  • Threat Type: Trojan Spy

  • Destructiveness: No

  • Encrypted:

  • In the wild: Yes


Golroted is the Trend Micro detection for Hawkeye, a simple keylogger used by Nigerian scammers who targeted small and medium-sized businesses in 2015. The keylogger enabled the scammers to obtain information about their victims' partners, affiliates and business contacts, which they used to launch more scams and to move laterally across larger organizations related to the original victims.

Golroted is distributed in Microsoft Word, Microsoft Excel and Rich Text Format files through phishing emails. The attachment contains encrypted malware code hidden within the document. This spyware sends the stolen information to the email address of the cybercriminal via Simple Mail Transfer Protocol (SMTP).

Golroted steals the following:

  • Computer Information (OS info, IP, System privileges)

  • User names and passwords of games such as Minecraft

  • Account information stored by File Transfer Protocol (FTP) clients or file manager software

  • Email credentials of popular mail clients

  • User names, passwords, and hostnames stored in browsers

  • Users' keystrokes

It is capable of the following:

  • Information theft

  • Propagation

It has the following potential impact:

  • Financial loss - steals the user's financial information by stealing browser information

  • Compromise of system security - disables the user's security software

  • Violation of user privacy - gathers user credentials, logs keystrokes and steals user information

Golroted typically follows the infection chain below: