{
	"id": "98e4572a-6220-4dff-9bef-f206a48482ad",
	"created_at": "2026-04-06T00:17:40.973633Z",
	"updated_at": "2026-04-10T13:12:31.632137Z",
	"deleted_at": null,
	"sha1_hash": "510bd6a2248a7902e188626f941590e9abe2bb89",
	"title": "Hawkeye Keylogger - Reborn v8: An in-depth campaign analysis | Microsoft Security Blog",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1469377,
	"plain_text": "Hawkeye Keylogger - Reborn v8: An in-depth campaign analysis |\r\nMicrosoft Security Blog\r\nBy Microsoft Threat Intelligence\r\nPublished: 2018-07-11 · Archived: 2026-04-05 13:39:34 UTC\r\nMuch of cybercrime today is fueled by underground markets where malware and cybercriminal services are\r\navailable for purchase. These markets in the deep web commoditize malware operations. Even novice\r\ncybercriminals can buy malware toolkits and other services they might need for malware campaigns: encryption,\r\nhosting, antimalware evasion, spamming, and many others.\r\nHawkeye Keylogger is an info-stealing malware that’s being sold as malware-as-a-service. Over the years, the\r\nmalware authors behind Hawkeye have improved the malware service, adding new capabilities and techniques. It\r\nwas last used in a high-volume campaign in 2016.\r\nThis year marked the resurgence of Hawkeye. In April, malware authors started peddling a new version of the\r\nmalware that they called Hawkeye Keylogger – Reborn v8. Not long after, on April 30, Office 365 Advanced\r\nThreat Protection (Office 365 ATP) detected a high-volume campaign that distributed the latest variants of this\r\nkeylogger.\r\nAt the onset, Office 365 ATP blocked the email campaign and protected customers, 52% of whom are in the\r\nsoftware and tech sector. Companies in the banking (11%), energy (8%), chemical (5%), and automotive (5%)\r\nindustries are also among the top targets.\r\nFigure 1. Top industries targeted by the April 2018 Hawkeye campaign\r\nOffice 365 ATP uses intelligent systems that inspect attachments and links for malicious content to protect\r\ncustomers against threats like Hawkeye in real time. These automated systems include a robust detonation\r\nhttps://cloudblogs.microsoft.com/microsoftsecure/2018/07/11/hawkeye-keylogger-reborn-v8-an-in-depth-campaign-analysis/\r\nPage 1 of 17\n\nplatform, heuristics, and machine learning models. 
Office 365 ATP uses intelligence from various sensors,\r\nincluding multiple capabilities in Windows Defender Advanced Threat Protection (Windows Defender ATP).\r\nWindows Defender AV (a component of Windows Defender ATP) detected and blocked the malicious attachments\r\nused in the campaign in at least 40 countries. United Arab Emirates accounted for 19% of these file encounters,\r\nwhile the Netherlands (15%), the US (11%), South Africa (6%) and the UK (5%) make up the rest of the top 5\r\ncountries that saw the lure documents used in the campaign. A combination of generic and heuristic protections in\r\nWindows Defender AV (TrojanDownloader:O97M/Donoff, Trojan:Win32/Tiggre!rfn, Trojan:Win32/Bluteal!rfn,\r\nVirTool:MSIL/NetInject.A) ensured these threats were blocked in customer environments.\r\nFigure 2. Top countries that encountered malicious documents used in the Hawkeye campaign\r\nAs part of our job to protect customers from malware attacks, Office 365 ATP researchers monitor malware\r\ncampaigns like Hawkeye and other developments in the cybercriminal landscape. Our in-depth investigation into\r\nmalware campaigns like Hawkeye and many others adds to the vast threat intelligence we get from the Microsoft\r\nIntelligent Security Graph, which enables us to continuously raise the bar in security. Through the Intelligent\r\nSecurity Graph, security technologies in Microsoft 365 share signals and detections, allowing these technologies\r\nto automatically update protection and detection mechanisms, as well as orchestrate remediation across Microsoft\r\n365.\r\nFigure 3. Microsoft 365 threat protection against Hawkeye\r\nCampaign overview\r\nDespite its name, Hawkeye Keylogger – Reborn v8 is more than a common keylogger. 
Over time, its authors have\r\nintegrated various modules that provide advanced functionalities like stealth and detection evasion, as well as\r\ncredential theft and more.\r\nMalware services like Hawkeye are advertised and sold in the deep web, which requires anonymity networks like\r\nTor to access. Interestingly, the Hawkeye authors advertised their malware and even published tutorial videos\r\non a website on the surface web (that has since been taken down). Even more interesting, based on underground\r\nforums, it appears the malware authors have employed intermediary resellers, an example of how cybercriminal\r\nunderground business models expand and evolve.\r\nOur investigation into the April 2018 Hawkeye campaign shows that the cybercriminals have been preparing for\r\nthe operation since February, when they registered the domains they later used in the campaign.\r\nTypical of malware campaigns, the cybercriminals undertook the following steps:\r\nBuilt malware samples and malware configuration files using a malware builder they acquired from the\r\nunderground\r\nBuilt weaponized documents to be used as a social engineering lure (possibly by using another tool bought in\r\nthe underground)\r\nPacked or obfuscated the samples (using a customized open-source packer)\r\nRegistered domains for delivery of malware\r\nLaunched a spam campaign (possibly using a paid spam service) to distribute the malware\r\nLike other malware toolkits, Hawkeye comes with an admin panel that cybercriminals use to monitor and control\r\nthe attack.\r\nFigure 4: Hawkeye’s admin panel\r\nInterestingly, some of the methods used in this Hawkeye campaign are consistent with previous attacks. 
This\r\nsuggests that the cybercriminals behind this campaign may be the same group responsible for malware operations\r\nthat delivered the remote access tool (RAT) Remcos and the info-stealing bot malware Loki. The following\r\nmethods were used in these campaigns:\r\nMultiple documents that create a complicated, multi-stage delivery chain\r\nRedirections using shortened bit.ly links\r\nUse of malicious macro, VBScript, and PowerShell scripts to run the malware; the Remcos campaign\r\nemployed an exploit for CVE-2017-0199 but used the same domains\r\nConsistent obfuscation technique across multiple samples\r\nPoint of entry\r\nIn late April, Office 365 ATP analysts spotted a new spam campaign with the subject line RFQ-GHFD456 ADCO\r\n5647 deadline 7th May carrying a Word document attachment named Scan Copy 001.doc. While the attachment’s\r\nfile name extension was .doc, it was in fact a malicious Office Open XML format document, which usually uses a\r\n.docx file name extension.\r\nIn total, the campaign used four different subject lines and five attachments.\r\nFigure 5: Sample emails used in the Hawkeye campaign\r\nBecause the attachment contains malicious code, Microsoft Word opens with a security warning. 
The document\r\nuses a common social engineering lure: it displays a fake message and an instruction to “Enable editing” and\r\n“Enable content”.\r\nFigure 6: The malicious document with social engineering lure\r\nThe document contains an embedded frame that connects to a remote location using a shortened URL.\r\nFigure 7: Frame in settings.rels.xml in the document\r\nThe frame loads an .rtf file from hxxp://bit[.]ly/Loadingwaitplez, which redirects to hxxp://stevemike-fireforce[.]info/work/doc/10.doc.\r\nFigure 8: RTF loaded as a frame inside malicious document\r\nThe RTF has an embedded malicious .xlsx file with a macro, stored as an OLE object, which in turn contains a stream\r\nnamed PACKAGE that contains the .xlsx contents.\r\nThe macro script is mostly obfuscated, but the URL to the malware payload is notably in plaintext.\r\nFigure 9: Obfuscated macro entry point\r\nDe-obfuscating the entire script makes its intention clear. The first section uses PowerShell and the\r\nSystem.Net.WebClient object to download the malware to the path C:\\Users\\Public\\svchost32.exe and execute it.\r\nThe macro script then terminates both winword.exe and excel.exe. In specific scenarios where Microsoft Word\r\noverrides default settings and is running with administrator privileges, the macro can delete Windows Defender\r\nAV’s malware definitions. 
It then changes the registry to disable Microsoft Office’s security warnings and safety\r\nfeatures.\r\nIn summary, the campaign’s delivery comprises multiple layers of components that aim to evade detection and\r\npossibly complicate analysis by researchers.\r\nFigure 10: The campaign’s delivery stages\r\nThe downloaded payload, svchost32.exe, is a .NET assembly named Millionare that is obfuscated using a custom\r\nversion of ConfuserEx, a well-known open-source .NET obfuscator.\r\nFigure 11: Obfuscated .NET assembly Millionare showing some of the scrambled names\r\nThe obfuscation modifies the .NET assembly’s metadata such that all class and variable names are replaced with meaningless, scrambled Unicode names. This obfuscation causes some analysis tools like .NET Reflector to\r\nshow some namespace or class names as blank, or in some cases, display parts of the code backwards.\r\nFigure 12: .NET Reflector presenting the code backwards due to obfuscation\r\nFinally, the .NET binary loads an unpacked .NET assembly, which includes DLL files embedded as resources in\r\nthe portable executable (PE).\r\nFigure 13: Loading the unpacked .NET assembly during run-time\r\nMalware loader\r\nThe DLL that initiates the malicious behavior is embedded as a resource in the unpacked .NET assembly. 
It is\r\nloaded in memory using process hollowing, a code injection technique that involves spawning a new instance of a\r\nlegitimate process and then “hollowing it out”, i.e., replacing the legitimate code with malware.\r\nFigure 14: In-memory unpacking of the malware using process hollowing.\r\nUnlike previous Hawkeye variants (v7), which loaded the main payload into their own process, the new Hawkeye\r\nmalware injects its code into MSBuild.exe, RegAsm.exe, and VBC.exe, which are signed executables that ship with\r\nthe .NET Framework. This is an attempt to masquerade as a legitimate process.\r\nFigure 15: Obfuscated calls using .NET reflection to perform the process hollowing injection routine that injects the\r\nmalware’s main payload into RegAsm.exe\r\nAdditionally, in the previous version, the process hollowing routine was written in C. In the new version, this\r\nroutine is completely rewritten in managed .NET code that calls the native Windows API.\r\nFigure 16: Process hollowing routine implemented in .NET using native API function calls\r\nMalware functionalities\r\nThe new Hawkeye variants created by the latest version of the malware toolkit have multiple sophisticated\r\nfunctions for information theft and evading detection and analysis.\r\nInformation theft\r\nThe main keylogger functionality is implemented using hooks that monitor key presses, as well as mouse clicks\r\nand window context, along with clipboard hooks and screenshot capability.\r\nIt has specific modules for extracting and stealing credentials from the following applications:\r\nBeyluxe Messenger\r\nCore FTP\r\nFileZilla\r\nMinecraft (replaced the RuneScape module in previous version)\r\nLike many other malware campaigns, it 
uses the legitimate BrowserPassView and MailPassView tools to dump\r\ncredentials from the browser and email client. It also has modules for taking screenshots of the desktop, as well as\r\nthe webcam, if it exists.\r\nNotably, the malware has a mechanism to visit certain URLs for click-based monetization.\r\nStealth and anti-analysis\r\nOn top of the process hollowing technique, this malware uses other methods for stealth, including removal of the\r\nmark of the web (MOTW) alternate data stream from the malware’s downloaded files.\r\nThis malware can be configured to delay execution by any number of seconds, a technique used mainly to avoid\r\ndetection by various sandboxes.\r\nIt prevents antivirus software from running using an interesting technique. It adds keys to the registry location\r\nHKLM\\Software\\Windows NT\\Current Version\\Image File Execution Options and sets the Debugger value for\r\ncertain processes to rundll32.exe, which prevents execution. It targets the following processes related to antivirus\r\nand other security software:\r\nAvastSvc.exe\r\nAvastUI.exe\r\navcenter.exe\r\navconfig.exe\r\navgcsrvx.exe\r\navgidsagent.exe\r\navgnt.exe\r\navgrsx.exe\r\navguard.exe\r\navgui.exe\r\navgwdsvc.exe\r\navp.exe\r\navscan.exe\r\nbdagent.exe\r\nccuac.exe\r\nComboFix.exe\r\negui.exe\r\nhijackthis.exe\r\ninstup.exe\r\nkeyscrambler.exe\r\nmbam.exe\r\nmbamgui.exe\r\nmbampt.exe\r\nmbamscheduler.exe\r\nmbamservice.exe\r\nMpCmdRun.exe\r\nMSASCui.exe\r\nMsMpEng.exe\r\nmsseces.exe\r\nrstrui.exe\r\nspybotsd.exe\r\nwireshark.exe\r\nzlclient.exe\r\nFurther, it blocks access to certain domains that are usually associated with antivirus or security updates. It does\r\nthis by modifying the HOSTS file. 
The list of domains to be blocked is determined by the attacker using a config file.\r\nThis malware protects its own processes. It blocks the command prompt, registry editor, and task manager. It does\r\nthis by modifying registry keys for local group policy administrative templates. It also constantly checks active\r\nwindows and renders action buttons unusable if the window title matches “ProcessHacker”, “Process Explorer”,\r\nor “Taskmgr”.\r\nMeanwhile, it prevents other malware from infecting the machine. It repeatedly scans and removes any new\r\nvalues added to certain registry keys, stops associated processes, and deletes related files.\r\nHawkeye attempts to avoid automated analysis. The delay in execution is designed to defeat automated sandbox\r\nanalysis that allots only a certain time for malware execution and analysis. It likewise attempts to evade manual\r\nanalysis by monitoring windows and exiting when it finds the following analysis tools:\r\nSandboxie\r\nWinsock Packet Editor Pro\r\nWireshark\r\nDefending mailboxes, endpoints, and networks against persistent malware\r\ncampaigns\r\nHawkeye illustrates the continuous evolution of malware in a threat landscape fueled by the cybercriminal\r\nunderground. Malware services make malware accessible to even unsophisticated operators, while simultaneously\r\nmaking malware more durable with advanced techniques like in-memory unpacking and abuse of .NET’s CLR\r\nengine for stealth. In this blog we covered the capabilities of its latest version, Hawkeye Keylogger – Reborn v8,\r\nhighlighting some of the enhancements from the previous version. Given its history, the Hawkeye authors are likely to release a\r\nnew version in the future.\r\nOrganizations should continue educating their employees about spotting and preventing social engineering\r\nattacks. 
After all, Hawkeye’s complicated infection chain begins with a social engineering email and lure\r\ndocument. A security-aware workforce will go a long way in securing networks against attacks.\r\nMore importantly, securing mailboxes, endpoints, and networks using advanced threat protection technologies can\r\nprevent attacks like Hawkeye, other malware operations, and sophisticated cyberattacks.\r\nOur in-depth analysis of the latest version and our insight into the cybercriminal operation that drives this\r\ndevelopment allow us to proactively build robust protections against both known and unknown threats.\r\nOffice 365 Advanced Threat Protection (Office 365 ATP) protects mailboxes as well as files, online storage, and\r\napplications from malware campaigns like Hawkeye. It uses a robust detonation platform, heuristics, and machine\r\nlearning to inspect attachments and links for malicious content in real-time, ensuring that emails that carry\r\nHawkeye and other threats don’t reach mailboxes and devices. Learn how to add Office 365 ATP to existing\r\nExchange or Office 365 plans.\r\nWindows Defender Antivirus (Windows Defender AV) provides an additional layer of protection by detecting\r\nmalware delivered through email, as well as other infection vectors. Using local and cloud-based machine\r\nlearning, Windows Defender AV’s next-gen protection can block even new and unknown threats on Windows 10\r\nand Windows 10 in S mode.\r\nAdditionally, endpoint detection and response (EDR) capabilities in Windows Defender Advanced Threat\r\nProtection (Windows Defender ATP) expose sophisticated and evasive malicious behaviors, such as those used by\r\nHawkeye. 
Sign up for a free Windows Defender ATP trial.\r\nWindows Defender ATP’s rich detection libraries are powered by machine learning and allow security operations\r\nteams to detect and respond to anomalous attacks in the network. For example, machine learning detection\r\nalgorithms surface the following alert when Hawkeye uses a malicious PowerShell script to download the payload:\r\nFigure 16: Windows Defender ATP alert for Hawkeye’s malicious PowerShell component\r\nWindows Defender ATP also has behavior-based machine learning algorithms that detect the payload itself:\r\nFigure 17: Windows Defender ATP alert for Hawkeye’s payload\r\nThese security technologies are part of the advanced threat protection solutions in Microsoft 365. Enhanced signal\r\nsharing across services in Windows, Office 365, and Enterprise Mobility + Security through the Microsoft\r\nIntelligent Security Graph enables the automatic update of protections and orchestration of remediation across\r\nMicrosoft 365.\r\nOffice 365 ATP Research\r\nIndicators of Compromise (IoC)\r\nEmail subject lines\r\n{EXT} NEW ORDER ENQUIRY #65563879884210#\r\nB/L COPY FOR SHIPMENT\r\nBetreff: URGENT ENQ FOR Equipment\r\nRFQ-GHFD456 ADCO 5647 deadline 7th May\r\nAttachment file names\r\nBetreff URGENT ENQ FOR Equipment.doc\r\nBILL OF LADING.doc\r\nNEW ORDER ENQUIRY #65563879884210#.doc\r\nScan Copy 001.doc\r\nSwift Copy.doc\r\nDomains\r\nlokipanelhostingpanel[.]gq\r\nstellarball[.]com\r\nstemtopx[.]com\r\nstevemike-fireforce[.]info\r\nShortened redirector links\r\nhxxp://bit[.]ly/ASD8239ASdmkWi38AS (was also used in a Remcos campaign)\r\nhxxp://bit[.]ly/loadingpleaswaitrr\r\nhxxp://bit[.]ly/Loadingwaitplez\r\nFiles 
(SHA-256)\r\nd97f1248061353b15d460eb1a4740d0d61d3f2fcb41aa86ca6b1d0ff6990210a – .eml\r\n23475b23275e1722f545c4403e4aeddf528426fd242e1e5e17726adb67a494e6 – .eml\r\n02070ca81e0415a8df4b468a6f96298460e8b1ab157a8560dcc120b984ba723b – .eml\r\n79712cc97a19ae7e7e2a4b259e1a098a8dd4bb066d409631fb453b5203c1e9fe – .eml\r\n452cc04c8fc7197d50b2333ecc6111b07827051be75eb4380d9f1811fa94cbc2 – .eml\r\n95511672dce0bd95e882d7c851447f16a3488fd19c380c82a30927bac875672a – .eml\r\n1b778e81ee303688c32117c6663494616cec4db13d0dee7694031d77f0487f39 – .eml\r\n12e9b955d76fd0e769335da2487db2e273e9af55203af5421fc6220f3b1f695e – .eml\r\n12f138e5e511f9c75e14b76e0ee1f3c748e842dfb200ac1bfa43d81058a25a28 – .eml\r\n9dfbd57361c36d5e4bda9d442371fbaa6c32ae0e746ebaf59d4ec34d0c429221 – .docx (stage 1)\r\nf1b58fd2bc8695effcabe8df9389eaa8c1f51cf4ec38737e4fbc777874b6e752 – .rtf (stage 2)\r\n5ad6cf87dd42622115f33b53523d0a659308abbbe3b48c7400cc51fd081bf4dd – .doc\r\n7db8d0ff64709d864102c7d29a3803a1099851642374a473e492a3bc2f2a7bae – .rtf\r\n01538c304e4ed77239fc4e31fb14c47604a768a7f9a2a0e7368693255b408420 – .rtf\r\nd7ea3b7497f00eec39f8950a7f7cf7c340cf9bf0f8c404e9e677e7bf31ffe7be – .vbs\r\nccce59e6335c8cc6adf973406af1edb7dea5d8ded4a956984dff4ae587bcf0a8 – .exe (packed)\r\nc73c58933a027725d42a38e92ad9fd3c9bbb1f8a23b3f97a0dd91e49c38a2a43 – .exe (unpacked)\r\n*Updated 07/12/18 (Removed statement that Hawkeye Keylogger is also known as iSpy Keylogger\r\nTalk to us\r\nQuestions, concerns, or insights on this story? 
Join discussions at the Microsoft community and Windows\r\nDefender Security Intelligence.\r\nFollow us on Twitter @WDSecurity and Facebook Windows Defender Security Intelligence.\r\nSource: https://cloudblogs.microsoft.com/microsoftsecure/2018/07/11/hawkeye-keylogger-reborn-v8-an-in-depth-campaign-analysis/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://cloudblogs.microsoft.com/microsoftsecure/2018/07/11/hawkeye-keylogger-reborn-v8-an-in-depth-campaign-analysis/"
	],
	"report_names": [
		"hawkeye-keylogger-reborn-v8-an-in-depth-campaign-analysis"
	],
	"threat_actors": [],
	"ts_created_at": 1775434660,
	"ts_updated_at": 1775826751,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/510bd6a2248a7902e188626f941590e9abe2bb89.pdf",
		"text": "https://archive.orkl.eu/510bd6a2248a7902e188626f941590e9abe2bb89.txt",
		"img": "https://archive.orkl.eu/510bd6a2248a7902e188626f941590e9abe2bb89.jpg"
	}
}