Hive0117 Hackers Steal Millions from Russian Firms via Phishing Campaign
A financially motivated cybercrime group, **Hive0117**, has reportedly stolen millions from Russian companies by compromising accountants' computers. The attackers disguised fraudulent transfers as legitimate salary payments, bypassing standard security protocols.
Cybercriminals have successfully stolen millions of rubles from Russian companies by targeting accountants' computers and masking fraudulent transfers as legitimate salary payments, according to a recent report.
### Hive0117's Multi-Million Ruble Heist
Researchers at the Russian cybersecurity firm **F6** revealed that the financially motivated group **Hive0117** conducted a series of attacks from February to March 2026, specifically targeting corporate finance departments. More than 3,000 Russian organizations were targeted in this campaign.
### Phishing Emails and Malware Infection
The attackers initiated their campaign by sending meticulously crafted phishing emails to infect accountants' computers with malware, granting them unauthorized access to corporate banking systems. The largest confirmed theft exceeded 14 million rubles (approximately $178,000).
The phishing emails were designed to appear legitimate, often originating from compromised accounts, including one belonging to a Moscow-based web and mobile application developer. These emails contained password-protected archives disguised as routine business documents like invoices and shipping paperwork.
### DarkWatchman RAT
Opening the archive and executing a hidden file led to the infection of the victim's computer with **DarkWatchman**, a remote access trojan (RAT). This RAT allowed the attackers to maintain covert control over the compromised systems. **DarkWatchman** enables remote command execution, the download of additional malicious tools, and lateral movement across the company's network. This malware has been linked to **Hive0117** since at least 2021 and is commonly distributed through phishing campaigns.
### Exploiting Payroll Mechanisms
With control over an accountant's machine, the attackers could log into corporate online banking portals and initiate transactions directly from the compromised system, making the activity appear legitimate. The hackers exploited payroll mechanisms by creating payment orders tied to bank accounts that appeared to belong to employees but were actually controlled by the attackers.
If these transfers bypassed bank anti-fraud controls, the criminals could withdraw substantial sums from company accounts.
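The payroll abuse described above is something a finance team can screen for before a batch reaches the bank. The following Python, an added example rather than code from F6 or the report, reconciles a payroll batch against the HR roster and holds any order whose beneficiary account is not the one on file, whose employee id is unknown, whose account is shared by several employees, or whose amount exceeds a ceiling; the data layout, account strings and ceiling are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Employee:
    employee_id: str
    account: str          # payout account registered with HR


@dataclass(frozen=True)
class PaymentOrder:
    order_id: str
    employee_id: str
    account: str          # beneficiary account in the outgoing order
    amount: int           # rubles


def review_payroll(roster, orders, ceiling):
    """Return {order_id: reason} for orders to hold for manual approval."""
    on_file = {e.employee_id: e.account for e in roster}
    # One payout account shared by several "employees" is a mule pattern.
    users_of_account = defaultdict(set)
    for o in orders:
        users_of_account[o.account].add(o.employee_id)
    held = {}
    for o in orders:
        if o.employee_id not in on_file:
            held[o.order_id] = "employee id not in HR roster"
        elif o.account != on_file[o.employee_id]:
            held[o.order_id] = "account differs from account on file"
        elif len(users_of_account[o.account]) > 1:
            held[o.order_id] = "account shared by multiple employees"
        elif o.amount > ceiling:
            held[o.order_id] = "amount above payroll ceiling"
    return held


# Constructed sample batch (hypothetical ids and accounts, not from the report).
ROSTER = [Employee("E001", "ACC-0001"),
          Employee("E002", "ACC-0002"),
          Employee("E003", "ACC-0003")]
ORDERS = [
    PaymentOrder("P1", "E001", "ACC-0001", 120_000),    # matches roster
    PaymentOrder("P2", "E002", "ACC-9999", 130_000),    # beneficiary swapped
    PaymentOrder("P3", "E999", "ACC-9999", 500_000),    # ghost employee
    PaymentOrder("P4", "E003", "ACC-0003", 2_000_000),  # oversized payout
]

if __name__ == "__main__":
    for order_id, reason in review_payroll(ROSTER, ORDERS, ceiling=500_000).items():
        print(order_id, reason)
```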
### Hive0117's History and Scope
**Hive0117** has been active since late 2021, primarily targeting financial departments across various industries. While recent attacks focused on Russian organizations, previous activity has also targeted users in Lithuania, Estonia, Belarus, and Kazakhstan, according to **F6**.
Researchers have previously indicated that the group's operations do not seem connected to the broader cyber conflict between Russia and Ukraine, and the attackers' origin remains unknown. This campaign follows earlier activity reported by **F6** last year, where the group used a modified version of **DarkWatchman** to target Russian companies across multiple sectors. In 2023, Western researchers observed **Hive0117** impersonating Russian government communications in phishing emails disguised as military conscription notices, another campaign that deployed the same malware.