Cybercriminals ran a phishing operation built around the DarkWatchman remote access trojan (RAT), disguising the malware delivery as official mobilization instructions. The campaign was documented by the information security firm FACCT and described on the Habr portal; it illustrates how threat actors wrap a concealed malicious payload in an authentic-looking administrative workflow to evade scrutiny.
On May 10, FACCT observed and blocked more than 600 phishing emails aimed at Russian organizations, targeting human resources departments and administrative personnel. The messages claimed to come from officials of the Main Directorate of the Military Commissariat of the Ministry of Defense of the Russian Federation and used a spoofed sender address associated with a familiar domain. Recipients were urged to open an attachment that appeared to contain urgent mobilization information.
The message directed recipients to report to the military registration and enlistment office at 8:00 am on May 11 for background checks. To appear credible, the email included an electronic copy of a mobilization order stored inside a zip archive labeled Mobilization Decree No. 5010421409-VVK dated 05/10/2023. Inside the archive was not a document but an executable file; when launched, it installed the DarkWatchman RAT, giving the attackers persistent access to the victim's system and visibility into its activity.
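The lure above combines two mechanically checkable signals: a sender whose header address does not match the envelope it actually came from, and an "order" that is an executable hiding inside an archive. The following triage script is an added example (not FACCT's tooling or the campaign's own files): it builds a constructed sample message with placeholder .test domains and a constructed zip whose "decree" is a PE image under a .pdf.exe double extension, then checks the From/Return-Path domains and inspects every archive member by both name and content so a renamed binary is still caught. Domain names, filenames and the alert wording are assumptions for illustration.

```python
"""Triage an e-mail for the lure pattern described above: an archive attachment
that hides an executable behind a document-looking name, sent from a spoofed
sender. All sample data is constructed; no real campaign artifacts are used."""
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr

# Extensions that should never arrive inside a "document" archive from HR/admin mail.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".jse",
                   ".vbs", ".wsf", ".hta", ".lnk", ".msi", ".dll"}
# Document extensions commonly used as the first half of a double extension.
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".rtf", ".odt", ".xls", ".xlsx",
                 ".jpg", ".jpeg", ".png"}


def inspect_archive(zip_bytes):
    """Return [(member_name, [reasons])] for members that look like disguised
    executables. Name and content (PE 'MZ' magic) are checked independently."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            base = info.filename.rsplit("/", 1)[-1].lower()
            parts = base.split(".")
            ext = "." + parts[-1] if len(parts) > 1 else ""
            reasons = []
            if ext in EXECUTABLE_EXTS:
                reasons.append("executable extension " + ext)
            if len(parts) > 2 and "." + parts[-2] in DOCUMENT_EXTS:
                reasons.append("double extension ." + parts[-2] + ext)
            with zf.open(info) as fh:
                magic = fh.read(2)
            if magic == b"MZ":  # DOS/PE header regardless of what the name claims
                reasons.append("PE header (MZ)")
            if reasons:
                findings.append((info.filename, reasons))
    return findings


def triage_email(raw):
    """Parse a raw RFC 5322 message and return a list of alert strings."""
    msg = message_from_bytes(raw, policy=policy.default)
    alerts = []
    from_domain = parseaddr(msg.get("From", ""))[1].rsplit("@", 1)[-1].lower()
    return_path = msg.get("Return-Path")
    if return_path:
        env_domain = parseaddr(return_path)[1].rsplit("@", 1)[-1].lower()
        if env_domain != from_domain:
            alerts.append(f"header From domain {from_domain} differs from "
                          f"envelope domain {env_domain}")
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        data = part.get_payload(decode=True) or b""
        if data[:2] == b"PK":  # zip signature; the attachment's extension is not trusted
            for member, reasons in inspect_archive(data):
                alerts.append(f"{name} -> {member}: " + "; ".join(reasons))
    return alerts


def build_sample_email():
    """Constructed lure (assumed names, .test placeholder domains): official-sounding
    display name, mismatched envelope sender, and a zip whose 'decree' is a PE image
    with a .pdf.exe double extension next to a harmless readme."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Mobilization_Decree.pdf.exe", b"MZ" + b"\x00" * 62)
        zf.writestr("readme.txt", b"Open the decree and report at 8:00.")
    msg = EmailMessage()
    msg["From"] = "Military Commissariat <orders@commissariat-lookalike.test>"
    msg["Return-Path"] = "<bounce@bulk-mailer.test>"
    msg["To"] = "hr@victim-company.test"
    msg["Subject"] = "Mobilization order: report on 11 May at 8:00"
    msg.set_content("Attached is the decree. Report with the documents listed inside.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="Mobilization_Decree.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for alert in triage_email(build_sample_email()):
        print(alert)
```

Run stand-alone, the script reports the From/Return-Path mismatch and flags the archive member on all three grounds, while the readme is left alone. Checking the MZ magic separately from the extension is the important part: a binary renamed to `.pdf` still trips the content check, and an archive attachment with a non-.zip name still trips the `PK` check.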
The DarkWatchman RAT is linked to Hive0117, a financially motivated hacking group known to use the tool for reconnaissance, credential harvesting, and groundwork for larger-scale intrusions. The operation follows a classic social-engineering playbook: the threat actors lean on government-sounding references to lower suspicion and raise the chance that the recipient runs the malware. [Citation: FACCT threat report, 2023; Hive0117 attribution confirmed in FACCT briefing]
Analysts from FACCT note that potential targets span a broad spectrum, including financial institutions, IT service providers, manufacturing firms, and other small and medium-sized enterprises. The incident underscores a recurring pattern in which critical infrastructure operators and business partners become indirect targets through compromised staff or contractors, widening the attack surface well beyond the organization that receives the email. [Citation: FACCT security briefing, 2023]
Additionally, reports from socialbites.ca indicate that malicious apps, including the trojan cataloged as Fleckpe, have circulated through app distribution channels such as the Google Play Store. This points to a threat landscape in which adversaries use multiple vectors to reach end users, spreading malicious payloads beyond traditional email channels. The Fleckpe entries appear as part of broader campaigns in which malware masquerades as legitimate software updates or administrative tools. [Citation: Socialbites.ca anomaly notes, 2023]
In practice, the phishing wave leveraged familiar administrative procedures and government language to prompt quick action. Recipients who opened the attachment risked infection, enabling attackers to harvest credentials, map networks, and prepare subsequent intrusions. The campaign illustrates how malware operators prefer layered tactics, combining social engineering, credible-looking documents, and multi-channel reach, to maximize impact without immediate detection. [Citation: FACCT assessment, 2023]