The HawkEye trojan is deployed via Microsoft Word Intruder documents, typically delivered by scam emails. If the document is opened on a system running an unpatched version of Windows, it will install malware without any user interaction. HawkEye spyware can steal clipboard data, keystrokes, license information from apps, and passwords from apps including browsers, FTP, and email. The information collected by HawkEye is sent unencrypted via HTTP to one of two servers. Attackers can obtain email login credentials and use that information to sign into the victim’s account and send emails instructing customers and other individuals to deposit money in an account controlled by the attacker. This tactic relies on the malware operating under the radar and quietly stealing large amounts of money. Attackers also use the HawkEye trojan for industrial espionage as well. Since March 2015, cybercriminals have used the Hawkeye trojan to target more than 130 companies in over 30 countries. The victims are mostly small to medium businesses (SMBs) in the industrial sector. The attackers used the HawkEye trojan as spyware, incorporated in an executable file within ZIP file sent by spear-phishing emails.


  • June 2015: Nigerian cybercriminals use HawkEye to target SMBs worldwide. (Trend Micro)
  • August 2016: HawkEye is used by cybercriminals to target SMBs since March 2015. (Softpedia)
  • July 2017: An email phishing campaign is delivering the HawkEye trojan by disguising it as an attached quote from the Pakistani government's employee housing society. (PhishMe)

Technical Details

  • Trend Micro provides technical details on HawkEye, available here.
HawkEye example

HawkEye example