Hackers have stolen millions of rubles. Image: Bia Limova via Pexels

Cybercriminals target accountants to drain Russian firms’ bank accounts

Cybercriminals have stolen millions from Russian companies by hacking accountants’ computers and disguising transfers as salary payments, according to a report released this week.

Researchers at Russian cybersecurity firm F6 said the financially motivated group Hive0117 carried out a wave of attacks from February to March 2026 targeting corporate finance departments.

The attackers used phishing emails to infect accountants’ computers with malware, allowing them to access remote banking systems used to manage company payments.

Once inside, the hackers created payment orders that appeared to be legitimate salary transfers but in fact routed funds to accounts they controlled.

More than 3,000 Russian organizations received the malicious emails, researchers said. The largest confirmed theft exceeded 14 million rubles (about $178,000).

According to the report, the attackers carefully tailored their phishing emails to employees working in accounting or finance departments.

The emails were sent from what appeared to be legitimate but likely compromised accounts, including one belonging to a Moscow-based web and mobile application developer. Attached files were packaged in password-protected archives disguised as routine business documents such as invoices, reconciliation statements and shipping paperwork.

When victims opened the archive and executed a hidden file inside, their computers became infected with DarkWatchman, a remote access trojan that allows attackers to maintain covert control over compromised systems.

DarkWatchman gives attackers the ability to run commands remotely, download additional malicious tools and move laterally across a company’s network, researchers said. The malware has been linked to Hive0117 since at least 2021 and is typically distributed through phishing campaigns.

With control of an accountant’s machine, attackers could log into corporate online banking portals and initiate transactions directly from the compromised system, making the activity appear legitimate.

In the recent campaign, the hackers exploited payroll mechanisms by creating payment orders tied to bank accounts stored in a registry that appeared to belong to employees but were actually controlled by the attackers.

If those transfers cleared bank anti-fraud controls, the criminals were able to withdraw large sums from company accounts, the report said.
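The payroll-register substitution described above is the kind of change a finance team can catch before the register ever reaches the bank, by reconciling each payment line against the HR system of record. The following is an added example, not code from F6's report or from any of the firms involved; the HR records, payroll lines and account numbers are constructed sample data.

```python
# Pre-submission reconciliation of a payroll register against HR master data.
# Constructed sample data (not from the report): what HR says each employee is
# paid and where, versus the register about to be sent to the bank.
HR_ACCOUNTS = {
    "E001": {"name": "Ivanova A.", "account": "40817810100000000001", "salary": 95000},
    "E002": {"name": "Petrov B.", "account": "40817810100000000002", "salary": 80000},
    "E003": {"name": "Sidorov C.", "account": "40817810100000000003", "salary": 120000},
}

PAYROLL_REGISTER = [
    {"employee_id": "E001", "account": "40817810100000000001", "amount": 95000},
    # payee account differs from the HR record: the substituted-account pattern
    {"employee_id": "E002", "account": "40817810199999999999", "amount": 80000},
    # employee id that HR has never issued
    {"employee_id": "E999", "account": "40817810188888888888", "amount": 450000},
    # correct account, but amount far above the salary of record
    {"employee_id": "E003", "account": "40817810100000000003", "amount": 1400000},
    # a second line paying a different employee into the same unknown account
    {"employee_id": "E001", "account": "40817810188888888888", "amount": 30000},
]


def check_register(register, hr, amount_tolerance=0.25):
    """Return (employee_id, reason) pairs for lines to hold for manual review.
    amount_tolerance is the fraction above salary of record that is still
    treated as a normal variation (bonus, overtime)."""
    findings = []
    account_owners = {}  # account -> set of employee ids paid into it
    for line in register:
        emp_id, account, amount = line["employee_id"], line["account"], line["amount"]
        account_owners.setdefault(account, set()).add(emp_id)
        emp = hr.get(emp_id)
        if emp is None:
            findings.append((emp_id, "unknown employee"))
            continue
        if account != emp["account"]:
            findings.append((emp_id, "account differs from HR record"))
        if amount > emp["salary"] * (1 + amount_tolerance):
            findings.append((emp_id, "amount exceeds salary of record"))
    # one account collecting several employees' pay is a strong signal on its own
    for account, owners in account_owners.items():
        if len(owners) > 1:
            findings.append((account, "account shared by multiple employees"))
    return findings


if __name__ == "__main__":
    for subject, reason in check_register(PAYROLL_REGISTER, HR_ACCOUNTS):
        print(f"HOLD {subject}: {reason}")
```

Running the check against the sample register holds every line except the one that matches HR on both account and amount; in practice the HR side should come from a system the accountant's workstation cannot edit, since that workstation is the one assumed compromised.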

Hive0117 has been active since late 2021 and primarily targets financial departments across multiple industries. While most recent attacks focused on Russian organizations, previous activity has also targeted users in Lithuania, Estonia, Belarus and Kazakhstan, according to F6.

Researchers previously said the group’s operations do not appear to be connected to the broader cyber conflict between Russia and Ukraine, and the attackers’ origin remains unknown.

The latest campaign follows earlier activity reported by F6 last year, when the group used a modified version of DarkWatchman to target Russian companies across multiple sectors.

In 2023, Western researchers also observed Hive0117 impersonating Russian government communications in phishing emails disguised as military conscription notices, another campaign that deployed the same malware.


Daryna Antoniuk is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.