TA577 (Hive0118): The Evolving Phishing Specialist Behind Modern Malware Campaigns

TA577 (Hive0118): The Evolving Phishing Specialist Behind Modern Malware Campaigns

Introduction

TA577, or Hive0118, is a Russian-speaking cybercrime access broker and distributor who’s adaptive and prolific within the continually evolving cyber threat landscape. They have been operational since mid-2020, and have been known for using an extensive volume of email campaigns across all sectors to distribute Qbot (QakBot), IcedID, Latrodectus, and Pikabot globally. By Early 2024, the previously known method of accessing NTLM hashes via phishing showed a clear shift in TA577’s strategy from just being an initial access broker to now potentially using post-exploitation methods. The adaptability and credential focus of TA577 have resulted in a higher threat profile and therefore require strong identities and email security systems to assist in mitigating risk.

TA577 Hive0118 APT group profile highlighting phishing activity, NTLM hash theft, and ransomware access operations
TA577 (Hive0118) APT Group Profile – Identity, motivation, and threat assessment.

Identity & Motivation

  • Attribution: TA577 is assessed to be Russian-speaking cybercriminals who support criminal enterprises financially. They are not currently known to be run by a state.
  • Active Since: All evidence suggests that TA577 has been operational since Mid 2020. Evidence of operational surges has been seen as early as 2021 up to 2025.
  • Aliases: The Microsoft Threat Intelligence team has named this group Hive0118, but they may have many other names and references within the community.
  • Motivation: Originally financially motivated, but now they also conduct credential theft to obtain further income from their criminal activity (i.e. sold access to cybercriminals).

The increased commercialization (profiting from mass phishing, etc.) of phishing and credential acquisition through email campaigns and through the corresponding authentication abuse of NTLM allows for maximum overall benefit from both themselves as well as the partners they use within their Raitz and Merck software ecosystem.

Tactics, Techniques, and Procedures (TTPs)

Initial Access: Large-scale phishing campaigns using thread hijacking and reply-chain injection techniques. Malicious Microsoft Office documents (macro-enabled), HTML Smuggling and ZIP containers were used initially, but in 2023 as Microsoft implemented macro restrictions, they switched to malware loaders (QakBot, Post Microsoft 2023) embedded within PDF or OneNote files to continue their access operations.

Execution & Delivery: Historically are the distributed sources of Qbot (QakBot) and IcedID. After the takedown of QakBot in 2023, these actors quickly pivoted to Pikabot and Latrodectus to maintain access. Living-off-the-land (LOLBin): Actors use LOLBins (e.g.: PowerShell, CMD, Rundll32) to execute malicious payloads from those malware loaders.

Command and Control (C2): Fast flux DNS and compromised WordPress sites were used to deliver the payload to the compromised victims. They are still using the same methods to provide resilience in their Command and Control (C2) channels (e.g.: using encrypted HTTPS calls as well as Domain Generation Algorithms(DGA)).

Persistence & Evasion: These actors used scheduled tasks and registry autorun to maintain their persistence on compromised systems. Through the use of obfuscated scripts as well as deploying sandbox evasion techniques (e.g.: timing delays, environment fingerprinting), these actors created an impressive barrier to the detection of their malicious activity.

Post-Exploitation: During the last few months, there has been a marked increase in the use of sophisticated phishing techniques to steal NTLM hashes. This would indicate an evolution beyond acting as a pure initial access broker (e.g.: HTML Smuggling with embedded UNC paths/remote images and/or resource references that coerce NTLM authentication above) since at the same time actors have also moved to obtain credentials through using Mimikatz, browser dumpers and/or credential caches and either sell or leverage those credentials for follow-on intrusion.

Get your security score with Threat.watch
Threat.watch encouraging users to check their security score

Notable Operations (2023–2025)

  • In August 2023, QakBot was taken down and TA577 reorganized its operations around two new pieces of malware: Pikabot and Latrodectus, However, it continued to operate on a large scale with its email infrastructure.
  • In February 2024, TA577 began to steal NTLM hashes. The phishing impersonation techniques that TA577 employed allowed them to obtain NTLM hashes much like a more advanced post-exploitation phase of their operations.
  • In October 2024, TA577 continued in the same vein with its multi-loader campaigns using Pikabot and Latrodectus, while continuing to leverage NTLM-targeted credential thefts against large enterprises globally.
  • In January 2025, TA577 expanded its campaign activities across many different industries internationally, with Black Basta intrusion incidents often referenced by the defenders of these campaigns.

Recent Developments (2025)

The continued activities of TA577 in 2025 exhibit the group’s ability to adjust to changing conditions, while maintaining a strong emphasis on the use of credentials. The heightened activity during early 2024 of obtaining NTLM hashes provided the group with an opportunity to improve upon their HTML smuggling and reply-chain phishing techniques, while at the same time using both Pikabot and Latrodectus as backup loaders. Incident responders have frequently observed the overlap between TA577 access and the operations of the Black Basta ransomware crew, which supports the assessment that TA577 has protentional access that can be monetized through access by high-impact eCrime crews.

TA577 has also continued to evolve the delivery of multiple payloads via redundant infection chains, thereby increasing their resilience against email filtering. Furthermore, by establishing partnerships with many of the access brokers within the ecosphere, TA577 has the ability to quickly replace their tools and infrastructure if they are disrupted.

Strategic Assessment

TA577 (Hive0118) is an example of how a threat actor can evolve from initial access broker to credential theft and post-exploitation enabler. The increase in NTLM hash capture and ongoing loader distribution in 2024 has made it easier for threat actors to be successful with lateral movement and domain compromise, which places users at greater risk for downstream impact. In addition, connection to Black Basta and other Ransomware operations increases potential for enterprise impact.

Key Indicators of Evolution:

1. The ability to use HTML smuggling and containerized payloads (ZIP/ISO/OneNote) instead of macros to deliver malicious code

2. Rapid adoption of new loaders after prior loader-DDoS takedowns, such as Qbot with the new loaders Pikabot and Latrodectus

3. Campaigns designed to collect NTLM hash information on targeted systems by utilizing coercive measures (such as credential harvesting)

4. Redundancy in their infrastructure from their use of rotating domains, fast-flux techniques, and compromised web properties (CMS).

Defensive Recommendations

  • Email security hardening: To boost email security, set up DMARC, DKIM and SPF records and filter external emails that contain HTML/HTM/OneNote/ISO/IMG/ZIP files. Remote content that is embedded in emails should be stripped out.
  • Credential/NTLM safeguards: Disable NTLM if it is feasible; SMB signing should be enabled, and Extended Protection for Authentication should be established. Restrict access to outbound SMB/LDAP. Monitor for potential relay and coercion patterns of NTLM-based interactions by others.
  • Detection & monitoring: Track for odd-ball DNS requests from fast flux typology and from other recently registered websites using HTTPS. Identify and document the use patterns of Latrodectus and Pikabot indicators in order to track changes in the behaviour of existing known bad actors (command-and-control servers). Monitor alerts on LOLBins (PowerShell/Rundll32) execution chains.
  • Identity hygiene: All remote access should require multi-factor authentication. Set up a conditional access policy using least privilege for all users. Change the passwords on any accounts that got phished; audit service accounts.
  • Awareness & testing: Run targeted phishing simulations against employees that replicate reply-chain or invoice/Human Resources-based techniques. Fire your internal red teams at NTLM coercion and HTML smuggling scenarios.

Conclusion

TA577 (Hive0118) is a foundational entity of the global cybercrime economy. They have perfected the distribution of phishing and have adapted malware to facilitate ransomware and credential theft in virtually any geographic region. Continued access broker sales will ensure that TA577 adapts to new developments and partners with new ransomware affiliates while leveraging user trust as its primary attack surface. The trajectory of TA577 illustrates a general reality of the cyber underground: the most significant risks are not always perpetrated by the actors directly involved with ransomware operations, but instead are being carried out by those that create opportunities for them.

You can download and review the sheet for all the details!

Two cybersecurity professionals reviewing threat intelligence on a laptop in a secure operations center
Brandefense provides trusted threat intelligence and digital risk protection for global security teams.
Share This:
  • Categories
  • Latest News
  • Follow Us on Social Media!