This article is sponsored by the threat researcher Aaron Jornet Sales (aka RexorVc0). Find him on X and LinkedIn.
HawkEye Malware
In recent years, however, the term has evolved and so have its functionalities: HawkEye, aka PredatorPain, is a malware known as a keylogger, although it behaves in line with other stealers.
History of HawkEye Malware
HawkEye has been around for quite some time: its earliest records of sale and use date back to 2008, well before 2010. This infamous malware gained prominence in 2013 after several spearphishing campaigns that delivered it as an attachment.
The keylogger has been offered on multiple dark web sites, and it has even had dedicated selling websites of its own. For over a decade it has been cracked and used by other actors without the subscription required by its developers, which was priced at between $20 and $50. This is part of what made it infamous, but it also led to its adoption by script kiddies who lacked the skills to build their own tooling, because of how easy it was to use.
It may not be one of the most commonly used malware families, but it is still actively used and saw a major revival during the COVID-19 pandemic. At that time, some actors exploited the general hysteria to gather data from companies through phishing campaigns.
Furthermore, HawkEye has also been deployed alongside other loaders and/or malware that called this keylogger. Over its extensive history, numerous actors and malware families have used it to target companies: Galleon Gold, Mikroceen, the iSPY crypter associated with Gold Skyline, Remcos in campaigns alongside HawkEye, and Pony deployed in Pacific Center campaigns via HawkEye.
Technical Analysis of HawkEye Malware
HawkEye's delivery method has changed over the years, as have the types of sources behind the attacks. Nevertheless,
Outro
As we discussed earlier, different groups have used this keylogger, as well as independent criminals or even script kiddies. In my research, I found different places where this keylogger was sold: up to 4-5 different sites, as it changed developers and domains over time, which is quite common.
It has also been distributed through cracks, which were sold or offered to members on forums, bypassing the usual membership fees or markets and offering it for very low payments compared to the standard price, which, as we mentioned earlier, ranged from $20 to $50.