Nighthawk is an advanced C2 framework intended for red team operations through commercial licensing. Proofpoint researchers observed initial use of the framework in September 2022 by a likely red team. Proofpoint has seen no indications at this time that leaked versions of Nighthawk are being used by attributed threat actors in the wild. The tool has a robust list of configurable evasion techniques that are referenced as “opsec” functions throughout its code. Proofpoint researchers expect Nighthawk will show up in threat actor campaigns as the tool becomes more widely recognized or as threat actors search for new, more capable tools to use against targets.
Based on the repository URL, Proofpoint researchers initially attributed Nighthawk to a developer named “Atropos”. Proofpoint subsequently discovered that the same developer was behind another known tool called “Prowl.” In a blog post published in May 2021, Atropos described Prowl as “a ducky-like framework that allows you to quickly carry out different tasks without having to worry about automation and scripting of these attacks.” Atropos’ Github account was [publicly] available at the time of that post; the repository URL has not been updated since that time.
In June 2022, a vendor listed Prowl as one of their products. An open-source C2 framework for penetration testers and red teams, Prowl is developed in Python, uses Postgres for its database, and can be configured to use several keylogging techniques. It also has an “opsec” function module to hide generic IP addresses seen in logs. An older description of the product is available on Github, but no official website listing or documentation appears to be present. The availability of Prowl also appears to be limited to a relatively small set of products and services.
In August 2022, Proofpoint researchers observed the use of an unknown C2 framework (in this case, Nighthawk) in social media accounts belonging to a likely red team. As noted above, Proofpoint has not observed indications that the leaked version of Nighthawk is being used by attributed threat actors in the wild at this time. The use of new frameworks and tools by threat actors may lead to increased use of automated tools and malware families across the threat landscape as attackers attempt to enforce consistency among their own operations as well as with other malicious activity they encounter.