For the last year and a half, IBM X-Force has actively monitored the evolution of Hive0051’s malware capabilities. This Russian threat actor has accelerated its development efforts to support expanding operations since the onset of the Ukraine conflict. Recent analysis identified three key changes to capabilities: an improved multi-channel approach to DNS fluxing, obfuscated multi-stage scripts, and the use of fileless PowerShell variants of the Gamma malware.

As of October 2023, IBM X-Force has also observed a significant increase in Hive0051's activity using this new multi-channel approach to rapidly rotating C2 infrastructure, supporting at least 1,027 active infections and more than 327 unique malicious domains observed in a single 24-hour period. While Hive0051 has leveraged DNS fluxing to avoid detection since at least as early as December 2022, the automated, synchronized fluxing of dynamic DNS records across Telegram channels and Telegraph sites at scale points to a potential elevation in actor resources and capability devoted to ongoing operations. In addition, by deploying multiple consecutive stages of Hive0051's exclusive Gamma variant malware, the actor is able to remap victims to separate sets of actor-controlled C2 fluxing clusters.
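The fluxing behaviour described above (many domains whose resolved addresses rotate within hours, with several domains cycling through the same address pool) is visible to defenders in resolver logs. The following is an added detection sketch, not code from X-Force or from the actor's tooling; the log format, domain names, addresses and the one-hour window and three-address threshold are all constructed assumptions for the example, and a real deployment would tune the thresholds against its own baseline of legitimate round-robin and CDN records.

```python
"""Heuristic fast-flux detection over DNS resolver logs (added example, constructed data)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample resolver log: "<UTC timestamp> <client> <qname> <answer_ip>".
# svc-update/svc-sync rotate through a shared address pool within an hour (flux-like);
# cdn.example.com changes slowly and mail.example.org never changes (benign patterns).
SAMPLE_LOG = """\
2023-10-01T00:00:00Z 10.0.0.5 svc-update.example.net 198.51.100.10
2023-10-01T00:03:00Z 10.0.0.7 cdn.example.com 203.0.113.5
2023-10-01T00:05:00Z 10.0.0.9 svc-sync.example.net 198.51.100.10
2023-10-01T00:07:00Z 10.0.0.5 mail.example.org 203.0.113.77
2023-10-01T00:12:00Z 10.0.0.5 svc-update.example.net 198.51.100.22
2023-10-01T00:20:00Z 10.0.0.9 svc-sync.example.net 198.51.100.22
2023-10-01T00:25:00Z 10.0.0.5 svc-update.example.net 198.51.100.31
2023-10-01T00:35:00Z 10.0.0.9 svc-sync.example.net 198.51.100.31
2023-10-01T00:40:00Z 10.0.0.5 svc-update.example.net 198.51.100.47
2023-10-01T06:03:00Z 10.0.0.7 cdn.example.com 203.0.113.9
2023-10-01T09:07:00Z 10.0.0.5 mail.example.org 203.0.113.77
2023-10-01T12:03:00Z 10.0.0.7 cdn.example.com 203.0.113.5
"""


def parse_log(log_text):
    """Parse the constructed log format into (timestamp, client, qname, answer_ip) tuples."""
    records = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, qname, ip = line.split()
        records.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                        client, qname.lower().rstrip("."), ip))
    return records


def flux_score(records, window=timedelta(hours=1)):
    """For each domain, the largest number of distinct answer IPs seen in any sliding window."""
    by_domain = defaultdict(list)
    for ts, _client, qname, ip in records:
        by_domain[qname].append((ts, ip))
    scores = {}
    for qname, events in by_domain.items():
        events.sort()
        best = 0
        for i, (start, _ip) in enumerate(events):
            # Answers observed within `window` of this event's timestamp.
            ips = {ip for ts, ip in events[i:] if ts - start <= window}
            best = max(best, len(ips))
        scores[qname] = best
    return scores


def find_fluxing_domains(log_text, min_distinct_ips=3, window=timedelta(hours=1)):
    """Domains whose answers rotate through >= min_distinct_ips addresses within one window."""
    scores = flux_score(parse_log(log_text), window)
    return sorted(d for d, s in scores.items() if s >= min_distinct_ips)


def cluster_by_shared_ips(records, domains):
    """Group flagged domains that share at least one answer IP (connected components)."""
    ip_sets = {d: set() for d in domains}
    for _ts, _client, qname, ip in records:
        if qname in ip_sets:
            ip_sets[qname].add(ip)
    parent = {d: d for d in domains}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    names = list(domains)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if ip_sets[a] & ip_sets[b]:
                parent[find(a)] = find(b)
    groups = defaultdict(list)
    for d in names:
        groups[find(d)].append(d)
    return sorted(sorted(g) for g in groups.values())


if __name__ == "__main__":
    flagged = find_fluxing_domains(SAMPLE_LOG)
    print("flux-like domains:", flagged)
    print("shared-pool clusters:", cluster_by_shared_ips(parse_log(SAMPLE_LOG), flagged))
```

The second function matters as much as the first: a single rotating record can be a legitimate dynamic-DNS host, but several domains cycling through one address pool inside the same hour is the "cluster" pattern the text describes, and grouping them lets an analyst block or sinkhole the pool rather than chase individual names.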

Based on X-Force observations, these Gamma variants have evolved over time from the initial VBS-based GammaLoad variant to include multiple obfuscation stages and several scripts designed to enumerate victims and spread malware via connected USB devices. Of note, the most recent iterations of the GammaLoad PowerShell variant moved to a fileless approach, with all malicious code stored dispersed across registry values rather than on disk. The same has been observed for the GammaSteel PowerShell variant used to exfiltrate files upon infection.

X-Force assesses with high confidence that the evolution of rapid remapping of infrastructure to include multi-channel DNS fluxing, continuous malware development and the growing sophistication of malware and obfuscation is evidence of Hive0051’s increasingly elevated level of capability.