APT / THREAT GROUP
Hook
2 aliases
Last seen: Mar 17, 2026
Intelligence Profile
According to ThreatFabric, this is a malware family based on apk.ermac. The name "Hook" is the self-advertised name given by its vendor, DukeEugene. It provides WebSocket communication and has RAT capabilities.
Threat Analysis
The sophistication level, national origin, and primary motivation of the operators behind Hook are not established in the available intelligence; its activity patterns remain undetermined.
Intelligence Reports Mentioning Hook
GitHub to Disable npm Install Scripts by Default to Stop Supply Chain Attacks
The Hacker News · Jun 11, 2026
Pre-Stuxnet Fast16 Malware Tampered with Nuclear Weapons Simulations
The Hacker News · May 18, 2026
SAP NPM Packages Targeted in Supply Chain Attack
SecurityWeek · Apr 30, 2026
n8n Webhooks Abused Since October 2025 to Deliver Malware via Phishing Emails
The Hacker News · Apr 15, 2026
Claude Code Flaws Allow Remote Code Execution and API Key Exfiltration
The Hacker News · Feb 25, 2026
Caught in the Hook: RCE and API Token Exfiltration Through Claude Code Project Files | CVE-2025-59536 | CVE-2026-21852
Check Point Research · Feb 25, 2026
APT28 Targeted European Entities Using Webhook-Based Macro Malware
The Hacker News · Feb 23, 2026
Predator spyware hooks iOS SpringBoard to hide mic, camera activity
BleepingComputer · Feb 21, 2026
External References
Quick Facts
Type: APT / Threat Group
Aliases: 2
Also Known As: apk.hook, Hook
External Intelligence
Malpedia: apk.hook
Research Links
Data sourced from Malpedia, Ransomware.live, RansomLook, and CTIWATCH OSINT collection. Actor attribution is based on available intelligence and may be incomplete.