TA577 (Hive0118): The Evolving Phishing Specialist Behind Modern Malware Campaigns
ID: ac4d8018-0bd3-52e9-810b-2280c4087861
STIX ID: report--ac4d8018-0bd3-52e9-810b-2280c4087861
Feed Name: Brandefense Blog
TA577 (aka Hive0118) is a Russian-speaking cybercrime access broker active since mid-2020. It runs large-scale phishing campaigns (reply-chain injection, HTML smuggling, containerized payloads) to deliver loaders (previously QakBot/IcedID, now Pikabot and Latrodectus), harvest NTLM hashes and credentials, and monetize access via partnerships with ransomware affiliates (notably observed overlap with Black Basta). The report outlines the group's evolution, TTPs, notable operations (2023–2025), IoC patterns, and defensive recommendations.
