HawkEye Malware: A Technical Analysis – ANY.RUN Cybersecurity Blog

HawkEye (also called PredatorPain) is a long-running keylogger that has grown into a multifunctional stealer used to harvest credentials, capture screenshots, and exfiltrate local data. It is distributed via spearphishing, disguised installers, and compromised sites, often persisting through registry keys and scheduled tasks.

Key Points

  • HawkEye began as a keylogger but now includes stealer-like features such as credential theft and screenshot capture.
  • The malware has been active since at least 2008 and spread widely via spearphishing campaigns.
  • It has been sold on dark web marketplaces for modest prices ($20–$50) and is also available as cracked/free variants.
  • Delivery vectors include spearphishing emails, malicious attachments, disguised installers, and compromised websites.
  • Common installation locations are AppData\Local\Temp and AppData\Roaming, with persistence via registry run keys and scheduled tasks.
  • HawkEye is modular and customizable through builders, and is frequently used alongside other loaders and malware families.

MITRE Techniques

  • [T1566.001] Spear Phishing – Uses targeted spearphishing emails to deliver the malware. (‘Utilizes spearphishing emails to deliver malware to victims.’)
  • [T1204] User Execution – Relies on victim interaction to run malicious files delivered by attackers. (‘Victims execute the malware by opening malicious files.’)
  • [T1053] Scheduled Task/Job – Creates scheduled tasks to maintain persistence across reboots. (‘Establishes persistence through scheduled tasks.’)
  • [T1547.001] Registry Run Keys / Startup Folder – Adds registry run keys so the malware starts automatically. (‘Uses registry keys to maintain persistence on system startup.’)
  • [T1055] Process Injection – Injects code into legitimate processes such as vbc.exe to hide execution. (‘Injects malicious code into legitimate processes like vbc.exe.’)
  • [T1005] Data from Local System – Collects files and system data from the infected host for exfiltration. (‘Collects and exfiltrates data from the compromised system.’)
  • [T1113] Screen Capture – Takes screenshots of the victim’s desktop to capture sensitive information. (‘Captures screenshots of the victim’s screen.’)
  • [T1555] Credential Dumping – Harvests credentials by querying browser paths and third-party application stores. (‘Queries browser paths and third-party software to obtain user credentials.’)
  • [T1027] Obfuscated Files or Information – Uses obfuscation to hide malicious payloads and evade inspection. (‘Uses obfuscation techniques to hide malicious code.’)
  • [T1497] Virtualization/Sandbox Evasion – Implements checks to avoid analysis in virtualized or sandboxed environments. (‘Implements techniques to evade detection by analysis tools.’)

Indicators of Compromise

  • [File Hash] sample malicious binaries – 60fabd1a2509b59831876d5e2aa71a6b, defc51f31f6c4fa89cc6a39a62d8a08f, and 8 other hashes
  • [IP Address] C2 or hosting infrastructure – 66.147.236.46, 204.141.42.56, and 1 more IP address
  • [File Path] common drop/persistence locations – AppData\Local\Temp, AppData\Roaming

HawkEye started as a straightforward keylogger but has steadily been extended into a feature-rich stealer. Over more than a decade of activity, operators added capabilities like credential harvesting, screenshot capture, and local data collection, turning it into a flexible tool used by both skilled criminals and lower-tier actors who buy or use cracked versions.

Distribution relies heavily on social engineering: spearphishing emails, malicious attachments, and fake installers leading victims to execute the payload. Once run, HawkEye commonly drops components into AppData paths, injects into legitimate processes (for example vbc.exe), and establishes persistence via registry run keys and scheduled tasks to survive reboots.
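The three post-execution behaviours above (drop into AppData, inject into vbc.exe, persist via a Run key or scheduled task) can be turned into simple host-telemetry detections. The following is an added example, not code from the ANY.RUN article: it runs three rules over constructed, Sysmon-like process and registry events (the file names, key names and event field names are assumptions, not indicators from the page) and tags each hit with the MITRE ID the article lists for that behaviour.

```python
import re

# Constructed sample telemetry (not real logs). Field names loosely follow
# Sysmon's process-create / registry-set events; paths and names are made up.
SAMPLE_EVENTS = [
    {"type": "registry_set",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "value": r"C:\Users\u\AppData\Roaming\svchost32.exe"},
    {"type": "process_create",
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe",
     "parent_image": r"C:\Users\u\AppData\Local\Temp\invoice.exe"},
    {"type": "process_create",
     "image": r"C:\Windows\System32\schtasks.exe",
     "parent_image": r"C:\Users\u\AppData\Local\Temp\invoice.exe",
     "cmdline": r'schtasks /create /sc onlogon /tn Updater /tr "C:\Users\u\AppData\Roaming\svchost32.exe"'},
    {"type": "process_create",  # benign: vbc.exe launched by a normal build tool
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe",
     "parent_image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"},
]

# The two drop locations named in the article, as a path fragment
APPDATA_RE = re.compile(r"\\AppData\\(Local\\Temp|Roaming)\\", re.IGNORECASE)
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)


def detect(events):
    """Return (technique_id, description, evidence) for each suspicious event."""
    findings = []
    for e in events:
        kind = e.get("type")
        if kind == "registry_set":
            # Run key whose target lives in one of the HawkEye drop folders
            if RUN_KEY_RE.search(e["key"]) and APPDATA_RE.search(e["value"]):
                findings.append(("T1547.001", "Run key points into AppData drop path", e["value"]))
        elif kind == "process_create":
            image = e["image"].lower()
            parent = e.get("parent_image", "")
            cmdline = e.get("cmdline", "")
            # vbc.exe is the injection target the article names; flag it only when
            # its parent is an AppData-resident binary rather than a build tool
            if image.endswith("\\vbc.exe") and APPDATA_RE.search(parent):
                findings.append(("T1055", "vbc.exe spawned by AppData-resident parent", parent))
            # Scheduled task whose action runs a binary from the drop folders
            if image.endswith("\\schtasks.exe") and "/create" in cmdline.lower() \
                    and APPDATA_RE.search(cmdline):
                findings.append(("T1053", "scheduled task runs binary from AppData", cmdline))
    return findings


if __name__ == "__main__":
    for technique, why, evidence in detect(SAMPLE_EVENTS):
        print(f"[{technique}] {why}: {evidence}")
```

The benign MSBuild-spawned vbc.exe event is deliberately included to show that the parent-path condition, not the vbc.exe name alone, is what makes the T1055 rule useful.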

The malware’s modular builders let operators enable or disable features, which—combined with obfuscation and sandbox-evasion checks—helps it avoid detection and analysis. It is frequently paired with loaders and other malware families, and a range of file hashes and IP addresses have been tied to recent samples and infrastructure activity.
