Hive0106

Threat Actor updated 7 months ago (2024-05-04T18:14:57.677Z)

Download STIX

Preview STIX

Hive0106, also known as TA551, is a notable threat actor recognized for its association with ITG23, another prominent entity in the cybercrime landscape. This partnership has been observed since mid-2021 by X-Force, a cybersecurity firm. Hive0106's primary role is as a distribution affiliate, delivering malware through various methods such as email lures and hosting payloads on newly created malicious domains. The group's tactics include impersonating legitimate business emails to trick recipients into falling for their scams, a method reminiscent of Business Email Compromise (BEC) schemes. In late February 2022, X-Force discovered that Hive0106 used at least one ITG23 crypter repeatedly in conjunction with the Qakbot banking trojan, and at least once with the Gozi banking trojan. Both instances were likely executed by the ITG23 distribution affiliate Hive0106. Moreover, leaked chats have revealed that Hive0106, represented by the gtags 'zev', 'zem', and 'zvs', has provided crypted malware samples to other affiliates and partners, including Bentley, Cherry, Netwalker, and Zeus. Throughout September and October, Hive0106 resumed distributing the Trickbot malware using the 'zem' and 'zvs' gtags. However, researchers remain uncertain whether ITG23 directly controls the delivery of these malicious emails via dedicated personnel or if they are independently distributed by other affiliates like Hive0106 and Hive0107. Despite this uncertainty, Hive0106's activities demonstrate a sophisticated and organized approach to cybercrime, underscoring the need for robust cybersecurity measures.

Description last updated: 2023-12-20T16:42:25.534Z

What's your take? (Question 1 of 4)

Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.

Possible Aliases / Cluster overlaps

It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.

Alias Description	Votes
TA551 is a possible alias for Hive0106. TA551, also known as Hive0106, Shathak, and UNC2420, is a financially motivated threat group that has been active in the cybercrime landscape. This threat actor has been linked to various malware distribution activities, including those involving QakBot, IcedID, Emotet, Bumblebee, Gozi, and other ma	2

Miscellaneous Associations

Other elements of context that could aid in the identification of relevance

Malware

Analyst Notes & Discussion

Be the first to leave your mark here! Log in to share your views and vote.

Associated Malware

To see the evidence that has resulted in these malware associations, create a free account

Alias Description	Association Type	Votes
The TrickBot Malware is associated with Hive0106. TrickBot is a notorious malware developed by cybercriminals to exploit and damage computer systems, often infiltrating through suspicious downloads, emails, or websites. This malicious software can steal personal information, disrupt operations, or even hold data hostage for ransom. Vladimir Dunaev,	Unspecified	2
The QakBot Malware is associated with Hive0106. Qakbot is a malicious software (malware) designed to exploit and damage computer systems. It infiltrates systems through suspicious downloads, emails, or websites, often unbeknownst to the user, with the potential to steal personal information, disrupt operations, or hold data for ransom. Built by d	Unspecified	2

Associated Threat Actors

To see the evidence that has resulted in these threatActor associations, create a free account

Alias Description	Association Type	Votes
The ITG23 Threat Actor is associated with Hive0106. ITG23, also known as the Trickbot/Conti syndicate, is a significant threat actor that has been active since 2016 in the East European cybercrime arena. This group is renowned for its use of Reflective DLL Injection code in many of its crypters, with the presence of these crypters on a file sample be	Unspecified	2

Source Document References

Information about the Hive0106 Threat Actor was read from the documents corpus below. This display is limited to 20 results, create a free account to see more

Preview	Source Link	CreatedAt	Title
	MITRE	a year ago	Trickbot Rising — Gang Doubles Down on Infection Efforts to Amass Network Footholds
	SecurityIntelligence.com	a year ago	ITG23 Crypters Highlight Cooperation Between Cybercriminal Groups