{
	"id": "dd8baec2-3414-47b1-aec7-2ffb612229f4",
	"created_at": "2026-04-06T00:17:30.900152Z",
	"updated_at": "2026-04-10T03:21:24.840586Z",
	"deleted_at": null,
	"sha1_hash": "3a31bbeb00a15851c554c67f910a46a083901639",
	"title": "iSpy Keylogger | Zscaler Blog",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 923415,
	"plain_text": "iSpy Keylogger | Zscaler Blog\r\nBy Atinderpal Singh\r\nPublished: 2016-09-16 · Archived: 2026-04-05 21:38:03 UTC\r\nKeyloggers have always been part of attackers’ toolkits. They give an attacker the power to record every\r\nkeystroke on a victim’s machine and steal sensitive information. Zscaler ThreatLabZ recently came across a\r\nsigned keylogger campaign in our cloud sandbox. In this blog, we provide an analysis of this malicious\r\ncommercial keylogger, known as iSpy. Written in .NET 2.0, iSpy can be configured for keylogging, password and\r\nscreenshot theft, and webcam and clipboard monitoring. It is sold on underground forums in several\r\nsubscription packages, as shown in Figure 1.\r\nFigure 1: iSpy keylogger subscription packages\r\niSpy keylogger infection\r\niSpy is delivered via spam email carrying a malicious JavaScript file or document as an attachment, which then\r\ndownloads the keylogger payload. The main iSpy payload is usually compressed with a custom packer; so far\r\nwe have seen packers written in Visual Basic 6.0, AutoIt, and .NET. We have also seen a campaign in which a signed .NET\r\ncrypter served iSpy. 
This crypter uses a range of digital certificates (mostly invalid ones) and\r\ndrops a variety of malware families, as shown in Table 1 below.\r\nhttps://www.zscaler.com/blogs/research/ispy-keylogger\r\nPage 1 of 11\n\nFigure 2: Certificate used by the .NET crypter\r\nTable 1: Malware samples dropped by the .NET crypter\r\nMD5 | Email used in certificate | Malware\r\nb99491b53faabb559adf42d6156d9dad | web@vazi.com | iSpy\r\n2b8e2d23c88b11bbcf59928d5d440bdb | sales@maltech.net | Phorpiex\r\n73dcbece89a474bccfb76f022e5e81a4 | sales@maltech.net | Skypoot\r\nc1838d9542e6860cd44d706883b49a73 | sales@maltech.net | Skypoot\r\n2aac4e7b7a1ab407039e12b53a4af942 | sales@maltech.net | Phorpiex\r\n398680cbdd017f7b99e9add1477939a8 | owner@reca.net | Phorpiex\r\n2368102c5e12b0c881bc09256546d255 | owner@reca.net | Skypoot\r\n92a342a6ce4b0accfb20c61fd657104b | sales@maltech.net | Phorpiex\r\n1ffadc9cde4d4a1d794362c9179a0ec9 | sales@maltech.net | Phorpiex\r\nc17cddb6f63d9797583167a30c5711c1 | sales@maltech.net | Phorpiex\r\nde7db381733f3c5a479865120f58a8c1 | sales@maltech.net | Phorpiex\r\n58334fb57165350ccb06c1949459a65c | sales@maltech.net | Skypoot\r\n5e6114b726b1b8a52331890054157969 | sales@maltech.net | Skypoot\r\n12f4de75e2e299e6d444a58fff78d83d | sales@maltech.net | Phorpiex\r\n92eaac8b2266fb2514e66a8e2cf98f13 | sales@salung.com | Kasidet\r\na9867d69c3d7d716339dd10ac4b29216 | sales@salung.com | Phorpiex\r\nedaf8ce53d4919c52e422c7ce7242738 | sales@salung.com | Phorpiex\r\n2b478db2af56153a2cee33f71213cc2f | sales@salung.com | Hawkeye\r\n214280b4e09fe4c4cc46aebef533e07e | support@yapilo.com | Phorpiex\r\nba8c47e679eba575c4e8605da97f4e77 | support@yapilo.com | Phorpiex\r\nd151378aeae384e85ab10f5bb19ef254 | support@yapilo.com | Phorpiex\r\n881e968ddf34c38943a56651a3870174 | email@vario.co | Subti\r\n0e565eb881a25180993539f34e88ec3d | sales@maltech.net | Bladabindi\r\nInstallation\r\nThe malware sample we analyzed was packed with a VB6 (native) custom packer. 
The packer decrypts the payload with an XOR-based routine and interleaves junk (“zombie”) code between the\r\nmeaningful instructions to slow down analysis. Figure 3 shows the installation and functionality overview of iSpy.\r\nFigure 3: Installation workflow and functionality overview of iSpy\r\nThe second layer of packing contains multiple anti-VM and anti-analysis tricks, including:\r\nChecks PEB flags for debugger presence\r\nChecks for a sandbox or debugger by timing a Sleep call with GetTickCount (a skipped or shortened sleep gives the environment away)\r\nLoops until cursor movement is detected\r\nChecks that the screen resolution is at least 800 x 600\r\nFinally, it decrypts the payload file and injects it into a new, suspended instance of the same process using the\r\nprocess hollowing technique, as seen below:\r\nFigure 4: Spawns process in suspended mode for injection\r\nThe decrypted file is a loader that carries a DLL and a .NET binary in its resource section. It first loads the\r\nDLL, whose exported LoadDotNetPE function in turn loads the final iSpy payload (the .NET binary).\r\nThe malware checks its configuration settings to select the folder for dropping the executable. 
Based on the\r\nconfiguration, it drops itself into one of the following locations:\r\n%APPDATA%\r\n%LOCALAPPDATA%\r\n%USERPROFILE%\\Documents\r\n%TEMP%\r\nFigure 5: Installation function\r\nAfter copying itself to the chosen location, it deletes the file’s “Zone.Identifier” alternate data stream (ADS), the\r\nmark-of-the-web that Windows uses to show the security warning for files downloaded from the Internet, so the dropped\r\ncopy runs without that prompt.\r\nPersistence\r\nIt creates an entry under the “SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run” key in either HKLM or HKCU, depending\r\non the configuration, so that the malware is executed at system startup.\r\nConfiguration\r\niSpy has many customizable features (Figure 6), including recording keystrokes, recovering\r\npasswords, and retrieving serial keys from various software, and it sends the stolen data over SMTP, HTTP, or FTP.\r\nIt also has a web panel that lets the attacker monitor the activity of iSpy infections.\r\nFigure 6: iSpy configuration class\r\nAs mentioned earlier, depending on the configuration, it can send stolen data via three different methods: HTTP,\r\nSMTP, or FTP. The FTP and SMTP credentials are embedded in the file, encrypted with a custom scheme; the decrypt\r\nfunction of the StringCipher class decrypts them, as well as other strings, using the MUTEX value from the configuration\r\nas the key. For the HTTP method, iSpy authenticates to the C\u0026C server with the configured PHP_KEY value when uploading data.\r\nData stealing\r\nThe sample discussed in this blog uses FTP to send the stolen data to the attacker. The FTP account – 
ftp://ftp[.]bhika[.]comxa[.]com – was active at the time of analysis, and the FTP credentials are embedded in the file\r\nitself. The hostname resolves to the IP address 31.170.160.209, which belongs to comxa.com, a domain owned by\r\n000webhost Network, a provider of free hosting. We have notified comxa.com of the offending account.\r\nAfter successful installation, iSpy collects computer information such as the username, Windows version, and\r\ninstalled program details (AV, firewall, browser, etc.) and sends it along with an install notification\r\n(Figure 7) to the C\u0026C server.\r\nFigure 7: Installation notification contents\r\nThe keylogging code is the main component of this malware. It logs timestamped key presses and sends them to the\r\nattacker. It also contains code to steal the license keys of application software such as Adobe Photoshop and\r\nMicrosoft Office, and it collects saved passwords from web browsers, email clients (such as Outlook),\r\nFTP clients (such as FileZilla and CoreFTP), and games such as Minecraft.\r\nKillAV\r\niSpy disables antivirus programs through the Image File Execution Options (IFEO) mechanism. For each targeted program\r\nname it creates a sub-key of that name under “Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\” and\r\nsets the “Debugger” value of that sub-key to “rundll32.exe”. It then denies all RegistryRights on the newly created\r\nsub-key so it cannot easily be removed. Windows honours the Debugger value by launching the named debugger instead of the\r\nexecutable, with the original command line passed as its argument, so after this change rundll32.exe is started (and\r\nsimply exits) whenever the targeted process is launched, and the AV process itself never runs. 
Below is\r\nthe list of processes that iSpy targets. Most are AV components, but the list also includes analysis and protection tools such as\r\nWireshark, HijackThis and KeyScrambler, and System Restore (rstrui.exe):\r\n\"rstrui.exe\", \"AvastSvc.exe\", \"avconfig.exe\", \"AvastUI.exe\", \"avscan.exe\", \"instup.exe\", \"mbam.exe\",\r\n\"mbamgui.exe\", \"mbampt.exe\", \"mbamscheduler.exe\", \"mbamservice.exe\", \"hijackthis.exe\", \"spybotsd.exe\",\r\n\"ccuac.exe\", \"avcenter.exe\", \"avguard.exe\", \"avgnt.exe\", \"avgui.exe\", \"avgcsrvx.exe\", \"avgidsagent.exe\",\r\n\"avgrsx.exe\", \"avgwdsvc.exe\", \"egui.exe\", \"zlclient.exe\", \"bdagent.exe\", \"keyscrambler.exe\", \"avp.exe\",\r\n\"wireshark.exe\", \"ComboFix.exe\", \"MSASCui.exe\", \"MpCmdRun.exe\", \"msseces.exe\", \"MsMpEng.exe\"\r\nWebCam snapshot \u0026 screen grabber\r\nIf the webcam logger is configured, it captures snapshots using the victim’s webcam. It saves each snapshot in the\r\n%TEMP% folder with the prefix “snapshot” and the .PNG extension, then uploads it to\r\n“http://uploads.im/api?upload” (a legitimate image hosting service). It records the URL of the uploaded snapshot in its\r\nlog, which is sent to the C\u0026C server using the configured upload method.\r\nSimilarly, iSpy takes screenshots using the .NET API CopyFromScreen and saves them to a file named\r\n“img.png” under the %TEMP% folder. 
Saved images are uploaded to the website mentioned above and a log of the\r\nURLs of the uploaded files is sent to the attacker.\r\nOther features of iSpy:\r\nWebsite blocking (by modifying the hosts file)\r\nFile downloading\r\nBot killer\r\nFake message (displayed every time the malware starts)\r\nDisabler (Task Manager, Regedit, CMD)\r\nRuneScape PIN logger (RuneScape is a fantasy MMORPG developed and published by Jagex; a bank PIN is an in-game\r\nsecurity feature that players use to protect their virtual in-game banks)\r\nRun bind file (an additional file executed along with the malware)\r\nWeb panel interface\r\nThe current version of iSpy has a web panel from which the attacker can monitor the infected systems.\r\nFigure 8: iSpy web panel\r\nConclusion\r\nCommercial keyloggers are general-purpose data-stealing tools used by criminals to collect as much data as\r\npossible about a victim. There are many commercially available keyloggers on the underground market and,\r\nunfortunately, using them is fairly easy and requires little technical knowledge. In spite of the increased use of\r\nspecialized tools, the keylogger remains a common and potentially very damaging one. 
Zscaler ThreatLabZ will\r\ncontinue to monitor keyloggers and provide coverage for customers who may be targeted.\r\nIndicators of compromise:\r\nURL serving the iSpy sample: gratja[.]top/gff/trf.exe\r\nMD5 of the sample: ca66771aaaf3e6b4be57f09d9cfabcc1\r\nTable 2: Other iSpy samples seen in the wild\r\nMD5 | Packer | Upload method\r\n3f0b2fead12d62bcd7d8ca3b2673ed7f | VB6 (native) | SMTP\r\n7a9af64a04cf9577bfc76865ae190349 | .NET crypter | FTP\r\n08abb6dc71fe3076f9f149c849de737a | AutoIt | FTP\r\n9373eb008dd45458d424ce928b8d4475 | .NET crypter | HTTP\r\n51981d91472c00a78a6358cc2d5ff47f | .NET crypter | HTTP\r\n931512db9f969726a051737ce8579497 | VB6 (native) | FTP\r\n153185846e8fb4edb9e9ec9c3ea73e75 | AutoIt | SMTP\r\nc17dad76326700c24daef882e8550be4 | AutoIt | FTP\r\nca66771aaaf3e6b4be57f09d9cfabcc1 | VB6 (native) | FTP\r\ncb077968a96f497a994010b55771be2e | AutoIt | FTP\r\nb99491b53faabb559adf42d6156d9dad | .NET crypter | SMTP\r\nc8dabc7680e8b7ed344994eb39599296 | VB6 (P-code) | FTP\r\nBlog by: Atinderpal Singh, Nirmal Singh\r\nSource: https://www.zscaler.com/blogs/research/ispy-keylogger",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.zscaler.com/blogs/research/ispy-keylogger"
	],
	"report_names": [
		"ispy-keylogger"
	],
	"threat_actors": [],
	"ts_created_at": 1775434650,
	"ts_updated_at": 1775791284,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3a31bbeb00a15851c554c67f910a46a083901639.pdf",
		"text": "https://archive.orkl.eu/3a31bbeb00a15851c554c67f910a46a083901639.txt",
		"img": "https://archive.orkl.eu/3a31bbeb00a15851c554c67f910a46a083901639.jpg"
	}
}