Malware (used by 2 actors)

Hawking Listener

Hawking Listener is an early-stage 32-bit .NET/C# Windows implant that uses the .NET HTTPListener class to open a listener on a specified port and execute commands through cmd.exe. Reporting links it to the Iran-aligned threat group BladedFeline, which ESET assesses with medium confidence to be a subgroup of OilRig. The malware has been described as part of BladedFeline’s broader toolset used in long-term cyberespionage operations against Kurdish and Iraqi government officials, including Kurdistan Regional Government environments, and it has also been mentioned alongside activity affecting a regional telecommunications provider in Uzbekistan. Hawking Listener receives commands via HTTP, including through a specific QueryString key, and functions as a supplementary implant within a larger intrusion set that also includes tools such as Slippery Snakelet, Laret, Pinar, Whisper, Shahmaran, PrimeCache, and Flog. A Hawking Listener sample was reported uploaded to VirusTotal in March 2024 by the same submitter associated with the Flog web shell.


THREAT ACTORS

Groups observed using it

2 distinct threat actors attributed by public researchers.

BladedFeline

Hawking Listener, so named for its PDB string ... is a 32-bit .NET/C# Windows binary ... It implements the .NET HTTPListener class to set up a listener.

via ESET WeLiveSecurity blog (welivesecurity.com)
OilRig

The threat group has also deployed newer implants like Slippery Snakelet and Hawking Listener, as well as tunneling tools Laret and Pinar for persistence.

via SentinelOne blog (sentinelone.com)
MITRE ATT&CK

Techniques & procedures

3 distinct techniques documented for this family, organized by ATT&CK tactic.

Execution

1 technique
T1059.003 Windows Command Shell (evidence: 1)

Possible commands include... Execute a PowerShell script... Slippery Snakelet is a small Python-based backdoor with limited capabilities: 1. executes a command via cmd.exe ... Once received, Hawking executes the value in cmd.exe and returns the output.

Stealth

1 technique
T1070.006 Timestomp (evidence: 1)

Both have timestomped PE compilation timestamps – a tactic that is common amongst Middle Eastern (and particularly Iran-nexus) threat groups... Both these versions of Whisper have timestomped compilation timestamps... BladedFeline routinely timestomps the compilation timestamps of malware that the group develops.

Command and Control

1 technique
T1071.001 Web Protocols (evidence: 1)

PrimeCache uses standard web protocols for communication with the C&C server.
