
Proofpoint: Watch Out for Nighthawk Hacking Tool Abuse

Security researchers at Proofpoint are calling attention to the discovery of a commercial red-teaming tool called Nighthawk, warning that the command-and-control framework is likely to be abused by threat actors.

According to a new report from Proofpoint, Nighthawk is an advanced C2 framework sold by MDSec, a European outfit that sells adversary simulation and penetration testing tools and services.

“Nighthawk is at its core a commercially distributed remote access trojan (RAT) that is similar to other frameworks such as Brute Ratel and Cobalt Strike. Like those, Nighthawk could see rapid adoption by threat actors wanting to diversify their methods and add a relatively unknown framework to their arsenal,” Proofpoint said.

The discovery of Nighthawk comes just days after Google published open-source YARA rules and other IOCs to help defenders detect cracked versions of Cobalt Strike that regularly appear in malware toolkits.

In the report, Proofpoint’s security team said it noticed initial use of the Nighthawk framework in September 2022 and attributed it to a legitimate red team operation.

The company said it did not see any indication that leaked versions of Nighthawk are being used by attributed threat actors in the wild, but it recommended that security response pros start looking for signs of Nighthawk in the wild.

“Proofpoint researchers expect Nighthawk will show up in threat actor campaigns as the tool becomes more widely recognized or as threat actors search for new, more capable tools to use against targets,” the company said.

The report documents the continued abuse of red team and penetration testing platforms by malicious actors. In the last two years, Proofpoint said it observed a 161% increase in malicious abuse of Cobalt Strike and quickfire adoption of Bishop Fox’s Sliver, an open-source, cross-platform adversary simulation and red team platform. 

Proofpoint pointed to the Sliver release and abuse timeline to underscore the point. “Sliver was first released in 2019 and by December 2020 had been incorporated into threat actors’ tactics, techniques, and procedures — a timeline which could possibly occur with Nighthawk in the future,” Proofpoint noted.

“By late 2021, Proofpoint had identified an initial access facilitator for ransomware threat actors using Sliver. And, as recently as summer 2022, other security researchers have noted a range of threat actors of varying skills, resources, and motivations integrating it as well as Brute Ratel, another red teaming and adversarial attack simulation tool, into their campaigns,” the company added.

MDSec, the British company that markets Nighthawk, issued a statement to detail a “layered mix of soft and technical controls” it uses to mitigate the risk of malicious hacker abuse.  

“MDSec does not offer self hosted trials of Nighthawk. Instead, on the rare occasions that the vetted prospective customers insist on a hands-on evaluation of the product in advance of purchase, we offer them access to an isolated MDSec hosted lab environment containing the product where a number of technical controls have been put in place to limit both accidental and intentional exposure of the product,” the company said.

Prior to access to this environment, MDSec said prospective customers must sign a mutual non-disclosure agreement and agree to several conditions that prohibit the product or its artifacts being extracted from the lab or reverse engineered within it.

“Once the vetting process is complete and the purchase is agreed, access to the product and its updates is distributed via user accounts on a multi-factor authentication protected portal. We explicitly do not provide downloads through API key or simple online forms where the download cannot be attributed to an individual.”

“While we acknowledge that this approach does create additional inconvenience for the customer, our belief is that it does provide additional confidence that the downloader is who we expect and that an API key hasn’t been accidentally leaked or shared,” MDSec added.

Despite these assurances, Proofpoint said it would be “incorrect and dangerous to assume that this tool will never be appropriated by threat actors with a variety of intents and purposes.” 

“Nighthawk is a mature and advanced commercial C2 framework for lawful red team operations that is specifically built for detection evasion, and it does this well. Historic adoption of [legitimate hacking] tools by advanced adversaries, including those aligned with state interests and engaging in espionage, provides a template for possible future threat landscape developments,” Proofpoint said.

The company called on detection vendors to ensure proper coverage of Nighthawk, as cracked versions of effective and flexible post-exploitation frameworks are likely to appear in threat actor toolkits.

Written By

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.
