{"description": "Enterprise techniques used by HexEval Loader, ATT&CK software S1249 (v1.0)", "name": "HexEval Loader (S1249)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "19", "navigator": "5.3.2"}, "techniques": [{"techniqueID": "T1071", "showSubtechniques": true}, {"techniqueID": "T1071.001", "comment": "[HexEval Loader](https://attack.mitre.org/software/S1249) has used HTTP and HTTPS POST requests to communicate with C2.(Citation: Socket Contagious Interview NPM April 2025)(Citation: Socket BeaverTail XORIndex HexEval Contagious Interview July 2025)(Citation: Socket HexEval BeaverTail Contagious Interview June 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1059", "showSubtechniques": true}, {"techniqueID": "T1059.007", "comment": "[HexEval Loader](https://attack.mitre.org/software/S1249) has executed malicious JavaScript code.(Citation: Socket Contagious Interview NPM April 2025)(Citation: Socket HexEval BeaverTail Contagious Interview June 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1140", "comment": "[HexEval Loader](https://attack.mitre.org/software/S1249) has decoded its payload prior to execution.(Citation: Socket Contagious Interview NPM April 2025)(Citation: Socket BeaverTail XORIndex HexEval Contagious Interview July 2025)(Citation: Socket HexEval BeaverTail Contagious Interview June 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1041", "comment": "[HexEval Loader](https://attack.mitre.org/software/S1249) has exfiltrated victim data using HTTPS POST requests to its C2 servers.(Citation: Socket Contagious Interview NPM April 2025)(Citation: Socket HexEval BeaverTail Contagious Interview June 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1105", "comment": "[HexEval Loader](https://attack.mitre.org/software/S1249) has been used to download a malicious payload to include [BeaverTail](https://attack.mitre.org/software/S1246).(Citation: Socket Contagious Interview NPM April 2025)(Citation: Socket BeaverTail XORIndex HexEval Contagious Interview July 2025)(Citation: Socket HexEval BeaverTail Contagious Interview June 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1056", "showSubtechniques": true}, {"techniqueID": "T1056.001", "comment": "[HexEval Loader](https://attack.mitre.org/software/S1249) has utilized a cross-platform keylogger that has the capability to capture keystrokes on Windows, macOS and Linux systems.(Citation: Socket HexEval BeaverTail Contagious Interview June 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1036", "showSubtechniques": true}, {"techniqueID": "T1036.005", "comment": "[HexEval Loader](https://attack.mitre.org/software/S1249) has masqueraded and typosquatted as legitimate code repository packages and projects.(Citation: Socket Contagious Interview NPM April 2025)(Citation: Socket HexEval BeaverTail Contagious Interview June 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1027", "showSubtechniques": true}, {"techniqueID": "T1027.013", "comment": "[HexEval Loader](https://attack.mitre.org/software/S1249) has encoded module names and C2 URLs as hexadecimal strings in attempts to evade analysis.(Citation: Socket Contagious Interview NPM April 2025)(Citation: Socket HexEval BeaverTail Contagious Interview June 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1082", "comment": "[HexEval Loader](https://attack.mitre.org/software/S1249) has identified the OS and MAC address of victim device through host fingerprinting scripting.(Citation: Socket HexEval BeaverTail Contagious Interview June 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1614", "comment": "[HexEval Loader](https://attack.mitre.org/software/S1249) has a function where the C2 endpoint can identify the geographical location of a victim host based on request headers, execution environment and runtime conditions.(Citation: Socket HexEval BeaverTail Contagious Interview June 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1016", "comment": "[HexEval Loader](https://attack.mitre.org/software/S1249) has leveraged server-side client configurations to identify the public IP of the victim host.(Citation: Socket HexEval BeaverTail Contagious Interview June 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1033", "comment": "[HexEval Loader](https://attack.mitre.org/software/S1249) has collected the username from the victim host.(Citation: Socket HexEval BeaverTail Contagious Interview June 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by HexEval Loader", "color": "#66b1ff"}]}