact businesses and individuals across the region.”
The Strela Stealer malware is a powerful information-stealing tool that can capture screenshots, log keystrokes, and extract data from web browsers, email clients, and other applications. It is often sold on underground cybercrime forums, providing criminals with a turnkey solution to harvest sensitive information. In July 2024, the group switched tactics again and adopted “attachment hijacking”: instead of sending simple phishing messages, they began reusing stolen, legitimate emails that carried real invoice attachments.
IBM X-Force researchers have been tracking Hive0145’s activities and have observed the group leveraging a range of tactics, techniques, and procedures (TTPs) to evade detection and maximize the effectiveness of their attacks. This includes using legitimate-looking invoices, complex obfuscation techniques, and exploiting vulnerabilities in widely used software.
To stay under the radar, the group has been using uncommon file extensions such as .com and .pif for its malicious executables and incorporating heavily obfuscated scripts to evade security tools. Strela Stealer remains their go-to tool, specifically designed to target email credentials. It is configured to run only on devices with specific keyboard languages, primarily targeting Spanish-, German-, and now Ukrainian-speaking users.
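One defensive check that follows from the extension trick described above is to inspect inbound mail for attachments whose final extension is an executable type (such as .com or .pif) or whose bytes carry a Windows PE header regardless of the name. This is an added example, not code from IBM X-Force or the article; the sample message is constructed here and is not a real campaign artefact.

```python
import email
import os
from email import policy

# Executable extensions the article says Hive0145 favours (.com, .pif), plus
# other common Windows executable/script types the same check covers.
SUSPICIOUS_EXTENSIONS = {".com", ".pif", ".exe", ".scr", ".bat", ".cmd", ".js", ".vbs"}

# Constructed sample: an invoice-themed lure carrying a real PDF and a
# disguised .pif executable (double extension). Not a real campaign sample.
SAMPLE_EML = b"""From: billing@example.invalid
To: accounts@example.invalid
Subject: Rechnung 2024-0718
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Sehr geehrte Damen und Herren, anbei die Rechnung.
--b1
Content-Type: application/pdf
Content-Disposition: attachment; filename="Rechnung_2024-0718.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="Rechnung_2024-0718.pdf.pif"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA
--b1--
"""

def flag_suspicious_attachments(raw_eml: bytes) -> list[dict]:
    """Return attachments with an executable extension or a PE 'MZ' magic."""
    msg = email.message_from_bytes(raw_eml, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").strip()
        # Use the LAST suffix: "Rechnung.pdf.pif" is a .pif, not a PDF.
        ext = os.path.splitext(name.lower())[1]
        payload = part.get_payload(decode=True) or b""
        is_mz = payload.startswith(b"MZ")  # PE/MZ header, whatever the name claims
        if ext in SUSPICIOUS_EXTENSIONS or is_mz:
            findings.append({"filename": name, "extension": ext, "is_mz": is_mz})
    return findings
```

The genuine PDF passes while the double-extension .pif is flagged on both its extension and its MZ header; the MZ check also catches executables renamed to an innocent extension.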
He added, “Businesses and individuals in the affected regions should be highly alert and take proactive steps to protect themselves. This includes implementing robust email security measures, keeping software up-to-date, and educating employees on the dangers of phishing attacks.”
IBM X-Force has shared its findings with relevant authorities and is working closely with partners to disrupt Hive0145’s activities and mitigate the impact of the Strela Stealer malware.
Please visit the IBM X-Force website for more information on the Hive0145 threat and the Strela Stealer malware.
About IBM X-Force:
IBM X-Force is a team of world-class security researchers, analysts, and engineers dedicated to providing organizations with the latest threat intelligence and security solutions. With decades of experience in cybersecurity, IBM X-Force is at the forefront of identifying and addressing emerging threats, helping businesses and individuals stay safe in an ever-evolving digital landscape.