Key points
- HawkEye (PredatorPain) began circulating around 2008 and became widely used in spearphishing campaigns from 2013 onward.
- The tool started as a keylogger but now includes stealer functionality (credential, wallet, and screenshot theft, and system info collection).
- Delivery vectors include spearphishing attachments, disguised “free” software or cracks, and compromised public-facing websites.
- HawkEye deploys a multi-stage execution: drop copies to temporary/AppData paths, extract binaries from resources/memory, then inject into processes (e.g., vbc.exe) to run in-memory payloads.
- Persistence mechanisms observed include registry Run keys and scheduled tasks, often repeated across loader → injector → payload phases.
- Obfuscation and resource-based PE extraction (XOR+Poly) are used to hide payloads; the injector performs process hollowing and self-deletion to evade detection.
- The malware is widely available on underground markets and in cracked forms, enabling use by varied actors from criminals to script kiddies.
MITRE Techniques
- [T1566.001] Spearphishing – Used as the primary initial-access vector: ‘primarily involved in spearphishing campaigns, where attackers devised convincing scenarios to trick victims into downloading the malicious file.’
- [T1204] User Execution – Relies on user interaction to run malicious attachments: ‘relies on user interaction to execute malicious files.’
- [T1190] Exploitation of Public-Facing Application – Abuses company-accessed portals to gain access: ‘It has also been used to target websites of portals typically accessed by companies.’
- [T1071] Application Layer Protocol – Sends collected data to C2 servers over application protocols: ‘in memory, it gathers all possible data and sends it to a C&C.’
- [T1053] Scheduled Task/Job – Establishes persistence using scheduled tasks: ‘schtasks.exe /Create /TN “<Path><TaskName>” /XML “<File>”’
- [T1547.001] Registry Run Keys / Startup Folder – Writes Run keys to persist across reboots: ‘(Registry) HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run’ and ‘Modifies registry keys to ensure malware runs at startup.’
- [T1055] Process Injection – Injects payloads into legitimate processes (e.g., vbc.exe) to evade detection: ‘it generally consists of an executable that drops others … then injects code into one of them or into a .NET-related software.’
- [T1036] Masquerading – Uses deceptive filenames and icons to appear legitimate: ‘they often try to have an icon that makes the victim think it’s a legitimate program.’
- [T1564.001] Hidden Files and Directories – Drops and runs copies in hidden mode: ‘some versions launch them in hidden mode, so you can’t see them unless you’ve enabled the “View hidden files” function.’
- [T1027] Obfuscated Files or Information – Uses obfuscators on .NET samples (Confuser, Eaz, Reactor): ‘samples in .NET, sometimes obfuscated with tools like Confuser, Eaz, Reactor.’
- [T1140] Deobfuscate/Decode Files or Information – Extracts and decodes binaries from resources (XOR+Poly) to reveal PE files in memory: ‘Within these resources, we see two distinct types of code… To achieve this, it uses XOR + Poly, and at the end of the process, it extracts a Portable Executable.’
- [T1112] Modify Registry – Performs registry modifications as part of persistence and checks: ‘it obfuscates a string and then decodes it to introduce, in this case, one of the binaries launched earlier.’
- [T1562] Impair Defenses – Detects analysis tools and security software and avoids them: ‘Analysis tools detection (Dbg, traffic, etc.)’ and ‘Security software detection.’
- [T1497] Virtualization/Sandbox Evasion – Contains checks for analysis/sandboxing to avoid detection: ‘This is an interesting technique to detect analysis tools or to determine if the process is already running.’
- [T1555] Credentials from Password Stores – Steals credentials from browsers and third-party stores: ‘(Registry/Path query) Web Data | login data | Accounts | Profiles …’
- [T1552] Unsecured Credentials – Collects stored credentials from various locations (mail, FTP, browsers): ‘Credential theft (Mail, FTP, browsers, video games, etc.)’
- [T1087] Account Discovery – Gathers account information on the system as part of reconnaissance: ‘Account Discovery’ listed among TTPs and modules.
- [T1518.001] Security Software Discovery – Enumerates security products to avoid or disable them: ‘Security software detection’ and listed T1518.001.
- [T1033] System Owner/User Discovery – Queries user/owner info to profile the victim environment: ‘System Owner/User Discovery’ appears in the TTP list.
- [T1012] Query Registry – Reads registry keys to find credentials and system configuration: ‘Queries to browser paths or third-party software to obtain user account information’ and registry queries listed.
- [T1016] System Network Configuration Discovery – Collects network configuration to inform exfiltration/C2 choices: ‘System Network Configuration Discovery’ in TTPs.
- [T1518] Software Discovery – Enumerates installed software to identify targets and avoid tools: ‘Software Discovery’ in TTPs.
- [T1082] System Information Discovery – Collects OS, hardware, network info: ‘System information gathering (OS, HW, Network)’.
- [T1005] Data from Local System – Reads local files and browser stores to collect data: ‘Data from Local System’ and examples like Web Data/login data listed.
- [T1560] Archive Collected Data – Stages and possibly archives stolen data for exfiltration: ‘Local Data Staging’ and ‘Save stolen info on txt files’.
- [T1114] Email Collection – Harvests mail data from local clients/paths: ‘Email Collection’ and modules listing mail theft.
- [T1115] Clipboard Data – Captures clipboard contents for credential/token theft: ‘Clipboard Data’ listed among capabilities.
- [T1113] Screen Capture – Captures screenshots to record user activity: ‘Saving screenshots of the victim’s screen’ and ‘screenshot\d{1}.jpeg’.
- [T1105] Ingress Tool Transfer – Downloads additional components or uses loaders to fetch payloads: ‘This could function as a downloader for other malware’ and ‘Ingress Tool Transfer’ listed.
- [T1571] Non-Standard Port – Uses non-standard ports for C2/data exfiltration (listed in TTPs): ‘Non-Standard Port’ appears in TTPs.
- [T1583.008] Malvertising – Uses compromised/advertising vectors to distribute payloads (listed): ‘Malvertising’ is included in the TTPs list.
Indicators of Compromise
- [File hashes] Sample hashes observed in IOCs – 60fabd1a2509b59831876d5e2aa71a6b, defc51f31f6c4fa89cc6a39a62d8a08f, and 12 more hashes.
- [IP addresses] C2 or infrastructure examples – 66[.]147[.]236[.]46, 204[.]141[.]42[.]56, 129[.]204[.]194[.]84.
- [File paths] Dropped/duplicated locations used for persistence and execution – C:\Users\<user>\AppData\Local\Temp\*.exe, C:\Users\<user>\AppData\Roaming\Microsoft\Windows\Templates\*.exe (used to write and execute copies).
- [Filenames] Staged or saved artifacts – ‘screenshot\d{1}.jpeg’ (saved screenshots), ‘holdermail.txt’ (example of stolen info saved via vbc.exe /stext).
HawkEye (PredatorPain) has been active for over a decade and has morphed from a straightforward keylogger into a configurable stealer/builder that attackers deploy in multi-stage campaigns. Analysts observed a consistent pattern: initial social-engineering or web-based delivery, multiple copies dropped to temporary and roaming paths, extraction of additional binaries from resources or memory (using XOR+Poly decoding), and in-memory process injection (often into vbc.exe) to run the final payload while the on-disk artifacts self-delete or masquerade.
The toolkit’s builder lets operators pick modules (keylogging, credential and wallet theft, screenshot capture, security-tool checks, persistence via registry or scheduled tasks, and various exfiltration channels), which explains the large variety in observed samples. Obfuscation, resource-based PE extraction, repeated persistence checks (loader → injector → payload), and sandbox-evasion checks make detection and analysis more difficult, while cracked distribution channels broaden who can use the malware.
Because HawkEye is sold, cracked, and paired with other loaders or RATs (examples include Remcos and Pony in observed campaigns), defenders should monitor writes to AppData/Temp paths, suspicious scheduled-task creation, registry Run entries, process-injection behavior (e.g., vbc.exe launching injected code), and known hashes/IPs listed above. Blocking those IOCs and enhancing detection around resource extraction, deobfuscation patterns (XOR+Poly), and hidden-file duplication can help identify and disrupt infections early.
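The monitoring advice above can be turned into concrete detection logic. The following Python is an added example, not code from the original analysis or from ANY.RUN: it runs four rules over constructed Sysmon-style events (FileCreate, ProcessCreate, RegistryEvent SetValue) that model the behaviours listed on this page: an executable written under AppData\Local\Temp or AppData\Roaming, schtasks.exe /Create launched by a process living in one of those paths, a Run value whose data points at such a path, and vbc.exe started from a Temp/Roaming parent or with the /stext dump switch. The event field names and the sample events are assumptions made for the example; process hollowing itself is not visible in these fields, so the vbc.exe rule keys on the parent process and command line instead.

```python
import re

# User-writable drop locations named on the page (AppData\Local\Temp and
# AppData\Roaming\...); the trailing backslash lets subfolders such as
# Microsoft\Windows\Templates match too.
USER_WRITABLE = re.compile(r"\\AppData\\(?:Local\\Temp|Roaming)\\", re.IGNORECASE)
# HKCU/HKU Run key used for persistence.
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.IGNORECASE)


def exe_dropped_in_user_dir(ev):
    """Sysmon 11 (FileCreate): an .exe written under Temp or Roaming."""
    return (ev["id"] == 11
            and ev["target"].lower().endswith(".exe")
            and bool(USER_WRITABLE.search(ev["target"])))


def schtasks_create_from_user_dir(ev):
    """Sysmon 1 (ProcessCreate): schtasks.exe /Create whose parent lives in a user-writable path."""
    return (ev["id"] == 1
            and ev["image"].lower().endswith("\\schtasks.exe")
            and "/create" in ev.get("cmdline", "").lower()
            and bool(USER_WRITABLE.search(ev.get("parent", ""))))


def run_key_points_to_user_dir(ev):
    """Sysmon 13 (RegistryEvent SetValue): Run value whose data is a Temp/Roaming executable."""
    return (ev["id"] == 13
            and bool(RUN_KEY.search(ev["target"]))
            and bool(USER_WRITABLE.search(ev.get("details", ""))))


def vbc_launched_from_user_dir(ev):
    """Sysmon 1: vbc.exe started by a Temp/Roaming parent, or carrying the /stext switch
    that the page associates with dumping stolen data (e.g. holdermail.txt)."""
    if ev["id"] != 1 or not ev["image"].lower().endswith("\\vbc.exe"):
        return False
    parent_suspicious = bool(USER_WRITABLE.search(ev.get("parent", "")))
    return parent_suspicious or "/stext" in ev.get("cmdline", "").lower()


RULES = {
    "exe_dropped_in_user_dir": exe_dropped_in_user_dir,
    "schtasks_create_from_user_dir": schtasks_create_from_user_dir,
    "run_key_points_to_user_dir": run_key_points_to_user_dir,
    "vbc_launched_from_user_dir": vbc_launched_from_user_dir,
}


def evaluate(events):
    """Return (event index, rule name) pairs for every event that matches a rule."""
    hits = []
    for idx, ev in enumerate(events):
        for name, rule in RULES.items():
            if rule(ev):
                hits.append((idx, name))
    return hits


# Constructed sample events (not real telemetry). The first four follow the
# loader -> persistence -> injector chain described above; the last two are benign
# developer/installer activity that the rules must not flag.
EVENTS = [
    {"id": 11, "image": r"C:\Users\alice\Downloads\invoice.exe",
     "target": r"C:\Users\alice\AppData\Local\Temp\svchost32.exe"},
    {"id": 1, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks.exe /Create /TN "\Updater\Task" /XML "C:\Users\alice\AppData\Local\Temp\t.xml"',
     "parent": r"C:\Users\alice\AppData\Local\Temp\svchost32.exe"},
    {"id": 13, "image": r"C:\Users\alice\AppData\Local\Temp\svchost32.exe",
     "target": r"HKU\S-1-5-21-1111-2222-3333-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater",
     "details": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Templates\updater.exe"},
    {"id": 1, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe",
     "cmdline": r"vbc.exe /stext C:\Users\alice\AppData\Local\Temp\holdermail.txt",
     "parent": r"C:\Users\alice\AppData\Local\Temp\svchost32.exe"},
    {"id": 1, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe",
     "cmdline": "vbc.exe /target:library app.vb",
     "parent": r"C:\Program Files\dotnet\MSBuild.exe"},
    {"id": 11, "image": r"C:\Program Files\Installer\setup.exe",
     "target": r"C:\Program Files\App\app.exe"},
]

if __name__ == "__main__":
    for idx, name in evaluate(EVENTS):
        print(f"event {idx}: {name}")
```

Each rule on its own will produce some benign hits in a real environment (installers write to Temp, Visual Studio invokes vbc.exe), so in practice these are best correlated on the same host within a short window: a Temp/Roaming drop followed by a Run key or scheduled task pointing at it and then a vbc.exe child of that dropped file is the chain this page describes.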
Read more: https://any.run/cybersecurity-blog/cybersecurity-blog/hawkeye-malware-technical-analysis/