Hive0145 Targets Europe with Advanced Strela Stealer Campaigns
The cybercriminal group Hive0145 is running a series of ongoing campaigns across Europe that deploy the Strela Stealer malware to steal email account credentials.
IBM X-Force researchers reported in a new advisory today that this wave primarily targets Spain, Germany and Ukraine, and that the phishing emails carry stolen, authentic invoices to deceive recipients and raise the infection rate.
The Evolution of Hive0145
Hive0145 has likely operated as a financially motivated initial access broker (IAB) since late 2022, focusing on credential theft through its Strela Stealer malware, which extracts the email account credentials stored by Microsoft Outlook and Mozilla Thunderbird.
Notably, Hive0145’s campaign volume and technical complexity have increased significantly since mid-2023, evolving from generic phishing emails to more complex attacks built on emails stolen from organizations in finance, technology, e-commerce and other industries.
Tactic Shift in 2024: Attachment Hijacking
In July 2024, Hive0145 shifted tactics, replacing simple phishing messages with stolen, legitimate emails that included real invoice attachments.
By hijacking these attachments, the group delivers Strela Stealer in place of the expected invoice while leaving the original email body unchanged, which strengthens the appearance of authenticity. This tactic, previously used by the operators of Emotet among others, is known as “attachment hijacking.”
Recent campaigns have also been designed to bypass detection through several methods, such as using uncommon file extensions (.com, .pif) for malicious executables, which Windows still runs natively but which attachment filters tuned for .exe may overlook, and incorporating heavily obfuscated scripts to evade security tools.
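The following Python script is an added example, not code from the IBM X-Force advisory or from Hive0145’s tooling. It shows one way a mail gateway or a triage script could flag the evasion described above: attachments (including members of a ZIP archive) whose final extension is a Windows executable type, with special attention to the uncommon .com and .pif extensions and to document-style double extensions such as invoice.pdf.pif. The attachment names and contents are constructed for illustration.

```python
"""Flag e-mail attachments that use uncommon or disguised executable extensions.

Added example for illustration; not from the X-Force advisory. All sample
attachment names and bytes below are constructed.
"""
import io
import zipfile

# Extensions Windows will execute when the user double-clicks them.
EXECUTABLE_EXTS = {".exe", ".scr", ".js", ".jse", ".vbs", ".vbe", ".bat",
                   ".cmd", ".hta", ".wsf", ".com", ".pif"}
# The two called out in the article; frequently absent from block lists.
UNCOMMON_EXECUTABLE_EXTS = {".com", ".pif"}
# Document types that a lure name might borrow, e.g. "Factura.pdf.com".
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt"}


def split_exts(name):
    """Return every dotted suffix of a file name, lower-cased.

    'dir/Factura 2024-07.pdf.com' -> ['.pdf', '.com']
    """
    base = name.rsplit("/", 1)[-1]
    parts = base.split(".")
    return ["." + p.lower() for p in parts[1:]]


def classify(name):
    """Classify a single file name by its final extension."""
    exts = split_exts(name)
    final = exts[-1] if exts else ""
    return {
        "name": name,
        "executable": final in EXECUTABLE_EXTS,
        "uncommon_ext": final in UNCOMMON_EXECUTABLE_EXTS,
        # Executable whose earlier suffix pretends to be a document.
        "doc_disguise": final in EXECUTABLE_EXTS
        and any(e in DOCUMENT_EXTS for e in exts[:-1]),
    }


def scan_attachment(name, data):
    """Classify an attachment; if it is a ZIP archive, classify each member.

    Only the archive's member names are inspected here; a real gateway would
    also open nested archives and look at file content, not just names.
    """
    if data.startswith(b"PK\x03\x04"):  # local file header of a non-empty ZIP
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [dict(classify(m), container=name)
                    for m in zf.namelist() if not m.endswith("/")]
    return [dict(classify(name), container=None)]


def triage(attachments):
    """Return every executable finding across a list of (name, bytes) pairs."""
    hits = []
    for name, data in attachments:
        hits.extend(f for f in scan_attachment(name, data) if f["executable"])
    return hits


def build_sample_zip():
    """Constructed ZIP resembling an invoice archive with a .com payload."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Factura 2024-07.pdf.com", b"MZ constructed-placeholder")
    return buf.getvalue()


# Constructed sample inbox: a real-looking PDF, a ZIP hiding a .com, a bare .pif
SAMPLE_ATTACHMENTS = [
    ("Rechnung_48213.pdf", b"%PDF-1.7 constructed-placeholder"),
    ("Factura_2024-07.zip", build_sample_zip()),
    ("invoice_0912.pif", b"MZ constructed-placeholder"),
]


if __name__ == "__main__":
    for hit in triage(SAMPLE_ATTACHMENTS):
        where = f" (inside {hit['container']})" if hit["container"] else ""
        flags = [k for k in ("uncommon_ext", "doc_disguise") if hit[k]]
        print(f"FLAG {hit['name']}{where}: {', '.join(flags) or 'executable'}")
```

The check keys on names only, which is deliberately cheap enough to run on every inbound message; pairing it with a content check (for example, an MZ header in a file that claims to be a document) catches renamed payloads that the extension rule misses.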
IBM X-Force analysis also indicated that Hive0145 may be automating parts of its process, allowing for increased frequency and scale in its phishing operations.
Strela Stealer: A Focus on Email Credentials
Strela Stealer remains Hive0145’s primary tool. It focuses on email credentials and is configured to run only on devices whose keyboard layout matches a targeted language, predominantly Spanish, German and now Ukrainian. The group’s shift to more sophisticated techniques positions it among Europe’s most notable malware distributors.
As Hive0145 campaigns persist, organizations across Europe, especially in sectors frequently impersonated in phishing emails, are advised to stay vigilant.
IBM X-Force recommended enhanced security awareness and proactive defense measures to mitigate potential impacts from this advancing cyber-threat.