The 5 Most Notorious Spyware Attacks

Spyware is more offensive than other forms of malware in that the attack itself can feel more personal.

Many malware categories can lock machines or steal credit card numbers, but Spyware can take over a person’s life, harvesting every detail and even giving hackers insight into their private lives.

Spyware, as the name implies, is a piece of malicious spying software. When it takes root on a device, it will communicate back to the hackers’ control center, and there are a few different ways it can manifest.

Screen grabbing is a common Spyware behavior. This kind of Spyware takes screenshots of your device’s current display. This is not as commonly used as some of the other methods.

Camera Control is an incredibly invasive Spyware manifestation. This Spyware will access a device’s camera, feeding all footage back to the hackers’ command center. There are some novel remedies around this, such as placing a block over your device’s physical camera lens. However, this issue has become much more serious with the adoption of Internet-of-Things devices worldwide. Many homes now have arrays of cameras, both inside and outside, controlled by or linked to an app. These are tempting targets for any hacker with Spyware at their command. Related to this is Microphone Control. This is the same idea, only recording the user’s audio.

Keylogging, or keystroke logging, is perhaps the most common and most lucrative category of Spyware. When Spyware infects a device with a keylogger, every key pressed on the keyboard is recorded and returned to the hacker. This arrives as streams of data, which the hacker must search for user passwords and other credentials. This may seem like a cumbersome task, but a malicious program recording text data leaves a much smaller footprint than a bulkier program trying to return audio or video.

Spyware often walks a line between legal and illegal.

For example, many types of Spyware, including keyloggers and screen grabbers, are available over-the-counter for businesses that wish to install them on company computers to monitor employee activity at work.

Law-enforcement agencies have long used Spyware. The Federal Bureau of Investigation developed Magic Lantern as a keylogger to monitor suspects and targets. MSNBC broke the news of Magic Lantern’s existence publicly in 2001, and it led to a wider conversation about whether antivirus software should detect government-developed spyware for the user.

This conversation has again heated up. In 2016, The Shadow Brokers stole several tools from the National Surveillance Agency, many of which were Spyware orientated. Considering that much government-developed spyware has fallen into the wrong hands, it seems wise for antivirus companies to block it.

There have been thousands of Spyware incidents over the years, and many times the same names will appear in one form or another. Let’s look at the 5 most notorious Spyware attacks we’ve seen on the web.

Most Notorious Spyware Attacks #5: DarkHotel


DarkHotel first appeared in South Korea in 2014 and has been a persistent threat since. DarkHotel is a remarkably complex form of Spyware and its attack campaigns specifically target hotels.

DarkHotel will target a hotel’s unsecured wifi. Once in, it will falsify certificates and prompt users to download software updates that carry that network’s certification.

Once downloaded, DarkHotel will activate as keylogging Spyware.

Although anybody in the hotel can fall victim to this, DarkHotel was specifically engineered to target senior company executives.

The executives it targets are from various sectors: investments and development, government agencies, defense industries, electronic manufacturers, and energy policymakers.

The majority of the victims have been in Korea, Russia, China, and Japan, though DarkHotel has hit several US victims in the last 2 years.

DarkHotel will log a certain number of keys before deleting itself to avoid detection. Business passwords, banking credentials, and even intellectual property have all been stolen by DarkHotel.

Most Notorious Spyware Attacks #4: CoolWebSearch


CoolWebSearch (also known as CoolWWWSearch or abbreviated as CWS) is not as complicated as its counterparts, but its longevity and propagation cement its place as #4 on the list.

CWS was first spotted way back in 2003, and has never left the digital landscape. Year after year, it tops antivirus companies’ lists of most-removed Spyware because of how widespread it is.

When CWS is first installed on a computer, it is instantly noticeable. The main browser’s homepage will be redirected to The browser will continuously create pop-ups, usually to pornography and gambling websites. This classifies CWS as Adware as well as Spyware.

CWS will change permissions within the browsers, marking unsafe sites as safe, and will try to pull the user toward them. While it will key log all information typed into these sites, it will also try to key log every other site if it has burrowed deeply enough into a computer.

CWS is generally easy to remove with most antivirus software programs. However, it is in a constant state of update, making it more difficult to remove each time.

Most Notorious Spyware Attacks #3: Olympic Vision


Olympic Vision is a widespread and lucrative form of Spyware.

It is available to purchase online for just $25, which has contributed to its global propagation. It is currently in 18 countries, including the United States.

Olympic Vision’s ability to make money resides in its most common target choice: businesses.

Once installed in a system, Olympic Vision can access data stored within the Windows Registry (to avoid detection), within the browser, and within email clients. It will key log nearly 100% of inputs on the host device and send them back to the hackers’ command center.

A regular attack vector for Olympic Vision campaigns requires a high amount of social engineering. By reading business emails, hackers will study the corporate infrastructure of their target and find who is responsible for making bank transfers.

They will then craft convincing emails requesting money. These will usually replace regular cash transfers that take place within a business. In 2016, the FBI reported that hackers using Olympic Vision had managed to make off with $800 million from businesses.

Most Notorious Spyware Attacks #2: HawkEye


HawkEye was considered dormant for many years, but it made a significant comeback in 2020 at the start of the COVID-19 Pandemic.

In 2013, HawkEye was a notable but standard piece of Spyware; once it infected machines, it keylogged some inputs and returned them to the control center.

It enjoyed some time in the center stage, but eventually began to be detected less. There were rumors that HawkEye had seen a change of management between criminal organizations.

The rumors were true, and in 2019 the Internet saw ‘HawkEye Reborn v9’. While operating much like its previous form, it now had exceptional anti-detection features, making it very difficult to remove from a host, or even find.

Furthermore, HawkEye had developed a business model for itself. The underworld organization behind it was now selling licenses that independent hackers could purchase, effectively renting HawkEye for a limited number of uses.

The unscrupulous developers have gone a step further with HawkEye, adding a constant stream of updates to improve the service.

When the COVID-19 Pandemic hit, HawkEye saw a huge surge in popularity.

The hackers decided to try to prey on the fear of people worried about the nature of COVID itself and of the vaccine.

It began being distributed as an email purporting to be an “alert” from the Director-General of the World Health Organization (WHO). The alert email claimed to have important information about either COVID or the vaccine contained in an attachment, but of course the attachment was simply there to deploy HawkEye onto the user’s machine.
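The lure described above has traits a mail filter can check. The following is an added example, not part of the original article or any vendor's product: it scores a message for a sender name claiming to be WHO from a non-WHO domain, a missing DMARC pass, and a risky attachment. The trusted domain (who.int), the extension list, and both sample messages are assumptions constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Assumptions of this sketch, not from the article: who.int is the real WHO
# mail domain, and the extensions below are treated as risky attachments.
TRUSTED_DOMAIN = "who.int"
BRAND_WORDS = ("world health organization", "who director")
RISKY_EXT = (".exe", ".scr", ".iso", ".img", ".zip", ".rar", ".js", ".vbs", ".docm")

def score_message(raw: str) -> list:
    """Return the reasons a message looks like a WHO-impersonation lure."""
    msg = email.message_from_string(raw, policy=policy.default)
    reasons = []
    display, addr = parseaddr(str(msg.get("From", "")))
    domain = addr.rpartition("@")[2].lower()
    claims_who = any(w in display.lower() for w in BRAND_WORDS)
    trusted = domain == TRUSTED_DOMAIN or domain.endswith("." + TRUSTED_DOMAIN)
    if claims_who and not trusted:
        reasons.append(f"display name claims WHO but sender domain is {domain}")
    # Only trust an Authentication-Results header stamped by your own mail gateway.
    if "dmarc=pass" not in str(msg.get("Authentication-Results", "")).lower():
        reasons.append("no DMARC pass recorded")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXT):
            reasons.append(f"risky attachment: {name}")
    return reasons

def build_sample(sender, auth, attachment=None):
    """Build a constructed test message (not a captured sample)."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = sender, "user@example.com", "COVID-19 alert"
    m["Authentication-Results"] = auth
    m.set_content("Important information is in the attachment.")
    if attachment:
        m.add_attachment(b"placeholder", maintype="application",
                         subtype="octet-stream", filename=attachment)
    return m.as_string()

LURE = build_sample("WHO Director-General <alert@mail.example>",
                    "mx.example.com; dmarc=fail", "covid_alert.exe")
BENIGN = build_sample("WHO Media <media@who.int>", "mx.example.com; dmarc=pass")

if __name__ == "__main__":
    for label, raw in (("lure", LURE), ("benign", BENIGN)):
        print(label, score_message(raw))
```
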

At time of writing, HawkEye is still being propagated on the same campaign.

Most Notorious Spyware Attacks #1: Agent Tesla


As of February 2021, Agent Tesla (AT) is the most complex and most difficult to detect piece of Spyware available to hackers.

AT will access the machine as a trojan, usually within an email. It will then activate as a Remote Access Trojan (RAT). What this means is that not only does AT have Spyware capabilities, but it can also control your device entirely.

The organization behind AT may, in fact, be the same as HawkEye’s. They operate a business, selling monthly licenses. They even offer 24/7 support for their users and a Discord (a popular messaging service similar to the chat rooms of the 90s and 00s) chat channel to brainstorm new attack vectors and ideas.

The developers even offer guides on how to proliferate across several avenues.

The combination of key-logging and remote access can prove to be very troublesome. If you have AT, the hacker could take your passwords and then wait until they can confirm your computer is active but unattended. They could then make changes to your accounts without you knowing, because automatic logins will skip 2-Factor-Authentication when they come from a known device.

In January of 2021, AT received an update that allows it to modify the code in Windows Defender to avoid detection. This kind of complexity is a first for Spyware programs.

While initially detected in 2018, it is believed AT has been at large for 7 years without any detection.

With skilled developers, a decent schedule of updates, easy availability, reasonable pricing, and an ever-growing community of subscribers, Agent Tesla may remain #1 on the list of most notorious Spyware for quite a while.

Protection Against Spyware

Like stopping a bullet, there are no cybersecurity solutions that are always 100% effective against Spyware. But SaferNet gives you a fighting chance of stopping one of the above from deploying on your machine.

SaferNet is the perfect solution to the cybersecurity issues that individuals, families, and businesses face today. It not only connects every device using a secure, 24/7 always-on, military-grade VPN, but it also stops outside cyberthreats, malware and viruses as well. On SaferNet, all users are protected anywhere in the world, all the time, on any cellular or Wi-Fi network. In addition to SaferNet’s VPN and cyber protection, it also offers a range of employee or parental/family internet controls including internet filtering, monitoring, scheduling, and blocking access to websites or even entire website categories.

Typically, a business or family would need 3 separate services for a VPN, Malware Protection, and Internet Controls; SaferNet offers all 3 features in one service. SaferNet truly is an endpoint security presence that can be implemented in minutes around the world, on phones, laptops, tablets, and computers at an economical price point that caters to all sizes of businesses and families. SaferNet guarantees a smooth setup and installation process that takes only minutes, and an easily accessible control hub for you to monitor all your employees’ or family members’ devices, including activity, time spent online, and threats blocked.
