{
	"id": "ec03e468-d5de-4e61-90f2-a345d4a621da",
	"created_at": "2026-04-06T01:29:49.793589Z",
	"updated_at": "2026-04-12T02:21:08.384402Z",
	"deleted_at": null,
	"sha1_hash": "2e02e8cbc90a11fa1e86e35744f5183927f4bbf6",
	"title": "KeyBase Threat Grows Despite Public Takedown: A Picture is Worth a Thousand Words",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 11635026,
	"plain_text": "KeyBase Threat Grows Despite Public Takedown: A Picture is\r\nWorth a Thousand Words\r\nBy Jeff White\r\nPublished: 2016-02-25 · Archived: 2026-04-06 01:07:31 UTC\r\nIn June 2015, Unit 42 reported on a keylogger malware family known as KeyBase, which had first appeared in\r\nFebruary 2015. The author has since taken down its website and supposedly ceased selling the software, while\r\nalso renouncing the tool’s use for any malicious purposes. However, as of this writing, the software is still readily\r\navailable for download with minimal effort on multiple websites. What’s more, while development of KeyBase\r\nappears to have stopped, the usage of this malware has increased significantly since June. In our initial report, we\r\nidentified approximately 1,500 sessions carrying KeyBase and approximately six months later we have seen over\r\n4,900 different samples and 44,200 sessions within Palo Alto Networks AutoFocus.\r\nOne interesting discovery, identified by Unit 42 malware researcher Josh Grunzweig, was that while the KeyBase\r\nweb panel requires authentication for access, the part of the KeyBase web panel which saves screenshots from the\r\ninfected computers is not properly locked down, thus requiring no authentication and allowing anyone on the\r\nInternet to freely access it. This lack of security on the miscreants’ part opens up a window to perform target\r\nanalysis of the infected machines.\r\nFigure 1 - Open /Images/ directory\r\nBy leveraging the visibility within AutoFocus along with KeyBase web panels identified through information\r\nsharing groups, 64 websites have been identified hosting 82 active KeyBase web panels with a total of 933\r\ninfected Windows systems accounting for 125,083 screenshots. 
These images give us a glimpse into what\r\nattackers see when they infect systems, what information they obtain outside of the normal keystroke and\r\nhttps://unit42.paloaltonetworks.com/keybase-threat-grows-despite-public-takedown-a-picture-is-worth-a-thousand-words/\r\nPage 1 of 54\n\nclipboard logging capabilities of the malware, and how that information may be used for malicious activity. This\r\nblog post will explain our findings in detail, but here is a short summary of what you’ll see if you read through to\r\nthe end.\r\nIndia, China, South Korea and the United Arab Emirates are most targeted with KeyBase, but the impact is\r\nglobal.\r\nCompanies in the manufacturing and transportation industries see the most KeyBase infections.\r\nAttackers captured screenshots of sensitive e-mails, bank account transfers, security cameras and hotel\r\nmanagement systems.\r\nAttackers who (accidentally) infected their own systems revealed the tactics, tools and procedures they used to\r\nlaunch their attacks.\r\nDefining terms \u0026 the analysis process\r\nBefore we dive into the data, it must be said that since we are analyzing images, we are making some\r\nassumptions. For example, if an image shows an e-mail being composed and the e-mail has a signature at the\r\nfooter with a company name and position, we assume this to be an indicator of the company and user’s role.\r\nSimilarly, if we see images showing three different Facebook accounts logged in during the course of the\r\ninfection, we assume the system is a shared resource among multiple people. More often than not, we needed to\r\ncombine information from multiple screenshots to determine the user or company.\r\nFigure 2 - Signature based identification on e-mail being composed\r\nThroughout the analysis of the more than 125,000 images, we defined a number of data points to track across all\r\ninfections. 
Below is a listing of the categories that will be referenced throughout the rest of this post and a brief\r\ndefinition of what we looked for during analysis.\r\nGeographic location – Country in which the infected user was located. Typically determined via e-mail\r\nsignature, local events, e-mail content, or corporate location.\r\nIndustry – Standard industry category names, taken from AutoFocus. Typically determined by outside\r\ncompany look-up via the Internet.\r\nCompany name – Official company name. Typically determined via e-mail signatures, corporate\r\ndocumentation, desktop images, applications, or logged in accounts.\r\nCorporate title – The corporate title displayed by the user of the infected system. Typically determined via\r\ne-mail signature or corporate documentation.\r\nCorporate data – Information that appears to be internal to the company, such as budgets, research,\r\nsalaries, roadmaps, inventory, and logistical information. Typically determined via e-mail content and\r\ncorporate documentation.\r\nClient data – Information that appears to be related to the corporate business but exposes information of\r\nthird parties, such as purchase orders, client details, contracts, and legal documents. Typically determined\r\nvia e-mail content, internal applications, or corporate documentation.\r\nShared usage – When the infected system was clearly used by more than one individual. Typically\r\ndetermined via non-corporate e-mail usage, social media accounts, and chat applications.\r\nPersonal usage – When the infected system appeared to be used for non-corporate activity, such as social\r\nmedia, watching movies, or playing games. Typically determined via browser activity or application usage.\r\nBank usage – When the infected system was used to conduct online banking activities. 
Typically\r\ndetermined via browser activity of online banking websites.\r\nLure Subject/Name/Address – Details on phishing e-mails used to deliver the KeyBase malware.\r\nTypically determined via e-mail activity.\r\nArchive/File Name – Details on archives or files used to deliver the KeyBase malware. Typically\r\ndetermined via e-mail activity or archive applications.\r\nThe Rise of KeyBase\r\nPalo Alto Networks began detecting an increase in KeyBase delivery sessions at the beginning of August 2015 and\r\nit began escalating quickly thereafter, with thousands of unique samples coming in per month.\r\nFigure 3 – KeyBase malware samples in AutoFocus increase in August 2015\r\nWhen looking at the dates and volumes of images collected, it matched up with the above image data curve, with\r\nthousands of screenshots being sent back to KeyBase web panels on a daily basis.\r\nFigure 4 – Volume of images collected per day from KeyBase web panels\r\nSince the KeyBase builder was leaked, more miscreants have gained access to the software and we see this\r\nreflected in its proliferation. A side effect, of course, is that once it has entered the easily accessible tool\r\npopulation, you have a wide variety of actors using it, with different intentions and different techniques. 
This is\r\nwhere target analysis becomes valuable as patterns begin to emerge and you can attempt to discern targeted\r\nattacks from opportunistic ones.\r\nAcross the set of extracted images, there was an average of 133 images per infection, with the minimum being 1\r\nand the maximum being 5,029; sometimes all that was needed to convey a story was 1 image, while other times\r\nhundreds may not be sufficient.\r\nWhen the KeyBase builder generates a new variant of the malware, the user of the application has the ability to\r\nspecify how often screenshots should be taken, along with the option of doing “InstaLogging” screenshots for\r\nspecific websites, such as Facebook or Google. We commonly saw screenshot intervals at 1 minute (default), 10\r\nminutes, or 30 minutes – effectively giving us 1 hour, 1 day, or 2 days of average visibility into a user’s activity.\r\nOne of the challenges faced -- assuming periods of inactivity for user sleep or PC shutoff, along with the time\r\nbetween screenshots -- is that our sample set of useful data can be quite small, so every screenshot needs to be\r\nassessed for minute details. As such, the following sections are based on observations made during the analysis of\r\nthe more than 125,000 KeyBase screenshots.\r\nOne final point before getting any further into the analysis is that we are looking at pictures from infected systems\r\nand, while we can speculate on how the data might be used, at the end of the day we really have no idea how it’s\r\nbeing used based solely on this information. Are the miscreants really interested in salaries, inventories, design\r\nblueprints, research, cargo manifests, and internal e-mails with devious plans to exploit the data? Or are they just\r\nlooking to steal someone’s Facebook password to sell for a quick buck? 
Towards the end of this blog we’ll also\r\ntake a look at a number of people who infected themselves with KeyBase, whether for testing or by accident, and\r\nsee what the bad guys are up to.\r\nObservations\r\nWhere in the world?\r\nWe found that infected systems are located primarily in Asia Pacific, Europe, Middle East, and Africa with the\r\nlargest infection bases found in India, China, South Korea, and the United Arab Emirates. The below image\r\nrepresents 342 of the 933 infected systems, identifiable by location, and their respective volume of images per\r\ncountry.\r\nFigure 5 – Geographic spread of KeyBase malware\r\nTaking a look at Industry, there were 27 different categories identified, with Manufacturing, Transportation \u0026\r\nLogistics, Wholesale \u0026 Retail, and Engineering making up the majority of infected PCs with corporate data.\r\nFigure 6 – Industry breakdown\r\nCombining this information and overlaying industry data on top of geographic data, we can see certain countries\r\nstand out, possibly implying a concentrated effort to target industries in those locations. More often than not, the\r\nscreenshots seemed to indicate the infected system was used for company activity versus purely personal usage.\r\nManufacturing\r\nFor the manufacturing industry we see a large concentration in South and East Asia, totaling 46 different\r\ninfections across 45 different companies. These companies are heavily focused on metal materials and products\r\nthroughout the region. 
This is not surprising given three of the top five manufacturing economies are based in this\r\ngeographic area.\r\nFigure 7 – Manufacturing: Infection Distribution\r\nWhat stood out across this industry was the usage of websites to buy materials or sell manufactured products. One\r\nwebsite that stood out in particular was Alibaba, which is similar to an eBay for manufacturers and suppliers.\r\nHowever, making global trading easier isn’t possible without communication and each company has a profile page\r\nwith a link to contact the business.\r\nFigure 8 - Requests for goods on Alibaba.com\r\nIt’s plausible, given the number of companies infected in the same region, in the same industry, that targets may\r\nhave been selected via Alibaba or similar websites and delivered malware through their respective listed contact\r\naddresses. For the data we have available, we saw corporate titles for the recipients of the malware in five sales\r\nroles, three in purchasing/supplies, and one in exports.\r\nFigure 9 - E-mail reply to an Alibaba message\r\nFigure 10 - E-mail reply to an Alibaba message\r\nThe type of data an attacker would see varied greatly for this industry, but it wasn’t uncommon to see purchase\r\norders, invoices, quotes, client/customer information, inventories, or even designs for products.\r\nFigure 11 - Invoice data for multiple customers with values\r\nFigure 12 - Drafting document/e-mail for an upcoming quote for their product\r\nFigure 13 - E-mail with designed valve details for client 
approval\r\nFigure 14 - Sales drawing for another product\r\nThere was also at least one seasoning mix that was…well, a little too seasoned as you’ll see below…\r\nTransportation and Logistics\r\nThe second major industry that showed a large set of KeyBase infections is Transportation and Logistics.\r\nClustered more dominantly in the Middle East and East Asia, this mainly included companies specializing in the\r\nshipment of freight for import and export.\r\nFigure 15 – Transportation and Logistics\r\nIt is unknown exactly how a miscreant might use the information from these machines, or whether they have any\r\nintent to exploit it, but it does provide interesting data for analysis.\r\nTo illustrate, there were three separate infected systems that showed users logged into Pakistan’s customs clearing\r\nsystem with the role of “Customs Agent” or “Trader”. 
Information that the miscreants would see includes\r\ncontainer status, goods held within, the recipient, the sender, their location in port and vessel, the value of the\r\ngoods, etc.\r\nFigure 16 - Pakistan Web Based One Customs – “Customs Agent”\r\nFigure 17 - Pakistan Web Based One Customs – “Trader”\r\nOther infected systems showed the cargo booking for both air and sea travel, along with multiple e-mails with\r\ntheir clients organizing this activity.\r\nFigure 18 - Air cargo booking\r\nFigure 19 - Ship cargo booking\r\nFigure 20 - Discussing vessel schedules\r\nAnother infected system in Egypt shows multiple e-mails and invoices for the shipment of beef sold by various\r\ncompanies for transport from Brazil to Egypt.\r\nFigure 21 – Invoice details on 61K lbs of beef costing USD $171,000\r\nFinally, another infection of a logistics company, located in the United Arab Emirates, shows access to their bank\r\naccounts and the dollar amounts of transfers that the attackers will likely now have access to.\r\nFigure 22 – Bank withdrawals and deposits, with a balance of over USD $500,000\r\nThere were three KeyBase web panels that each had between 5 and 9 identifiable companies in this industry. Given the\r\nnature of the Transportation and Logistics business, the need to make relatively large financial transfers frequently to\r\ncover the costs of moving products around the world may have been a motivator to target this industry.\r\nPayday Advance\r\nThis brings us to our next tracked data point, bank usage. 
Out of the infected systems, 33 were seen using online\r\nbanking websites and 28 of those were from systems we tagged as having “corporate data”. While we do not\r\nbelieve all 28 of these systems did online banking for the company, there were a number of cases where the online\r\nbanking system showed the company’s name and multiple banks would be used by the same infected systems.\r\nFigure 23 - Corporate banking account\r\nFigure 24 - Corporate banking account\r\nFigure 25 - Fund transfer receipt for USD $51,500\r\nThese would appear to be of interest to an attacker, as KeyBase malware will log the credentials needed to access\r\nthese banking sites while the pictures will expose balances and other account details.\r\nFigure 26 - Corporate banking account\r\nFigure 27 - Corporate banking account\r\nThe image below shows an e-mail correspondence in which the user of the infected system is e-mailing their bank\r\nabout a payment of USD $1,000,000 that appears to have been transferred to another account while they were in\r\nthe hospital. 
This may be unrelated to having been infected with KeyBase, but it’s enough contextual information,\r\nand enough of a dollar amount, that it raised red flags for me.\r\nDoubling Down on Risk\r\nAnother group of tracked data points we were interested in was whether it could be determined that a machine was\r\nused for personal, non-business-related activities and whether it was a shared resource.\r\nThe reason this was of interest is that we saw multiple KeyBase delivery campaigns sent via e-mail phishing lures,\r\nsome received on what appeared to be personal accounts while others on corporate e-mails. The crossover usage\r\nof corporate assets for non-corporate activities is a well-known threat vector, expanding the potential surface area\r\nfor someone to become infected with malware. Out of the 933 infected systems, there were enough screenshots to\r\ndetermine that at least 216 of them appeared to only be used for corporate work, 75 were used only for personal\r\nactivities, and 134 of them were used for both corporate and personal activities.\r\nShared assets, in which we would see multiple different identities logged into social media, e-mails, or\r\napplications, accounted for 43 of the 933 infected systems. These shared systems were in much greater quantity in\r\nthe Middle East and South Asia.\r\nFigure 28 - Shared infected systems\r\nShared systems, of course, increase the risk to the individuals using them, by exposing multiple sets of credentials\r\nthrough one person unknowingly getting the system compromised. 
In India specifically, we saw this activity\r\nfrequently in the services industry, such as travel and tourism companies, or other roles where you move around\r\nan office frequently without dedicated assigned systems.\r\nIn an effort to avoid showing multiple Facebook accounts and still keep it somewhat interesting, the below set of\r\nimages were captured from an infected office PC that sent hundreds of screenshots displaying images of their\r\nsecurity camera. The middle desk and computer were frequently used by multiple people, which is likely typical\r\nfor these smaller offices.\r\nFigure 29 - Individual 1\r\nFigure 30 - Individual 2\r\nFigure 31 - Individual 3\r\nFigure 32 - Individual 4\r\nTactics\r\nSwitching gears to look at the panels and lures themselves, only four names were shared among panel names\r\nwhile the rest were unique values.\r\nFigure 33 - Top 10 panel names\r\nWhile most KeyBase web panels had a one-to-one relation with the site, there were a few sites that stood out as\r\nhosting multiple web panels – possibly each tied to a different campaign.\r\nFigure 34 - Top 10 domains by number of panels\r\nIt’s also worth noting that these are only panels that were detected or shared; there are most likely additional\r\npanels located on these sites that we have yet to identify.\r\nFor e-mail campaigns, there were multiple clusters of e-mail subjects that were part of the phishing lure that stood\r\nout.\r\nFigure 35 - Top 10 e-mail lure subjects\r\nTypically, this information could be collected in the first or second screenshot of a set 
with the lure e-mail in the\r\nbackground, and the malicious executable in the foreground.\r\nFigure 36 - KeyBase immediately begins sending back screenshots\r\nThe top e-mail lure, with subject “A320 for ACMI” was particularly interesting, as the A320 is a single-aisle\r\nAirbus jetliner and ACMI stands for “aircraft, complete crew, maintenance, and insurance”, which makes it\r\npotentially appealing to targets who work within the aerospace industry. Sure enough, we found multiple targets\r\nthat match up in this campaign.\r\nFigure 37 - Target in the aerospace industry\r\nFigure 38 - Another target in the aerospace industry\r\nThe rest of the e-mail subjects were largely about purchase orders, inquiries, and other financial themes. This may\r\nexplain the high success rates on individuals who fall in sales or informational roles for companies.\r\nWhile there were 49 unique e-mail subjects identified as being part of KeyBase phishing lures, there were 65\r\nunique names for archives attached to the e-mails that delivered malware in the form of EXE files, Word\r\ndocuments, and Excel documents.\r\nFigure 39 - Top 10 archive names\r\nThe archive name would typically mirror the e-mail subject but, when it didn’t, the archive was normally named after the\r\nexecutable file within it – which itself was usually a poor attempt to disguise the underlying\r\nexecutable.\r\nFigure 40 - Top 10 executable names\r\nAnother tactic, whether purposeful or not, was sending English-language e-mails to individuals in countries where\r\nEnglish is not the native language. 
On at least two occasions we saw the recipients translating the e-mail phishing\r\ncontent with Google Translate services.\r\nThe final thing we’ll talk about in this section is a company in the Healthcare industry that showed an infection on\r\nSeptember 7 and then an infection 3 days later on September 10 and again on September 13. What made this one\r\nstand out from the others is that the final infection on September 13 showed that the e-mail, which matched the\r\npreviously seen content of the other phishing lures, was sourced from an internal e-mail address of the company.\r\nThe Others\r\nTo wrap up the target analysis of infected systems, we’re going to point out three more sets of data that stood out\r\nas interesting from a target perspective.\r\nHotel and Hospitality\r\nOne particular panel/actor targeted the Hospitality industry and infected seven different hotels or resorts,\r\nspecifically the reception desks for these companies. Similar to the tactics previously discussed, we see delivery of\r\nKeyBase through the “info@” addresses that are easy to identify off of the company’s public website.\r\nFigure 41 - Infected receptionist\r\nFigure 42 - Another infected receptionist\r\nTargeting hotel receptionists provides a lot of interesting data, from guest information and their home address to\r\ntravel and payment details; this is all potentially valuable data that may be sold. 
Below are a couple of screenshots\r\nfrom the various infections to illustrate the type of information exposed through one of these systems.\r\nFigure 43 - Guest booking at a hotel\r\nFigure 44 - Guest credit card information\r\nFigure 45 - Another guest credit card\r\nFigure 46 - Hotel information\r\nFigure 47 - A receptionist PC accessing the hotel camera system\r\nEducation\r\nThe set for educational institutions wasn’t notably attributable to any one panel, but equally distributed. What\r\nmade it stand out though is that the same tactic for delivering the KeyBase phish was applied here and\r\n“Admissions” people were targeted. These individuals are constantly sent Word or PDF documents, allegedly\r\nfrom parents, so it’s no surprise they would open the malicious files.\r\nFigure 48 - Admissions Manager asking parent for medical information via PDF\r\nBeyond e-mails, there was also a fair amount of student details.\r\nFigure 49 - Student list\r\nFigure 50 - Student documents\r\nFinally, the irony of this last one was a little bittersweet…\r\nFigure 51 - Principal sending out newsletter about Cyber Safety presentation\r\nMiscreant Selfies\r\nTo bookend the image analysis, we’ll take a look at some of the screenshots from the 16 actors using KeyBase\r\nwho infected themselves, whether to validate it works or by accident. 
These images provide a glimpse into what\r\nthey do on a daily basis and how they may be intending to use the information collected from their KeyBase\r\ncampaigns.\r\nActor 01\r\nIn the first image, we can see the miscreant taking credentials from the KeyBase password panel and logging into\r\nmultiple web-based e-mails. Subsequent screenshots show the individual going through the e-mails.\r\nFigure 52 - Actor logging into multiple compromised web-based e-mails\r\nActor 02\r\nWe only have two screenshots, but we can see the next actor configuring a cracked KeyBase builder and some\r\npotential other tools on his or her desktop, such as the SpyGate RAT.\r\nFigure 53 - SpyGate RAT\r\nActor 03\r\nThe third actor also shows the cracked KeyBase builder, but they are testing their KeyBase generated malware\r\nagainst the razorscanner multi-engine AV scanner, which returned 2 out of 24 detections.\r\nFigure 54 - Checking detection count for generated KeyBase malware\r\nThe next couple of screenshots show the actor preparing the malware, most likely an attachment to a phishing e-mail.\r\nFigure 55 - Original generated KeyBase malware\r\nFigure 56 - Changing the name for attack\r\nAfterwards we see the actor using a combination of Gr3eNoX Exploit Scanner to find vulnerable websites off of\r\nthe Google Dork “germany supplier php?id=bee…” in the background, with Havij SQL Injection Tool in the\r\nforeground testing a site. 
The Google Dork being used hints that the industry and geographical targeting may be\r\naccurate.\r\nFigure 57 - Attacking a website\r\nActor 04\r\nThe next actor we see going through the entire phishing campaign. Initially the actor moves the KeyBase malware\r\ninto one of the archives we saw in previous phishing campaigns.\r\nFigure 58 - Moving the KeyBase malware into an archive for e-mail\r\nAfterwards, the actor has a conversation over Skype discussing the crafting of the phishing e-mail, including\r\nsignature to use, e-mail subject, content, and attachment details.\r\nFigure 59 - Skype discussion of the phishing lure\r\nThen they log in to a compromised company e-mail account and appear to be adding e-mails from their contact list\r\nto a collection of other e-mails.\r\nFigure 60 - Adding “info” and “sales” addresses to a Word document\r\nNext they send out the phishing e-mail from the compromised account.\r\nFigure 61 - Sending the phishing e-mail with an archive containing KeyBase malware\r\nAfterwards, we see the pattern repeat but the actor looks up popular Korean women’s names and then uses another\r\ncompromised e-mail account to send out another round of phishing e-mails.\r\nFigure 62 - Actor performing research for phishing lure\r\nFigure 63 - Sending out another round of phishing\r\nActor 05\r\nThis next actor appears to be purchasing accounts for something, possibly Skype or PayPal, and willing to spend\r\n$50 per account.\r\nFigure 64 - Discussing purchase of accounts\r\nFigure 65 - Buying a credit card online, possibly to use to buy the 
accounts mentioned next\r\nHe’s also trying to aggressively brute-force Skype accounts throughout the screenshot set, yet never appears\r\nsuccessful.\r\nFigure 66 - Manually scraping proxy data\r\nFigure 67 - Automated proxy scraping\r\nFigure 68 - Attempting to brute force Skype accounts with vCrack through proxies\r\nActor 06\r\nThe next actor actually infected three of his or her PCs, for whatever reason, so there were plenty of screenshots to\r\ngo around – including doing Skype with his or her family, school projects, and the account details for the Albanian\r\nuniversity he or she attends. Based on the activity, the actor enjoys making what I could only describe as YouTube\r\nAlbanian Hip-Hop lyric videos and reads “hacking tutorials” after unsuccessfully trying to pull off XSS on\r\nFlickr…they also appear to be a part of the carding scene.\r\nFigure 69 - Miscreants have hobbies too\r\nFigure 70 - Facebook group for “Kosovo Carders”\r\nFigure 71 - Carders forum\r\nFigure 72 - Another carder forum\r\nYou also see their recent download history of multiple PayPal brute force type applications and then subsequent\r\nfraudulent purchases on eBay via PayPal and different e-mails.\r\nFigure 73 - Downloading PayPal brute forcers\r\nFigure 74 - Purchasing items off of eBay with stolen PayPal credentials\r\nLast, we see the actor conversing with another through Facebook as a new KeyBase web panel gets stood 
up.\r\nFigure 75 - Providing the credentials for root access to the server\r\nFigure 76 - New KeyBase web panel being created\r\nActor 07\r\nThis next actor’s screen resolution was such that the screenshots only captured the top-left portion of his or her screen;\r\nhowever, it was enough to make some interesting observations on tactics. The actor appears to be trying to engage\r\nin romance scams with multiple women, along with preying on seniors through dating sites.\r\nFigure 77 - Sending messages on senior dating site\r\nFigure 78 - Sends the same messages to targets and moves on to IM/e-mail\r\nFigure 79 - Sending e-mail, presumably to continue the scam\r\nThe actor also has a cache of readily available dating pictures…\r\nFigure 80 - “Oldman datin pics”\r\nWhen they aren’t trying to romance, they are busy trying to scam CEOs.\r\nFigure 81 - Writing an e-mail in Notepad – possibly to deliver KeyBase or attempt fraud\r\nFigure 82 - Finding targets on “ceoemail.com”\r\nThe last picture we’ll look at in this set is the actor’s desktop, which shows the “Invoice” KeyBase document and a\r\ntext file called “Ali baba”, which may add weight to our suspicion that targeting was conducted through this\r\nwebsite.\r\nFigure 83 - Actor’s desktop showing “Ali baba”\r\nActor 08\r\nOur eighth actor up for 
review is slightly different from the others in that the actor may not actually be using\r\nKeyBase but is simply a victim of it: bad guys infecting bad guys. Either way, we are able to piece together his or\r\nher activities through screenshots, with a pattern explained as follows.\r\nThe actor begins by registering domains through GoDaddy and BigRock that follow a theme of web design.\r\nFigure 84 - Registering “getwebsolutionn.com”\r\nTheir next step is to set up an Office 365 Business Premium Trial account for the newly created domain.\r\nFigure 85 - Office 365 Business Premium Trial\r\nNext, they add new users to create e-mail addresses under the domain. Note the “Burt@getwebsolutionn.com”\r\naddress, which is used later.\r\nFigure 86 - Adding new users\r\nFigure 87 - Created accounts on Office 365\r\nNext, they send out e-mails from these accounts advertising a company that appears to help advertise businesses\r\nand design websites.\r\nFigure 88 - Sending spam e-mails\r\nThis process of registering domains and then sending out spam e-mail through Office 365 repeats itself a number\r\nof times over the course of the infection. We also get a glimpse into some of the other domains used for the actor’s\r\nactivity.\r\nFigure 89 - Spam domains\r\nAfterwards, the actor sends an e-mail message with how many people replied to the spam. 
Another possible\r\nscenario is that KeyBase is being used as a way to monitor employees to ensure they are doing their work.\r\nFigure 90 - Replies to the spam in the background, leads e-mail in the foreground\r\nFigure 91 - The next day’s leads\r\nActor 09 / 10\r\nWe’ll cover the last two actors with one screenshot from each, as both use a similar tactic of sending the phishing\r\ne-mail with bulk e-mailers.\r\nFigure 92 - Sending phishing e-mail with Advanced Mass Sender\r\nFigure 93 - Sending phishing e-mail with Turbo-Mailer\r\nConclusion\r\nOur analysis provides a unique opportunity to see the entire life cycle of a malware infection. Commonly, a set\r\nwould run from a first image showing the KeyBase executable or malicious document all the way through to the anti-virus alerting on the infection. Sometimes that happened all within one screenshot.\r\nFigure 94 - Infection and detection\r\nKeyBase isn’t actively being developed, but we believe its use will continue to rise given its existing capabilities\r\nand easy-to-use builder.\r\nThe idiom that “a picture is worth a thousand words” holds true, especially if you’ve made it this far. KeyBase is\r\nloaded with features, but the screenshot capability has proved to be particularly useful with the context it provides\r\nby marrying surrounding information to logged keystrokes. 
From a target analysis perspective, it gives us some\r\ninsight into the type of companies, or people, the miscreants are going after, and hopefully this blog has shed some\r\nlight on the potential data that gets exposed through screenshots alone.\r\nThreat Prevention customers are protected from this threat by the KeyBase command and control traffic signature.\r\nAutoFocus users can identify KeyBase samples using the KeyBase tag.\r\nKeyBase Indicators\r\nE-mail Subjects:\r\n25270 usd\r\nA320\r\nA320 for ACMI\r\nBalance Payment\r\nCOPY USD 23000$\r\nConfirm your bank details\r\nDemande de Cotation\r\nFW: Attn: Your best price urgently\r\nFW: Re: Purchase Order Inquiry\r\nFw: Outstanding Payment\r\nFw: RE: 4800MW Combined Cycle Power Plant\r\nFwd: : Re: Original shipping Documents\r\nFwd: Shipping Documents/ Reference Id: 20150813-523838075605\r\nFw: T/T Payment Copy\r\nGood Day\r\nINVOICE FOR ALCOHOLIC BEVERAGES\r\nInquiry\r\nInquiry Specification\r\nNEW MACHINE DESIGN\r\nNEW ORDER \u0026 ITEM WE NEED\r\nNotre demande\r\nOrder12/2015\r\nOrder_Nov\r\nOriginal shipping Documents today via dhl\r\nOur Request\r\nPayment Outstanding\r\nQuotation\r\nRE : Quoations\r\nRE : Quotations\r\nRE: Re: Purchase Order Inquiry\r\nRe : Attention\r\nRe : Purchase order No.PEC/PUR/15-16/302\r\nRe : Quotations\r\nRe: A320 on ACMI\r\nRe: Original shipping Documents\r\nRe: Purchase Order Iniquiry\r\nRe: Purchase Order Iniqury for Your Kind Attention\r\nRe: Purchase Order Inquiry\r\nRe: Purchase Order Inquiry for Food Item and Seafood\r\nRe: Purchase Order Inquiry for Kour Kind Attention\r\nRe: Purchase Order Inquiry for Your Kind Attention\r\nRe: Re: Last Order Schedule Notification 2015 (Order0261)\r\nRe:Payment for 
Diamond Wire for Marble\r\nRe:Urgent\r\nService Tax Clarification on Flat\r\nTR: Order0118-Nov\r\nUSD $24000 COPY\r\nUSD_30000$.scan0002.jpg\r\nWG: Order12/2015\r\nE-mail Senders:\r\nAVAL EXCHANGE\r\nAdmin\r\nAeronautical Information Services\r\nAeronautical Information Services - ANS Headquarters\r\nAmit Varaiya\r\nAshish Gupta\r\nAsif Asif\r\nDiakalidia Dissa\r\nDulal Mohato\r\nEcc Conseils\r\nGhulam Murtaza\r\nHakan Shipping Co. Ltd\r\nKrystyna Mandrykina\r\nKumar Mohammad\r\nKyle P. Zing - ABS Group (Pacific Division)\r\nLIAONING ZHONGWANG GROUP CO., LTD\r\nLIGHTECH LLC\r\nLiaoning Zhongwang Group Co., LTD\r\nMKR Global Trading\r\nMKR Global Trading Company\r\nMehnas Enterprises\r\nMuzafar Saafin\r\nPeghini, Rainer (LEN, VA)\r\nRachel Natalia\r\nRazahmad Humraz\r\nSara Ahmed\r\nShanaz Trading PTE Singapore\r\nShanez Trading Ltd, Singapore\r\nShanez Trading PTE\r\nShanez Trading PTE Ltd, Singapore\r\nTarek Ben Aissi\r\nVijay Nath\r\nYasir Enterprise\r\naly dembele\r\nmassin massin\r\nneco phil\r\nragnar lordbrook\r\nraz ahmad\r\nvijay nath\r\nwali haider\r\nE-mail 
Addresses:\r\nketoanhcm@inde.com.vn\r\na.engl-lohninger@anti-germ.at\r\nabs-pac@eagle.org\r\nadmin@lukeandcompany.com.au\r\nais@kcaa.or.ke\r\najooft1@naver.com\r\nalqardabyah@rakfzbc.ae\r\nbenaisi.tarek@gmail.com\r\nbicmanager@gmail.com\r\ncontact@paraboot.com\r\ncontacto@energiasrenovable.cl\r\ndiakalidiadissa@ymail.com\r\neccconseils@yahoo.fr\r\nenterpriseyasir@yahoo.com\r\nfforteza@latinhotel.com\r\ngemataly@yahoo.fr\r\nghulammurtaza2344@yahoo.com\r\ngullmuhd786@yahoo.com\r\ninfo11@redsealsuppliers.net\r\niqbal.farooqi@ammiza.com\r\nkristina@mandrykina@gmail.com\r\nlightechllc@yahooo.com\r\nmail@pcconnect.co.za\r\nmichelet220@yahoo.com\r\nmkrmkrtrading_lib@outlook.com\r\nnecophil@yahoo.com\r\npostmaster@optimal-design.cz\r\nr.hollman@mail.com\r\nraghida@jrtorbey.com\r\nragnarlordbrook@engineer.com\r\nratooltraders_2000@gmail.com\r\nrazahmad789@yahoo.com\r\nrpeghini@testo.de\r\nsarita_199228@yahoo.com\r\nshaneztrading@hotmail.com\r\ntanhuong142@gmail.com\r\ntazzyy8826@daum.net\r\ntender@unicorndenmart.com\r\ntrangtran0709@gmail.com\r\nvijaynath_drilltaps@yahoo.co.in\r\nyasirenterprisse@yahoo.com\r\nArchive Name:\r\n0000123.zip\r\n25720 USD SWIFT CCOPY.jpg\r\nA320 for ACMI\r\nA320 for ACMI (3).ace\r\nA320 for ACMI (2).ace\r\nA320 for ACMI-1.ace\r\nA320 for ACMI.ace\r\nA320 for ACMI[1].ace\r\nA320_for_ACMI.ace\r\nACMI.ace\r\nBL_036050112202xls.gz\r\nBalance Payment.zip\r\nCOPY OF THE DOCUMENT_Pdf.zip\r\nCOPY OF WHATSAPP IMAGE_scan0003jpg.zip\r\nCOPY USD 23000$.Pdf.zip\r\nCOPY USD 25000$ scan0002 jpg.zip\r\nCOPY_USD_23000$.Pdf[1].zip\r\nCopy10Scanneddoc.ace\r\nDHL SHIPPMENT DOC FOR PENDING ORDERS.zip\r\nEID MUBARAK GREETING.pdf.zip\r\nFinalCopy_Scan.ace\r\nFinalProductList.zip\r\nInvoice for alcoholic beverages (2).ace\r\nInvoice for alcoholic 
beverages.ace\r\nInvoice.zip\r\nMV ALFA.zip\r\nNEW MACHINE DESIGN.JPG.zip\r\nNEW ORDER \u0026 ITEMS WE NEED.Pdf.rar\r\nNew Order.ace\r\nNewCopy_Scan0261.ace\r\nNewOrder.zip\r\nORIGINAL SHIPMENT DOC\u0026 BL.zip\r\nOrder #380358967.zip\r\nOrder Inquiry Specification.ace\r\nOrder Invoice.zip\r\nOrder _380358967.zip\r\nOur Quotations.ace\r\nPayment Receipt#380358967.zip\r\nPo-September-Sept171763403583 (2).ace\r\nProductOrder List.zip\r\nQuotation.zip\r\nQuotation.rar\r\nQuotation.rar.zip\r\nRevised_OrderFinal\r\nScan0118_Revised.ace\r\nShipping documents .20150813-52383807565_pdf.rar\r\nSlip.zip\r\nSwift Copy CHF $15100 .rar.zip\r\nT.T Payment Copy.zip\r\nTT $25700 USD REMITTANCE.Pdf.zip\r\nTT APPLICATION $50,000 USD.Pdf.zip\r\nTT_H1245792776500_JPG.zip\r\nZnp0002.zip\r\norder inquiry doc.ace\r\nscan0002.jpg.zip\r\nEXE Name:\r\nACMI.exe\r\nBL_036050112202xls.exe\r\nBalance Payment.exe\r\nCOPY OF THE DOCUMENT_Pdf.exe\r\nCOPY USD 23000$.Pdf.exe\r\nCOPY_pdf.exe\r\nDHL SHIPPMENT DOC FOR PENDING ORDERS.exe\r\nEID MUBARAK GREETING.pdf.exe\r\nFinalProductList.exe\r\nInvoice for contract No. 
182.exe\r\nMV ALFA.scr\r\nNEW TT RATES 28.07.2015_pdf.exe\r\nNew Order.exe\r\nPAYMENT.exe\r\nPo-September-Sept171763403583.exe\r\nQuotation.rar.exe\r\nUSD_20345_$ COPY_Pdf.exe\r\nUSD_34567 $_Pdf.exe\r\ninvoice doc.exe\r\ninvoice document.exe\r\nscan0002.jpg.exe\r\nDOC Name:\r\nNEW MTO.doc\r\nOrder01.doc\r\nOrderInvoice.doc\r\nP001.doc\r\nPart1-Product List.doc\r\nProductList.doc\r\nRevised_OrderFinal.doc\r\nSTC ORDER LIST.doc\r\nScan0118_Revised.doc\r\nKeyBase Panels:\r\nA full list of the KeyBase control panels we have identified is available on GitHub.\r\nSource: https://unit42.paloaltonetworks.com/keybase-threat-grows-despite-public-takedown-a-picture-is-worth-a-thousand-words/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/keybase-threat-grows-despite-public-takedown-a-picture-is-worth-a-thousand-words/"
	],
	"report_names": [
		"keybase-threat-grows-despite-public-takedown-a-picture-is-worth-a-thousand-words"
	],
	"threat_actors": [
		{
			"id": "3fff98c9-ad02-401d-9d4b-f78b5b634f31",
			"created_at": "2023-01-06T13:46:38.376868Z",
			"updated_at": "2026-04-12T02:00:03.07756Z",
			"deleted_at": null,
			"main_name": "Cleaver",
			"aliases": [
				"Operation Cleaver",
				"Op Cleaver",
				"Tarh Andishan",
				"Alibaba",
				"TG-2889",
				"Cobalt Gypsy",
				"G0003"
			],
			"source_name": "MISPGALAXY:Cleaver",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775438989,
	"ts_updated_at": 1775960468,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2e02e8cbc90a11fa1e86e35744f5183927f4bbf6.pdf",
		"text": "https://archive.orkl.eu/2e02e8cbc90a11fa1e86e35744f5183927f4bbf6.txt",
		"img": "https://archive.orkl.eu/2e02e8cbc90a11fa1e86e35744f5183927f4bbf6.jpg"
	}
}