Hacker group ReaverBits targets Russian companies

FACCT specialists discovered a new hack group that sends malicious emails to Russian organizations on behalf of various companies and ministries.

Currently, researchers are already aware of five mailings from the group, two of which were recorded in December 2023, two in January 2024, and the last one in May. The attacks were aimed at unnamed Russian companies from the retail sector, telecommunications, a processing company, an agro-industrial association and a federal fund.


According to the company's report, in one of the malicious mailings, hackers disguised themselves as the Skyey online store, telling the victim that they had allegedly won a gift card worth 10,000 rubles. In another mailing, targets were offered a fake discount on spare parts for UAZ vehicles, and in a third case, the attackers tried to impersonate the Russian Ministry of Digital Development and Communications and reported the need to install security certificates.

Among the characteristic features of ReaverBits, experts list the following:

  • All attacks known to date are aimed exclusively at Russian organizations;
  • the group actively uses spoofing;
  • Attackers use MetaStealer as a payload;
  • In one attack, the group used the LuckyDownloader downloader, presumably using the services of another attacker tracked by the name LuckyBogdan.

MetaStealer was first discovered back in March 2022. It is a fork of the well-known stealer RedLine, designed to steal confidential information from the victim’s system. The stealer is sold on hack forums by an attacker under the pseudonym __META__.

Researchers recall that this stealer was previously used by many groups, in particular ReaverBits, Sticky Werewolf, VasyGrek and probably others.