HawkEye, also known as PredatorPain (Predator Pain), is a malware categorized as a keylogger, but over the years, it has adopted new functionalities that align it with the capabilities of other tools like stealers.
HawkEye
HawkEye, also known as PredatorPain or Predator Pain, is a long-running commercially sold malware family commonly categorized as a keylogger but also functioning as an information stealer, downloader, and versatile Trojan.
Profile source: Mallory opens in a new tabHawkEye
Family profile
HawkEye, also known as PredatorPain or Predator Pain, is a long-running commercially sold malware family commonly categorized as a keylogger but also functioning as an information stealer, downloader, and versatile Trojan. The content states it has been active since at least 2008 and was widely sold on hacking forums, dark web markets, and public-facing websites, with reported pricing in the $20–$50 range; cracked versions also circulated. It gained popularity from at least 2013, including through spear-phishing campaigns, and has remained in active use, including COVID-19-themed phishing activity.
HawkEye has primarily been delivered through spear-phishing, including malicious attachments, compressed files, malicious documents, and campaigns using embedded OLE objects; it has also been spread via trojanized or fake free software and by other malware acting as loaders. The malware has been observed infecting organizations across many sectors globally and has been used in business email compromise, phishing, and spam operations. The content also notes use by diverse actors and references historical associations including GOLD GALLEON and a campaign by the Chinese APT group SixLittleMonkeys, though in that case HawkEye is described as a RAT used as a last-stage payload.
Technically, many HawkEye samples are .NET binaries and may be obfuscated with Confuser, Eaz, or Reactor. Samples may copy themselves into locations such as AppData\\Local\\Temp, AppData\\Roaming, AppData\\Roaming\\Microsoft\\Windows\\Templates, AppData\\Local\\Temp\\System, and the user Music folder, often using variable filenames and sometimes hidden attributes. HawkEye establishes persistence via HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run and in some cases scheduled tasks created with schtasks.exe. It can extract embedded PE components from resources using XOR plus Poly deobfuscation, yielding an injector and payload, and has been observed using self-deletion, process hollowing, and injection into vbc.exe or another temporary-path process.
Its capabilities include keylogging, clipboard theft, screenshot capture, system, hardware, network, and security software discovery, and theft of credentials and stored data from browsers, email clients, FTP software, and other applications. The content specifically cites HawkEye as associated with browser credential theft affecting browsers such as Firefox, Safari, and Edge. It can also steal form data, cryptocurrency wallet data, and locally stage stolen information before exfiltrating it over FTP, HTTP, or SMTP. The content also attributes self-spreading capability to HawkEye.
Reported indicators in the content include MD5 60fabd1a2509b59831876d5e2aa71a6b and IP addresses 66.147.236[.]46, 204.141.42[.]56, and 129.204.194[.]84.
Reported operators
Threat actors
5 named in public reportingHawkEye, also known as PredatorPain (Predator Pain), is a malware categorized as a keylogger, but over the years, it has adopted new functionalities that align it with the capabilities of other tools like stealers.
HawkEye, also known as PredatorPain (Predator Pain), is a malware categorized as a keylogger, but over the years, it has adopted new functionalities that align it with the capabilities of other tools like stealers.
HawkEye, also known as PredatorPain (Predator Pain), is a malware categorized as a keylogger, but over the years, it has adopted new functionalities that align it with the capabilities of other tools like stealers.
HawkEye, also known as PredatorPain (Predator Pain), is a malware categorized as a keylogger, but over the years, it has adopted new functionalities that align it with the capabilities of other tools like stealers.
MITRE ATT&CK
HawkEye in ATT&CK
36 distinct techniquesTechniques
36 techniquesReporting
Research mentioning HawkEye
Infostealers Crash Course: A Tradecraft Tuesday Recap | Huntress
In 2011, the source code of Zeus leaked, leading to the rapid expansion of infostealers like AZORult and HawkEye across the threat landscape.
HawkEye | PredatorPain | RexorVc0
HawkEye, also known as PredatorPain (Predator Pain), is a malware categorized as a keylogger, but over the years, it has adopted new functionalities that align it with the capabilities of other tools like stealers.
HawkEye Credential Theft Malware Distributed in Recent Phishing Campaign | Mandiant | Google Cloud Blog
HawkEye is a versatile Trojan used by diverse actors for multiple purposes... offers a variety of functions for stealing stored data, grabbing form data, self-spreading... stealing user credentials for diverse online services.
Threat Actors: exploiting the pandemic
Notable examples include ... information stealers (LokiBot, Formbook, AZORult, HawkEye)...
Emotet Reigns in Sandbox's Top Malware Threats of 2019
Another keylogger, HawkEye has been in the game since at least 2013, sold by the developer on hacking forums and dark web markets.
APT trends report Q2 2019
We found an active campaign by a Chinese APT group we call SixLittleMonkeys that uses a new version of the Microcin Trojan and a RAT that we call HawkEye as a last stager.
Tidal Cyber - Inception Framework: Alive and Well, and Hiding Behind Proxies
Adversaries have executed similar procedures for common web browsers such as FireFox, Safari, Edge, etc. [FireEye HawkEye Malware July 2017 [[URL_a8db2ded_30]]]