Nighthawk is an advanced C2 framework sold under commercial license for red team operations. Proofpoint researchers observed initial use of the framework in September 2022 by a likely red team. Proofpoint has seen no indications at this time that leaked versions of Nighthawk are being used by attributed threat actors in the wild. The tool has a robust set of configurable evasion techniques, referred to as “opsec” functions throughout its code. Proofpoint researchers expect Nighthawk to show up in threat actor campaigns as the tool becomes more widely recognized, or as threat actors search for new, more capable tools to use against targets.
MALWARE FAMILY: Nighthawk
ATT&CK IDS: T1562 - Impair Defenses, T1106 - Native API, T1027 - Obfuscated Files or Information, T1036 - Masquerading, T1574 - Hijack Execution Flow, T1071 - Application Layer Protocol, T1056 - Input Capture, T1119 - Automated Collection, T1566 - Phishing