Hatvibe malware

Hatvibe is a custom loader written in VBScript, first identified in 2023 and used by the threat actor UAC-0063, suspected to be linked to APT28 based on victimology overlap.

It is used by the threat actor UAC-0063 (suspected to be linked to APT28 / Fancy Bear based on victimology overlap).

Hatvibe functions as a first-stage payload. Its primary role is to load and execute additional malicious modules on the infected system. The malware uses AES encryption for its communication and has anti-analysis features such as checks for sandbox environments and virtual machines.

More technical details about this loader and its use in campaigns targeting Central Asian entities can be found on Malpedia.

Read our latest blog articles

Product News

June 23, 2026

Sekoia’s new identity: Designed for clarity

Sekoia has partnered with branding agency Bruno to develop a new brand identity and digital experience that reflects who we really are.

Sekoia Team

Threat Research & Intelligence

TDR

June 11, 2026

APT28, an evolution of tradecraft

Sekoia TDR looks back at how APT28's arsenal has evolved over two decades, from its signature X-Agent implants to disposable modules, edge-device infrastructure and the first LLM-driven malware.

Amaury-Jacques GARCON

Threat Detection & Research Team

Threat Research & Intelligence

TDR

June 16, 2026

Unveiling ErrTraffic: inside a growing ClickFix malware distribution framework

This report details the ErrTraffic threat and its associated ecosystem, highlighting three specific campaigns and their operators' arsenal.

Jérémy SCION

Quentin BOURGUE

Threat Detection & Research Team