{
	"id": "96801c0d-db5a-46ee-9be3-456211df771d",
	"created_at": "2026-04-06T00:09:27.594003Z",
	"updated_at": "2026-04-10T03:22:50.414527Z",
	"deleted_at": null,
	"sha1_hash": "f36f1a299495d09742c69bc22f7cc8710252b995",
	"title": "New HawkEye Reborn Variant Emerges Following Ownership Change",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3451652,
	"plain_text": "New HawkEye Reborn Variant Emerges Following Ownership\r\nChange\r\nBy Edmund Brumaghin\r\nPublished: 2019-04-15 · Archived: 2026-04-05 22:21:52 UTC\r\nEdmund Brumaghin and Holger Unterbrink authored this blog post.\r\nExecutive summary\r\nMalware designed to steal sensitive information has been a threat to organizations\r\naround the world for a long time. The emergence of the greyware market and the\r\nincreased commercialization of keyloggers, stealers, and remote access trojans\r\n(RATs) has magnified this threat by reducing the barrier to entry for attackers. In\r\nmany cases, the adversaries leveraging these tools do not need to possess\r\nprogramming skills or in-depth computer science expertise, as they are now being\r\nprovided as commercial offerings across the cybercriminal underground. We have\r\npreviously released in-depth analyses of these types of threats and how malicious\r\nattackers are leveraging them to attack organizations with Remcos in August and\r\nAgent Tesla in October.\r\nHawkEye is another example of a malware kit that is actively being marketed across various hacking forums.\r\nOver the past several months, Talos observed ongoing malware distribution campaigns attempting to leverage the\r\nlatest version of the HawkEye keylogger/stealer, HawkEye Reborn v9, against organizations to steal sensitive\r\ninformation and account credentials for use in additional attacks and account compromise.\r\nHistory of HawkEye\r\nHawkEye is a malware kit that has been around for several years and has seen\r\ncontinuous development and iterations since at least 2013. It is commonly sold on\r\nvarious hacking forums as a keylogger and stealer that can be used to monitor\r\nsystems and exfiltrate information from those systems. It features robust stealing\r\ncapabilities as it can be used to obtain sensitive information from a variety of\r\ndifferent applications. 
This information can then be transmitted to the attacker\r\nusing protocols such as FTP, HTTP, and SMTP. Talos has recently identified\r\nseveral changes concerning HawkEye Reborn in the latest version, HawkEye\r\nReborn v9.\r\nhttps://blog.talosintelligence.com/2019/04/hawkeye-reborn.html\r\nPage 1 of 18\n\nIn December 2018, a thread on HackForums described a change in the ownership and ongoing development of the\r\nHawkEye keylogger.\r\nShortly following this exchange, new posts began to appear that were attempting to market and sell new versions\r\nof HawkEye (HawkEye Reborn v9), with these new posts also referencing the change in ownership of the project\r\nmoving forward.\r\nHawkEye Reborn v9 is currently marketed as an \"Advance Monitoring Solution.\" It is currently being sold using a\r\nlicensing model, with purchasers gaining access to the software and updates for different periods based on a tiered\r\npricing model.\r\nHawkEye Reborn v9 also features a Terms of Service agreement that provides some additional insight. 
While the\r\nseller specifies that HawkEye Reborn should only be used on systems with permission, they also explicitly forbid\r\nscanning of HawkEye Reborn executables using antivirus software, likely an attempt to minimize the likelihood\r\nthat anti-malware solutions will detect HawkEye Reborn binaries.\r\nFollowing these changes, the new developer of HawkEye Reborn has continued to make changes and we expect\r\nthis to continue as long as the developer can monetize their efforts.\r\nAs with other malware that we wrote about last year, while the developer claims that the software should only be\r\nused on systems with permission, or \"for educational purposes,\" malicious attackers have been continuously\r\nleveraging it against various targets around the world.\r\nDistribution campaigns\r\nFor several months during the last half of 2018 and continuing into 2019, Cisco\r\nTalos has observed ongoing malicious email campaigns that are being used to\r\ndistribute versions of the HawkEye Reborn keylogger/stealer. The current version,\r\nHawkEye Reborn v9, has been modified from earlier versions and heavily\r\nobfuscated to make analysis more difficult.\r\nThe email campaigns that have been observed feature characteristics that are consistent with what is commonly\r\nseen with malspam campaigns, with the emails purporting to be associated with various documents such as\r\ninvoices, bills of materials, order confirmations, and other corporate functions. An example of one of these emails\r\nis below:\r\nFigure 1: Example email message\r\nWhile the current email campaign leverages malicious Microsoft Excel files, earlier campaigns have also been\r\nobserved leveraging RTF and DOC files. 
Additionally, a small number of campaigns over this same period also\r\nmade use of various file-sharing platforms like Dropbox for hosting the malicious documents rather than directly\r\nattaching them to the messages themselves.\r\nFigure 2: Example malicious Excel document\r\nSimilar to the technique described in our previous blog about Remcos, the contents of the documents have been\r\nintentionally made to appear as if they are blurry, with the user being prompted to enable editing to have a clearer\r\nview of the contents.\r\nAnother interesting characteristic of the malicious documents is that the metadata associated with the document\r\nfiles themselves also matches that found in many of the malicious documents that were previously being used to\r\nspread Remcos.\r\nFigure 3: Document metadata\r\nAdditionally, the creation and modification dates associated with these documents are shortly after we released a\r\ndetailed analysis of Remcos distribution campaigns that were being observed throughout 2018.\r\nAssuming the victim opens the attachment, the infection process begins as described in the following section.\r\nMany of the distribution servers that are being used to host the HawkEye keylogger binaries that are retrieved\r\nduring the infection process are hosting large numbers of malicious binaries and, in many cases, contain open\r\ndirectory listings that can be used to identify the scope of the infections that they are being used to facilitate. In\r\nmany cases, additional stealers, RATs, and other malware were observed being hosted on the same web servers.\r\nAnalysis of HawkEye Reborn\r\nThe campaign starts with sending the aforementioned Excel sheets that exploit the\r\nwell-known CVE-2017-11882 vulnerability, an arbitrary code execution bug in\r\nMicrosoft Office. 
The exploit works similarly to what we saw with Agent Tesla in\r\nOctober. It leverages a buffer overflow in the Equation Editor, which occurs if\r\nsomeone hands over a font name that's too long. The shellcode starts after the\r\nMTEF font tag \"08 13 36\" in this case.\r\nAfter execution in the Equation Editor (EQNEDT32.EXE) context, it downloads the malicious data from the\r\nmalware server as you can see in the ThreatGrid Process Timeline screenshot below. After a successful download,\r\nit creates and starts the RegAsm.exe process.\r\nThis RegAsm.exe process is a heavily obfuscated AutoIT script compiled into a PE. After decompiling it from the\r\nPE file, it is heavily obfuscated and still almost unreadable.\r\nWe deobfuscated the script to understand how the infection process works. It first creates the \"winrshost\" mutex.\r\nThen, it extracts the final payload malware from two objects in the PE resource section (capisp1, appsruprov2).\r\nIt concatenates them and uses AES to decrypt the result, using the hardcoded key \"pydbdio…\" which is handed\r\nover to the DecryptData function (see above). The screen capture below shows the decryption function.\r\nIt then calls the StartAndPatchRegAsm function.\r\nThis function tries to find the original Microsoft RegAsm executable path. It hands over the decrypted buffer\r\nextracted from the resource section and the path from the original RegAsm executable to the\r\nstart_protect_hexcode function.\r\nThen it starts the process-hollowing shellcode, which is stored in the HEXCODE1 variable. This shellcode injects\r\nthe final payload taken from the resource section into the original RegAsm.exe process. 
The shellcode in\r\nHEXCODE1 is very similar to this RunPE example.\r\nThe AutoIT script is offering a lot of other functions which are not used in this campaign, like anti-virtual machine\r\ndetection, USB drive infection and others.\r\nThe final payload — which we found in the AutoIT PE file resource section and was started by the process-hollowing shellcode — is a .NET PE file that's obfuscated with ConfuserEx.\r\nDeobfuscated, we can see it is the HawkEye Keylogger — Reborn v9, Version=9.0.1.6.\r\nWhen HawkEye is executed, in line 34,\r\nbyte[] byte_ = gclass.method_0()[\"0\", GClass30.GEnum3.RCDATA].Byte_0;\r\nit reads the encrypted configuration from the RCDATA resource and in line 33,\r\nbyte[] byte_2 = GClass29.smethod_12(byte_, GClass12.string_0);\r\nand then decrypts this data with the Rijndael algorithm you can see below in the RijndaelManaged function to\r\ninitialize the HawkEye configuration settings.\r\nThe decrypted configuration shows us the account used for exfiltration:\r\nThe main loop of HawkEye has the following functions:\r\nThis shows the rich feature set of HawkEye. The adversaries can get detailed information about the victim's\r\nmachine, as you can see in the screenshot below.\r\nBesides the system information, it steals passwords from common web browsers, Filezilla, Beyluxe Messenger,\r\nCoreFTP and the video game \"Minecraft.\" It also starts a keylogger, steals clipboard content, takes screenshots\r\nfrom the desktop and pictures from the webcam.\r\nVersion 9 is still using the well-known MailPassView and WebBrowserPassView freeware tools from Nirsoft to\r\nsteal web and email passwords. 
These tools are embedded in the PE file in the form of data which is decoded at\r\nruntime and added to the local resources. Then, they are using the process hollowing technique to hide the\r\nexecution of these tools inside of the original Microsoft vbc.exe (VisualBasic Compiler) process. They are starting\r\nan instance of vbc.exe via ProcessCreate, injecting the tool, and resuming the thread. The stolen passwords end\r\nup in a temporary file, which is read in and added to the list of data to be exfiltrated. HawkEye offers the\r\nfollowing exfiltration options based on the configuration: email, FTP, SFTP, HTTP POST to PanelURL API or\r\nProxyURL.\r\nAs mentioned above, in the comments of the main loop section, it also comes with several anti-analysis features,\r\nincluding starting an anti-debugging thread or disabling certain AV-related programs via the Image File Execution\r\nOptions (IFEO) evasion technique by registering invalid debuggers that redirect and effectively disable various\r\nsystem and security applications.\r\nThe following diagram summarizes the full infection process:\r\nConclusion\r\nRecent changes in both the ownership and development efforts of the HawkEye\r\nReborn keylogger/stealer demonstrate that this is a threat that will continue to\r\nexperience ongoing development and improvement moving forward. HawkEye has\r\nbeen active across the threat landscape for a long time and will likely continue to\r\nbe leveraged in the future as long as the developer of this kit can monetize their\r\nefforts. 
While the Terms of Service have been written in an attempt to absolve the\r\ndeveloper of any wrongdoing, it is actively leveraged by malicious adversaries.\r\nOrganizations should be aware of this and similar threats and deploy\r\ncountermeasures such as Multi-Factor Authentication (MFA) solutions such as\r\nDuo, to help reduce the impact of credential theft within their environments. Talos\r\ncontinues to monitor this threat as it changes to ensure that customers remain\r\nprotected from this and other threats as they continue to emerge and evolve.\r\nCoverage\r\nAdditional ways our customers can detect and block this threat are listed\r\nbelow.\r\nAdvanced Malware Protection (AMP) is ideally suited to prevent the execution of the malware used by these\r\nthreat actors.\r\nCisco Cloud Web Security (CWS) or Web Security Appliance (WSA) web scanning prevents access to malicious\r\nwebsites and detects malware used in these attacks.\r\nEmail Security can block malicious emails sent by threat actors as part of their campaign.\r\nNetwork Security appliances such as Next-Generation Firewall (NGFW), Next-Generation Intrusion Prevention\r\nSystem (NGIPS), and Meraki MX can detect malicious activity associated with this threat.\r\nAMP Threat Grid helps identify malicious binaries and build protection into all Cisco Security products.\r\nUmbrella, our secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs, and URLs,\r\nwhether users are on or off the corporate network.\r\nOpen Source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack\r\navailable for purchase on Snort.org.\r\nIndicators of compromise\r\nThe following IOCs are associated with various malware distribution campaigns\r\nthat were observed during the analysis of Hawkeye Reborn v9 activity.\r\nAttachment hashes (SHA256)\r\nA list of hashes observed to be 
associated with malicious email attachments can be found here.\r\nPE32 hashes (SHA256)\r\nA list of hashes observed to be associated with malicious PE32 executables can be found here.\r\nDomains\r\nThe following domains have been observed to be associated with malware campaigns.\r\ntfvn[.]com[.]vn\r\nshirkeswitch[.]net\r\nguideofgeorgia[.]org\r\ngulfclouds[.]site\r\njhssourcingltd[.]com\r\nkamagra4uk[.]com\r\npioneerfitting[.]com\r\npositronicsindia[.]com\r\nscseguros[.]pt\r\nspldernet[.]com\r\ntoshioco[.]com\r\nwww[.]happytohelpyou[.]in\r\nIP addresses\r\nThe following IP addresses have been observed to be associated with malware campaigns.\r\n112.213.89[.]40\r\n67.23.254[.]61\r\n62.212.33[.]98\r\n153.92.5[.]124\r\n185.117.22[.]197\r\n23.94.188[.]246\r\n67.23.254[.]170\r\n72.52.150[.]218\r\n148.66.136[.]62\r\n107.180.24[.]253\r\n108.179.246[.]138\r\n18.221.35[.]214\r\n94.46.15[.]200\r\n66.23.237[.]186\r\n72.52.150[.]218\r\nURLs:\r\nThe following URLs have been observed to be associated with malware campaigns.\r\nhttps[:]//a[.]pomf[.]cat/\r\nhttp[:]//pomf[.]cat/upload[.]php\r\nSource: https://blog.talosintelligence.com/2019/04/hawkeye-reborn.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.talosintelligence.com/2019/04/hawkeye-reborn.html"
	],
	"report_names": [
		"hawkeye-reborn.html"
	],
	"threat_actors": [
		{
			"id": "b740943a-da51-4133-855b-df29822531ea",
			"created_at": "2022-10-25T15:50:23.604126Z",
			"updated_at": "2026-04-10T02:00:05.259593Z",
			"deleted_at": null,
			"main_name": "Equation",
			"aliases": [
				"Equation"
			],
			"source_name": "MITRE:Equation",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434167,
	"ts_updated_at": 1775791370,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f36f1a299495d09742c69bc22f7cc8710252b995.pdf",
		"text": "https://archive.orkl.eu/f36f1a299495d09742c69bc22f7cc8710252b995.txt",
		"img": "https://archive.orkl.eu/f36f1a299495d09742c69bc22f7cc8710252b995.jpg"
	}
}