This new keylogger uses Microsoft PowerShell scripts to quietly steal sensitive information — here’s how to protect your data

Keylogger leverages native Windows tools and advanced evasion techniques

When you purchase through links on our site, we may earn an affiliate commission.Here’s how it works.

A recent report byCYFIRMAhas revealed the emergence of a new keylogger operating via a PowerShell script, a task automation and configuration management framework fromMicrosoft.

A keylogger is a type of malicious software that captures every keystroke on an infected system. By recording keyboard inputs, keyloggers can gather sensitive information such aslogin credentials, credit card numbers, and personal communications, and are often used to steal financial data or spy on individuals and organizations.

The keylogger analyzed in CYFIRMA’s research uses Microsoft’s PowerShell script to capture keystrokes stealthily. PowerShell’s native integration with Windows, combined with its powerful scripting capabilities, makes it an attractive target for attackers seeking to execute commands without direct user interaction.

PowerShell based keylogger

The researchers note this PowerShell keylogger showcases several advanced features that enhance its stealth and effectiveness in capturing sensitive information.

This includes its command and scripting interpreter, which enables the keylogger to execute commands through PowerShell without requiring user interaction, significantly complicating detection efforts.

The keylogger also performs system discovery, gathering critical information such as user profile directories, volume details, and cryptographic settings.

Furthermore, the keylogger establishes Command-and-Control (C2) communication through both acloud serverand an Onion server on the Tor network. This dual-channel communication not only maintains anonymity for the attackers but also complicates tracing efforts back to their source. It also incorporates a screen capture feature, allowing attackers to obtain visual data from the infected system in addition to logging keystrokes.

Are you a pro? Subscribe to our newsletter

Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!

To evade detection, the keylogger employs encoded command execution, transmitting commands using Base64 encoding. This technique obscures the commands from traditional security measures.

It also makes persistent connection attempts via a SOCKSproxy, ensuring that even if initial connection attempts fail, the keylogger will continue trying to establish communication. While the current version of the keylogger lacks a fully developed persistence mechanism, the incomplete code indicates that future updates may enhance its ability to maintain a foothold on infected systems.

Given the advanced nature of this PowerShell-based keylogger, CYFIRMA notes organizations should implement robust cybersecurity measures to defend against such threats, including:

More from TechRadar Pro

Efosa has been writing about technology for over 7 years, initially driven by curiosity but now fueled by a strong passion for the field. He holds both a Master’s and a PhD in sciences, which provided him with a solid foundation in analytical thinking. Efosa developed a keen interest in technology policy, specifically exploring the intersection of privacy, security, and politics. His research delves into how technological advancements influence regulatory frameworks and societal norms, particularly concerning data protection and cybersecurity. Upon joining TechRadar Pro, in addition to privacy and technology policy, he is also focused on B2B security products.

Turns out most of us really don’t mind data centers

How Agentic AI will revolutionize business operations – are you ready?

The iPhone 18 series could include a variable aperture, ‘significantly enhancing’ the camera