Security Experts:

Connect with us

Hi, what are you looking for?



Business Users Targeted by HawkEye Keylogger Malware

HawkEye keylogger campaigns observed in April and May 2019 focused on targeting business users, IBM X-Force security researchers say. 

HawkEye keylogger campaigns observed in April and May 2019 focused on targeting business users, IBM X-Force security researchers say. 

Under active development since at least 2013, the HawkEye keylogger has been marketed on dark web forums for the past few years for its ability to steal and exfiltrate sensitive information from various applications. 

HawkEye Reborn v9, the latest variant of the malware, has been around for the past several months, being advertised as an “Advance Monitoring Solution.” The malware was sold to a new owner in December 2018 and is available under a licensing model, with updates promised for specific periods of time. 

In addition to stealing sensitive information, HawkEye can download additional malware onto the infected machines, which allows its operators to take advantage of the created botnets for additional monetization. 

Campaigns observed in April 2019 were targeting industries such as transportation and logistics, healthcare, import and export, marketing, agriculture, and others, IBM reports

The keylogger is being distributed via malicious spam emails, now with a clear focus on business users, likely in an attempt to make higher profits, compared to attacking individual users. 

“Businesses have more data, many users on the same network and larger bank accounts that criminals prey on. X-Force is not surprised to see HawkEye operators follow the trend that’s become somewhat of a cybercrime norm,” IBM notes. 

The malicious emails observed in these attacks pose as messages coming from a large bank in Spain (or fake emails from legitimate companies or from other banks), while the infection process leverages various executable files that use malicious PowerShell scripts. 

IBM noticed that, while the targeted users are located all around the world, the IP addresses originating the malspam came from Estonia in this campaign. However, these details change with every campaign, especially given that HawkEye can be operated by various actors, since it is a commercial offering. 

“A few campaigns X-Force analyzed in April and May 2019 show that the infrastructure the malspam came from is hosted on similar assets. It is possible that HawkEye operators further pay for other services from the malware’s vendor, or from another cybercrime vendor serving up spamming campaigns,” IBM concluded. 

Related: New Variant of HawkEye Stealer Emerges

Related: Nigerian Hackers Attempt to Steal Millions From Shipping Firms

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


A new study by McAfee and the Center for Strategic and International Studies (CSIS) named a staggering figure as the true annual cost of...


The FBI dismantled the network of the prolific Hive ransomware gang and seized infrastructure in Los Angeles that was used for the operation.

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.


Video games developer Riot Games says source code was stolen from its development environment in a ransomware attack


CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.


Chinese threat actor DragonSpark has been using the SparkRAT open source backdoor in attacks targeting East Asian organizations.