Hackers use fake payroll registers to withdraw money from company accounts.

Company accountants are once again at the center of financial cyberattacks: the Hive0117 group infects workstations through emails with attachments disguised as invoices, reconciliation statements and bills, waits for a cryptographic token to be connected, and gains access to remote banking systems. Since the beginning of 2026 the group has carried out about 400 successful attacks on Russian companies, and the average damage in March and April rose from 3 million to 10 million rubles, according to F6.
F6 specialists have recorded a new wave of Hive0117 attacks on legal entities. The group has been active since the end of 2021 and previously targeted mostly Russian organizations, but it has now expanded its geography. Besides Russia, recipients in Belarus, Kazakhstan and Uzbekistan appeared in the mailing lists. In Belarus at least six companies were hit, in telecommunications, manufacturing, trade and other sectors; in Kazakhstan three organizations, including online stores and a chemical industry enterprise; in Uzbekistan a beverage manufacturer.
In 2026 the attackers sent emails to accountants at more than 3,000 Russian companies across industries. The mailings peaked in February and March, after which activity dropped roughly tenfold. The emails were disguised as routine business correspondence: bills for payment, reconciliation statements, invoices, notices about document storage and forwarded messages with attachments.
The malicious file was hidden inside a RAR archive, with the archive password given directly in the email. The technique helps bypass some mail filters and antivirus checks, because a password-protected attachment is harder for security systems to analyze. Once the file was launched, the computer was infected with DarkWatchman, a fileless remote-access Trojan that established persistence in the system and downloaded additional modules.
In the next stage the criminals installed a keylogger. The module intercepted keyboard input, monitored the clipboard and checked whether a cryptographic token was connected to the computer. For the attackers such a token is a key signal: an accountant normally uses the signature device to log in to the remote banking system and make payments on behalf of the company.
When the keylogger detected a token in a USB port, the attackers moved to the active phase of the attack. A remote control tool, or a Trojan with a hidden virtual desktop function, was installed on the infected computer. With this access the criminals could open a browser, work in the bank's online banking interface and carry out transactions from the victim's computer without attracting the accountant's attention.
If the company confirms payments via SMS, the criminals can follow a different scenario: persuade the user to install an Android application that intercepts two-factor authentication codes. This option lets them obtain confirmation codes and continue the attack without a cryptographic token.
F6 separately points to a new cash-out scheme. The criminals submitted payments as a register that outwardly resembled a salary transfer. The register contained the accounts of money mules (drops), through which the stolen funds were then withdrawn. If the bank does not check such operations with session-level and transaction-level anti-fraud, the attackers have a chance to withdraw a large sum in a single attack.
DarkWatchman collected information about the system: Windows version, user privileges, domain, installed antivirus and connected smart cards. The Trojan could also change its command-and-control server, upload files, run commands, update itself and remove traces of its activity. This set of functions lets the group tailor the attack to a specific company and keep control of the infected device even if part of the infrastructure is lost.
For accountants and finance staff, the main risk is not some rare technical vulnerability but an ordinary email that looks like a work document. F6 recommends not opening attachments from unknown senders without verification, not running files with .EXE or .LNK extensions or double extensions such as .PDF.EXE, not installing applications from links in emails, SMS, messengers or QR codes, and, if infection is suspected, immediately disconnecting the computer from the network.
F6 specialists advise strengthening anti-fraud in the web channel, taking into account signs of a remote connection, checking third-party applications on user devices, and recommending that customers move remote banking (RBS) work to isolated workstations with limited Internet access. A separate recommendation concerns tokens: electronic signature devices should not be left permanently plugged into the computer.
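The two lures described above, a password-protected archive whose password is printed in the message body and attachments with executable or double extensions, can be caught at the mail gateway before a user ever sees them. The following is an added example, not code from F6 or from the campaign itself; the extension lists, the password regex and the sample message are assumptions. It also shows a caveat a practitioner should know: a ZIP central directory keeps member names in the clear even when the content is encrypted, so names inside an encrypted ZIP can be checked without the password, whereas a RAR created with header encryption hides them too.

```python
from __future__ import annotations

import io
import re
import zipfile
from dataclasses import dataclass

# Added illustration (not F6's or the campaign's code): gateway-side triage of a
# message body and its attachments. Extension sets and the password pattern are
# assumptions chosen for the example.
EXEC_EXT = {".exe", ".lnk", ".scr", ".bat", ".cmd", ".js", ".vbs", ".hta"}
DOC_EXT = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".rtf"}
ARCHIVE_EXT = {".rar", ".zip", ".7z"}

# Matches "Password: 1234", "password is abc", "пароль 1234" and similar phrasings.
PASSWORD_RE = re.compile(
    r"(?:password|пароль)\s*(?:is|[:\-–])?\s*[\"'«]?([^\s\"'»]{3,32})", re.IGNORECASE
)


@dataclass
class Attachment:
    name: str
    data: bytes = b""


def split_extensions(name: str) -> list[str]:
    """'Invoice.pdf.exe' -> ['.pdf', '.exe']"""
    parts = name.lower().rsplit("/", 1)[-1].split(".")
    return ["." + p for p in parts[1:] if p]


def classify_name(name: str) -> str | None:
    exts = split_extensions(name)
    if not exts:
        return None
    last = exts[-1]
    if len(exts) >= 2 and exts[-2] in DOC_EXT and last in EXEC_EXT:
        return "double extension"
    if last in EXEC_EXT:
        return "executable"
    return None


def body_password(body: str) -> str | None:
    m = PASSWORD_RE.search(body)
    return m.group(1) if m else None


def zip_members(data: bytes) -> list[tuple[str, bool]]:
    """Member names and their per-entry encryption flag (bit 0 of flag_bits).
    Names are readable without the password; only the content is encrypted."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [(i.filename, bool(i.flag_bits & 0x1)) for i in zf.infolist()]
    except zipfile.BadZipFile:
        return []


def triage(body: str, attachments: list[Attachment]) -> list[str]:
    findings = []
    pw = body_password(body)
    for att in attachments:
        exts = split_extensions(att.name)
        kind = classify_name(att.name)
        if kind:
            findings.append(f"{att.name}: {kind}")
        if exts and exts[-1] in ARCHIVE_EXT:
            # Only ZIP is parsed here; RAR/7z would need an external unpacker.
            members = zip_members(att.data) if exts[-1] == ".zip" else []
            for mname, _ in members:
                mkind = classify_name(mname)
                if mkind:
                    findings.append(f"{att.name}!{mname}: {mkind}")
            if pw:
                findings.append(f"{att.name}: archive password {pw!r} found in message body")
            if not members:
                findings.append(f"{att.name}: member names not readable without unpacking")
    return findings


def sample() -> list[str]:
    # Constructed sample message modelled on the lure described in the article.
    body = "Good afternoon, the April invoice is attached. Archive password: Akt2026"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Invoice_0417.pdf.exe", b"MZ" + b"\x00" * 64)
    return triage(body, [Attachment("Documents.zip", buf.getvalue()), Attachment("Act.lnk")])


if __name__ == "__main__":
    for line in sample():
        print(line)
```

A gateway that cannot unpack the archive still has two cheap signals: the password pattern in the body and the attachment name itself. Quarantining on either, rather than delivering an unscannable archive, removes the reason the technique works.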
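The cash-out scheme above (a register that looks like payroll but routes money to mule accounts) and the advice to combine session-level and transaction-level anti-fraud can be shown together. The following is an added example of what such a bank-side check might look like; it is not F6's or any bank's logic, and the thresholds, field names, account numbers and salary history are all constructed for the illustration. The transaction-level part compares a submitted register against the company's payroll history; the session-level part takes two signals the article mentions, a remote control tool in the session and an unknown device, as already-computed booleans.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import date
from statistics import median

# Added illustration (not F6's or a bank's anti-fraud code). All thresholds
# and sample data below are assumptions for the example.


@dataclass(frozen=True)
class Payment:
    account: str   # recipient account, constructed 20-digit numbers
    amount: int    # rubles


@dataclass
class Register:
    company: str
    submitted: date
    payments: list[Payment]
    remote_control_seen: bool = False   # session signal: RDP/VNC/hidden-desktop artefacts
    new_device: bool = False            # session signal: unknown browser/device fingerprint


def baseline(history: list[Register]) -> dict:
    """What 'normal payroll' looks like for this company."""
    accounts = {p.account for r in history for p in r.payments}
    amounts = [p.amount for r in history for p in r.payments]
    totals = [sum(p.amount for p in r.payments) for r in history]
    return {
        "accounts": accounts,
        "median_salary": median(amounts),
        "max_total": max(totals),
        "days": {r.submitted.day for r in history},
    }


def assess(reg: Register, history: list[Register]) -> tuple[str, list[str]]:
    """Returns ('approve' | 'review' | 'hold', reasons)."""
    b = baseline(history)
    reasons: list[str] = []

    # Transaction-level signals: recipients and amounts versus payroll history.
    new = [p for p in reg.payments if p.account not in b["accounts"]]
    if new:
        share = len(new) / len(reg.payments)
        if share >= 0.2:
            reasons.append(f"{share:.0%} of recipients never paid before")
        big = [p for p in new if p.amount > 3 * b["median_salary"]]
        if big:
            reasons.append(f"{len(big)} new recipient(s) above 3x median salary")
    total = sum(p.amount for p in reg.payments)
    if total > 1.5 * b["max_total"]:
        reasons.append(f"register total {total} exceeds 1.5x previous maximum {b['max_total']}")
    if min(abs(reg.submitted.day - d) for d in b["days"]) > 3:
        reasons.append(f"submitted on day {reg.submitted.day}, usual days {sorted(b['days'])}")
    tx_signals = len(reasons)

    # Session-level signals: how the register was submitted, not what it contains.
    session: list[str] = []
    if reg.remote_control_seen:
        session.append("remote control tool active in the session")
    if reg.new_device:
        session.append("unknown device")
    reasons.extend(session)

    if tx_signals >= 2 or (session and tx_signals >= 1):
        return "hold", reasons
    if reasons:
        return "review", reasons
    return "approve", reasons


def sample_history() -> list[Register]:
    # Constructed: four employees paid on the 5th and 20th, January to March.
    staff = [
        Payment("40817810100000000001", 80_000),
        Payment("40817810100000000002", 95_000),
        Payment("40817810100000000003", 70_000),
        Payment("40817810100000000004", 120_000),
    ]
    return [Register("OOO Example", date(2026, m, d), staff) for m in (1, 2, 3) for d in (5, 20)]


def sample_fraud() -> Register:
    # Constructed: three mule accounts with large amounts, submitted mid-month
    # from a session where a remote control tool was observed.
    mules = [
        Payment("40817810999000000017", 950_000),
        Payment("40817810999000000023", 1_200_000),
        Payment("40817810999000000031", 870_000),
        Payment("40817810100000000001", 80_000),
    ]
    return Register("OOO Example", date(2026, 4, 13), mules, remote_control_seen=True)


def sample_legit() -> Register:
    return Register("OOO Example", date(2026, 4, 5), sample_history()[0].payments)


if __name__ == "__main__":
    print(assess(sample_fraud(), sample_history()))
    print(assess(sample_legit(), sample_history()))
```

The point of the combination is that a register built from mule accounts is unusual on several independent axes at once (recipients, amounts, total, timing), and a "hold" on a payroll-shaped transfer costs the customer a phone call, whereas letting it through costs the full amount.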