
SnakeKeylogger

SnakeKeylogger, also known as 404 Keylogger, is a .NET infostealer/keylogger active since at least late 2020 and described as overlapping functionally with AgentTesla. The source reporting also states that VIPKeylogger is a direct variant or rebrand of SnakeKeylogger. Reported capabilities include keystroke logging, credential theft, clipboard capture, and screenshot capture. SnakeKeylogger v4.4 is specifically described as stealing credentials from more than 40 Chromium- and Gecko-based browsers, and as targeting Outlook, Foxmail, Thunderbird, Postbox, FileZilla, Discord tokens, Chromium credit card data, and WiFi passwords. It performs keylogging via SetWindowsHookExA and supports exfiltration over HTTP POST, FTP STOR, the Telegram Bot API, and Discord webhooks; some variant reporting describes SMTP and Telegram being used simultaneously. The malware has been observed delivered through multiple phishing-driven chains, including large obfuscated PowerShell, VBScript, JavaScript, and VBE droppers, as well as staged payloads hosted on compromised websites, the Internet Archive, and Cloudinary. Several analyzed chains used reflective loading of a .NET loader named DEV.dll with entry point DEV.DOWN.SHOOT, followed by process hollowing into legitimate .NET binaries including Aspnet_compiler.exe, RegAsm.exe, and, in VIPKeylogger reporting, Caspol.exe. Persistence observed in related chains included scheduled tasks, Run keys, Startup-folder VBS/LNK artifacts, and use of C:\Users\Public\Downloads\ or C:\Temp\ as staging paths.
High-confidence infrastructure and indicators directly cited in the source reporting include the SHA-256 hashes 580208dc3ab732da63205c34e6b98e11810f5d17d6b602ff9d1029873d418474 (a SnakeKeylogger v4.4 payload), 1c5c15bbed9b6056298187a2fe7d808d8ecc38db0b17c6b18250f9e521028f74 and ff24355a2670aa64b6633a6a154682f42e3a0ec9137c575327967f4baa9bd2df (DEV.dll loaders used in SnakeKeylogger-classified chains), and the infrastructure varders[.]kozow[.]com, aborters[.]duckdns[.]org, anotherarmy[.]dns[.]army, 51[.]38[.]247[.]67:8081, 176[.]61[.]151[.]122, 192[.]210[.]186[.]208/web/ENCRYPT.Ps1, 144[.]172[.]105[.]88, and the SMTP host mail.miniorangeman.com:587. The reporting associates SnakeKeylogger activity with phishing campaigns using purchase-order, invoice, trade, and DHL-themed lures, and notes targeting of procurement, shipping, and accounts-receivable staff, and of organizations in Germany, in specific observed campaigns.
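The delivery chain summarized above (script dropper, PowerShell launched through WMI, hollowing into Aspnet_compiler.exe / RegAsm.exe / Caspol.exe, staging under C:\Users\Public\Downloads\ or C:\Temp\) translates directly into process-creation detection logic. The following Python script is an added example, not code from the Mallory page or from the cited reporting: it runs three such rules over constructed Sysmon-style process-creation events. The JSON field names (Image, ParentImage, CommandLine, RecordId) are modelled on Sysmon Event ID 1 and the sample events are constructed, not captured telemetry.

```python
import json
from pathlib import PureWindowsPath

# Legitimate .NET binaries the reporting names as process-hollowing targets.
HOLLOWING_HOSTS = {"aspnet_compiler.exe", "regasm.exe", "caspol.exe"}
# Script interpreters used by the reported VBScript/PowerShell dropper chains.
SCRIPT_INTERPRETERS = {"wscript.exe", "cscript.exe", "powershell.exe", "pwsh.exe"}
# Staging directories named in the reporting (compared case-insensitively).
STAGING_DIRS = ("c:\\users\\public\\downloads\\", "c:\\temp\\")


def basename(path):
    """Lower-cased file name of a Windows path (works on any host OS)."""
    return PureWindowsPath(path).name.lower()


def evaluate(event):
    """Return (rule, severity) pairs that match one process-creation event."""
    image = basename(event.get("Image", ""))
    parent = basename(event.get("ParentImage", ""))
    cmdline = event.get("CommandLine", "").lower()
    hits = []
    # A .NET utility spawned by a script interpreter is the hollowing pattern
    # (script -> PowerShell -> Aspnet_compiler.exe / RegAsm.exe / Caspol.exe).
    if image in HOLLOWING_HOSTS and parent in SCRIPT_INTERPRETERS:
        hits.append(("dotnet_host_spawned_by_script_interpreter", "high"))
    # PowerShell created through WMI's Win32_Process.Create shows WmiPrvSE.exe
    # as its parent instead of the VBScript host that actually requested it.
    if image in {"powershell.exe", "pwsh.exe"} and parent == "wmiprvse.exe":
        hits.append(("powershell_spawned_via_wmi", "medium"))
    # Payloads written to or run from world-writable staging directories.
    if any(d in cmdline or d in event.get("Image", "").lower() for d in STAGING_DIRS):
        hits.append(("public_staging_path", "low"))
    return hits


def scan(lines):
    """Run every rule over JSON-lines events; return (RecordId, rule, severity)."""
    findings = []
    for line in lines:
        event = json.loads(line)
        for rule, severity in evaluate(event):
            findings.append((event["RecordId"], rule, severity))
    return findings


# Constructed sample events (not real telemetry), modelled on Sysmon Event ID 1.
SAMPLE_EVENTS = [
    json.dumps({"RecordId": 1, "Image": r"C:\Windows\System32\wscript.exe",
                "ParentImage": r"C:\Windows\explorer.exe",
                "CommandLine": r'"C:\Windows\System32\wscript.exe" C:\Users\alice\Downloads\PO_20981.vbe'}),
    json.dumps({"RecordId": 2, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
                "CommandLine": r"powershell.exe -w hidden -ep bypass -f C:\Users\Public\Downloads\stage2.ps1"}),
    json.dumps({"RecordId": 3, "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe",
                "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                "CommandLine": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"}),
    # Benign build activity: same binary, but launched by MSBuild, so no hit.
    json.dumps({"RecordId": 4, "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe",
                "ParentImage": r"C:\Program Files\dotnet\MSBuild.exe",
                "CommandLine": r"aspnet_compiler.exe -v / -p C:\build\site"}),
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(*finding)
```

The first rule is the one worth alerting on by itself: Aspnet_compiler.exe, RegAsm.exe and Caspol.exe have legitimate uses under build tooling (record 4), but a script interpreter as their parent has no normal explanation. The WMI rule is weaker on its own because WmiPrvSE.exe legitimately spawns processes for management tooling, so it is best correlated with the VBScript host that issued the Win32_Process.Create call.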


MITRE ATT&CK

Techniques & procedures

33 distinct techniques documented for this family, organized by ATT&CK tactic.

Resource Development

1 technique
T1608.001 Upload Malware (evidence: 1)

Tactic: Resource Development | Technique: Upload Malware | ID: T1608.001 | Implementation: Internet Archive and ByetHost payload staging

Initial Access

1 technique
T1566.001 Spearphishing Attachment (evidence: 2)

The initial delivery vector is a DHL-themed phishing email carrying a VBScript attachment.

Execution

5 techniques
T1047 Windows Management Instrumentation (evidence: 2)

Execution is handled through WMI rather than direct process creation ... infare.Get("Win32_Process").Create(avaram, Null, circumsail, mayas)

T1053.005 Scheduled Task (evidence: 1)

Kill Chain Summary ... Persist: VBS startup + Scheduled Task

T1059.001 PowerShell (evidence: 3)

The VBScript dropper ... launches PowerShell invisibly via WMI's Win32_Process.Create with ShowWindow=0

T1059.005 Visual Basic (evidence: 3)

Stage 1: VBScript Dropper ... The actual payload is encoded using a hex-nibble scheme where individual hex characters are separated by the Unicode string ⩝Ɽ◮ڧᕒ
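An analyst recovering the stage-1 payload needs to undo the encoding described in that evidence: single hex digits separated by the Unicode string. The following Python decoder is an added example, not code from the Mallory page or the Breakglass report. It assumes ordinary hex digit order (high nibble first) and treats anything between separators that is not exactly one hex digit as filler; the fixture it decodes is a harmless PowerShell line constructed here with the same separator, not a real dropper.

```python
import binascii

# Separator string quoted in the dropper analysis above.
SEPARATOR = "⩝Ɽ◮ڧᕒ"
HEX_DIGITS = set("0123456789abcdefABCDEF")


def decode_nibble_stream(blob, separator=SEPARATOR):
    """Recover bytes from hex digits joined by `separator`.

    Assumption (not stated in the reporting): digits are in ordinary hex
    order, high nibble first. Pieces that are not exactly one hex digit are
    treated as filler and dropped, so stray padding does not break the decode.
    """
    nibbles = [piece for piece in blob.split(separator)
               if len(piece) == 1 and piece in HEX_DIGITS]
    if len(nibbles) % 2:
        raise ValueError("odd number of hex digits after stripping separators")
    return binascii.unhexlify("".join(nibbles))


def decode_to_text(blob, separator=SEPARATOR):
    """Decode and render as text, falling back to latin-1 for binary data."""
    raw = decode_nibble_stream(blob, separator)
    try:
        return raw.decode("utf-8")
    except UnicodeDecodeError:
        return raw.decode("latin-1")


def encode_nibble_stream(data, separator=SEPARATOR):
    """Inverse transform, used here only to build the constructed fixture."""
    return separator.join(data.hex())


# Constructed fixture: a harmless PowerShell line in the same encoding.
SAMPLE_BLOB = encode_nibble_stream(b"Write-Host 'constructed sample, not a real payload'")

if __name__ == "__main__":
    print(decode_to_text(SAMPLE_BLOB))
```

Run against a real dropper, the separator would be taken from the script itself (it appears as a literal the VBScript splits on), and the decoded bytes would be the next-stage PowerShell, which should be inspected in an isolated analysis environment rather than executed.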

T1204.002 Malicious File (evidence: 1)

Tactic: Execution | Technique: User Execution: Malicious File | ID: T1204.002 | Implementation: User must open/run the .vbe file

Persistence

3 techniques
T1053.005 Scheduled Task (evidence: 1)

Kill Chain Summary ... Persist: VBS startup + Scheduled Task

T1112 Modify Registry (evidence: 1)

Tactic: Defense Evasion | Technique: Modify Registry | ID: T1112 | Implementation: Assessed: stage 3 persistence via registry

T1547.001 Registry Run Keys / Startup Folder (evidence: 1)

Tactic: Persistence | Technique: Boot or Logon Autostart Execution: Registry Run Keys | ID: T1547.001 | Implementation: Assessed: stage 3 persistence

Privilege Escalation

3 techniques
T1053.005 Scheduled Task (evidence: 1)

Kill Chain Summary ... Persist: VBS startup + Scheduled Task

T1055.012 Process Hollowing (evidence: 3)

"It performs process hollowing into Aspnet_compiler.exe -- a legitimate .NET Framework tool"

T1547.001 Registry Run Keys / Startup Folder (evidence: 1)

Tactic: Persistence | Technique: Boot or Logon Autostart Execution: Registry Run Keys | ID: T1547.001 | Implementation: Assessed: stage 3 persistence

Stealth

9 techniques
T1027 Obfuscated Files or Information (evidence: 3)

Tactic: Defense Evasion | Technique: Obfuscated Files or Information | ID: T1027 | Implementation: Rotational XOR, Unicode padding, hex encoding

T1027.002 Software Packing (evidence: 1)

The extracted assembly ... includes anti-analysis checks ... An encrypted configuration blob in the User Strings heap contains the Telegram bot token and SMTP credentials -- protected by Babel's obfuscation layer

T1027.003 Steganography (evidence: 1)

The decoded PowerShell downloads a JPEG image from Cloudinary CDN ... with 1.55 MB of Base64-encoded .NET assembly appended after the image data.

T1027.010 Command Obfuscation (evidence: 1)

Tactic: Defense Evasion | Technique: Obfuscated Files or Information: Command Obfuscation | ID: T1027.010 | Implementation: Character-by-character URL concatenation

T1036 Masquerading (evidence: 2)

Tactic: Defense Evasion | Technique: Masquerading | ID: T1036 | Implementation: Payloads disguised as PNG image files

T1055.012 Process Hollowing (evidence: 3)

"It performs process hollowing into Aspnet_compiler.exe -- a legitimate .NET Framework tool"

T1480 Execution Guardrails (evidence: 1)

Tactic: Defense Evasion | Technique: Execution Guardrails | ID: T1480 | Implementation: Timer ensures sandbox timeout before payload

T1620 Reflective Code Loading (evidence: 1)

The output is a .NET assembly loaded via AppDomain.CurrentDomain.Load() -- no file touches disk.

T1622 Debugger Evasion (evidence: 1)

It includes anti-analysis checks for dnspy, vsdbg, de4dot, plus CheckRemoteDebuggerPresent, IsDebuggerPresent, and NtQueryInformationProcess.

Defense Impairment

1 technique
T1112 Modify Registry (evidence: 1)

Tactic: Defense Evasion | Technique: Modify Registry | ID: T1112 | Implementation: Assessed: stage 3 persistence via registry

Credential Access

5 techniques
T1056.001 Keylogging (evidence: 2)

Tactic: Collection | Technique: Input Capture: Keylogging | ID: T1056.001 | Implementation: Keystroke capture

T1528 Steal Application Access Token (evidence: 1)

Tactic: Credential Access | Technique: Steal Application Access Token | ID: T1528 | Implementation: Discord token extraction from LevelDB

T1555 Credentials from Password Stores (evidence: 1)

Tactic: Credential Access | Technique: Credentials from Password Stores | ID: T1555 | Implementation: Browser/email credential harvesting

T1555.003 Credentials from Web Browsers (evidence: 1)

Tactic: Credential Access | Technique: Browser Credentials | ID: T1555.003 | Implementation: 40+ browser Login Data / Cookie / Web Data extraction

T1555.005 Password Managers (evidence: 1)

Tactic: Credential Access | Technique: Email Credentials | ID: T1555.005 | Implementation: Outlook, Foxmail, Thunderbird credential theft

Discovery

2 techniques
T1614 System Location Discovery (evidence: 1)

Tactic: Discovery | Technique: System Location Discovery | ID: T1614 | Implementation: Country via reallyfreegeoip.org

T1622 Debugger Evasion (evidence: 1)

It includes anti-analysis checks for dnspy, vsdbg, de4dot, plus CheckRemoteDebuggerPresent, IsDebuggerPresent, and NtQueryInformationProcess.

Collection

3 techniques
T1056.001 Keylogging (evidence: 2)

Tactic: Collection | Technique: Input Capture: Keylogging | ID: T1056.001 | Implementation: Keystroke capture

T1113 Screen Capture (evidence: 2)

Tactic: Collection | Technique: Screen Capture | ID: T1113 | Implementation: Periodic screenshot module (PNG output)

T1115 Clipboard Data (evidence: 3)

Tactic: Collection | Technique: Clipboard Data | ID: T1115 | Implementation: AgentTesla/SnakeKeylogger capability

Command and Control

4 techniques
T1071.001 Web Protocols (evidence: 2)

Tactic: Command and Control | Technique: Application Layer Protocol: Web Protocols | ID: T1071.001 | Implementation: HTTP GET to C2 on port 80

T1102 Web Service (evidence: 1)

Tactic: Command and Control | Technique: Web Service | ID: T1102 | Implementation: Cloudinary/Internet Archive for staging

T1105 Ingress Tool Transfer (evidence: 1)

Tactic: Command and Control | Technique: Ingress Tool Transfer | ID: T1105 | Implementation: Downloads ENCRYPT.Ps1 from C2

T1568.002 Domain Generation Algorithms (evidence: 1)

Tactic: Command and Control | Technique: Dynamic Resolution: DNS | ID: T1568.002 | Implementation: DuckDNS, Dynu, DNS.Army DDNS

Exfiltration

3 techniques
T1041 Exfiltration Over C2 Channel (evidence: 2)

Tactic: Exfiltration | Technique: Exfiltration Over C2 Channel | ID: T1041 | Implementation: SMTP/HTTP exfiltration

T1048 Exfiltration Over Alternative Protocol (evidence: 1)

Tactic: Exfiltration | Technique: Exfiltration Over Alternative Protocol | ID: T1048 | Implementation: SMTP exfil to miniorangeman.com:587

T1567 Exfiltration Over Web Service (evidence: 1)

Tactic: Exfiltration | Technique: Exfiltration Over Web Service | ID: T1567 | Implementation: Telegram bot API

INDICATORS OF COMPROMISE

IOCs tracked for this family

46 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.

Network
21 tracked

IPs, domains, and DNS infrastructure linked to this family.

Hashes
18 tracked

File hashes (MD5, SHA-1, SHA-256) from samples and reports.

Other
7 tracked

Other indicator types observed in public reporting.

Sample of tracked indicators (values are shown only in the app): domain (latest sighting 27 days ago), domain (27 days ago), URI (27 days ago), URI (27 days ago), domain (3 months ago), SHA-256 hash (3 months ago).
ACTIVITY FEED

Recent activity

14 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

breakglass intel (News), Mar 15, 2026
Competent Malware, Incompetent Infrastructure: A VIPKeylogger Operator Builds a Steganographic Kill Chain, Leaves XAMPP Dashboard Open, and Leaks Their Own SMTP Credentials (Breakglass Intelligence)

A keylogger family also known as 404 Keylogger. In this content it is described as the parent family/variant lineage for VIPKeylogger, with VIPKeylogger adding dual-channel SMTP and Telegram exfiltration.
breakglass intel (News), Mar 12, 2026
AgentTesla/SnakeKeylogger - Multi-Layer VBScript Dropper (PO_20981.vbe) (Breakglass Intelligence)

A .NET stealer/keylogger assessed as the stage 3 payload in this chain. It is described as capable of keylogging, credential harvesting from browsers, email and FTP clients, screenshot capture, clipboard monitoring, SMTP exfiltration, and persistence.
breakglass intel (News), Mar 12, 2026
PhantomStealer Hijacks a Lisbon Theater to Steal Your Credentials (Breakglass Intelligence)

Credential stealer and keylogger used as the final injected payload, employing RSA+AES encryption for configuration and communications.