Researchers discovered a suspicious ELF file in October 2022 that communicated with an IP address over SSL using forged Kaspersky certificates, spread by exploiting an F5 vulnerability, and had zero detections on VirusTotal. According to a study just published by Netlab, the sample was derived from the server-side source code of the CIA's leaked Hive project.
The Xdr33 variant of the HIVE kit primarily serves as a backdoor: it collects sensitive information from the compromised host and provides a foothold for follow-on intrusions. Payload data is first encrypted with AES or XTEA, and the resulting network traffic is then carried over SSL with client-certificate authentication enabled.