HAWKBALL is a backdoor that was observed in targeting of the government sector in Central Asia.[1]

| Item | Value |
|---|---|
| ID | S0391 |
| Associated Names | |
| Version | 1.1 |
| Created | 20 June 2019 |
| Last Modified | 30 March 2020 |

Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1071 | Application Layer Protocol | - |
| enterprise | T1071.001 | Web Protocols | HAWKBALL has used HTTP to communicate with a single hard-coded C2 server.[1] |
| enterprise | T1560 | Archive Collected Data | - |
| enterprise | T1560.003 | Archive via Custom Method | HAWKBALL has encrypted data with XOR before sending it over the C2 channel.[1] |
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.003 | Windows Command Shell | HAWKBALL has created a cmd.exe reverse shell, executed commands, and uploaded output via the command line.[1] |
| enterprise | T1041 | Exfiltration Over C2 Channel | HAWKBALL has sent system information and files over the C2 channel.[1] |
| enterprise | T1203 | Exploitation for Client Execution | HAWKBALL has exploited Microsoft Office vulnerabilities CVE-2017-11882 and CVE-2018-0802 to deliver the payload.[1] |
| enterprise | T1070 | Indicator Removal | - |
| enterprise | T1070.004 | File Deletion | HAWKBALL has the ability to delete files.[1] |
| enterprise | T1559 | Inter-Process Communication | - |
| enterprise | T1559.002 | Dynamic Data Exchange | HAWKBALL has used an OLE object that uses Equation Editor to drop the embedded shellcode.[1] |
| enterprise | T1106 | Native API | HAWKBALL has leveraged several Windows API calls to create processes, gather disk information, and detect debugger activity.[1] |
| enterprise | T1027 | Obfuscated Files or Information | HAWKBALL has encrypted the payload with an XOR-based algorithm.[1] |
| enterprise | T1082 | System Information Discovery | HAWKBALL can collect the OS version, architecture information, and computer name.[1] |
| enterprise | T1033 | System Owner/User Discovery | HAWKBALL can collect the user name of the system.[1] |