Large-Scale Phishing Campaigns Target Russia and Ukraine

A new large-scale phishing campaign using DarkWatchman and Sheriff malware has been uncovered, targeting companies across Russia and Ukraine.
The latest wave of attacks, observed by Russian cybersecurity company F6 on April 29, 2025, marks a continued escalation in cyber activity attributed to the financially motivated threat group Hive0117.
Hive0117 Deploys DarkWatchman Across Russia
More than 550 email addresses were targeted across multiple Russian sectors, including media, tourism, finance, retail, manufacturing, energy, telecom, transport and biotechnology.
Emails included password-protected RAR archives. Once opened, these archives deployed an updated version of the DarkWatchman remote access Trojan.
DarkWatchman, first reported in December 2021, is a JavaScript-based fileless malware that performs keylogging and data collection, and executes secondary payloads.
The current variant appears to have enhanced evasion techniques, allowing it to bypass traditional detection systems more effectively.
Hive0117, active since at least February 2022, has previously conducted phishing campaigns targeting Russia, Belarus, Lithuania, Estonia and Kazakhstan.
Its infrastructure often masquerades as legitimate organizations and repeatedly reuses domain registration data for command-and-control (C2) servers. Domains such as alliance-s[.]ru, voenkomat-mil[.]ru and absolut-ooo[.]ru have all been used to distribute malicious archives.
According to F6, this campaign is consistent with Hive0117’s past behavior. Earlier waves of phishing in 2023 used similar themes, including courier delivery notifications and mobilization orders, to bait recipients into executing malware-laden files.
Sheriff Backdoor Targets Ukraine
Meanwhile, in Ukraine, a separate cyber-threat has emerged. IBM X-Force recently disclosed the use of a new Windows backdoor named Sheriff, which was hosted on the popular Ukrainian news portal ukr.net.
The malware targets the defense sector and allows attackers to execute commands, take screenshots and exfiltrate data using Dropbox as the C2 channel.
Sheriff also features a “suicide” function that can erase all traces of the malware and its communications.
Analysts have noted similarities between Sheriff and other known malware strains, including Turla’s Kazuar, Operation Groundbait’s Prikormka and Bad Magic’s CloudWizard.
Both campaigns reflect the rising complexity of cyber operations in the region, where financial gain and geopolitical objectives continue to converge.