New Variant of HawkEye Stealer Emerges

A new variant of HawkEye, a piece of malware used for keylogging and data theft, is being leveraged in ongoing malware distribution campaigns, Cisco’s Talos security researchers warn.

A malware kit marketed on underground forums for the past several years, HawkEye has been under active development since at least 2013. Its main purpose is to steal and exfiltrate sensitive information from applications.

In December 2018, the malware’s owner changed and a new variant emerged on hacking forums, namely HawkEye Reborn v9. Marketed as an “Advance Monitoring Solution,” the threat is being sold through a licensing model and buyers are promised access to updates for specific periods of time.

A Terms of Service agreement is also provided, prohibiting buyers from using the software on systems without permission and from scanning its executables using antivirus programs, most likely in an attempt to prevent detection.

“Following these changes, the new developer of HawkEye Reborn has continued to make changes and we expect this to continue as long as the developer can monetize their efforts,” Talos notes.

Starting in the second half of 2018 and continuing into 2019, the HawkEye Reborn keylogger/stealer was observed in ongoing malicious email campaigns. Purporting to deliver invoices, bills of materials, order confirmations, and similar business documents, the emails attempt to trick users into executing the malware.

The attackers employed malicious Microsoft Excel, RTF and DOC files as attachments for malware delivery. Some of the campaigns would use file-sharing platforms like Dropbox for hosting the documents rather than directly attaching them.

During their investigation, the security researchers discovered that the documents had similarities with previously analyzed Remcos Trojan attacks, including matching metadata and deliberately blurred document content designed to trick the user into enabling content.

Many of the servers hosting HawkEye are used to host other malicious binaries as well, and many contain open directory listings revealing they are used to deliver additional stealers, RATs, and other malware.

The delivery documents attempt to exploit Office vulnerabilities such as CVE-2017-11882 to drop a heavily obfuscated payload. The keylogger also packs anti-analysis features and can disable certain anti-virus programs.

The malware attempts to exfiltrate information such as machine name, username, privileges, country, IP address, MAC address, BIOS, operating system, hardware data, installed browsers, antivirus products, and firewalls.

The malware also steals passwords from browsers, FileZilla, Beyluxe Messenger, CoreFTP, and the video game Minecraft. The information is sent to the attacker’s email address, Talos discovered.

The threat uses MailPassView and WebBrowserPassView freeware tools from Nirsoft to steal web and email passwords.
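As an added illustration of how a defender might turn the tradecraft described above (an Office document dropping a payload via CVE-2017-11882, Nirsoft password-recovery tools, and exfiltration over email) into simple host-telemetry checks, the following Python runs three rules over constructed key=value process and network events. It is not Talos's or SecurityWeek's code; the event format, the sample paths, and the Nirsoft executable names are assumptions.

```python
import re

# Constructed event vocabulary (assumptions, not taken from the Talos report).
OFFICE_APPS = {"winword.exe", "excel.exe"}
# CVE-2017-11882 is the Office Equation Editor flaw, so Office launching
# eqnedt32.exe is the classic telltale; the scripting hosts cover other droppers.
DROPPER_CHILDREN = {"eqnedt32.exe", "cmd.exe", "powershell.exe", "mshta.exe"}
NIRSOFT_TOOLS = {"mailpv.exe", "webbrowserpassview.exe"}  # assumed file names
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}
MAIL_PORTS = {25, 465, 587}
EVENT_RE = re.compile(r"(\w+)=(\S+)")

def parse_event(line):
    """Turn a 'key=value key=value' line into a dict of lower-cased values."""
    return {k.lower(): v.lower() for k, v in EVENT_RE.findall(line)}

def basename(path):
    return path.rsplit("\\", 1)[-1]

def classify(event):
    """Label one event with a HawkEye-style finding, or None if it looks benign."""
    image = basename(event.get("image", ""))
    if event.get("type") == "process":
        parent = basename(event.get("parent", ""))
        if parent in OFFICE_APPS and image in DROPPER_CHILDREN:
            return "office_spawned_dropper"     # malicious document stage
        if image in NIRSOFT_TOOLS:
            return "nirsoft_password_tool"      # credential harvesting stage
    elif event.get("type") == "network":
        if int(event.get("dstport", 0)) in MAIL_PORTS and image not in MAIL_CLIENTS:
            return "smtp_from_non_mail_client"  # exfiltration-by-email stage
    return None

def scan(lines):
    """Return (line_index, label) for every event that trips a rule."""
    findings = []
    for i, line in enumerate(lines):
        label = classify(parse_event(line))
        if label:
            findings.append((i, label))
    return findings

# Constructed sample telemetry; paths kept space-free for the simple parser.
SAMPLE_LOG = [
    r"type=process image=C:\Office\WINWORD.EXE parent=C:\Windows\explorer.exe",
    r"type=process image=C:\Office\EQNEDT32.EXE parent=C:\Office\WINWORD.EXE",
    r"type=process image=C:\Users\bob\AppData\Local\Temp\mailpv.exe parent=C:\Users\bob\AppData\Roaming\svc.exe",
    r"type=network image=C:\Users\bob\AppData\Roaming\svc.exe dstip=203.0.113.10 dstport=587",
    r"type=network image=C:\Office\OUTLOOK.EXE dstip=203.0.113.10 dstport=587",
]
```

Run against the sample, `scan(SAMPLE_LOG)` flags events 1, 2 and 3 and leaves the legitimate Word launch and the Outlook SMTP session alone; in production the same three rules would be fed from Sysmon or EDR process-creation and network-connection events rather than constructed lines.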

“Recent changes in both the ownership and development efforts of the HawkEye Reborn keylogger/stealer demonstrate that this is a threat that will continue to experience ongoing development and improvement moving forward,” Talos concludes.

Related: Report Shows Increase in Email Attacks Using .com File Extensions

Related: Nigerian Hackers Attempt to Steal Millions From Shipping Firms

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
