Cybercriminals are targeting victims throughout Europe — primarily in Spain, Germany and Ukraine — in an ongoing information-stealing campaign, researchers have found.

The financially motivated group tracked as Hive0145 has infected targets with Strela Stealer malware delivered through phishing emails disguised as legitimate invoice notifications. Although the group initially relied on fake invoices and receipts sent from fabricated accounts, it recently began weaponizing stolen emails from real entities in the financial, technology, manufacturing, media, e-commerce and other sectors, according to researchers at IBM X-Force, who analyzed the latest campaigns.

Strela Stealer is designed to extract user credentials stored in Microsoft and Mozilla email clients. The malware has been in use since at least 2022, targeting organizations across Europe and the U.S. Hive0145 is believed to be the tool’s sole operator. Over the past two years, the group has experimented with various techniques to improve the Strela Stealer infection chain, and its attacks have increased in volume, researchers said.

Hive0145 likely uses the stolen credentials for email fraud, such as tricking victims into sending money or sensitive information. The hackers may also sell stolen emails to affiliates for further business email compromise.

Despite the evolving delivery techniques, Strela Stealer has changed little in functionality over the past two years, researchers said. In addition to targeting the two email clients, the malware’s latest version also collects system information, retrieves a list of installed applications and checks the victim's keyboard language so that it runs only on systems using Spanish, German, Catalan, Polish, Italian, Basque or Ukrainian.

Researchers have not attributed Hive0145 to a specific country. Ukraine’s government previously reported an increase in financially motivated cyberattacks conducted by unidentified hacker groups associated with Russia. Like Hive0145, those hackers primarily distributed malware through phishing campaigns, often using previously compromised email addresses.