Threat Actor Employs Hawkeye Malware with Multiple Infection Vectors

On July 13, 2017, the Phishing Defense Center reviewed a phishing campaign delivering Hawkeye, a stealthy keylogger, disguised as a quote from the Pakistani government’s employee housing society. Although the attachment is actually a portable executable (PE) file, once downloaded it carries a PDF icon so that it passes for a document.
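The disguise described above works only on what the user sees (name and icon); the file content still carries a Windows PE header. The following added triage script, written for this post and not code from PhishMe or from the sample, classifies an attachment by content rather than by its name: it checks for the `MZ` stub and `PE\0\0` signature, checks for the `%PDF-` magic a genuine PDF starts with, and compares the MD5 against the hash published in this alert. The `build_constructed_pe` helper and the `DOCUMENT_EXTENSIONS` list are assumptions made for the demo; the script does not inspect the icon in the PE resource table.

```python
import hashlib
import os
import struct

# The one indicator the alert publishes: MD5 of the quote.exe sample.
KNOWN_HAWKEYE_MD5 = {"130efba199b389ab71a374bf95be2304"}

# Extensions a user would read as "document"; executable content behind one of these is a lure.
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".rtf", ".txt"}


def is_pe(data: bytes) -> bool:
    """True if data has a DOS 'MZ' stub whose e_lfanew field points at a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def is_pdf(data: bytes) -> bool:
    """True if data carries the PDF magic; a real PDF starts with '%PDF-'."""
    return data.startswith(b"%PDF-")


def triage(filename: str, data: bytes) -> dict:
    """Classify an attachment by its bytes, not by its name or icon.

    verdict: 'block'  - known Hawkeye hash, or executable content behind a document extension
             'review' - any other Windows executable
             'allow'  - none of these checks fired
    """
    ext = os.path.splitext(filename)[1].lower()
    md5 = hashlib.md5(data).hexdigest()        # identification only, not integrity
    pe = is_pe(data)
    findings = []
    if md5 in KNOWN_HAWKEYE_MD5:
        findings.append("MD5 matches the Hawkeye sample in the alert")
    if pe:
        findings.append("Windows PE executable")
        if ext in DOCUMENT_EXTENSIONS:
            findings.append(f"executable content behind {ext} extension")
    if ext == ".pdf" and not is_pdf(data):
        findings.append("named .pdf but lacks PDF magic")
    if md5 in KNOWN_HAWKEYE_MD5 or (pe and ext in DOCUMENT_EXTENSIONS):
        verdict = "block"
    elif pe:
        verdict = "review"
    else:
        verdict = "allow"
    return {"file": filename, "md5": md5, "is_pe": pe, "findings": findings, "verdict": verdict}


def build_constructed_pe() -> bytes:
    """A minimal, non-functional stand-in for a PE file (constructed for this demo)."""
    hdr = bytearray(0x40)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)     # e_lfanew -> immediately after the DOS header
    return bytes(hdr) + b"PE\x00\x00" + bytes(20)


if __name__ == "__main__":
    for name, blob in [("quote.exe", build_constructed_pe()),
                       ("quote.pdf", build_constructed_pe()),
                       ("report.pdf", b"%PDF-1.4\n%constructed\n")]:
        print(triage(name, blob))
```

Run it on a mail gateway quarantine or a downloads folder and act on `verdict`; the hash rule catches this exact sample, while the PE and magic rules catch the next recompile that changes the hash but keeps the trick.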

Upon execution, Hawkeye makes an API call to whatismyipaddress[.]com to obtain the public IP address of the victim’s machine.

Hawkeye steals email credentials and browser data, then exfiltrates it by emailing it to the threat actor, alexandernegri101zohocom, as seen below in screen captures of a memory dump and of network traffic.
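Two network behaviours in the description above are observable without any host telemetry: the public-IP lookup against whatismyipaddress.com and the outbound SMTP session that carries the stolen credentials. The following detection routine is an added example for this post, not PhishMe's or the sample's code; it runs two rules over proxy-style log lines and then correlates them per source host. The log format, the `SAMPLE_LOG` lines, the `MAIL_SERVERS` relay address and the extra public-IP lookup hosts are all constructed assumptions; the `smtp.zoho.com` destination reflects only that the mailbox named in the alert is a Zoho address.

```python
import re
from collections import defaultdict
from typing import List, NamedTuple

# Hosts used to learn a machine's public IP. whatismyipaddress.com is the one in the alert;
# the others are comparable public services added here for coverage.
PUBLIC_IP_LOOKUP_HOSTS = {"whatismyipaddress.com", "api.ipify.org", "icanhazip.com", "ifconfig.me"}

# Ports a mail client, or a keylogger with a built-in SMTP client, uses to send mail directly.
SMTP_PORTS = {25, 465, 587}

# Constructed log lines (not from the alert): "<timestamp> <src-ip> <dst-ip>:<port> <dst-host>".
SAMPLE_LOG = """\
2017-07-13T09:01:02 10.0.0.15 93.184.216.34:443 whatismyipaddress.com
2017-07-13T09:01:05 10.0.0.15 198.51.100.7:587 smtp.zoho.com
2017-07-13T09:02:10 10.0.0.22 203.0.113.9:443 www.example.com
2017-07-13T09:03:00 10.0.0.5 198.51.100.7:25 smtp.zoho.com
"""

# The organisation's sanctioned outbound mail relay (assumed for the demo).
MAIL_SERVERS = {"10.0.0.5"}

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+):(\d+) (\S+)$")


class Alert(NamedTuple):
    ts: str
    src: str
    rule: str
    detail: str


def detect(log_text: str, mail_servers=frozenset()) -> List[Alert]:
    """Apply the two per-line rules and return alerts in log order."""
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                       # skip lines that do not fit the format
        ts, src, dst, port, host = m.groups()
        host = host.lower().rstrip(".")
        if host in PUBLIC_IP_LOOKUP_HOSTS:
            alerts.append(Alert(ts, src, "public-ip-lookup", host))
        if int(port) in SMTP_PORTS and src not in mail_servers:
            alerts.append(Alert(ts, src, "direct-smtp", f"{dst}:{port} ({host})"))
    return alerts


def correlate(alerts: List[Alert]) -> set:
    """Hosts that both looked up their public IP and spoke SMTP directly: Hawkeye's sequence."""
    rules_by_src = defaultdict(set)
    for a in alerts:
        rules_by_src[a.src].add(a.rule)
    return {src for src, rules in rules_by_src.items()
            if {"public-ip-lookup", "direct-smtp"} <= rules}


if __name__ == "__main__":
    found = detect(SAMPLE_LOG, MAIL_SERVERS)
    for a in found:
        print(a)
    print("hosts matching the full Hawkeye pattern:", correlate(found))
```

Either rule alone is noisy (helpdesk staff look up public IPs, and some legitimate software still speaks SMTP directly), which is why the correlation step is the one worth paging on: a workstation that does both within the same session is behaving like this keylogger. Blocking outbound 25/465/587 from workstations at the perimeter, with the mail relay as the only exception, removes the exfiltration path entirely.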

To ice the cake, Hawkeye searches for attached USB drives and replicates itself onto them as Sys.exe, creating an autorun.inf file on the infected device. An autorun.inf file instructs Windows which program to launch automatically when the drive is opened. The memory screen capture below shows how the malware spread to a USB drive.
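The autorun.inf Hawkeye drops is the artefact a responder can look for on any USB stick that touched an infected machine. The scanner below is an added example written for this post, not code from PhishMe or from the sample: it walks a mounted drive, parses each autorun.inf with a small INI-style parser, and reports entries whose `open`, `shellexecute` or `shell\...\command` key launches an executable, plus any reference to the `Sys.exe` name reported in the alert. The `EXECUTABLE_EXT` list and the file contents written by `demo()` are constructed assumptions about what such a dropped file typically contains.

```python
import os
import tempfile
from typing import Dict, List, Tuple

# Extensions that Windows will run rather than open in a viewer (assumed list for the demo).
EXECUTABLE_EXT = {".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".vbs", ".js"}

# Keys in the [autorun] section that name a program to run.
LAUNCH_KEYS = {"open", "shellexecute"}


def parse_autorun(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal autorun.inf parser: {section: {key: value}} with section and key names lower-cased."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):        # blank or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections.setdefault(current, {})
            continue
        if "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][key.strip().lower()] = value.strip()
    return sections


def assess_autorun(text: str) -> List[str]:
    """Return the reasons an autorun.inf looks like a worm dropper; empty list if nothing found."""
    reasons = []
    autorun = parse_autorun(text).get("autorun", {})
    for key, value in autorun.items():
        launches = key in LAUNCH_KEYS or (key.startswith("shell\\") and key.endswith("\\command"))
        if not launches:
            continue
        parts = value.split()
        target = parts[0] if parts else ""          # program path before any arguments
        if os.path.splitext(target)[1].lower() in EXECUTABLE_EXT:
            reasons.append(f"{key} launches executable {target}")
    if "sys.exe" in text.lower():                   # the copy name reported in the alert
        reasons.append("references Sys.exe")
    return reasons


def scan_drive(root: str) -> List[Tuple[str, List[str]]]:
    """Walk a mounted drive (or any directory) and return (path, reasons) for suspicious autorun.inf files."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower() != "autorun.inf":
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                reasons = assess_autorun(fh.read())
            if reasons:
                hits.append((path, reasons))
    return hits


def demo() -> List[Tuple[str, List[str]]]:
    """Build a throwaway 'drive' holding a constructed worm-style autorun.inf and scan it."""
    sample = "[autorun]\nopen=Sys.exe\nicon=Sys.exe,0\n"      # constructed, not the sample's file
    with tempfile.TemporaryDirectory() as drive:
        os.makedirs(os.path.join(drive, "photos"))
        with open(os.path.join(drive, "autorun.inf"), "w", encoding="utf-8") as fh:
            fh.write(sample)
        return scan_drive(drive)


if __name__ == "__main__":
    for path, reasons in demo():
        print(path, "->", "; ".join(reasons))
```

Windows 7 and later no longer honour autorun.inf on USB mass-storage devices (only on optical media), so on a patched estate the AutoPlay launch path is largely closed; the file remains a cheap, reliable indicator that a drive has been plugged into an infected host and should be wiped before reuse.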


PhishMe® cautions its customers to be wary of emails containing suspicious links or attachments. Specific to this sample, we recommend that customers watch for emails matching the lure described above and for executable attachments presenting themselves as documents.

Don’t miss another threat – stay on top of emerging phishing and malware threats and attacks, all delivered straight to your inbox completely free. Subscribe to PhishMe Threat Alerts today.

File name: quote.exe

MD5 hash value: 130efba199b389ab71a374bf95be2304
