MC Keylogger is a Windows surveillance module within the OkoBot malware framework. It is designed to capture user input and related activity from compromised endpoints, recording keystrokes, clipboard contents, connected USB device information, and periodic screenshots. The module stores collected artifacts locally before they are exfiltrated by other components of the framework, after which the data may be deleted to reduce forensic visibility.
MC Keylogger has been observed as a payload delivered after initial compromise by OkoBot’s multi-stage infection chain. That broader framework has used ClickFix lures and trojanized software masquerading as legitimate applications to gain initial access, followed by a PowerShell downloader, SSH-based remote access, and plugin-based deployment of additional implants. Within this ecosystem, MC Keylogger functions as a spyware and collection component supporting credential theft, cryptocurrency theft, and broader victim monitoring.
The malware targets Windows systems and has been associated with campaigns affecting users in more than 25 countries, with notable victim concentrations in Brazil, Vietnam, Canada, Mexico, and Türkiye. OkoBot activity has focused heavily on cryptocurrency users, including wallet users and owners of hardware wallets, and also deployed other modules for browser theft, wallet seed-phrase phishing, and targeted recording of wallet and password-manager windows. Attribution to a specific actor is not confirmed, though reporting has noted overlap with Russian-speaking cybercriminal tradecraft and ecosystem elements.
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
5 distinct techniques documented for this family, organized by ATT&CK tactic.
OkoSpyware watches for 100-plus executables... It films the matching window to MP4 with a bundled FFmpeg and logs keystrokes into it. MC Keylogger covers input, clipboard, USB devices
1 indicator attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
3 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A monitoring component that captures keyboard input, clipboard contents, USB device activity, and periodic screenshots.
A keylogger module that records keystrokes, clipboard contents, connected USB devices, and periodic screenshots, storing artifacts for later exfiltration.
A keylogger module that records keystrokes, clipboard contents, connected USB devices, and periodic screenshots, storing artifacts for later exfiltration.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.