{
	"id": "26b9ba77-93f4-4ec1-86de-23a4e9f25831",
	"created_at": "2026-04-06T00:14:33.187372Z",
	"updated_at": "2026-04-10T03:21:51.072876Z",
	"deleted_at": null,
	"sha1_hash": "d5052c727fc5d2d47ad3378c2bba214a98da6b6d",
	"title": "New Keylogger on the Block",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2708245,
	"plain_text": "New Keylogger on the Block\r\nArchived: 2026-04-05 16:05:14 UTC\r\nGabor Szappanos\r\nSophos, Hungary\r\nCopyright © 2016 Virus Bulletin\r\nIntroduction\r\nKeyBase is a trending payload in several of today's malware groups. In fact, we have seen evidence that all of the\r\nOffice exploit kits (MWI, AK-1, AK-2, DL-1 and DL-2) have been used to distribute it. A detailed description of\r\nthese Office kits can be found in [1].\r\nOne of the incidents related to the KeyBase trojan was described in [2], while a very detailed and extensive listing\r\nof incidents was published in [3]. Its significance is being recognized, and recently Team Cymru started tracking\r\nKeyBase C\u0026C activity [4].\r\nIn this paper we provide an overview of KeyBase, both the keylogger itself and the server-side management\r\ncomponent. Additionally, we will look at an example of when this trojan was used.\r\nKeyBase Builder\r\nKeyBase is a commercial product (i.e. it is sold for money, which does not necessarily mean that it is legitimate).\r\nThe original homepage of the product was http://www.keybase.in/ (note that, despite the fact that the URL differs\r\nonly by one character, it is not related in any way to the popular public key store keybase.io).\r\nHowever, the project has been shut down due to its increased use by criminals.\r\nhttps://www.virusbulletin.com/virusbulletin/2016/07/new-keylogger-block/\r\nPage 1 of 15\n\nFigure 1: The project has been shut down.\r\nThis move hasn't stopped the criminals from using the keylogger in their campaigns though. Even now (at the time\r\nof writing: June 2016) we are seeing new instances being distributed.\r\nThe Wayback Machine web archive stores earlier versions of the site, which give us some hints about the\r\ncapabilities of the tool [5].\r\nKeyBase is more than just a simple keylogger: it is a complete credential-stealing suite. 
Aside from stealing\r\ncredentials from all popular web browsers and email clients, KeyBase is also capable of storing keystrokes and\r\nclipboard content, and screenshots can also be created with it.\r\nPasswords are stolen from a long list of applications which include the most popular web browsers and email\r\nclients.\r\nFigure 2: Passwords are stolen from a long list of applications.\r\nPassword stealing is not an original development in the product. This functionality is outsourced using the\r\nMailPassView and WebBrowserPassView utilities from Nirsoft [6] – as in most other contemporary credential\r\nstealers (e.g. Predator Pain, Hawkeye, iSpy).\r\nThe Nirsoft utilities are stored in encrypted form (using the AES algorithm) and extracted and executed on the fly\r\nwhen needed, as shown in Figure 3.\r\nFigure 3: The Nirsoft utilities are stored in encrypted form and extracted and executed on the fly.\r\nIn this example the email stealer is stored as a resource called 'Recovermail'. Figure 4 shows the version\r\ninformation of the embedded utilities.\r\nFigure 4: Version information of the embedded utilities.\r\nScreenshots are taken periodically and uploaded to the server. It is even possible, using the InstaLogging feature,\r\nto specify which applications trigger the screenshot (see Figure 5). 
\r\nFigure 5: The InstaLogging feature specifies which applications trigger the screenshot.\r\nIn most cases the screenshot feature is turned off, which is probably to save disk space on the server side –\r\nKeyBase can easily create thousands of screenshots, which consume several gigabytes of disk space.\r\nAs shown in Figure 6, the uploading of clipboard content is configurable, and a self-destruct date can even be\r\nspecified for time-limited operations (see Figure 7).\r\nFigure 6: Clipboard content uploading.\r\nFigure 7: A self-destruction date can be specified for time-limited operations.\r\nMost of the keyloggers we see today support multiple submission methods for stolen data; these are usually email,\r\nFTP and web upload. KeyBase supports only one of these, web upload.\r\nOnce the installation of the trojan is complete, it sends back a notification to the server (as an HTTP GET request\r\nsent to the server-side PHP script) (see Figure 8).\r\nFigure 8: Once the installation of the trojan is complete it sends back a notification.\r\nThen it periodically sends the collected keystrokes and other information in the same way (Figure 9).\r\nFigure 9: Periodically it sends the collected keystrokes and other information.\r\nInterestingly, even though most of the strings are encrypted in the source of the trojan (using a slightly modified\r\nVigenère cipher), and are thus hidden from simple analysis tools, the web panel URL is stored in plain text. 
\r\nFigure 10: The web panel URL is stored in plain text.\r\nAn interesting feature is that the password for encrypting the string variables is not specified in plain text (which\r\nwould make it relatively easy to guess/crack), but instead is derived from a bitmap when generating the trojan\r\nwith the builder. Clicking within the map sets the password.\r\nFigure 11: The password for encrypting the string variables is derived from a bitmap.\r\nKeyBase Server Side\r\nAlthough it falls short compared with other common keyloggers in terms of submission features, one clear\r\nadvantage of KeyBase is a user-friendly server-side interface, Keypanel, which starts with a login page, as shown\r\nin Figure 12.\r\nFigure 12: KeyBase login.\r\nA successful login leads to a dashboard (Figure 13), which summarizes the information collected from the infected\r\nvictims, listing separately the infected computers, collected passwords, logged keystrokes and uploaded\r\nscreenshots.\r\nFigure 13: A dashboard summarizes the available information collected from the infected victims.\r\nFrom here it is possible to access the uploaded clipboard content (Figure 14) and the stolen passwords (Figure 15),\r\nor browse the screenshots (Figure 16).\r\nFigure 14: The uploaded clipboard content can be accessed.\r\nFigure 15: The stolen passwords can be accessed. 
\r\nFigure 16: The screenshots can be browsed.\r\nHaving access to all of this data is just the beginning; the real activity starts when the criminals begin to use the\r\nstolen information in their schemes.\r\nThe stolen data is typically used in supply chain hijacking attacks, similar to the one described in [7], which\r\nfeatures a different keylogger, Hawkeye.\r\nKeyBase Campaign\r\nAs an example we take a series of KeyBase trojan variants that sent stolen data to the jobme.eu server.\r\nThese trojans were distributed in email messages like the one shown in Figure 17.\r\nFigure 17: KeyBase trojan distribution email.\r\nThe trojan was attached to the email as a Windows executable packed in a ZIP archive. In this case Office exploits\r\nwere not used in the distribution; instead the criminals relied on traditional social engineering.\r\nIn another case we couldn't recover the original email, but we know that the trojan was distributed by email, once\r\nagain in an archive. 
This time the archive was named 'enquiry_shipsrv_047pdf.gz' (even though the file extension\r\nsuggests it was a gzip archive, it was really a renamed ZIP file).\r\nVirusTotal data suggests that the original email had the following text:\r\nFrom: PT Indofuels Limited\r\nSent: Monday, 19 October, 2015 4:08 PM\r\n*Blank out*\r\nSubject: Request for Quotation\r\nHello sir,\r\nWe just sent you our Request for Quotation via ShipServ.\r\nAttached please find additional data, as announced in our ShipServ inquiry.\r\nWe are looking forward to receiving your quotation.\r\nBest regards\r\nMr Tse Lenora\r\nDirector\r\nPT Indofuels Limited\r\nTel : +852 31889879\r\nEmail : indoship@indofuels.com\r\nWebsite : http://www.indofuels.com\r\n======================================================\r\nNotice:\r\n(1) It is not SPAM/Junk Mail but only regular e-mail of shipping \u0026 chartering business;\r\n(2) If you are not interested in these biz areas and do not want to receive our mail again, please in\r\n(3) Please consider the environment before printing this e-mail.\r\nWhen the victim opens and executes the attachment, the trojan activates and installs itself on the computer, then\r\ncreates a link in the user's %STARTUP% directory. This way, the keylogger will execute every time the computer\r\nis turned on.\r\nOn the server we found multiple installations of the server-side panel.\r\nFigure 18: Multiple installations of the server-side panel.\r\nHere, each of the subfolders (except for cgi-bin and tmp) contained a separate control panel. A possible reason for\r\nthis is to separate different malware distribution campaigns. 
We were able to identify a couple of samples that\r\nconnected to some of the panels.\r\nSHA1 Drop folder/panel\r\n2243661696ef0a519c6583ac1ab2e14088fe476f roko\r\nf73dc85a3506a11e4dbbeda5e4e69109bd9a2ffe\r\n6d6d2002f8841fa605fc51f749bacb6bd50b7678\r\nocha\r\nThe majority of the panels were empty – either the campaign didn't start or the logs had already been deleted.\r\nFigure 19: The majority of the panels were empty.\r\nEven though a typical campaign in this operation affected only a few dozen computers, the criminals managed to\r\ncollect a lot of passwords and keystrokes (and skipped the screenshots, possibly to spare server storage).\r\nFigure 20: The criminals managed to collect a lot of passwords and keystrokes.\r\nIt is generally observable with KeyBase (and other keylogger) campaigns that the criminals keep the number of\r\ninfected hosts low – in the dozens. This gives them a manageable amount of data and number of victims, for when\r\nthey (usually) engage in invoice hijacking actions.\r\nThe target distribution of the KeyBase campaigns tied to the jobmen.eu domain is illustrated in Figure 21. The\r\nmain targets were in Asia, India, Indonesia, Bangladesh and Djibouti. 
\r\nFigure 21: The main targets were in Asia, India, Indonesia, Bangladesh and Djibouti.\r\nWe don't have information on the actual use of the credentials, but it is likely that the criminals were engaged in a\r\nsupply chain hijacking operation, much like that described in [7].\r\nReferences\r\n[1] https://blogs.sophos.com/2016/04/20/sophoslabs-investigates-the-most-popular-microsoft-office-exploit-kits/.\r\n[2] http://th3l4b.blogspot.ie/2015/10/keybase-loggerclipboardcredsstealer.html.\r\n[3] http://researchcenter.paloaltonetworks.com/2016/02/keybase-threat-grows-despite-public-takedown-a-picture-is-worth-a-thousand-words/.\r\n[4] https://blog.team-cymru.org/2016/02/keybase-malware-family-added-to-team-cymru-botnet-analysis-and-reporting-service-bars/.\r\n[5] https://web.archive.org/web/20150623002553/http://www.keybase.in/.\r\n[6] http://www.nirsoft.net/utils/index.html#password_utils.\r\n[7] https://nakedsecurity.sophos.com/2016/02/29/the-hawkeye-attack-how-cybercrooks-target-small-businesses-for-big-money/.\r\nSource: https://www.virusbulletin.com/virusbulletin/2016/07/new-keylogger-block/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.virusbulletin.com/virusbulletin/2016/07/new-keylogger-block/"
	],
	"report_names": [
		"new-keylogger-block"
	],
	"threat_actors": [],
	"ts_created_at": 1775434473,
	"ts_updated_at": 1775791311,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d5052c727fc5d2d47ad3378c2bba214a98da6b6d.pdf",
		"text": "https://archive.orkl.eu/d5052c727fc5d2d47ad3378c2bba214a98da6b6d.txt",
		"img": "https://archive.orkl.eu/d5052c727fc5d2d47ad3378c2bba214a98da6b6d.jpg"
	}
}