Threat Actor Employs Hawkeye Malware with Multiple Infection Vectors

On July 13, 2017, the Phishing Defense Center reviewed a phishing campaign delivering Hawkeye, a stealthy keylogger, disguised as a quote from the Pakistani government's employee housing society. Although the download is actually a portable executable file [1], it carries a PDF icon so that it masquerades as a PDF once saved to disk.

Upon execution, Hawkeye makes an API call to whatismyipaddress[.]com to obtain the public IP address of the victim’s machine.

Hawkeye steals email credentials and browser data, then exfiltrates them by emailing them to the threat actor at alexandernegri101[at]zoho[dot]com, as seen in the screen captures below of a memory dump and of network traffic.

To ice the cake, Hawkeye searches for attached USB drives and replicates itself as Sys.exe, creating an autorun.inf file on the infected device. The autorun.inf file instructs the computer to launch a program automatically when the drive is inserted. The screen capture below from memory shows how the malware spread to a USB drive.


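As an added example for defenders (not code from the original post), the following Python check parses an autorun.inf taken from a removable drive, lists the programs it would launch, and compares the MD5 of any launched executable found in the drive root against the hash given in footnote [1]. The sample autorun.inf text and the Sys.exe bytes are constructed stand-ins, not the real sample.

```python
import hashlib
import os

# MD5 of the quote.exe dropper given in the post's footnote [1]
KNOWN_HAWKEYE_MD5 = "130efba199b389ab71a374bf95be2304"

# autorun.inf directives that make Windows launch a program (when AutoRun is enabled)
LAUNCH_KEYS = ("open", "shellexecute", "shell\\open\\command")


def parse_autorun(text):
    """Return (directive, program) pairs for each [autorun] line that launches a program."""
    launches = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank or comment line
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section != "autorun" or "=" not in line:
            continue  # launch directives only count inside [autorun]
        key, value = (part.strip() for part in line.split("=", 1))
        if key.lower() in LAUNCH_KEYS and value:
            launches.append((key.lower(), value.split()[0]))  # first token is the program
    return launches


def assess_drive(autorun_text, files):
    """Flag each program autorun.inf would launch; `files` maps lower-case root file names to bytes."""
    findings = []
    for directive, program in parse_autorun(autorun_text):
        name = os.path.basename(program.replace("\\", "/")).lower()
        finding = {"directive": directive, "program": program, "present": name in files}
        if finding["present"]:
            digest = hashlib.md5(files[name]).hexdigest()
            finding["md5"] = digest
            finding["known_hawkeye"] = digest == KNOWN_HAWKEYE_MD5  # matches the post's IoC?
        findings.append(finding)
    return findings


# Constructed stand-ins mirroring the post: autorun.inf pointing at Sys.exe in the drive root
SAMPLE_AUTORUN = "[autorun]\nopen=Sys.exe\nshellexecute=Sys.exe\naction=Open folder to view files\n"
SAMPLE_FILES = {"sys.exe": b"MZ constructed placeholder bytes, not the real sample"}

if __name__ == "__main__":
    for finding in assess_drive(SAMPLE_AUTORUN, SAMPLE_FILES):
        print(finding)
```

A drive whose autorun.inf launches an executable from its own root is worth quarantining even when the hash does not match, since the copy written to USB need not be byte-identical to the original dropper.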
PhishMe® cautions its customers to be wary of emails containing suspicious links or attachments. Specific to this sample, we recommend that customers watch for emails that contain the content described above.


[1] Name: quote.exe
MD5 hash value: 130efba199b389ab71a374bf95be2304