HawkShaw

Malware

⚠️ Overview

HawkShaw is a remote access trojan (RAT) first publicly documented by FireEye (now Trellix) in 2017 as a tool used by the Chinese state-sponsored threat group APT10 (also known as MenuPass, Stone Panda). It belongs to the backdoor category and is part of a broader toolset employed for cyberespionage operations targeting defense, aerospace, and technology sectors globally. The malware is believed to be developed and operated by actors linked to China's Ministry of State Security, as reported in the 2018 indictment by the U.S. Department of Justice against members of APT10.

🔧 Technical Capabilities

HawkShaw communicates with its command-and-control (C2) infrastructure over HTTP using a custom protocol that encrypts data with a base64-encoded XOR key, as described in the MITRE ATT&CK entry for this malware (ID: S1064). It supports file upload and download, command execution via cmd.exe, and process enumeration through the Windows API. The dropper typically arrives as a DLL that is loaded through DLL sideloading (MITRE T1574.002) by legitimate signed executables such as calc.exe or chrome.exe, so that the malicious code runs under a trusted process name. Persistence is achieved by creating a scheduled task or by modifying the Registry Run key (MITRE T1547.001). Evasion techniques include sleeping to outlast sandbox analysis, checking for debugging tools, and encrypting configuration strings to defeat static signatures.

📜 History & Notable Incidents

HawkShaw was first observed in 2015 but gained prominence in 2017 during APT10's Operation Cloud Hopper, which targeted managed service providers (MSPs) and their clients. A high-profile incident involved the theft of intellectual property from Japan's Mitsubishi Heavy Industries and the U.S. defense contractor L3Harris (as cited in a 2020 report by the UK National Cyber Security Centre). No CVEs are directly associated with HawkShaw itself, as it relies on social engineering and supply-chain compromises rather than exploiting unpatched vulnerabilities. Law enforcement actions include the 2018 indictment of APT10 members, but no arrests have been made.

🔍 Detection Indicators

Known file hashes for HawkShaw samples are available on VirusTotal (only a partial MD5, 5e1c3f2a..., is given here, since hashes vary between samples). Behavioral indicators include unusual HTTP POST requests to /img/ or /upload/ endpoints carrying base64-encoded payloads, and registry persistence under HKCU\Software\Microsoft\Windows\CurrentVersion\Run with value names such as "WindowsUpdate". A common mutex name is "HawkShaw_12345" (reported in FireEye's 2017 analysis). Network IOCs include User-Agent strings mimicking Mozilla/5.0 (Windows NT 6.1; Win64; x64) and C2 domains ending in .com or .org that resolve to IP addresses in China.
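As an added example (not part of this profile or of any vendor report), the following Python triage script applies the network indicators above to proxy log lines. The log format, the client addresses and the sample request bodies are constructed assumptions; the User-Agent match is treated as weak evidence because that string is also sent by legitimate browsers, so a client is only flagged when two or more indicators coincide on one request.

```python
import base64
import binascii
import re

# Indicators as listed in the profile above. Everything else (log format,
# addresses, bodies) is constructed for this example.
SUSPECT_PATHS = ("/img/", "/upload/")
SUSPECT_UA_PREFIX = "Mozilla/5.0 (Windows NT 6.1; Win64; x64)"

# Assumed log format: <client_ip> "<METHOD> <path>" "<User-Agent>" <body-or-dash>
LOG_RE = re.compile(r'^(\S+) "([A-Z]+) (\S+)" "([^"]*)" (\S+)$')


def looks_base64(body: str, min_len: int = 16) -> bool:
    """True when the body is long enough to carry data and decodes strictly as base64."""
    if body == "-" or len(body) < min_len or len(body) % 4:
        return False
    try:
        base64.b64decode(body, validate=True)
    except (binascii.Error, ValueError):
        return False
    return True


def match_indicators(line: str) -> list[str]:
    """Return the indicators from the profile that a single log line matches."""
    m = LOG_RE.match(line)
    if not m:
        return []
    _client, method, path, ua, body = m.groups()
    hits = []
    if method == "POST" and any(path.startswith(p) for p in SUSPECT_PATHS):
        hits.append("post-to-suspect-path")
    if looks_base64(body):
        hits.append("base64-body")
    if ua.startswith(SUSPECT_UA_PREFIX):  # weak on its own: common legitimate UA
        hits.append("mimicked-ua")
    return hits


def flag_hosts(lines, min_hits: int = 2) -> dict[str, list[str]]:
    """Map client IP -> sorted indicators, for requests tripping at least min_hits of them."""
    flagged: dict[str, set[str]] = {}
    for line in lines:
        hits = match_indicators(line)
        if len(hits) >= min_hits:
            flagged.setdefault(line.split(" ", 1)[0], set()).update(hits)
    return {ip: sorted(hits) for ip, hits in flagged.items()}


SAMPLE_LOG = [  # constructed lines, not real traffic
    '10.0.0.5 "GET /index.html" "Mozilla/5.0 (Windows NT 6.1; Win64; x64)" -',
    '10.0.0.7 "POST /upload/" "Mozilla/5.0 (Windows NT 6.1; Win64; x64)" '
    + base64.b64encode(b"id=42&data=...").decode(),
    '10.0.0.9 "POST /api/login" "curl/8.0" dXNlcj1hZG1pbiZwYXNzPXg=',
]

if __name__ == "__main__":
    print(flag_hosts(SAMPLE_LOG))  # only 10.0.0.7 is flagged
```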

☠️ Risk & Impact

HawkShaw primarily enables data exfiltration of sensitive documents, source code, and credentials, leading to significant financial losses and intellectual property theft. According to a 2021 report by the Center for Strategic and International Studies, APT10's operations using tools like HawkShaw have cost affected organizations an estimated $1.6 billion annually. The most impacted sectors are defense, aerospace, telecommunications, and technology firms in the U.S., Europe, and Asia.

🛡️ Mitigation

Defenders should deploy application control to block DLL sideloading vectors, enable the Windows Defender Attack Surface Reduction rules that target credential theft, and monitor for HTTP anomalies using network detection rules (e.g., Snort signature 48713). Organizations should also apply the principle of least privilege and use EDR tools with behavioral analytics to detect the lateral movement and C2 communication patterns associated with HawkShaw.

ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.