According to researchers from Proofpoint, a new legitimate penetration-testing framework called Nighthawk may attract the attention of attackers because of its wide functionality, which is similar to that of Cobalt Strike. The company's experts discovered the use of the framework in mid-September 2022, when it was used to send several test emails containing the lines "Just checking in" and "Hope this works2". However, there is no indication that a license has leaked onto the dark web or that a Nighthawk crack has emerged that hackers could exploit.
Nighthawk is a pentest toolkit released in December 2021 by MDSec. Its functionality is comparable to that of Cobalt Strike, Sliver and Brute Ratel, and it offers a similar set of tools. A single user license costs $10,000 per year.
According to Proofpoint, the aforementioned emails contained URLs that, when clicked, redirected recipients to an ISO image containing an obfuscated loader with a Nighthawk payload, which uses a complex set of features to evade detection.
Of particular note are the mechanisms that prevent endpoint security solutions from alerting on newly loaded DLLs and that bypass process memory scans by using a self-encrypting mode.
Since attackers are already using cracked versions of Cobalt Strike and other penetration-testing tools, experts believe that Nighthawk may share their fate and become another weapon in the hands of hacker groups that want to diversify their attack methods and add a relatively unknown framework to their arsenal.