Keylogger is a C++ malware module used to record keystrokes and clipboard content. The provided content associates it with multiple campaigns attributed to the Bitter threat actor (also tracked as TA397 and other aliases), where it is described as part of the group’s espionage-oriented toolset targeting primarily government, diplomatic, and defense organizations. Separate reporting in the content also identifies a file named Keylogger.dll as a module loaded in memory by DesckVB RAT, alongside other capabilities such as antivirus detection, webcam access, remote control, and encrypted network communication over HTTPS. In that DesckVB RAT infection chain, the malware is delivered through a staged sequence beginning with an obfuscated JavaScript trojan, followed by PowerShell and in-memory .NET loaders, with payload components including ClassLibrary3.dll, ClassLibrary1.dll, Microsoft.exe, and Keylogger.dll. The content further notes that social-engineering scams may involve persuading victims to install malware such as keyloggers to silently capture sensitive information for later theft. High-confidence indicators directly mentioned in the content include the module name Keylogger.dll.
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
6 distinct techniques documented for this family, organized by ATT&CK tactic.
33 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Other indicator types observed in public reporting.
4 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A keylogging module loaded in memory by the final payload, indicating credential or input capture capability as part of the DesckVB RAT toolset.
Keyloggers are malware that record keystrokes on infected devices, allowing attackers to steal credentials and sensitive information.
Keyloggers are malware that record keystrokes on a device, allowing attackers to steal sensitive information such as passwords and financial data.
C++ module used to record keystrokes and clipboard content for espionage purposes.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.