Attackers Use Keyloggers, Email to Steal Data in “NightHunter” Attacks

Researchers have been monitoring the activities of a cybercriminal group that has been harvesting login credentials from the computers of various organizations across the world.

According to security firm Cyphort, which has dubbed the campaign “NightHunter” because of the stealthy methods used to exfiltrate data, the operation has been active since 2009, but it wasn’t detected until recently.

The attackers have been stealing Google, Yahoo, Facebook, Skype, Dropbox, Amazon, Hotmail, LinkedIn, Rediff and banking credentials from a wide range of organizations, including in sectors like energy, health, insurance, education and even charities, Cyphort said.

The security firm has not been able to determine what the attackers are doing with the stolen information, but believes that they could be using it to prepare for targeted attacks, including extortion, espionage or bank fraud.

The cybercriminals distribute the malware they’re using with the aid of phishing emails that appear to be related to purchase orders, payments, jobs and inquiries. The malicious notifications are usually sent to the finance, sales and human resources departments of trading companies, broadcasters, insurance firms, auditors, retailers, educational institutions, charities, hospitals, import/export companies and organizations in the oil industry, Cyphort said.

Cyphort told SecurityWeek that victims have been spotted in various countries, including the United States, Saudi Arabia, the United Kingdom, India and Malaysia.

The phishing emails contain an archive file that in most cases hides a keylogger. Several such threats have been identified in this campaign, including Limitless Logger Lite, Predator Pain, Spyrex, Aux Logger, Neptune, Mr. Clyde Logger, Ultimate Logger, Syslogger and Syndicate Logger.

Once installed on a system, keyloggers enable the attackers to steal data from Web browsers, FTP applications, games, instant messaging apps, password managers, email clients and even Bitcoin programs. Additional threats include features like obfuscation, extension spoofing, screenshot capturing, website blocking, self-removal, fake error messages, file downloaders, application disabling and Web browser data removal.

Furthermore, the malware lets its operators upload the collected information via FTP, PHP or email. The cybercriminals first used PHP, but according to Cyphort they have since moved to email: exfiltrating data from infected computers over the Simple Mail Transfer Protocol (SMTP) is stealthier than using dedicated command and control (C&C) servers, because outbound mail traffic is often overlooked by security systems.

A large number of email servers have been used to upload stolen data, but the most popular appears to be Google’s Gmail.
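The stealth argument above rests on security products treating mail traffic, and Gmail in particular, as benign. The following detection logic is an added example, not code from Cyphort or the article: it scans constructed firewall connection log lines and flags any host that is not an approved mail relay yet opens SMTP submission connections, deliberately without exempting Gmail. The log format, IP addresses and the relay inventory are assumptions for illustration.

```python
"""Flag workstation-originated SMTP traffic, the exfiltration channel
Cyphort describes for the NightHunter keyloggers.

All hosts, addresses and the log layout below are constructed for this
example; adapt MAIL_RELAYS and LINE_RE to the real environment."""
import re
from collections import Counter, defaultdict

# Hosts that are legitimately allowed to speak SMTP outbound (assumed inventory).
MAIL_RELAYS = {"10.0.0.25"}
# Submission and relay ports; note that webmail providers are NOT allowlisted.
SMTP_PORTS = {25, 465, 587}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[\d.]+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) action=(?P<action>\w+)$"
)

# Constructed firewall log: one outbound flow per line (not from the article).
SAMPLE_LOG = """\
2014-07-10T09:01:02Z src=10.0.0.25 dst=smtp.example-isp.net dport=25 action=allow
2014-07-10T09:02:11Z src=10.0.1.17 dst=smtp.gmail.com dport=587 action=allow
2014-07-10T09:02:40Z src=10.0.1.17 dst=www.google.com dport=443 action=allow
2014-07-10T09:07:15Z src=10.0.1.17 dst=smtp.gmail.com dport=587 action=allow
2014-07-10T09:12:19Z src=10.0.1.17 dst=smtp.gmail.com dport=587 action=allow
2014-07-10T09:15:00Z src=10.0.1.42 dst=files.example.com dport=21 action=allow
2014-07-10T09:20:33Z src=10.0.1.42 dst=smtp.gmail.com dport=465 action=allow
"""


def parse(log_text):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            event = m.groupdict()
            event["dport"] = int(event["dport"])
            yield event


def find_smtp_exfil(log_text, min_hits=1):
    """Return {src_ip: {dst_host: count}} for non-relay hosts that opened
    at least min_hits SMTP connections. Repeated hits to one webmail
    provider from a workstation are the pattern worth triaging."""
    hits = defaultdict(Counter)
    for ev in parse(log_text):
        if ev["dport"] in SMTP_PORTS and ev["src"] not in MAIL_RELAYS:
            hits[ev["src"]][ev["dst"]] += 1
    return {src: dict(c) for src, c in hits.items() if sum(c.values()) >= min_hits}
```

Raising `min_hits` trades a few missed one-off sends for fewer false positives from hosts that legitimately submit mail directly.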


“The reason for the larger number of samples using Gmail is probably (or likely) due to the popularity of Gmail and because most security products somehow ‘whitelist’ Google/Gmail traffic/activity, making it easy to hide this email in the volume of emails sent out to Gmail,” Cyphort researcher McEnroe Navaraj wrote in a blog post. “Another possible reason is that Gmail imposes a lot of restrictions, such as how many emails a particular account can send on a particular day, requiring actors to keep sending new malware with new accounts.”

“NightHunter is one of the more unique campaigns we have researched at Cyphort due to the footprint and complex data collection models it exhibits; furthermore, the use of low-signal evasion it is leveraging, such as webmail for data exfiltration, points to a much larger end-goal,” Navaraj explained. “This points to the shifting ‘Tradecraft’ being adopted by actors leveraging BigData models to mine more interesting and strategically suitable data, whether it being for direct and targeted attacks or providing highly actionable content to other actors for economic benefits.”

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
