Hive0106

Threat Actor updated 4 months ago (2024-05-04T18:14:57.677Z)
Hive0106, also known as TA551, is a notable threat actor recognized for its association with ITG23, another prominent entity in the cybercrime landscape. This partnership has been observed since mid-2021 by X-Force, a cybersecurity firm. Hive0106's primary role is as a distribution affiliate, delivering malware through various methods such as email lures and hosting payloads on newly created malicious domains. The group's tactics include impersonating legitimate business emails to trick recipients into falling for their scams, a method reminiscent of Business Email Compromise (BEC) schemes. In late February 2022, X-Force discovered that Hive0106 used at least one ITG23 crypter repeatedly in conjunction with the Qakbot banking trojan, and at least once with the Gozi banking trojan. Both instances were likely executed by the ITG23 distribution affiliate Hive0106. Moreover, leaked chats have revealed that Hive0106, represented by the gtags 'zev', 'zem', and 'zvs', has provided crypted malware samples to other affiliates and partners, including Bentley, Cherry, Netwalker, and Zeus. Throughout September and October, Hive0106 resumed distributing the Trickbot malware using the 'zem' and 'zvs' gtags. However, researchers remain uncertain whether ITG23 directly controls the delivery of these malicious emails via dedicated personnel or if they are independently distributed by other affiliates like Hive0106 and Hive0107. Despite this uncertainty, Hive0106's activities demonstrate a sophisticated and organized approach to cybercrime, underscoring the need for robust cybersecurity measures.
Description last updated: 2023-12-20T16:42:25.534Z
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID | Votes | Profile Description
TA551 | 2 | TA551, also known as Hive0106, Shathak, and UNC2420, is a financially motivated threat group that has been active in the cybercrime landscape. This threat actor has been linked to various malware distribution activities, including those involving QakBot, IcedID, Emotet, Bumblebee, Gozi, and other ma
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
Analyst Notes & Discussion
Associated Malware
ID | Type | Votes | Profile Description
TrickBot | Unspecified | 2 | TrickBot is a notorious malware that has been used extensively by cybercriminals to exploit and damage computer systems. It operates as a crimeware-as-a-service platform, infecting systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it can stea
QakBot | Unspecified | 2 | Qakbot is a type of malware that has been linked to various cybercriminal activities, with its presence first observed as early as 2020. It gained notoriety for its role in the operations of the Black Basta ransomware group, which used Qakbot extensively in sophisticated phishing campaigns. The malw
Associated Threat Actors
ID | Type | Votes | Profile Description
ITG23 | Unspecified | 2 | ITG23, also known as the Trickbot/Conti syndicate, is a significant threat actor that has been active since 2016 in the East European cybercrime arena. This group is renowned for its use of Reflective DLL Injection code in many of its crypters, with the presence of these crypters on a file sample be
Source Document References
Information about the Hive0106 Threat Actor was read from the documents corpus below. This display is limited to 20 results.
Source Link | Created At | Title
MITRE | 9 months ago | Trickbot Rising — Gang Doubles Down on Infection Efforts to Amass Network Footholds
SecurityIntelligence.com | 10 months ago | ITG23 Crypters Highlight Cooperation Between Cybercriminal Groups