The Evolution of Keyloggers

10048232671?profile=RESIZE_400xKeyloggers have been around for decades. They have constantly adapted to the changing technology landscape and remain an effective method used by attackers to obtain information about computer users.  In this report we take a look at what keyloggers do, how they have changed, and what keyloggers to look out for going forward.

Keyloggers are software or hardware devices used to record keyboard inputs by users on a computer. They were originally invented for corporations to monitor employee computer usage, for parents to check on their children’s computer behaviors, and for IT departments to troubleshoot problems. Keylogging is useful for surveillance purposes, but it didn’t take long for attackers to take advantage of keylogging functionality to steal credentials and other personal information from victims.

Keyloggers have advanced over the years to allow users to log screenshots or videos, access microphones and cameras, and log the clipboards from targeted machines. Some keyloggers send their logs to a remote server so malicious actors can review the information for useful inputs like credentials, Personal Identification Numbers (PINs), and banking information.

There are two general types of keyloggers; hardware keyloggers and software keyloggers. Hardware keyloggers are physical devices that are installed between the keyboard and computer. From an attacker’s perspective, the hardware variation of the keylogger is more difficult to install than the software keylogger because it requires physical access to the target machine. The attacker must go undetected in the physical installation process in order for the attack to be successful. Depending on the device, the logger may be able to send the information to a remote server, or it may store the logs locally, in which case the attacker would again need to access the machine to recover the device. The physical access required to deploy a physical keylogger greatly limits its usability.

Software keyloggers are easier to install and thus are more frequently deployed. The software variation of keyloggers can be installed as malware through phishing emails and trojan downloads. The keylogger is designed to avoid detection and cause minimal interruptions while stealing your information.

One software keylogger that has been in the wild for close to a decade is the HawkEye keylogger.[1] HawkEye is most frequently installed through phishing emails, however there are instances of it being installed as a trojan. HawkEye deceives users and antivirus software by using a technique called process hollowing. Process hollowing is where the malware generates new instances of a harmless process and swaps the code that it is running with malicious code.

HawkEye also injects the payload into MSBuild.exe, RegAsm.exe, and VBC.exe which are all part of the .NET framework used for software development. Efforts to remain undetected include a delay before execution to avoid automated sandbox tools, targeting specific antivirus processes and stopping them as well as blocking access to domains used to update antivirus software. HawkEye stores the stolen information in Tmp files in the %Temp% folder and once the information is sent to a remote server these files will be deleted. HawkEye also takes control of the command prompt, registry editor, and task manager, to prevent users from disabling processes. Finally, HawkEye scans the computer for other malicious software and removes any other malware that it finds.[2]

As the technology world evolves so too does the cyber threat landscape. With more people accessing information with mobile devices like smartphones and tablets, attackers have had to change their tactics. Keyloggers are still a relevant attack vector, but there is a new method that attackers are leveraging to take advantage of the shift towards mobile connectivity.

Much like the origin of computer keyloggers, mobile keyloggers have been developed to monitor employees, children, spouses, and troubleshoot technology issues. While the use of keyloggers for monitoring purposes is legal, attackers are leveraging these keyloggers to illegally spy, stalk, and steal the identities of victims.

Your cellphone stores and uses a significant amount of sensitive information. Credentials for social media accounts, email accounts, bank accounts, and more are all readily available in your pocket when you need them. If an attacker has installed a keylogger on your Android or iOS device, they can also access this information. Mobile keyloggers can also access messages, geolocation, microphones for ambient listening, and some can even hijack your phone.

Mobile keyloggers include Neatpsy, Spyic, Spyzie, Minspy, sPyine, FlexiSPY, Highster Mobile, TheTruthSpy, Mobile Spy, XNSpy, Copy9, Appmia, TTSPY, mSpy, Hoverwatch, and iKeyMonitor.[3] The majority of these products require a license subscription and are used for legitimate purposes, but there are still developers working on mobile malware to target cellphones.

The Rogue malware seen in early 2021 is an example of malware targeting mobile devices. It has been seen on the dark web and in underground forums for purchase for $29.99 and features many of the functions of the commercial mobile keyloggers.[4]

This attack type has not garnered the same attention as more widespread methods like computer keyloggers or ransomware, but that does not mean it should be ignored.

Pictured below is a graph created using the Cyber Threat Analysis Collection (CTAC) tool by Red Sky Alliance.  The graph indicates the amount of keylogger ‘hits’ were injested by our data collection between January 1, 2020 and January 1, 2022, spanning the past two years.  The keyloggers that CTAC collects data on include HawkEye and Predator Pain.


This collection table from July of 2021 shows a marked high of 283,119 hits.  This can be attributed to the hits being hung up reaching the collection databse due to a technical issue.  This back log of data was collected during the prior months and was processed all at once, on 8 July 2021.  

The following graph contains the same data omitting July 2021. The data shows a visibile decline in keylogger hits as the year 2021 progresses.

The CTAC data collected from keyloggers has been decresing steadily since May of 2021.  With less than 100 hits in October and December, and only 84 hits in January 2022 - it begs the question what is happening to the keylogger data?

The Snake keylogger was first detected in November of 2020 and following an extensive phishing campaign through Summer 2021, it has risen to the position of second most prevelant malware.[5]  Pictured below is a graph showing the different variants of the Snake keylogger the were uploaded to MalwareBazaar between 20 December 2021 and 25 January 2022.


There were a total of 195 different samples of malware with the Snake Keylogger signature uploaded in this time period.  Between December of 2020 and January of 2022, a total of 4,622 samples of Snake malware have been uploaded to MalwareBazaar.  Between March 2020 and December of 2021, there were 919 total samples of malware with the HawkEye signature uploaded to MawlwareBazaar.  Comparing the number of Snake samples to the HawkEye samples it is likely that HawkEye has fallen out of favor with attackers, and they are adopting the Snake malware as the go-to keylogger and credential stealer.  This shift in keylogger usage likely explains the down trend in keylogger collections in CTAC (as CTAC collects credentials compromised using HawkEye and Predator Pain keyloggers).

The downtrend in CTAC keylogger data does not necessarily mean that keyloggers are no longer a threat, in fact we can reasonably conclude that keyloggers are still widley attack method based on the influx of Snake keylogger samples being uploaded to MalwareBazaar and the data ranking Snake Keylogger as the second most popular malware worldwide.  The methods of this attack remains conctant even though the tools are evolving. 

In order to protect against keylogging, it is vital to raise employee awareness about phishing attempts; always ensuring that all software and file downloads come from trusted sources, antivirus software is up to date.  Never click links in suspicious emails or messages.  Always use strong passwords, and use multifactor authentication where applicable.  Mobile keylogging can have negative symptoms including decreased battery life, physical heat coming from the device, a decrease in performance, and an increase in crashes.

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization.  For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or     

 Weekly Cyber Intelligence Briefings:

 Weekly Cyber Intelligence Briefings:

 REDSHORTS - Weekly Cyber Intelligence Briefings






E-mail me when people leave their comments –

You need to be a member of Red Sky Alliance to add comments!