article featured image


A version of the Hive cyberattack kit created by the Central Intelligence Agency (CIA) was spotted in the wild. The pirated malicious code acts as spyware, secretly exfiltrating data from victims.

The variant was nicknamed xdr33 after its digital certification code, CN=xdr33.

The Hive variant – unrelated to the Hive ransomware group – was detected on October 21, 2022, by Netlab. Using fake Kaspersky certificates, the malware communicated with an internet protocol (IP) address.

After further lookup, we confirmed that this sample was adapted from the leaked Hive project server source code from CIA. This is the first time we caught a variant of the CIA HIVE attack kit in the wild.


What xdr33 Can Do

Features shown by this variant enable it to create a backdoor in the infected system with the purpose of stealing information. And xdr33 uses the SSL security tool to encrypt data before sending it to the threat actors.

xdr33 is a backdoor born from the CIA Hive project, its main purpose is to collect sensitive information and provide a foothold for subsequent intrusions


This is an unsophisticated version of the original, but, compared with the HIV source code, xdr33 has the following updates, according to Netlab:

  • “New CC instructions have been added
  • Wrapping or expanding functions
  • Structs have been reordered and extended
  • Trigger message format
  • Addition of CC operations to the Beacon task”

The theory about the CIA working to improve the leaked source code has been ruled out, xdr33 being the result of cybercriminal actions.

GitHub, via Cybernews, describes the original Hive spyware as “a covert communications platform for a whole range of CIA malware” used to send stolen data to agency servers and instructions for field operations.

If you liked this article, follow us on LinkedInTwitterFacebookYouTube, and Instagram for more cybersecurity news and topics.

Author Profile

Andreea Chebac

Digital Content Creator

Andreea is a digital content creator within Heimdal® with a great belief in the educational power of content. A literature-born cybersecurity enthusiast (through all those SF novels…), she loves to bring her ONG, cultural, and media background to this job.

Leave a Reply

Your email address will not be published. Required fields are marked *