{
	"id": "24576eea-fa72-480f-bd2e-95fd471d5a00",
	"created_at": "2026-04-06T00:16:52.484112Z",
	"updated_at": "2026-04-10T13:12:55.653221Z",
	"deleted_at": null,
	"sha1_hash": "3578a631069e44b2a83fea1b2b511266f4509354",
	"title": "Hupigon: Adult Dating Scam Targeting Universities | Proofpoint US",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 607872,
	"plain_text": "Hupigon: Adult Dating Scam Targeting Universities | Proofpoint\r\nUS\r\nBy April 23, 2020 Proofpoint Threat Research Team\r\nPublished: 2020-04-23 · Archived: 2026-04-05 19:02:37 UTC\r\nHupigon is a remote access Trojan (RAT) that has been around since at least 2006. Hupigon has been anecdotally\r\nassociated with state-sponsored APT threat actors among others. Proofpoint researchers have recently discovered a\r\nlarge volume Hupigon campaign primarily targeting both faculty and students at United States colleges and\r\nuniversities.\r\nMessages arrive obfuscated as adult dating lures requesting the user to choose between one of two pictures to\r\nconnect with by clicking the link under their picture as shown in Figure 1.\r\nFigure 1 Adult Dating Lure\r\nIf the recipient clicks either link, an executable download begins.\r\nhttps://www.proofpoint.com/us/threat-insight/post/threat-actors-repurpose-hupigon-adult-dating-attacks-targeting-us-universities\r\nPage 1 of 4\n\nFigure 2 Hupigon Download\r\nOnce the recipient runs the file in the download, Hupigon is then installed on their system. In Figure 3 you can see\r\nthe traffic upon clicking the malicious link leading to the download of the compressed executable.\r\nFigure 3 Downloading the Hupigon Executable\r\nFigure 4 illustrates the volumes of this campaign unfolding between April 13, 2020 and April 17, 2020.\r\nhttps://www.proofpoint.com/us/threat-insight/post/threat-actors-repurpose-hupigon-adult-dating-attacks-targeting-us-universities\r\nPage 2 of 4\n\nFigure 4 Hupigon Adult Dating Campaign Volume\r\nBetween the April 14, 2020 and April 15, 2020, message volumes reached approximately 80,000 messages,\r\ncoinciding with an observed rotation in payload, exemplified below:\r\nDate Used SHA256\r\nApril 14, 2020 8e2f624f7bf79f35951fa8a434537caa7d82dfbdf0bcd97461f879c43eece7fa\r\nApril 15 2020 373c7986a56ee7b428757ac7862676a6b5bbaaa1aee4122747fce5680ae024ff\r\nThis campaign delivered over 150,000 messages to over 60 different industries, with 45% focused on education,\r\ncolleges, and universities.\r\nHupigon has many features and capabilities. It allows actors to access the infected machine, has rootkit\r\nfunctionality, webcam monitoring, and the ability to log keystrokes and steal passwords.\r\nThe payload makes a DNS request to eth[.]ceo located at 142.54.162[.]66 for the initial command and control\r\ncommunication. In addition, another domain was discovered on the IP address - ‘ooeth[.]com’. Interesting to note\r\nthe domain used for delivery ‘down.gogominer[.]com’ is hosted on the same address space as the C2\r\n‘142.54.162[.]67’. \r\nProofpoint associates Hupigon with historic APT campaigns based on the language of the builder, open source\r\nbreach reporting, and multiple reports of similar APT actor behaviors between 2010 and 2012.\r\nIn this case, cybercriminals repurposed a nearly 15-year-old attack tool leveraged by state-sponsored threat actors\r\namong others. We believe this campaign is crimeware motivated. This judgment is based on the distribution\r\nmethods and message volumes referenced in Figure 4 as well as other technical associations that we observed.\r\nIndicators of Compromise\r\nPayload 8e2f624f7bf79f35951fa8a434537caa7d82dfbdf0bcd97461f879c43eece7fa\r\nPayload 373c7986a56ee7b428757ac7862676a6b5bbaaa1aee4122747fce5680ae024ff\r\nC2 142.54.162[.]66\r\nC2 eth[.]ceo\r\nhttps://www.proofpoint.com/us/threat-insight/post/threat-actors-repurpose-hupigon-adult-dating-attacks-targeting-us-universities\r\nPage 3 of 4\n\nDNS ooeth[.]com\r\nDelivery Domain down.gogominer[.]com\r\nSubscribe to the Proofpoint Blog\r\nSource: https://www.proofpoint.com/us/threat-insight/post/threat-actors-repurpose-hupigon-adult-dating-attacks-targeting-us-universities\r\nhttps://www.proofpoint.com/us/threat-insight/post/threat-actors-repurpose-hupigon-adult-dating-attacks-targeting-us-universities\r\nPage 4 of 4\n\nthe traffic upon Figure 3 Downloading clicking the malicious the Hupigon link leading Executable to the download of the compressed executable. \nFigure 4 illustrates the volumes of this campaign unfolding between April 13, 2020 and April 17, 2020.\n   Page 2 of 4",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.proofpoint.com/us/threat-insight/post/threat-actors-repurpose-hupigon-adult-dating-attacks-targeting-us-universities"
	],
	"report_names": [
		"threat-actors-repurpose-hupigon-adult-dating-attacks-targeting-us-universities"
	],
	"threat_actors": [],
	"ts_created_at": 1775434612,
	"ts_updated_at": 1775826775,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3578a631069e44b2a83fea1b2b511266f4509354.pdf",
		"text": "https://archive.orkl.eu/3578a631069e44b2a83fea1b2b511266f4509354.txt",
		"img": "https://archive.orkl.eu/3578a631069e44b2a83fea1b2b511266f4509354.jpg"
	}
}