LTS Secure Warning: Financial Motivation Gives Birth to New Version of the Infamous Hawkeye Malware

The malware is developed with the intent to harvest confidential information as well as account credentials & has always posed a serious threat to individuals & organization around the world. Recently, security researchers have seen a surge in infection campaigns that are making use of the new HawkEye Reborn V9 malware.


Technical Details

The HawkEye kit has seen many developments since its birth in 2013 to aid it in its ability to spy & steal data from its victims. The latest iteration makes use of protocols like FTP, SMTP & HTTP, to transmit the sensitive information stolen from the various applications available on the victim machine. To spread the malware, the attacker shared a fake letter, which seems to originate from banks and other organization. The mail is attached with the malicious attachment, which is converted from PDF to PNG and then to LNK. After clicking on the attachment, it secretly launches the keylogger & in order to distract the user, a fake invoice is being displayed on the screen.

The malware makes use of two main exe files:-

  • mshta.exe – Is a power shell script makes a connection to the attcaker C&C server hosted on AWS.
  • gvg.exe – Contains an Autolt script, which initiates the keylogger every time the device is turned on.



  • It captures real time as well as offline keystrokes.
  • It will steal your credentials / confidential data and sends to the remote attacker.
  • Details such as username, privileges, country, IP& MAC address, OS, hardware data, installed browsers, antivirus, and firewalls are transmitted to the attacker.
  • Propagates via storage devices like USB to increase its impact radius.
  • It affects your System Performance as well as functionality.


Recommended Actions

  • Always update your anti-virus software with the latest releases.
  • Ensure that your devices are always up-to-date with the latest patches released.
  • Never download any suspicious attachments or click on any shady-looking link. Take an effort to educate your users on how to identify a mail-spam.
  • Periodically run “full system scan” on your endpoints.


LTS Secure Locations
  • Florida: 407-965-5509
    Los Angeles: 323-544-5013
    Mid West: 800 689 4506

  • Chicago/Midwest– 2406 Schumacher Drive, Mishawaka, IN, 46545

    201, Tower S4, Phase II, Cybercity, Magarpatta Township, Hadapsar, Pune-411013

Leave us a messages Leave us a messages

← Prev Step

Thanks for contacting us. We'll get back to you as soon as we can.

Please provide a valid name, email, and question.

Powered by LivelyChat
Powered by LivelyChat Delete History