Large-Scale Phishing Campaigns Target Russia and Ukraine

A new large-scale phishing campaign using DarkWatchman and Sheriff malware has been uncovered, targeting companies across Russia and Ukraine.
The latest wave of attacks, observed by Russian cybersecurity company F6 on April 29, 2025, marks a continued escalation in cyber activity attributed to the financially motivated threat group Hive0117.
Hive0117 Deploys DarkWatchman Across Russia
More than 550 email addresses were targeted across multiple Russian sectors, including media, tourism, finance, retail, manufacturing, energy, telecom, transport and biotechnology.
Emails included password-protected RAR archives. Once opened, these archives deployed an updated version of the DarkWatchman remote access Trojan.
DarkWatchman, first reported in December 2021, is a JavaScript-based fileless malware that performs keylogging and data collection, and executes secondary payloads.
The current variant appears to have enhanced evasion techniques, allowing it to bypass traditional detection systems more effectively.
Hive0117, active since at least February 2022, has previously conducted phishing campaigns targeting Russia, Belarus, Lithuania, Estonia and Kazakhstan.
Its infrastructure often masquerades as legitimate organizations and repeatedly reuses domain registration data for command-and-control (C2) servers. Domains such as alliance-s[.]ru, voenkomat-mil[.]ru and absolut-ooo[.]ru have all been used to distribute malicious archives.
According to Russian cybersecurity firm F6, this campaign is consistent with Hive0117’s past behavior. Earlier waves of phishing in 2023 used similar themes, including courier delivery notifications and mobilization orders, to bait recipients into executing malware-laden files.
Sheriff Backdoor Targets Ukraine
Meanwhile, in Ukraine, a separate cyber-threat has emerged. IBM X-Force recently disclosed the use of a new Windows backdoor named Sheriff, which was hosted on the popular Ukrainian news portal ukr.net.
The malware targets the defense sector and allows attackers to execute commands, take screenshots and exfiltrate data using Dropbox as the C2 channel.
Sheriff also features a “suicide” function that can erase all traces of the malware and its communications.
Analysts have noted similarities between Sheriff and other known malware strains, including Turla’s Kazuar, Operation Groundbait’s Prikormka and Bad Magic’s CloudWizard.
Both campaigns reflect the rising complexity of cyber operations in the region, where financial gain and geopolitical objectives continue to converge.