{
	"id": "10751c0c-f94f-4206-a2c4-3649187e7c8b",
	"created_at": "2026-04-06T00:09:32.428188Z",
	"updated_at": "2026-04-10T03:21:47.500182Z",
	"deleted_at": null,
	"sha1_hash": "c38a7784d09b1432c8779dd82da97a5955366b18",
	"title": "Matiex on Sale Underground",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 925612,
	"plain_text": "Matiex on Sale Underground\r\nPublished: 2020-08-13 · Archived: 2026-04-05 14:29:47 UTC\r\nCriminal activity that relies on the Internet’s underworld has increased manifold in recent times and\r\nhas therefore garnered a lot of attention. Cybercriminals use underground forums on the Dark Web to\r\noperate anonymously, which not only poses a major threat to organizations and users alike but also\r\nmakes the criminals difficult to trace. In this blog, we look at “Matiex”, a Keylogger that is\r\nbeing sold on underground forums for buyers to use for their own advantage.\r\nFigure 1: Matiex Keylogger in underground forums\r\nApart from recording everything typed on the keyboard and recovering passwords like any other Keylogger,\r\nMatiex also has other features like 4 Delivery, Unicode keystroke, Startup \u0026 Installation, +60 Password\r\nRecoveries, Self Destruction \u0026 Remote, Multi Binder and more, as shown in Figure 2, making it different from\r\nother Keyloggers.\r\nhttps://labs.k7computing.com/index.php/matiex-on-sale-underground/\r\nPage 1 of 8\n\nFigure 2: Matiex features\r\nLet’s look into a few of the features mentioned above.\r\n4 Delivery\r\nThe Keylogger offers 4 delivery methods: FTP, SMTP, Telegram or Discord, through which the logged data can be\r\nretrieved by the threat actors.\r\nUnicode keystroke\r\nUnlike ASCII, which represents English characters, Unicode is meant to support characters from different\r\nlanguages around the world. The Matiex Keylogger supports Unicode characters, which makes it possible to record\r\nkeystrokes that include characters from other languages.\r\nSelf Destruction \u0026 Remote\r\nAnother very important feature is Self Destruction \u0026 Remote. The Keylogger can upload information to\r\na remote server from which confidential data can be retrieved anytime. 
Once the job is done and the threat actor’s\r\ngoal is accomplished, the Keylogger can automatically uninstall itself with no clue left behind, and the users will\r\nhave no idea that their system has been monitored by a Keylogger.\r\n+60 Password Recoveries\r\nThis feature helps to recover confidential information like passwords and other sensitive information from more\r\nthan 60 supported browsers, as given in Figure 3.\r\nFigure 3: Browsers from which credentials are recovered\r\nStartup \u0026 Installation\r\nThe authors give threat actors the freedom to choose the installation process and startup. In other words, this is where\r\nthe Keylogger can be customized for the convenience of each threat actor using it.\r\nMulti Binder\r\nWith this feature, the threat actor can bind the Matiex Keylogger with multiple files so that the\r\nKeylogger will run every time those files are opened, without the user being aware of its presence. In this way the\r\nKeylogger can monitor the system for multiple documents.\r\nThe authors of the Keylogger also have their own Terms of Service (TOS) and packages that provide limited voucher\r\ncopies, as shown in Figure 4.\r\nFigure 4: TOS and Limited Voucher Copies\r\nThey allow their buyers, “threat actors”, to contact them through Skype with the contact details given below.\r\nFigure 5: Skype Contact Details\r\nDelivery\r\nOn further analysis, we found that the Indicators of Compromise (IoCs) were mostly .NET files. The mode of\r\ndelivery is spam emails, where users are easily tricked into opening the attachment which delivers the\r\npayload. 
Now let’s reverse a .NET file, extracted from a legitimate-looking zip file “window-defender-update.zip”, with dnSpy to see some of the prominent features that the Matiex Keylogger promises to offer and that\r\nattract threat actors to it.\r\nThe people involved in distributing this malware have included the “MATIEX” string in it, as shown in Figure 6.\r\nFigure 6: Matiex string\r\nKeyboardLoggerTimer\r\nFigure 7: KeyboardLoggerTimer feature\r\nKeyboardLoggerTimer is the basic feature that all Keyloggers have. The malware uses it to record\r\nany interaction with the keyboard without the victim’s knowledge.\r\nScreenshotLoggerTimer\r\nFigure 8: ScreenshotLoggerTimer feature\r\nAnother important feature is the ScreenshotLoggerTimer, which can take screenshots of your system automatically\r\nat specified time intervals. The screenshots are stored as low resolution images so that they consume less storage\r\nat rest and less bandwidth during transmission. In Matiex Keylogger, the frequency of screenshots can be adjusted\r\nby the attacker to one photo per minute or a longer time interval.\r\nClipboardLoggerTimer\r\nFigure 9: ClipboardLoggerTimer feature\r\nThe Clipboard is a buffer that holds the data involved in a cut, copy or paste operation on the\r\nsystem. 
The ClipboardLoggerTimer in Matiex Keylogger is one of the key features, as important pieces of\r\ninformation such as complex login credentials are copied and pasted into registration forms and login pages, and using\r\nthis feature confidential information can be retrieved from the victim’s system.\r\nVoiceRecordLogger\r\nFigure 10: VoiceRecordLogger feature\r\nVoiceRecordLogger is another very important feature of Matiex Keylogger, as it can record conversations via the\r\ncomputer’s microphone.\r\nThePSWDSenders\r\nFigure 11: ThePSWDSenders feature\r\nKeyloggers will usually save information like usernames, passwords, bank credentials, applications opened and\r\nwebsites visited. All this data will be encrypted and uploaded to remote, attacker-controlled servers via FTP,\r\nHTTP or Email. ThePSWDSenders feature is used to send all this information to the threat actors.\r\nAddToStartup\r\nFigure 12: AddToStartup feature\r\nThis Keylogger can also add itself to Windows Startup to maintain persistence and keep\r\ndoing its job even after a reboot. This is done using the AddToStartup feature.\r\ntelegramsender\r\nFigure 13: telegramsender feature\r\nThis Keylogger has another feature for stealing information through Telegram. 
Telegram being a popular chat\r\napplication, threat actors can use its legitimacy to steal information with ease.\r\nIPLogger\r\nFigure 14: IPLogger feature\r\nUsing the IPLogger feature, the threat actors obtain the victim’s IP.\r\nConclusion\r\nMatiex Keylogger is being sold in the underground forums, owing to its gained popularity, and can also be used as\r\nMaaS (Malware-as-a-service) because of its ease of use, competitive pricing and immediate response from\r\nsupport. We at K7 Labs keep monitoring underground forums as well and provide early detection to protect customers\r\nfrom falling victim to the attackers.\r\nIndicators of Compromise (IoCs)\r\nHash | Filename | K7 Detection Name\r\n5521B99B3FDDFD85D4E3DEECD76CA528 (file analyzed) | Q.exe | Spyware ( 004bf6371 )\r\n376944ae1de8e4181797668fb81022da | window-defender-update.zip | Spyware ( 004bf6371 )\r\n6186934D6EBCBD2761413698113233CF | iOpEx.exe | Trojan ( 0056ae001 )\r\nBD6F2EF0D491D749705CFE12CD8BABE6 | BwJzCRNDwH.exe | Trojan ( 0056af741 )\r\nSource: https://labs.k7computing.com/index.php/matiex-on-sale-underground/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://labs.k7computing.com/index.php/matiex-on-sale-underground/"
	],
	"report_names": [
		"matiex-on-sale-underground"
	],
	"threat_actors": [],
	"ts_created_at": 1775434172,
	"ts_updated_at": 1775791307,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c38a7784d09b1432c8779dd82da97a5955366b18.pdf",
		"text": "https://archive.orkl.eu/c38a7784d09b1432c8779dd82da97a5955366b18.txt",
		"img": "https://archive.orkl.eu/c38a7784d09b1432c8779dd82da97a5955366b18.jpg"
	}
}