Cybercriminal Group Hive0117 Hijacks Accountant Workstations to Drain Russian Firm Bank Accounts
What Happened — A financially‑motivated threat group identified as Hive0117 sent spear‑phishing emails to accountants at more than 3,000 Russian organisations between February and March 2026. The emails contained password‑protected archives that, when opened, installed the DarkWatchman remote‑access trojan. With control of the accountant’s workstation, the attackers logged into corporate online‑banking portals and created fraudulent salary‑payment orders that transferred millions of rubles to accounts they owned.
Why It Matters for TPRM —
- Finance‑department credentials are a high‑value attack surface; compromise can lead directly to monetary loss.
- The use of a custom RAT (DarkWatchman) demonstrates a persistent, stealthy capability that can evade traditional endpoint detection.
- The campaign targeted a broad set of industries, showing that any third party with payroll or banking access is at risk.
Who Is Affected — Financial services, manufacturing, logistics, technology, and any other sectors with Russia‑based subsidiaries that process payroll or vendor payments.
Recommended Actions —
- Conduct a focused review of all third‑party vendors that handle payroll, accounts‑payable, or banking integrations.
- Enforce multi‑factor authentication (MFA) on all corporate banking portals and privileged finance accounts.
- Deploy advanced email‑security gateways with attachment sandboxing and enforce strict handling policies for password‑protected archive attachments, which cannot be scanned in transit.
- Verify that endpoint detection and response (EDR) solutions can detect and quarantine DarkWatchman‑style behaviours.
Technical Notes —
- Attack vector: spear‑phishing with password‑protected ZIP archives.
- Malware: DarkWatchman RAT (remote access, command execution, lateral movement).
- Exploited process: legitimate online‑banking portals accessed from compromised workstations.
- No public CVE cited.
Source: The Record
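The delivery pattern in the Technical Notes (a password‑protected ZIP that a gateway cannot scan) is exactly what the attachment‑handling recommendation above is meant to catch. As an added illustration, not code from The Record or from any vendor product, the script below shows a gateway‑side triage check: it reads only the ZIP central directory, which is never encrypted, to decide whether an attachment is password‑protected and whether it carries executable‑looking member names. The extension list and verdict labels are assumptions chosen for the example; the sample archives are constructed in the script and carry no real payload.

```python
"""Triage a ZIP e-mail attachment without extracting it.

Added example (not from the advisory or The Record). The check relies on a
property of the ZIP format: member names and the per-entry 'encrypted' flag
live in the central directory, which is stored in the clear even when the
member data is password-protected.
"""
import io
import struct
import zipfile

# Assumed policy list: file types an accountant would not expect in an invoice.
SUSPICIOUS_EXTENSIONS = {".exe", ".js", ".vbs", ".bat", ".cmd", ".ps1",
                         ".scr", ".lnk", ".hta", ".dll"}


def _looks_executable(name: str) -> bool:
    """Match bare and double extensions, e.g. 'invoice.pdf.exe'."""
    lower = name.lower()
    return any(lower.endswith(ext) for ext in SUSPICIOUS_EXTENSIONS)


def inspect_zip(data: bytes) -> dict:
    """Return a verdict for a ZIP attachment using only its metadata."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return {"verdict": "malformed", "encrypted": False, "suspicious_names": []}
    infos = zf.infolist()
    # General-purpose flag bit 0 is set for every password-protected member.
    encrypted = any(info.flag_bits & 0x1 for info in infos)
    suspicious = [i.filename for i in infos if _looks_executable(i.filename)]
    if encrypted and suspicious:
        verdict = "block"      # unscannable archive with an executable inside
    elif encrypted:
        verdict = "sandbox"    # cannot be scanned in place; detonate or hold
    elif suspicious:
        verdict = "review"
    else:
        verdict = "allow"
    return {"verdict": verdict, "encrypted": encrypted, "suspicious_names": suspicious}


def build_sample_zip(member_name: str, encrypted: bool) -> bytes:
    """Constructed test archive (one stored member, harmless text).

    zipfile cannot write encrypted members, so for the encrypted variant we
    set flag bit 0 in the local file header and the central directory entry,
    which is the same bit a scanner reads to decide the archive is protected.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(member_name, b"not a real payload")
    data = bytearray(buf.getvalue())
    if encrypted:
        # Local file header: signature(4) version(2) flags(2) -> flags at +6
        lfh = data.find(b"PK\x03\x04")
        (flags,) = struct.unpack_from("<H", data, lfh + 6)
        struct.pack_into("<H", data, lfh + 6, flags | 0x1)
        # Central directory: signature(4) made_by(2) needed(2) flags(2) -> +8
        cdh = data.find(b"PK\x01\x02")
        (flags,) = struct.unpack_from("<H", data, cdh + 8)
        struct.pack_into("<H", data, cdh + 8, flags | 0x1)
    return bytes(data)


if __name__ == "__main__":
    for name, enc in [("invoice.pdf.exe", True), ("invoice.pdf", True),
                      ("invoice.js", False), ("invoice.pdf", False)]:
        print(name, "encrypted" if enc else "plain", "->",
              inspect_zip(build_sample_zip(name, enc))["verdict"])
```

The point of reading only the central directory is that the decision needs no password and no detonation: a protected archive with an executable‑looking member can be held or blocked before it reaches the accountant, and a protected archive with benign‑looking names is still routed to a sandbox rather than delivered, because its contents could not be inspected.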