HawkEye, also known as PredatorPain or Predator Pain, is a long-running commercially sold malware family commonly categorized as a keylogger but also functioning as an information stealer, downloader, and versatile Trojan. The content states it has been active since at least 2008 and was widely sold on hacking forums, dark web markets, and public-facing websites, with reported pricing in the $20–$50 range; cracked versions also circulated. It gained popularity from at least 2013, including through spear-phishing campaigns, and has remained in active use, including COVID-19-themed phishing activity.
HawkEye has primarily been delivered through spear-phishing, including malicious attachments, compressed files, malicious documents, and campaigns using embedded OLE objects; it has also been spread via trojanized or fake free software and by other malware acting as loaders. The malware has been observed infecting organizations across many sectors globally and has been used in business email compromise, phishing, and spam operations. The content also notes use by diverse actors and references historical associations including GOLD GALLEON and a campaign by the Chinese APT group SixLittleMonkeys, though in that case HawkEye is described as a RAT used as a last-stage payload.
Technically, many HawkEye samples are .NET binaries and may be obfuscated with Confuser, Eaz, or Reactor. Samples may copy themselves into locations such as AppData\Local\Temp, AppData\Roaming, AppData\Roaming\Microsoft\Windows\Templates, AppData\Local\Temp\System, and the user Music folder, often using variable filenames and sometimes hidden attributes. HawkEye establishes persistence via HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and in some cases scheduled tasks created with schtasks.exe. It can extract embedded PE components from resources using XOR plus Poly deobfuscation, yielding an injector and payload, and has been observed using self-deletion, process hollowing, and injection into vbc.exe or another temporary-path process.
Its capabilities include keylogging, clipboard theft, screenshot capture, system, hardware, network, and security software discovery, and theft of credentials and stored data from browsers, email clients, FTP software, and other applications. The content specifically cites HawkEye as associated with browser credential theft affecting browsers such as Firefox, Safari, and Edge. It can also steal form data, cryptocurrency wallet data, and locally stage stolen information before exfiltrating it over FTP, HTTP, or SMTP. The content also attributes self-spreading capability to HawkEye.
Reported indicators in the content include MD5 60fabd1a2509b59831876d5e2aa71a6b and IP addresses 66.147.236[.]46, 204.141.42[.]56, and 129.204.194[.]84.
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
5 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
HawkEye, also known as PredatorPain (Predator Pain), is a malware categorized as a keylogger, but over the years, it has adopted new functionalities that align it with the capabilities of other tools like stealers.
HawkEye, also known as PredatorPain (Predator Pain), is a malware categorized as a keylogger, but over the years, it has adopted new functionalities that align it with the capabilities of other tools like stealers.
HawkEye, also known as PredatorPain (Predator Pain), is a malware categorized as a keylogger, but over the years, it has adopted new functionalities that align it with the capabilities of other tools like stealers.
HawkEye, also known as PredatorPain (Predator Pain), is a malware categorized as a keylogger, but over the years, it has adopted new functionalities that align it with the capabilities of other tools like stealers.
HawkEye, also known as PredatorPain (Predator Pain), is a malware categorized as a keylogger, but over the years, it has adopted new functionalities that align it with the capabilities of other tools like stealers.
36 distinct techniques documented for this family, organized by ATT&CK tactic.
we also find samples that establish persistence in tasks using commands like the following: schtasks.exe /Create /TN "<Path>\<TaskName>" /XML "<File>"
samples in .NET, sometimes obfuscated with tools like Confuser, Eaz, Reactor, or similar
they often try to have an icon that makes the victim think it’s a legitimate program, or the malware description might be altered to make it seem like legitimate software
"HawkEye offers a variety of functions for stealing stored data, grabbing form data..."
Agent Tesla became popular among business email compromise (BEC) scammers, who use it to record keystrokes and take screenshots on the infected host.
"HawkEye offers a variety of functions for stealing stored data, grabbing form data..."
Agent Tesla became popular among business email compromise (BEC) scammers, who use it to record keystrokes and take screenshots on the infected host.
Save stolen info on txt files \vbc.exe /stext "*\AppData\Local\Temp\holdermail.txt"
17 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Other indicator types observed in public reporting.
8 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Infostealer mentioned as one of the families that proliferated after the Zeus source code leak.
Long-lived .NET malware sold since at least 2008 and commonly delivered via spear-phishing, fake software, and loaders. It drops copies of itself in temp/roaming paths, establishes persistence via registry run keys and scheduled tasks, extracts injector and payload components from resources, uses process hollowing/injection, and steals keystrokes, clipboard data, credentials, wallet data, screenshots, and system information before exfiltrating via FTP/HTTP/SMTP.
Information stealer mentioned as being disseminated via Coronavirus-themed lures.
Keylogger with credential theft and clipboard theft capabilities, regularly updated and marketed as an advanced monitoring and data exfiltration solution.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.