Skip to content
Malware family

HawkEye

HawkEye, also known as PredatorPain or Predator Pain, is a long-running commercially sold malware family commonly categorized as a keylogger but also functioning as an information stealer, downloader, and versatile Trojan.

Profile source: Mallory opens in a new tab

HawkEye

Family profile

HawkEye, also known as PredatorPain or Predator Pain, is a long-running commercially sold malware family commonly categorized as a keylogger but also functioning as an information stealer, downloader, and versatile Trojan. The content states it has been active since at least 2008 and was widely sold on hacking forums, dark web markets, and public-facing websites, with reported pricing in the $20–$50 range; cracked versions also circulated. It gained popularity from at least 2013, including through spear-phishing campaigns, and has remained in active use, including COVID-19-themed phishing activity.

HawkEye has primarily been delivered through spear-phishing, including malicious attachments, compressed files, malicious documents, and campaigns using embedded OLE objects; it has also been spread via trojanized or fake free software and by other malware acting as loaders. The malware has been observed infecting organizations across many sectors globally and has been used in business email compromise, phishing, and spam operations. The content also notes use by diverse actors and references historical associations including GOLD GALLEON and a campaign by the Chinese APT group SixLittleMonkeys, though in that case HawkEye is described as a RAT used as a last-stage payload.

Technically, many HawkEye samples are .NET binaries and may be obfuscated with Confuser, Eaz, or Reactor. Samples may copy themselves into locations such as AppData\\Local\\Temp, AppData\\Roaming, AppData\\Roaming\\Microsoft\\Windows\\Templates, AppData\\Local\\Temp\\System, and the user Music folder, often using variable filenames and sometimes hidden attributes. HawkEye establishes persistence via HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run and in some cases scheduled tasks created with schtasks.exe. It can extract embedded PE components from resources using XOR plus Poly deobfuscation, yielding an injector and payload, and has been observed using self-deletion, process hollowing, and injection into vbc.exe or another temporary-path process.

Its capabilities include keylogging, clipboard theft, screenshot capture, system, hardware, network, and security software discovery, and theft of credentials and stored data from browsers, email clients, FTP software, and other applications. The content specifically cites HawkEye as associated with browser credential theft affecting browsers such as Firefox, Safari, and Edge. It can also steal form data, cryptocurrency wallet data, and locally stage stolen information before exfiltrating it over FTP, HTTP, or SMTP. The content also attributes self-spreading capability to HawkEye.

Reported indicators in the content include MD5 60fabd1a2509b59831876d5e2aa71a6b and IP addresses 66.147.236[.]46, 204.141.42[.]56, and 129.204.194[.]84.

Reported operators

Threat actors

5 named in public reporting
GOLD GALLEON

HawkEye, also known as PredatorPain (Predator Pain), is a malware categorized as a keylogger, but over the years, it has adopted new functionalities that align it with the capabilities of other tools like stealers.

GOLD SKYLINE

HawkEye, also known as PredatorPain (Predator Pain), is a malware categorized as a keylogger, but over the years, it has adopted new functionalities that align it with the capabilities of other tools like stealers.

Mikroceen

HawkEye, also known as PredatorPain (Predator Pain), is a malware categorized as a keylogger, but over the years, it has adopted new functionalities that align it with the capabilities of other tools like stealers.

Get Rich or Die

HawkEye, also known as PredatorPain (Predator Pain), is a malware categorized as a keylogger, but over the years, it has adopted new functionalities that align it with the capabilities of other tools like stealers.

Uche y Okiki

HawkEye, also known as PredatorPain (Predator Pain), is a malware categorized as a keylogger, but over the years, it has adopted new functionalities that align it with the capabilities of other tools like stealers.

MITRE ATT&CK

HawkEye in ATT&CK

36 distinct techniques

Reporting

Research mentioning HawkEye

Jun 3
Huntress

Infostealers Crash Course: A Tradecraft Tuesday Recap | Huntress

In 2011, the source code of Zeus leaked, leading to the rapid expansion of infostealers like AZORult and HawkEye across the threat landscape.

Nov 13
Rexorvc0

HawkEye | PredatorPain | RexorVc0

HawkEye, also known as PredatorPain (Predator Pain), is a malware categorized as a keylogger, but over the years, it has adopted new functionalities that align it with the capabilities of other tools like stealers.

Mar 25
Mandiant Threat Intelligence

HawkEye Credential Theft Malware Distributed in Recent Phishing Campaign | Mandiant | Google Cloud Blog

HawkEye is a versatile Trojan used by diverse actors for multiple purposes... offers a variety of functions for stealing stored data, grabbing form data, self-spreading... stealing user credentials for diverse online services.

Mar 19
Ncc Group Research

Threat Actors: exploiting the pandemic

Notable examples include ... information stealers (LokiBot, Formbook, AZORult, HawkEye)...

Dec 24
Bleeping Computer

Emotet Reigns in Sandbox's Top Malware Threats of 2019

Another keylogger, HawkEye has been in the game since at least 2013, sold by the developer on hacking forums and dark web markets.

Aug 1
Securelist

APT trends report Q2 2019

We found an active campaign by a Chinese APT group we call SixLittleMonkeys that uses a new version of the Microcin Trojan and a RAT that we call HawkEye as a last stager.

Mar 14
Tidal Cyber

Tidal Cyber - Inception Framework: Alive and Well, and Hiding Behind Proxies

Adversaries have executed similar procedures for common web browsers such as FireFox, Safari, Edge, etc. [FireEye HawkEye Malware July 2017 [[URL_a8db2ded_30]]]

We appreciate you

Derp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. Thank you, we're genuinely grateful.