Experts from Proofpoint have released a report on Nighthawk, an advanced C2 framework that hackers can start using instead of Cobalt Strike.
After observing how the framework was used by a certain red team in September 2022, the researchers concluded that criminals might also like Nighthawk.

Let me remind you that we also wrote that Google Decided to Fight Hacked Versions of Cobalt Strike, and also, for example, that Hackers Are Switching from Cobalt Strike to Brute Ratel C4.
Nighthawk is developed and marketed by the European company MDSec, which offers its customers tools and services for adversary simulation and penetration testing.
The experts write that in September they observed Nighthawk being used by the red team of an unnamed company, but so far they have not found any signs of hacked or “leaked” versions of Nighthawk that could be used by attackers. However, Proofpoint encourages incident responders to start looking for signs of Nighthawk abuse by hackers.
In response, representatives of MDSec have already published their own statement, in which they explain that the Proofpoint experts did not contact them before publication and, for some reason, are drawing attackers' attention to Nighthawk by describing some of the tool's functions (which became known, in part, through reverse engineering).
The company emphasizes that it carefully vets all buyers of Nighthawk licenses, sells its product only to certain countries (EU, Australia, Canada, Japan, New Zealand, Norway, Switzerland and the United States), and does not distribute trial versions of Nighthawk, as this has led to the abuse of other similar products in the past.
Overall, Cobalt Strike is still the most popular framework among hackers, and because of its high price, attackers use hacked or old versions of the program.