Tag: keylogger

35 Attack Reports | 0 Vulnerabilities

Attack reports

Operation Poisson – Analyzing a Cybercriminal’s Entire Operation

A comprehensive analysis of 339 commands issued by a French-speaking threat actor nicknamed 'Poisson' over 33 days, targeting a French automotive small business and four French individuals. The attacker utilized a multi-stage fileless attack deploying a 70-line Python keylogger to harvest banking a…
openssh
credential-theft
keylogger
tailscale
havoc
france
rustdesk
2026-06-19
fileless-attack
havoc-c2
poisson
vpn-mesh-persistence
Published: June 19, 2026
Downloadable IOCs: 9

Android Banker with Complete Device Takeover Capabilities

A newly identified Android banking trojan named Rokarolla has been discovered, distributed through malicious websites masquerading as popular applications like TikTok or Google Chrome. The malware targets 217 distinct cryptocurrency and banking applications using 137 sophisticated commands for devi…
keylogger
cryptocurrency theft
overlay attacks
accessibility abuse
sms hijacking
android trojan
2026-06-16
banking credentials
rokarolla
Published: June 16, 2026
Downloadable IOCs: 44

BRUSHWORM and BRUSHLOGGER uncovered

A South Asian financial institution was targeted with two custom malware components: BRUSHWORM, a modular backdoor, and BRUSHLOGGER, a keylogger. BRUSHWORM features anti-analysis checks, encrypted configuration, scheduled task persistence, modular payload downloading, USB worm propagation, and exte…
keylogger
2026-03-27
brushlogger
brushworm
Published: March 27, 2026
Downloadable IOCs: 3

EggStreme Malware: Unpacking a New APT Framework Targeting a Philippine Military Company

A Chinese APT group compromised a Philippine military company using a new, fileless malware framework called EggStreme. This sophisticated multi-stage toolset achieves persistent, low-profile espionage by injecting malicious code directly into memory and leveraging DLL sideloading. The core compone…
backdoor
apt
espionage
dll sideloading
keylogger
military
stowaway
fileless malware
2025-09-10
philippines
eggstremefuel
eggstremereflectiveloader
eggstreme
eggstremewizard
eggstremeloader
eggstremekeylogger
eggstremeagent
Published: September 10, 2025
Downloadable IOCs: 12

TINKYWINKEY KEYLOGGER

TinkyWinkey is a sophisticated Windows-based keylogger that combines persistent service execution, low-level keyboard hooks, and comprehensive system profiling. It captures all keystrokes, including special keys and multi-language input, alongside detailed system metrics such as CPU, memory, OS ver…
windows
persistence
service
keylogger
stealth
dll injection
2025-09-01
system profiling
tinkywinkey
Published: September 1, 2025
Downloadable IOCs: 3

This 'SAP Ariba Quote' Isn't What It Seems—It's Ransomware

A sophisticated ransomware campaign has been uncovered, masquerading as a new SAP Ariba tool. The attack uses email lures, sender spoofing, and impersonation of legitimate software vendors to deliver LeeMe Ransomware. The malware employs SAP branding, a fake GUI, and a Portuguese ransom note. It ta…
phishing
social engineering
ransomware
encryption
bitcoin
keylogger
data exfiltration
2025-08-15
sap ariba
leeme ransomware
Published: August 15, 2025
Downloadable IOCs: 0

CVE-2017-11882 Will Never Die

The report discusses the persistent exploitation of CVE-2017-11882, a remote code execution vulnerability affecting Microsoft Office's Equation Editor. Despite being an old vulnerability, it continues to be used by attackers to spread modern malware. The analysis focuses on a malicious Excel file t…
obfuscation
exploit
CVE-2017-11882
keylogger
microsoft office
vipkeylogger
2025-08-13
equation editor
Published: August 13, 2025
Linked vulnerabilities : CVE-2017-11882
Downloadable IOCs: 6

Behind Random Words: DoubleTrouble Mobile Banking Trojan Revealed

A sophisticated mobile banking trojan, DoubleTrouble, has evolved in distribution methods and capabilities. Initially spread through phishing websites impersonating European banks, it now utilizes Discord channels for distribution. The malware employs advanced obfuscation techniques, abuses Android…
android
discord
keylogger
2025-08-01
mobile banking trojan
Published: August 1, 2025
Downloadable IOCs: 40

LNK Trojan delivers REMCOS

This report details a multi-stage malware campaign delivering the REMCOS backdoor via a malicious Windows LNK shortcut file. The attack begins with social engineering, leveraging PowerShell for initial execution and deploys a persistent backdoor capable of full system compromise. The infection chai…
backdoor
powershell
remcos
keylogger
lnk file
c2 communication
pif file
multi-stage attack
base64 encoding
2025-07-30
Published: July 30, 2025
Downloadable IOCs: 8

Applications of Snake Keylogger in Geopolitics: Abuse of Trusted Java Utilities in Cybercriminal Activities

A new phishing campaign using Snake Keylogger, a Russian-origin stealer, has been discovered targeting various victims including corporations, governments, and individuals. The campaign uses spear-phishing emails offering petroleum products, with malicious attachments exploiting the legitimate jsad…
credential theft
dll sideloading
java
keylogger
geopolitical
maas
snake keylogger
spear-phishing
2025-07-06
petroleum
Published: July 6, 2025
Downloadable IOCs: 0

Snake Keylogger in Geopolitical Affairs: Abuse of Trusted Java Utilities in Cybercrime Operations

The S2 Group’s intelligence team has identified through adversary tracking a new phishing campaign by Snake Keylogger, a Russian origin stealer programmed in .NET, targeting various types of victims, such as companies, governments or individuals. The campaign has been identified as using spearphish…
phishing
spearphishing
infostealer
russia
malware-as-a-service
keylogger
maas
snake keylogger
credential stealer
2025-06-30
Published: June 30, 2025
Downloadable IOCs: 34

Stealth Falcon and Horus: A Saga of Middle Eastern Cyber Espionage

Check Point Research (CPR) uncovered an active-weaponized Microsoft WebDAV zero‑day (CVE‑2025‑33053) exploited by the Stealth Falcon APT in a targeted campaign against defense and government organizations across the Middle East and Africa. The attack began with a spear-phishing-disguised .url file …
apt
cyberespionage
webdav
keylogger
mythic
CVE-2025-33053
2025-06-11
zeroday
Published: June 11, 2025
Downloadable IOCs: 40

From Gamer to Malware Developer: Exploring SilverRat and Its Syrian Roots

This analysis delves into the development and capabilities of Silver RAT, a Remote Access Trojan created by a Syrian developer known as 'noradlb1'. The malware, initially observed in November 2023, offers features such as keylogging, UAC bypass, and data encryption. The developer, active on various…
ransomware
keylogger
remote access trojan
antivirus bypass
telegram channels
2025-06-04
syrian developer
hacking forums
silver rat
Published: June 4, 2025
Downloadable IOCs: 0

Operation Endgame 2.0

International law enforcement agencies have taken additional actions in Operation Endgame, targeting cybercriminal organizations, particularly those behind DanaBot. DanaBot is a powerful modular malware family written in Delphi, capable of keylogging, capturing screenshots, recording desktop videos…
espionage
darkgate
ddos
danabot
malware-as-a-service
smokeloader
hijackloader
operation endgame
keylogger
targeted attacks
lumma
globeimposter
cactus
2025-05-23
Published: May 23, 2025
Downloadable IOCs: 9

Fileless Execution: PowerShell Based Shellcode Loader Executes Remcos RAT

A new PowerShell-based shellcode loader has been discovered, designed to execute a variant of Remcos RAT. The attack chain begins with malicious LNK files in ZIP archives, using mshta.exe for initial execution. The loader employs fileless techniques, executing code directly in memory to evade tradi…
powershell
keylogger
process hollowing
remcos rat
evasion techniques
uac bypass
shellcode loader
2025-05-15
tls communication
fileless execution
Published: May 15, 2025
Downloadable IOCs: 5

TerraStealerV2 and TerraLogger: Golden Chickens' New Malware Families Discovered

Insikt Group has discovered two new malware families, TerraStealerV2 and TerraLogger, linked to the financially motivated threat actor Golden Chickens. TerraStealerV2 is designed to steal browser credentials, cryptocurrency wallet data, and browser extension information, while TerraLogger functions…
stealer
credential theft
malware-as-a-service
keylogger
revc2
venomlnk
2025-05-01
terraloader
terrastealerv2
terralogger
browser data
Published: May 1, 2025
Downloadable IOCs: 39

APT Group Profiles - Larva-24005

A new operation named Larva-24005, linked to the Kimsuky group, has been discovered by ASEC. The threat actors exploited RDP vulnerabilities to infiltrate systems, installing MySpy malware and RDPWrap for continuous remote access. They also deployed keyloggers to record user inputs. The group has b…
apt
phishing
kimsuky
south korea
CVE-2017-11882
keylogger
CVE-2019-0708
japan
2025-04-22
randomquery
rdp exploitation
bluekeep
myspy
kimalogger
Published: April 22, 2025
Downloadable IOCs: 0

VHDs Used to Distribute VenomRAT and Other Malware

A phishing campaign is utilizing virtual hard disk (VHD) image files to deliver VenomRAT malware. The attack begins with a purchase order-themed email containing a ZIP archive with a VHD file. When opened, the VHD mounts as a drive and executes a heavily obfuscated batch script. This script employs…
obfuscation
phishing
powershell
persistence
venomrat
keylogger
aes encryption
2025-03-14
vhd
Published: March 14, 2025
Downloadable IOCs: 0

Rat Race: ValleyRAT Malware Targets Organizations with New Delivery Techniques

ValleyRAT, a sophisticated multi-stage malware attributed to Silver Fox APT, has updated its tactics, techniques, and procedures. The malware targets key roles in finance, accounting, and sales departments using phishing emails, malicious websites, and instant messaging platforms. The infection cha…
phishing
persistence
valleyrat
keylogger
dll side-loading
c2 communication
anti-vm
2025-02-05
ghostrat
silver fox apt
Published: February 5, 2025
Downloadable IOCs: 12

Fileless Python InfoStealer Targeting Exodus

A new Python-based info stealer targeting the Exodus crypto wallet has been discovered. This malware employs fileless techniques, clipboard monitoring, and keylogging to capture wallet passwords and sensitive data. It checks for the existence of 'passphrase.json' and, if not found, uses a keylogger…
python
infostealer
keylogger
2025-01-28
exodus
crypto-wallet
Published: January 28, 2025
Downloadable IOCs: 1

Analysis of Attack Cases Against Korean Solutions by the Andariel Group (SmallTiger)

The Andariel group has been targeting various South Korean software solutions, particularly asset management and document management systems. Recent attacks involve the installation of SmallTiger malware, often through exploiting vulnerabilities in outdated software versions. In asset management so…
south korea
rdp
smalltiger
keylogger
web shell
2024-12-31
modeloader
document management
asset management
Published: December 31, 2024
Downloadable IOCs: 5

VIPKeyLogger Infostealer in the Wild

A new infostealer called VIPKeyLogger has been observed with increased activity. It shares similarities with Snake Keylogger and is distributed through phishing campaigns. The malware is delivered as an archive or Microsoft 365 file attachment, which downloads and executes a .NET compiled file. VIP…
infostealer
CVE-2017-11882
keylogger
snake keylogger
2024-12-16
vipkeylogger
Published: December 16, 2024
Downloadable IOCs: 0

Under the SADBRIDGE with GOSAR: QUASAR Gets a Golang Rewrite

Elastic Security Labs has uncovered a new intrusion set targeting Chinese-speaking regions, dubbed REF3864. The threat group employs a custom loader called SADBRIDGE to deploy GOSAR, a Golang-based reimplementation of the QUASAR backdoor. The infection chain involves trojanized MSI installers masqu…
backdoor
keylogger
golang
quasar
2024-12-16
sadbridge
gosar
Published: December 16, 2024
Downloadable IOCs: 13

HawkEye Malware: Technical Analysis

HawkEye, also known as PredatorPain, is a long-lived keylogger malware that has evolved to include stealer capabilities. Originating before 2010, it gained popularity in 2013 through spearphishing campaigns. The malware is typically delivered via phishing emails or compromised websites, and utilize…
spearphishing
stealer
exfiltration
persistence
injection
keylogger
2024-11-13
predatorpain
hawkeye
Published: November 13, 2024
Downloadable IOCs: 4

Unwrapping the emerging Interlock ransomware attack

A new ransomware group called Interlock has emerged, targeting various sectors with big-game hunting and double extortion attacks. The group uses a sophisticated delivery chain including a RAT disguised as a browser updater, PowerShell scripts, credential stealers, and keyloggers. They primarily mo…
rat
ransomware
azure
rdp
keylogger
double-extortion
rhysida
2024-11-07
credential-stealer
interlock
Published: November 7, 2024
Downloadable IOCs: 2

Recent Keylogger Attributed to North Korean Group Andariel

A new keylogger, attributed to the North Korean group Andariel (APT45), has been linked to targeted attacks against U.S. organizations. The malware captures keystrokes and mouse activity, storing data in an encrypted archive. It employs anti-analysis techniques like code obfuscation through junk co…
persistence
anti-analysis
keylogger
apt45
2024-11-04
andariel keylogger
hook procedures
clipboard theft
Published: November 4, 2024
Downloadable IOCs: 1

The New Malware Distribution Service

This analysis uncovers a novel malware distribution mechanism utilizing VBE scripts stored in archive files to spread various malware families, including AgentTesla, Remcos, Snake, and NjRat. It details the infection chain, which involves downloading encoded files from a command-and-control server,…
malware
evasion
remcos
injection
njrat
bladabindi
njw0rm
lv
keylogger
2024-10-16
agenttesla
ekans
snakehose
distribution
Published: October 16, 2024
Downloadable IOCs: 7

Agent Tesla Indicators of Compromise (IOC) Feed

Agent Tesla is a sophisticated malware functioning primarily as a keylogger, capable of capturing sensitive data like usernames and passwords from infected computers. It can also take screenshots, extract credentials from various software, and act as a remote access tool. The malware's versatility …
agent tesla
keylogger
2024-09-18
remote access tool
Published: September 18, 2024
Downloadable IOCs: 9

PowerShell Keylogger

A newly identified keylogger operating via PowerShell script has been analyzed, revealing its capabilities to capture keystrokes, gather system information, and exfiltrate data. The malware uses a cloud server in Finland as a proxy and an Onion server for C2 communication, ensuring anonymity. It im…
powershell
proxy
keylogger
2024-09-04
screen capture
Published: September 4, 2024
Downloadable IOCs: 3

Deep Analysis of Snake Keylogger’s New Variant

FortiGuard Labs recently caught a phishing campaign delivering a new variant of Snake Keylogger, a keylogger malware that can steal sensitive data like saved credentials, keystrokes, and screenshots. The analysis examines the phishing email, malicious Excel document, and techniques used by the malw…
phishing
persistence
credential theft
CVE-2017-0199
keylogger
2024-08-30
process injection
snake keylogger
Published: August 30, 2024
Linked vulnerabilities : CVE-2017-0199
Downloadable IOCs: 8

Kimsuky Group’s New Backdoor (HappyDoor)

This report provides a detailed analysis of the HappyDoor malware, a new backdoor utilized by the Kimsuky threat group known for targeting organizations with spear-phishing attacks. The malware employs sophisticated techniques like self-duplication, hidden execution paths, and encrypted communicati…
powershell
keylogger
happydoor
2024-07-08
pebbledash
alphaseed
infostealing
regsvr32
Published: July 8, 2024
Downloadable IOCs: 7

Exploiting CVE-2021-40444 to Infiltrate Systems

A recently detected attack exploited a vulnerability in Microsoft Office to deploy spyware called MerkSpy. The initial vector was a deceptive Word document posing as a job description. Opening it triggered the exploitation of CVE-2021-40444, allowing arbitrary code execution. This downloaded an HTM…
vulnerability
spyware
keylogger
2024-07-02
information theft
CVE-2021-40444
merkspy
Published: July 2, 2024
Linked vulnerabilities : CVE-2021-40444
Downloadable IOCs: 6

An Android RAT targets Telegram Users

This analysis discusses SpyMax, a Remote Access Trojan (RAT) that targets Android devices and specifically aims at obtaining data from Telegram users. It employs phishing techniques to trick victims into installing a malicious application disguised as the legitimate Telegram app. Once installed, Sp…
surveillance
rat
phishing
android
keylogger
2024-06-28
spymax
Published: June 28, 2024
Downloadable IOCs: 4

Sustained Campaign Using Chinese Espionage Tools Targets Telcos

Attackers using tools associated with Chinese espionage groups have breached multiple telecom operators in a single Asian country in a long-running espionage campaign. The attackers placed backdoors on the networks of targeted companies and also attempted to steal credentials.
backdoor
espionage
credential theft
keylogger
2024-06-20
coolclient
quickheal
rainyday
telecommunications
responder
Published: June 20, 2024
Downloadable IOCs: 47

Keylogger Installed Using MS Office Equation Editor Vulnerability (Kimsuky)

This technical analysis examines a campaign by the Kimsuky threat group that exploited a vulnerability (CVE-2017-11882) in the Microsoft Office Equation Editor to distribute malware. The attackers used mshta.exe to run a malicious script that downloads additional components, including a keylogger. …
apt
CVE-2017-11882
2024-06-13
keylogger
Published: June 13, 2024
Linked vulnerabilities : CVE-2017-11882
Downloadable IOCs: 0
Click here to see more Attack Reports