Hive0145: Strela Stealer & Backdoor Campaign
Hive0145: Tracking the Evolution of a Persistent Strela Stealer Campaign
Table of Contents
- Hive0145: Tracking the Evolution of a Persistent Strela Stealer Campaign
- The Genesis of Hive0145: Early Phishing Campaigns (Late 2022 – Early 2023)
- Expanding Horizons: Geographic Expansion and Improved Localization (Early – Mid 2023)
- The Rise of Email Hijacking: A Significant Tactical Shift (Mid 2023 – Early 2024)
- Advanced Evasion Techniques: Polyglot Files, Code Signing, and Crypters (Late 2023 – Mid 2024)
- Increased Frequency and Reconnaissance: A Shift in Operational Tempo (Mid 2024 – Present)
As of July 11, 2025, the threat landscape continues to be dominated by increasingly sophisticated phishing attacks. Among the persistent actors operating in this space, Hive0145 stands out for its consistent evolution and expanding targeting. Initially observed in late 2022, this group has demonstrated a remarkable ability to adapt its tactics, techniques, and procedures (TTPs) to evade detection and maximize impact. This article provides a thorough analysis of Hive0145’s activities, detailing its progression from basic phishing campaigns to the utilization of advanced techniques like email hijacking and polyglot files, and offering insights into its potential future trajectory.
The Genesis of Hive0145: Early Phishing Campaigns (Late 2022 – Early 2023)
Hive0145’s initial activity, detected in late 2022, centered around relatively unsophisticated phishing campaigns designed to distribute the Strela Stealer malware. These early operations primarily targeted Spanish-speaking users, focusing on the theft of credentials from popular email clients like Outlook and Thunderbird. The attack vectors were straightforward: malicious email attachments containing Strela Stealer, disguised as common file types.
The social engineering employed during this phase was also basic, relying heavily on generic invoice lures. These emails attempted to trick recipients into opening the attachments by presenting them as legitimate invoices from suppliers or service providers. While not particularly innovative, these initial campaigns proved effective in compromising a notable number of systems, establishing a foothold for the actor and providing valuable intelligence for future operations. The primary goal at this stage was clearly credential harvesting, enabling access to further accounts and systems.
Expanding Horizons: Geographic Expansion and Improved Localization (Early – Mid 2023)
By early 2023, Hive0145 began to broaden its targeting scope, extending its reach to users in Germany and Italy. This expansion wasn’t simply a matter of sending the same phishing emails to new regions; the actor demonstrated a growing understanding of localization. Campaigns targeting German and Italian users featured translated lures and content more relevant to those regions, increasing their credibility and effectiveness.
The malware delivery mechanism remained consistent (attachment-based phishing), but the quality of the phishing emails improved. Hive0145 invested in crafting more convincing emails, mimicking legitimate communications and incorporating details that would resonate with recipients in the targeted countries. This indicated a shift towards a more deliberate and targeted approach, moving beyond mass-scale, indiscriminate phishing. The actor was actively learning from its previous campaigns and refining its techniques based on observed results.
The Rise of Email Hijacking: A Significant Tactical Shift (Mid 2023 – Early 2024)
Around mid-2024, Hive0145 implemented a more sophisticated and dangerous technique: hijacking legitimate invoice emails. This involved compromising email accounts and intercepting genuine invoice emails. The actor would then manipulate these stolen emails, replacing the original attachments with weaponized ZIP files containing obfuscated JavaScript loaders. This tactic significantly increased the likelihood of successful compromise. Recipients were more likely to open attachments from known senders, even if those attachments were malicious. The use of legitimate email threads also bypassed many security filters that rely on identifying suspicious sender addresses or email content. This represented a substantial escalation in Hive0145’s capabilities and a clear indication of its commitment to evading detection. The ability to successfully hijack and manipulate legitimate email communications demonstrated a level of sophistication beyond that of many other phishing actors.
Advanced Evasion Techniques: Polyglot Files, Code Signing, and Crypters (Late 2023 – Mid 2024)
In late 2023 and early 2024, Hive0145 further enhanced its evasion capabilities by incorporating several advanced techniques. These included the use of polyglot files (files that are valid in multiple formats, allowing them to bypass certain security checks) and the leveraging of valid code-signing certificates to make the malware appear legitimate.
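Two of the delivery tricks described above, a ZIP attachment whose payload is a JavaScript loader and a polyglot file that is valid in more than one format, can both be caught with a small attachment triage check on the mail gateway. The following Python script is an added example written for this article; it is not code from the original report or from Hive0145's tooling. It assumes nothing about the actor's actual samples: the magic-number table, the script-extension list and the sample attachments built by `build_samples()` are all constructed here for illustration. The polyglot check relies on a documented property of the ZIP format, namely that readers locate the archive from the End Of Central Directory record at the tail of the file, so a ZIP archive can be appended to a file that starts with another format's header.

```python
"""Attachment triage: flag script loaders inside ZIPs and format/ZIP polyglots.

Added example for defensive triage; sample inputs are constructed in build_samples().
"""
import io
import zipfile
from typing import Dict, List, Optional

# Constructed, minimal magic-number table (assumption: enough for illustration).
MAGICS = {
    b"%PDF-": "pdf",
    b"\x89PNG\r\n\x1a\n": "png",
    b"MZ": "pe",
    b"PK\x03\x04": "zip",
    b"\xff\xd8\xff": "jpeg",
}

# Script member extensions a loader is commonly packaged as (constructed list).
SCRIPT_EXTS = (".js", ".jse", ".vbs", ".wsf", ".hta")

# ZIP End Of Central Directory signature; the comment field after it may be up to 64 KiB.
EOCD_SIGNATURE = b"PK\x05\x06"
EOCD_SEARCH_WINDOW = 65536 + 22


def leading_format(data: bytes) -> Optional[str]:
    """Identify the format claimed by the file's leading bytes, if known."""
    for magic, name in MAGICS.items():
        if data.startswith(magic):
            return name
    return None


def has_trailing_zip(data: bytes) -> bool:
    """True if an EOCD record sits near the end of the file, i.e. a ZIP reader
    would treat the file as an archive regardless of what the header says."""
    return EOCD_SIGNATURE in data[-EOCD_SEARCH_WINDOW:]


def script_members(data: bytes) -> List[str]:
    """List archive members with script extensions; [] if data is not a ZIP.
    zipfile tolerates prepended data, so this also inspects polyglots."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [n for n in zf.namelist() if n.lower().endswith(SCRIPT_EXTS)]
    except zipfile.BadZipFile:
        return []


def triage(data: bytes) -> Dict[str, object]:
    """Return the leading format and a list of human-readable findings."""
    fmt = leading_format(data)
    findings: List[str] = []
    if fmt != "zip" and has_trailing_zip(data):
        findings.append(f"polyglot: {fmt or 'unknown'} header with trailing ZIP archive")
    members = script_members(data)
    if members:
        findings.append(f"script loader in archive: {', '.join(members)}")
    return {"format": fmt, "findings": findings}


def _zip_with(name: str, content: bytes) -> bytes:
    """Build an in-memory ZIP holding a single member (helper for samples)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(name, content)
    return buf.getvalue()


def build_samples() -> Dict[str, bytes]:
    """Constructed attachments: benign ZIP, ZIP with a script stub, PDF/ZIP polyglot."""
    benign = _zip_with("invoice.pdf", b"%PDF-1.4\n%%EOF\n")
    js_zip = _zip_with("Invoice_2024.js", b"// placeholder text, not a real loader\n")
    # A file that begins as a PDF and ends as a complete ZIP archive.
    polyglot = b"%PDF-1.4\n%%EOF\n" + benign
    return {"benign": benign, "js_zip": js_zip, "polyglot": polyglot}


if __name__ == "__main__":
    for label, blob in build_samples().items():
        print(label, triage(blob))
```

Run as a script it prints one triage line per constructed sample; in a gateway pipeline `triage()` would be called on each decoded attachment and its findings fed into quarantine or alerting rules. The script-member check is intentionally applied even when the leading bytes are not a ZIP, since that is exactly the case a polyglot is built to exploit.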
Moreover, the actor began utilizing new crypters, such as Stellar Loader, to obfuscate the malicious code and hinder analysis by security researchers. These crypters make it more difficult to identify the underlying malware and understand its functionality. This period marked a significant investment in technical sophistication, demonstrating a clear intent to remain undetected and maintain operational resilience.
During this time, Hive0145 also expanded its geographic targeting to include systems with Catalan, Polish, and Basque locales, showcasing a broader regional intent. This expansion suggests the actor is actively seeking to maximize its reach and exploit vulnerabilities across a wider range of linguistic and cultural contexts.
