{
	"id": "e42a75fe-f4ae-429a-a18e-59e44292d99a",
	"created_at": "2026-04-06T00:11:44.424407Z",
	"updated_at": "2026-04-10T13:12:41.304046Z",
	"deleted_at": null,
	"sha1_hash": "a6d45e0c5c2c3a3aa237056eee57a01429fd4067",
	"title": "MassLogger: An Emerging Spyware and Keylogger",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 640575,
	"plain_text": "MassLogger: An Emerging Spyware and Keylogger\r\nBy Aniruddha Dolas\r\nPublished: 2020-07-31 · Archived: 2026-04-05 17:42:44 UTC\r\nSummary:\r\nWe have been dealing with a new spyware for the past two months, named MassLogger. This advanced keylogger and spyware is distributed via MalSpam attachments and has more features than other keylogger tools currently seen. It has been observed that this campaign is using several different file types as malicious attachments as the initial infection vector. Also, the dynamic behaviour of this campaign is not constant across multiple samples. It comes with several functionalities like keylogging, Windows Defender exclusion, taking screenshots, spreading via USB, clipboard stealing, VM detection, etc.\r\nTechnical Details:\r\nHere are the different file types used as spam attachments in this campaign:\r\nzip\r\nrar\r\ngz\r\n7z\r\nimg\r\niso\r\ndoc\r\narj\r\nxz\r\nace\r\ndocm\r\nz\r\nxlsm\r\ncab\r\nAfter looking at the above list, we can see two major categories of attachment: the first is an archive file and the second is a document file. In the case of archive files, the .NET MassLogger payload is present after extraction, while in the case of a document file it contains a VBA macro and an exploit which downloads the MassLogger payload from a remote server.\r\nPolymorphic Process Chain:\r\nWe have seen different variants of dynamic behaviour across multiple samples in this campaign. Below are snapshots of a few process chains:\r\nhttps://www.seqrite.com/blog/masslogger-an-emerging-spyware-and-keylogger/\r\nPage 1 of 11\n\nFig 1: Process Chain. Ref. https://app.any.run/\r\nFig 2: Process Chain. Ref. https://app.any.run/\r\nFig 3: Process Chain. Ref. https://app.any.run/\r\nFig 4: Process Chain. Ref. https://app.any.run/\r\nDocument analysis:\r\nIn some cases, threat actors have used an office document file as the initial infection vector, carrying a VBA macro and an Equation Editor exploit. The following figure shows the extraction of an Excel document having embedded OLE storage containing 2 VBScripts and 1 file with the CVE-2017-11882 exploit, and a VBA Project stream containing VBA macros.\r\nFig 5: OLE Streams and Storages\r\nThe following figure shows multiple OLE streams, each containing different data.\r\nFig 6: Ole Embeddings\r\nThe first stream, oleObject1.bin, is a VB script file that contains renamer code, after which it executes the VBS file using Wscript.\r\nFig 7: VBS Job\r\nThe oleObject2.bin stream is also a VB script, which is highly obfuscated and has code to download a payload from the C2 server.\r\nFig 8: VBS downloader\r\nThe Excel sheet containing the stack-based buffer overflow exploit of the Equation Editor renames and executes the VB scripts using the WinExec API (0x00430C12) post-exploitation.\r\nFig 9: Shellcode\r\n“1C00” is the header of the Equation Editor; on the right side, the shellcode is present, containing a cmd.exe command which initially renames the VB script and passes it to Wscript to execute that VB script. After the overflow occurs, this whole data is passed to the WinExec function, which does the further activity. For more info related to the CVE-2017-11882 exploit, please refer to our blog post.\r\nTo increase the chances of payload delivery, the attacker uses both the exploit and VBA macros. When the exploit fails on a patched system, another component, the VBA macros, is also present in the document file. Similar VBS code is present in the VBA macros, and the macro code has the responsibility of dropping the VBS file in the “C:\\programdata\\” folder and executing it as a VBS job, which does further activity similar to that of the Equation Native exploit.\r\nPayload Analysis:\r\nThe payload is downloaded from the different initial attack vectors discussed above; when it executes, it goes to sleep for a few seconds. There is a lot of sleep code present in this binary. There are a total of 4 components present with 2 layers of the packed file.\r\nStage 1 layer:\r\nIn the 1st layer, when it gets executed, it has simple code hidden in a Form() component. This code is responsible for extracting a dll file from the resource directory, present as reversed data in Base64 format, which further gets resolved and dumps a dll with the name AndroidStudio.dll.\r\nFig 10: Fetch data from resources\r\nAndroidStudio.dll has the responsibility to decompress and decrypt a buffer which is passed to it.\r\nFig 11: Android Studio code\r\nThe GZip decompression method is used to decompress the buffer passed from the resource directory. This dll is used to dump another PE file which is responsible for further activity.\r\nStage 2 Layer: Lazarus.exe\r\nLazarus.exe gets dumped, which is a highly obfuscated .NET file now unpacked from the parent file. We have decoded this file using the de4dot tool successfully. In execution, it goes to sleep for a few seconds, then it checks if its own copy is present at the “%appdata%” location. If not, it drops a self-copy at the “%appdata%” location. After that, to stay persistent in the system, it creates an entry in the task scheduler. For this, it creates and drops an XML config file at the “%temp%” location which is the input for creating the scheduled task. The metadata for the XML file is hardcoded and stored in a PE resource. All data gets replaced at runtime.\r\nFig 12: Task Scheduler XML\r\nThe task name starts with the string “Update\\” followed by the file name dropped at the %appdata% location. The following command gets executed to add an entry in the task scheduler.\r\n“C:\\Windows\\System32\\schtasks.exe” /Create /TN “Updates\\\u003cfilename\u003e” /XML “C:\\Users\\\u003cusername\u003e\\AppData\\Local\\Temp\\tmp\u003cUSERID\u003e.tmp”\r\nNow it is time to move to the final payload, which is MassLoggerBin.exe. Using the Process Hollowing technique, it injects code into its own process. The following image shows the use of the self-hollowing technique to do its further activity.\r\nFig 13: Process Hollowing\r\nWhen it successfully writes and creates a new process, the parent process gets terminated and the code-injected process runs as an orphan. The code of this process is also highly obfuscated. All function and class names are modified to random/obfuscated strings.\r\nStage 3 layer: MassLoggerBin.exe\r\nAt the start, it extracts a dll file with the name “Ionic.Zip.Reduced.dll” from its resources. Ionic.Zip.Reduced.dll is DotNetZip, a free, fast class library used for manipulating zip files. The code used by the attacker in MassLogger is available on this site. The main motive of using this dll is to create a zip file containing a compressed package of files like snapshots, keylogs, user info etc.\r\nThe internal config-based functionality is used by MassLogger to fetch the required data accordingly, which is then assigned to a specific variable.\r\nFollowing are the variables that fetch data stored in its internal config (see figure): the particular offset to read from is the first parameter, and the config array from which data gets fetched is the second parameter.\r\nFig 14: Retrieves Config data\r\nFig 15: Config Data\r\nIt starts collecting system information like the name of the system, Windows version, CPU, GPU, AV installed, and public IP, which it gets from the URL “hxxp[:]//api[.]ipify[.]org”; it also gets running process information.\r\nFig 16: Running Processes\r\nMassLogger also stores the running process window names in its log file.\r\nMassLogger Functionality:\r\n1. Application Data Stealer:\r\nFollowing is a list of applications from which it tries to steal user data, which it further sends to its C2 server. By checking data from hardcoded paths stored in this binary, it checks for particular data and for installation of these applications; if it does not find any details, it creates an entry in the following format,\r\n\u003c|| Application-name ||\u003e\r\nNot Installed\r\nThe following modules are present in the MassLogger binary:\r\n2. Windows Defender Exclusion\r\nIt has a module named “WD Exclusion”, which is a Windows Defender exclusion. Using the command “Add-MpPreference -ExclusionPath \u003cpath\u003e”, it excludes itself from Windows Defender Anti-Virus.\r\n3. USB Spread\r\nAnother module, USB Spread, uses the open-source code of LimeUSB available on GitHub. It is used to infect files stored on the USB drive. When files on the USB get executed, it executes its own code as well as the infected code.\r\nFig 17: USB Spread Module\r\n4. Keylogger and Clipboard\r\nIt has a keystroke capture module; using the “SetWindowsHookEx” API it captures all keyboard keys and logs them.\r\nFig 18: Keyboard Hooking\r\n5. Anti VM\r\nIt also has Anti-VM techniques, checking for the video controller adapter using the WMI query “Select * from Win32_VideoController”, which retrieves information related to the graphics card. If the process is executing on VirtualBox then it returns “Virtual Box Graphics Adapter”.\r\nFig 19: Video Adapter\r\n6. Search And Upload\r\nAs per the config file, it searches for certain files which it wants to send to the C2 server and stores them in the “SearchAndUpload.zip” archive.\r\nAll data is stored in and retrieved from its config file. Following is the view of the MassLogger config file.\r\nFig 20: Config File\r\nOnce all data collection is done, it creates a log file containing all data, like when the MassLogger process started and ended, and other collected details. After that, it compresses it using ZIP and stores it at the location “C:\\Users\\\u003cUSERNAME\u003e\\AppData\\Local”.\r\nFollowing is an image showing the MassLogger log file.\r\nFig 21: MassLogger log file\r\nConclusion:\r\nMassLogger is a highly configurable and modular keylogger and spyware. The author behind MassLogger tried to make it more sophisticated in features than other keyloggers, and these features make it hard to detect this advanced malware.\r\nIoCs:\r\n4A199C1BA7226165799095C2C2A90017 (XLSM)\r\nD1FFF0C0782D08ED17387297369797E0 (XLSM)\r\n31B65A54940B164D502754B09E3E9B63 (PE)\r\n37958546CB6DC41F505FDCB3430CEE3B (PE)\r\nSubject Matter Experts:\r\nAniruddha Dolas\r\nPawan Chaudhari\r\nSource: https://www.seqrite.com/blog/masslogger-an-emerging-spyware-and-keylogger/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.seqrite.com/blog/masslogger-an-emerging-spyware-and-keylogger/"
	],
	"report_names": [
		"masslogger-an-emerging-spyware-and-keylogger"
	],
	"threat_actors": [
		{
			"id": "b740943a-da51-4133-855b-df29822531ea",
			"created_at": "2022-10-25T15:50:23.604126Z",
			"updated_at": "2026-04-10T02:00:05.259593Z",
			"deleted_at": null,
			"main_name": "Equation",
			"aliases": [
				"Equation"
			],
			"source_name": "MITRE:Equation",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434304,
	"ts_updated_at": 1775826761,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a6d45e0c5c2c3a3aa237056eee57a01429fd4067.pdf",
		"text": "https://archive.orkl.eu/a6d45e0c5c2c3a3aa237056eee57a01429fd4067.txt",
		"img": "https://archive.orkl.eu/a6d45e0c5c2c3a3aa237056eee57a01429fd4067.jpg"
	}
}