Skip Navigation

August 25, 2023 |

Creepy ‘Whiffy Recon’ malware designed to give hackers victims’ location

Loading table of contents...

A new Wi-Fi scanning malware, ‘Whiffy Recon,’ has been observed on Windows machines previously compromised with SmokeLoader. Once installed, Whiffy Recon scans the Windows WLAN API every 60 seconds and sends the results to Google’s geolocation API to triangulate the device’s location. The location information is ultimately sent to a command and control (C2) server under the threat actor’s control in the form of a JSON string. Whiffy Recon achieves persistence by placing a shortcut in the Windows startup folder.

Source: The Hacker News


The ability to geolocate a victim’s device is not typically a capability associated with cybercriminal activity, as, in and of itself, it cannot be used for financial gain or to obtain sensitive data. In most cases, the location of a victim is typically irrelevant, unless the threat actor has some sort of agreement with their host government to only target victims outside their host country. If this is the case, controls to prevent unwanted victims are usually built into the malware itself, such as terminating when a specific language pack, time-zone, or IP address is detected.

Whiffy Recon could be extremely useful to nation-state law enforcement and intelligence agencies seeking to monitor a target’s whereabouts. Similarly, cyber stalkers could use Whiffy Recon to spy on their spouses or intimate partners. However, it’s very likely that the deployment of Whiffy Recon will be limited to select targets, given the unique demand for the capability and that it requires the host to first be compromised with SmokeLoader.


Field Effect’s team of Security Intelligence professionals constantly monitor the cyber threat landscape for threats like SmokeLoader and Whiffy Recon. This research contributes to the timely deployment of signatures into Covalence to detect and mitigate the exploitation of these vulnerabilities. Covalence users are automatically notified when vulnerable software and devices are detected in their environment and are encouraged to review these AROs as quickly as possible.