Russian companies have been targeted as part of a large-scale phishing campaign that’s designed to deliver a known malware called DarkWatchman.
Targets of the attacks include entities in the media, tourism, finance and insurance, manufacturing, retail, energy, telecom, transport, and biotechnology sectors, Russian cybersecurity company F6 said.
The activity is assessed to be the work of a financially motivated group called Hive0117, which has been attributed by IBM X-Force to attacks aimed at users in Lithuania, Estonia, and Russia spanning telecom, electronic, and industrial sectors.
Then in September 2023, the DarkWatchman malware was once again used in a phishing campaign targeting energy, finance, transport, and software security industries based in Russia, Kazakhstan, Latvia, and Estonia.
Russian banks, retailers and marketplaces, telecom operators, agro-industrial enterprises, fuel and energy companies, logistics businesses, and IT firms were singled out again in November 2023 with DarkWatchman using courier delivery-themed lures.
A JavaScript-based remote access trojan, DarkWatchman is capable of keylogging, collecting system information, and deploying secondary payloads. It was first documented in December 2021.
“The fileless nature of the DarkWatchman malware, and its use of JavaScript and a keylogger written in C#, as well as the ability to remove traces of its existence on compromised systems when instructed, are evidence of somewhat sophisticated capabilities,” IBM noted in 2023.
The latest set of attacks involves sending phishing emails containing password-protected malicious archives that, once opened, deliver a variant of DarkWatchman with improved capabilities to evade detection.
Ukraine Targeted by New Sheriff Backdoor
The disclosure comes as IBM X-Force said an unspecified entity within Ukraine’s defense sector was targeted in the first half of 2024 with a previously undocumented Windows backdoor called Sheriff.
“The threat actor used a popular news portal in Ukraine, ukr.net, to host the Sheriff backdoor,” security researcher Golo Mühr said in a report published in late March 2025. “The modular backdoor can execute actor-directed commands, collect screenshots, and covertly exfiltrate victim data using the Dropbox cloud storage API.”
“The malware focuses on exfiltrating data and taking screenshots while maintaining a low profile designed for prolonged compromises.”
It’s suspected that the website may have been breached to stage the malware in early March 2024. Sheriff is equipped to download and manage multiple components, including a screenshot module, with commands and configuration values received as ZIP file comments.
“A threat actor’s access to Ukraine’s largest news portal would position them to conduct a range of high-impact attacks and operate with enhanced obfuscation,” Mühr said. “In this specific incident, the threat actor may have abused the trusted domain to stage malware without raising suspicion.”
The backdoor also comes fitted with a “suicide” function that, when invoked remotely by the operator, ceases all activity and deletes the directory containing the malware and the folder on Dropbox used for command-and-control (C2) communications.
IBM pointed out that certain aspects of the malware overlap with that of Turla’s Kazuar and Crutch, as well as Operation Groundbait’s Prikormka and Bad Magic’s CloudWizard.
“Both CloudWizard and Sheriff contain a function ‘GetSettings”https://thehackernews.com/”get_Settings’ to retrieve each module’s configuration,” the company said. “CloudWizard, Prikormka, and Sheriff share the same screenshot taking intervals of 15 minutes. CloudWizard and Prikormka’s file listing modules are called ‘tree,’ which is the name Sheriff uses for exfiltration of a list of files.”
The discovery of the backdoor follows a report from Ukraine’s State Service for Special Communications and Information Protection (SSSCIP), warning of a 48% increase in the number of incidents in the second half of 2024 (2,576), compared to the previous six-month period (1,739).
In total, 4,315 cyber incidents were registered in 2024, up from 1,350 in 2021, 2,194 in 2022, and 2,543 in 2023. The number of critical and high-severity incidents, on the other hand, dropped significantly to 59, a decline from 1,048 in 2022 and 367 in 2023.
“Russian hackers are actively implementing automation, employing supply chain attacks for infiltration through software vendors, and combining espionage and sabotage techniques,” SSSCIP said. “The primary focus of attacks is the collection of intelligence that could influence the operational situation at the front. In particular, the adversary is targeting situational awareness systems and specialized defense enterprises.”
