The HawkEye trojan is deployed via Microsoft Word Intruder documents, typically delivered by scam emails. If the document is opened on a system running an unpatched version of Windows, it will install malware without any user interaction. HawkEye spyware can steal clipboard data, keystrokes, license information from apps, and passwords from apps including browsers, FTP, and email. The information collected by HawkEye is sent unencrypted via HTTP to one of two servers. Attackers can obtain email login credentials and use that information to sign into the victim’s account and send emails instructing customers and other individuals to deposit money in an account controlled by the attacker. This tactic relies on the malware operating under the radar and quietly stealing large amounts of money. Attackers also use the HawkEye trojan for industrial espionage as well. Since March 2015, cybercriminals have used the Hawkeye trojan to target more than 130 companies in over 30 countries. The victims are mostly small to medium businesses (SMBs) in the industrial sector. The attackers used the HawkEye trojan as spyware, incorporated in an executable file within ZIP file sent by spear-phishing emails.


  • June 2015: Nigerian cybercriminals use HawkEye to target SMBs worldwide. (Trend Micro)

  • August 2016: HawkEye is used by cybercriminals to target SMBs since March 2015. (Softpedia)

  • July 2017: An email phishing campaign is delivering the HawkEye trojan by disguising it as an attached quote from the Pakistani government's employee housing society. (PhishMe)

Technical Details

  • Trend Micro provides technical details on HawkEye, available here.

Update 07/01/2019: Researchers at Cisco Talos have discovered a malware loader specifically designed to evade detection by IDS (intrusion detection system). This loader, utilizing the ‘Heaven’s Gate’ technique, is meant to obfuscate the distribution of various strains of malware such as the HawkEye Reborn keylogger/stealer, the Remcos remote access tool (RAT), and several XMR-based malicious miners. The increasingly active campaign initiates dissemination of the loader through malspam emails and commonly abuse the CVE-2017-11882 vulnerability. Once opened, these malicious emails—masquerading as invoices, banking statements, or other legitimate business documents—contain Microsoft Word documents and Excel spreadsheets that will initiate the download of the loader from attacker-controlled servers. A full list of IOC’s and technical details are available in the Cisco Talos blog post.

HawkEye example

HawkEye example