29 July 2024

Hive0137 email spammer is now using AI to bolster its phishing campaigns

The Hive0137 threat actor has been observed leveraging Large Language Models (LLMs) to generate phishing emails that look more authentic and are harder to detect with traditional signature-based methods.

The new behavior was seen by the IBM X-Force threat intelligence team in an Italian campaign distributing Dave-crypted X-Worm. Additionally, Hive0137 appears to use Generative AI for creating its tooling, the team noted.

Hive0137 is a highly active email spammer distributing malware used for initial access in ransomware attacks. Active since at least October 2023, the group has been distributing various malware payloads such as DarkGate, NetSupport, T34-Loader, and Pikabot using what IBM X-Force describes as the “most complex infection chain,” which often involves the use of advanced crypters. These crypters indicate a possible relationship with former members of ITG23, also known as the Conti/Trickbot group. The connection suggests that Hive0137 may be collaborating with, or may have absorbed, members from ITG23.

Following a large-scale law enforcement effort known as “Operation Endgame,” which targeted several malware botnets, including IcedID, SystemBC, Pikabot, Smokeloader, Bumblebee and Trickbot, X-Force observed Hive0137 introducing a new backdoor known as WarmCookie. The threat actor has also changed its payload delivery method. The group started using Microsoft Project files with embedded macros to download NetSupport payloads.

Hive0137's campaigns have delivered emails containing malicious PDF attachments or URLs leading to malware like DarkGate and NetSupport. The group has been observed using new loaders such as T34-Loader, with overlapping tactics noted in Proofpoint's TA571 cluster.

In early 2024, Hive0137 expanded its techniques, experimenting with new attachment types, such as Excel files containing malicious URLs. These campaigns typically led to the download of VBS or JavaScript files, which then deployed the final payload, often the DarkGate malware.

In mid-June, Hive0137 employed HTML files to copy malicious PowerShell code into users' clipboards, prompting execution and downloading the WarmCookie backdoor.

In a July 2024 campaign, Hive0137 targeted Italian-speaking victims using ZIP archives containing .URL files linked to Dave-crypted X-Worm.
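The two delivery mechanisms just described, HTML attachments that copy a PowerShell command into the clipboard and ZIP archives carrying .URL shortcut files, are both cheap to triage at the mail gateway. The following is an added example of such triage logic; it is not code from IBM X-Force or from this article. It parses every .URL member of a ZIP attachment as the INI-style Internet Shortcut format it is, flags targets that point to a remote or UNC location, and scores an HTML attachment on whether it combines a clipboard-write API call with a shell command string. The sample archive, the sample HTML, and the `example.invalid` hostname are constructed placeholders, not indicators from the campaign.

```python
import io
import re
import zipfile
from configparser import ConfigParser
from typing import Dict, List, Optional

# Constructed sample: an Internet Shortcut (.URL) file whose target is a remote
# file share. The hostname and path are placeholders, not real IoCs.
SAMPLE_URL_FILE = (
    "[InternetShortcut]\n"
    "URL=file://example.invalid/share/payload_placeholder\n"
    "IconIndex=0\n"
)

# Constructed sample: an HTML lure that writes a shell command to the clipboard.
# The command is a harmless placeholder.
SAMPLE_HTML = (
    "<html><body><button onclick=\"navigator.clipboard.writeText("
    "'powershell -NoProfile placeholder')\">Fix document</button></body></html>"
)

# Schemes that make a shortcut target fetch content from somewhere else.
REMOTE_SCHEMES = ("http:", "https:", "file:", "ftp:")

# Heuristics for the clipboard-paste lure: a clipboard write plus a shell name.
CLIPBOARD_API = re.compile(
    r"navigator\.clipboard\.writeText|execCommand\(\s*['\"]copy['\"]\s*\)", re.I
)
SHELL_HINT = re.compile(r"\bpowershell\b|\bcmd(?:\.exe)?\b", re.I)


def build_sample_zip() -> bytes:
    """Build the constructed ZIP attachment used for the demonstration."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.url", SAMPLE_URL_FILE)
        zf.writestr("readme.txt", "benign text")
    return buf.getvalue()


def parse_url_target(data: bytes) -> Optional[str]:
    """Return the URL= value of the [InternetShortcut] section, if present."""
    cp = ConfigParser(interpolation=None)
    cp.read_string(data.decode("utf-8", errors="replace"))
    return cp.get("InternetShortcut", "URL", fallback=None)


def is_remote_target(target: Optional[str]) -> bool:
    """True when the shortcut would resolve to a remote host or UNC share."""
    if not target:
        return False
    t = target.strip().lower()
    return t.startswith(REMOTE_SCHEMES) or t.startswith("\\\\")


def triage_zip(zip_bytes: bytes) -> List[Dict]:
    """List every .URL member of the archive with its target and remote flag."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if not info.filename.lower().endswith(".url"):
                continue
            target = parse_url_target(zf.read(info))
            findings.append(
                {"member": info.filename, "target": target, "remote": is_remote_target(target)}
            )
    return findings


def html_clipboard_lure_score(html: str) -> Dict[str, bool]:
    """Flag HTML that both writes to the clipboard and names a shell interpreter."""
    copies = bool(CLIPBOARD_API.search(html))
    shell = bool(SHELL_HINT.search(html))
    return {"copies_to_clipboard": copies, "mentions_shell": shell, "suspicious": copies and shell}


if __name__ == "__main__":
    for f in triage_zip(build_sample_zip()):
        print("ZIP member", f["member"], "->", f["target"], "remote" if f["remote"] else "local")
    print("HTML lure score:", html_clipboard_lure_score(SAMPLE_HTML))
```

Both checks are deliberately narrow: a .URL pointing at a local path or an HTML page that copies plain text is left alone, so the rules can run on every inbound attachment without swamping analysts. They complement, rather than replace, the signature-based filtering the article notes that LLM-written lures are designed to slip past.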

"Being one of the most active malware distributors, Hive0137 demonstrates a willingness to explore new payloads and technologies such as GenAI," the researchers said. "They have quickly moved onto the same level as other high-profile distributors such as TA577, and will likely be responsible for future phishing campaigns, facilitating initial access for ransomware affiliates."
