A keylogger records every keystroke made on a device and forwards that data to whoever deployed it. In the hands of an attacker, a single keylogger infection can yield banking credentials, email passwords, corporate VPN credentials, social security numbers, and private messages — without the victim ever knowing. Keyloggers are used by cybercriminals, stalkers, corporate espionage actors, and nation-state intelligence agencies.
Types of Keyloggers
Keyloggers fall into two broad categories: software-based and hardware-based.
Software Keyloggers
Kernel-level keyloggers operate at the OS kernel level, hooking into the keyboard driver. Because they run below the application layer, they can capture keystrokes even from applications running in elevated or isolated contexts. They are difficult to detect because most security tools operate at a higher privilege level. Rootkit-based keyloggers (like components of older ZeuS banking trojans) use this technique.
API-level keyloggers hook Windows API functions like SetWindowsHookEx with the WH_KEYBOARD_LL parameter. This is the most common implementation in commodity malware because it is easy to code and does not require kernel drivers. The hook function is called every time a key is pressed, anywhere on the system.
// The basic API hook looks like this in concept:
HHOOK hHook = SetWindowsHookEx(WH_KEYBOARD_LL, KeyboardProc, NULL, 0);
Form grabbers take a different approach. Instead of capturing keystrokes, they hook browser functions that handle form submission, capturing data before it is encrypted and sent to the web server. This was the primary technique of the ZeuS and SpyEye banking trojans and is why HTTPS alone does not protect you from keyloggers.
Browser-based keyloggers are JavaScript snippets injected into websites (via XSS attacks or compromised third-party scripts) that capture keystrokes in specific form fields. The Magecart group perfected this technique against e-commerce checkout pages, stealing card numbers as they were typed.
Memory-scraping keyloggers monitor specific memory regions used by target applications (browsers, password managers) to extract credentials after they are decrypted.
Hardware Keyloggers
USB keyloggers plug between the keyboard and the USB port on the computer. They look like small dongles or adapters and are completely invisible to the operating system — no driver is installed, no process runs. They store keystrokes in internal memory (typically 2–16 GB) that is retrieved by the attacker later.
Wireless keyboard sniffers capture the radio frequency transmissions of wireless keyboards. Older 27 MHz keyboards transmit keystrokes in the clear. Devices like the KeySweeper (built from a cheap Arduino and disguised as a phone charger) silently capture and forward keystrokes.
BIOS/firmware keyloggers intercept keystrokes at the firmware level, before the OS even loads. These are nation-state tools (documented in NSA ANT catalog leaks) and not typically seen in commercial threat landscapes.
Acoustic keyloggers use machine learning to analyze the distinct sound of different keys being pressed. Research has shown up to 95% accuracy in recovering typed text from the audio of keystrokes captured via a compromised microphone or nearby smartphone.
How Keyloggers Are Deployed
Software keyloggers are typically deployed via:
- Phishing emails with malicious attachments (macro-enabled Office documents, PDF exploits)
- Drive-by downloads — compromised websites that exploit browser or plugin vulnerabilities
- Trojanized software — pirated software or fake “crack” files
- Remote access trojans (RATs) — keylogging is a standard module in RATs like njRAT, AsyncRAT, and DarkComet
- Stalkerware — commercially sold apps for device monitoring, often disguised as parental control tools
Hardware keyloggers require physical access to the target machine.
Detecting Keyloggers
Windows: Check for Suspicious Keyboard Hooks
You can enumerate active Windows hooks using tools like Autoruns from Sysinternals or write a script to check:
# Simplified triage: list background processes that have no visible window. This is not a
# hook enumeration (PowerShell has no cmdlet that lists WH_KEYBOARD_LL hooks); it narrows
# the set of processes to examine. In practice, use Autoruns > Everything tab and check
# for unexpected entries, then inspect the short list below in Process Explorer.
Get-Process | Where-Object { $_.MainWindowTitle -eq "" } | Select-Object Name, Id, Path | Sort-Object Name
Process Explorer (Sysinternals) shows detailed information about each process, including loaded DLLs. Legitimate system processes have known DLL sets — unexpected DLLs injected into explorer.exe or your browser are a red flag.
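Autoruns can export its entries as CSV (autorunsc.exe -c), which makes the "check for unexpected entries" step scriptable. The following is an added example, not code from the page: it triages such an export for autostart entries that are unsigned, live in user-writable directories, or borrow a Windows system binary name. The column names are assumed to match the Autoruns export and every row is constructed.

```python
import csv
import io

# Constructed sample in the shape of an Autoruns CSV export; column names are an
# assumption about that format and every row is made up for this example.
SAMPLE_AUTORUNS_CSV = r"""Entry Location,Entry,Enabled,Category,Description,Signer,Image Path
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,SecurityHealth,enabled,Logon,Windows Security notification icon,(Verified) Microsoft Windows,c:\windows\system32\securityhealthsystray.exe
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,svchost,enabled,Logon,,(Not verified),c:\users\alice\appdata\roaming\svchost.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,OneDrive,enabled,Logon,Microsoft OneDrive,(Verified) Microsoft Corporation,c:\program files\microsoft onedrive\onedrive.exe
Task Scheduler,\Updater,enabled,Tasks,,Unable to verify,c:\users\alice\appdata\local\temp\upd.exe
"""

# Directories an unprivileged user can write to; legitimate autostarts rarely live here.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\public\\", "\\programdata\\")
# Names malware borrows from real Windows binaries; a copy outside C:\Windows is suspicious.
SYSTEM_LOOKALIKES = {"svchost.exe", "csrss.exe", "lsass.exe", "explorer.exe", "winlogon.exe"}


def triage_autoruns(csv_text):
    """Return [(entry_name, [reasons])] for enabled autostart entries worth a closer look."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Enabled"].lower() != "enabled":
            continue
        path = row["Image Path"].lower()
        name = path.rsplit("\\", 1)[-1]
        reasons = []
        if not row["Signer"].startswith("(Verified)"):
            reasons.append("unsigned or unverifiable signer")
        if any(d in path for d in USER_WRITABLE):
            reasons.append("image in a user-writable directory")
        if name in SYSTEM_LOOKALIKES and not path.startswith("c:\\windows\\"):
            reasons.append("system binary name outside C:\\Windows")
        if not row["Description"]:
            reasons.append("no description")
        if reasons:
            findings.append((row["Entry"], reasons))
    return findings


if __name__ == "__main__":
    for entry, reasons in triage_autoruns(SAMPLE_AUTORUNS_CSV):
        print(f"{entry}: {', '.join(reasons)}")
```

Treat the output as a review queue, not a verdict: a verified signer on a file in AppData is common for updaters, while an unsigned svchost.exe under a user profile is the pattern that keylogger droppers produce.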
Detect API Hooks with Process Monitor
Process Monitor from Sysinternals records file system, registry, process, and network activity in real time. It does not trace SetWindowsHookEx calls directly, so instead look for unexpected processes touching keyboard-related paths or writing to the same small log file at regular intervals; a starting filter is:
Filter: Operation is "CreateFile" and Path contains "keyboard"
Network Monitoring for Exfiltration
Keyloggers must transmit their data somewhere. Use Wireshark or NetworkMiner to capture traffic and look for:
- Periodic small outbound connections (keyloggers often batch and send every few minutes)
- Connections to unusual destinations from browser processes
- DNS queries to newly registered or suspicious domains
# On Linux, monitor outbound TCP connections from a suspicious process
# (matching "pid=<pid>," avoids false hits on ports or addresses that contain the same digits)
ss -tnp | grep "pid=<suspicious_pid>,"
# Or use netstat to list every established connection with its owning process
netstat -anp | grep ESTABLISHED
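The first bullet above, periodic small uploads, can be tested mechanically once outbound connections are logged (from a firewall, Zeek, or a periodic ss snapshot). The following is an added example, not from the page: it groups connections by process and destination and flags groups whose inter-connection interval is regular and whose payloads are small, the profile of a timer-driven keylog upload. The log is constructed and the thresholds are assumptions to tune per environment.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed log: (seconds since capture start, process, destination, bytes sent).
# "upd.exe" uploads a small batch every ~5 minutes; "backup.exe" is just as regular but
# moves megabytes, and the browser rows are bursty interactive traffic.
SAMPLE_CONNECTIONS = [
    (12, "chrome.exe", "142.250.72.14:443", 48211),
    (30, "upd.exe", "203.0.113.9:443", 1330),
    (60, "backup.exe", "198.51.100.20:443", 52_000_000),
    (95, "chrome.exe", "151.101.1.69:443", 9120),
    (330, "upd.exe", "203.0.113.9:443", 1412),
    (360, "backup.exe", "198.51.100.20:443", 51_400_000),
    (410, "outlook.exe", "52.96.0.1:443", 76002),
    (629, "upd.exe", "203.0.113.9:443", 1298),
    (660, "backup.exe", "198.51.100.20:443", 52_900_000),
    (930, "upd.exe", "203.0.113.9:443", 1505),
    (960, "backup.exe", "198.51.100.20:443", 50_700_000),
    (1001, "chrome.exe", "142.250.72.14:443", 31550),
    (1231, "upd.exe", "203.0.113.9:443", 1377),
]


def find_beacons(conns, min_count=4, max_jitter=0.2, max_bytes=4096):
    """Flag (process, destination) pairs with repeated, regular, small outbound connections.

    Jitter is pstdev(interval) / mean(interval): a timer-driven upload has low jitter,
    interactive traffic does not. Large regular transfers (backups, sync) are excluded
    by max_bytes, since keylog batches are typically a few kilobytes.
    """
    groups = defaultdict(list)
    for ts, proc, dest, nbytes in sorted(conns):
        groups[(proc, dest)].append((ts, nbytes))
    beacons = []
    for (proc, dest), events in groups.items():
        if len(events) < min_count:
            continue
        intervals = [b[0] - a[0] for a, b in zip(events, events[1:])]
        avg_interval = mean(intervals)
        if avg_interval == 0:
            continue  # duplicate timestamps; not a timer pattern
        jitter = pstdev(intervals) / avg_interval
        avg_bytes = mean(n for _, n in events)
        if jitter <= max_jitter and avg_bytes <= max_bytes:
            beacons.append({"process": proc, "dest": dest, "count": len(events),
                            "interval_s": round(avg_interval), "jitter": round(jitter, 3)})
    return beacons


if __name__ == "__main__":
    for b in find_beacons(SAMPLE_CONNECTIONS):
        print(b)
```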
Anti-Rootkit Scanners
For kernel-level keyloggers, use dedicated anti-rootkit tools:
- GMER — scans for hidden processes, drivers, services, and SSDT hooks
- Malwarebytes Anti-Rootkit — standalone rootkit scanner
- RootkitRevealer (Sysinternals) — detects discrepancies between OS-reported and raw disk contents
Behavioral Detection
Modern EDR platforms like CrowdStrike Falcon, Microsoft Defender for Endpoint, and SentinelOne detect keylogging behavior through:
- Processes that hook keyboard input without being a legitimate accessibility tool
- Processes that create suspicious files (keylog dumps) and attempt to upload them
- Injection of code into browser processes
Preventing Keylogger Infections
Keep Systems Patched
The majority of drive-by keylogger installations exploit known vulnerabilities in browsers, Office, and PDF readers. Patch aggressively:
- Enable Windows Update automatic updates
- Keep browsers (Chrome, Firefox, Edge) updated — they update silently by default
- Uninstall plugins and extensions you do not use (Flash is dead, Java browser plugin is gone, but PDF plugins persist)
Use a Password Manager with Auto-Fill
Password managers like Bitwarden, 1Password, and KeePass auto-fill credentials without typing them character by character. Most API-level keyloggers capture individual keystrokes — if you auto-fill, there is nothing to capture.
Note: Form grabbers can still intercept auto-filled passwords, so a password manager is a partial mitigation, not a complete one.
Enable Multi-Factor Authentication
Even if an attacker captures your password via a keylogger, MFA prevents them from logging in without the second factor. Use authenticator apps (Authy, Google Authenticator, Microsoft Authenticator) or hardware keys (YubiKey) rather than SMS codes.
Use Virtual Keyboards for Critical Logins
Banking websites and financial platforms often offer an on-screen virtual keyboard precisely to defeat keyloggers. Clicking characters with the mouse avoids keyboard hooks entirely.
Hardware Security Controls
- Inspect USB ports before plugging in your keyboard — any unexpected dongle between keyboard and computer is suspicious
- Use Bluetooth keyboards paired with strong encryption in secure environments (harder to skim than RF)
- For high-security environments, use keyboards with built-in hardware encryption
AppLocker and Execution Controls
Prevent unauthorized software from running in the first place. AppLocker or WDAC policies that only allow signed, known-good applications prevent commodity keylogger malware from executing.
Scan with Multiple Tools
No single scanner catches everything. Use:
- Malwarebytes (free version) for on-demand scanning
- Microsoft Defender as the baseline AV
- HitmanPro for a second-opinion cloud-based scan
- GMER or RKill if you suspect a rootkit component
Responding to a Confirmed Keylogger Infection
- Disconnect from the network immediately to prevent further exfiltration
- Change all passwords from a clean device — assume everything typed on the infected machine is compromised
- Enable MFA on all accounts if not already enabled
- Review recent account activity — bank accounts, email, cloud services for unauthorized access
- Wipe and reinstall the operating system — for keyloggers with rootkit components, removal tools cannot guarantee complete cleanup
- Notify affected services — your bank, IT department, or any service where you entered credentials
Conclusion
Keyloggers are among the most effective credential theft tools because they operate silently, require no special interaction from the victim, and capture authentication data that no amount of encryption in transit can protect. Defense requires both prevention (patching, application control, MFA) and detection (behavioral monitoring, network analysis, anti-rootkit scanning). For any high-value account — banking, email, corporate VPN — treat keylogger compromise as a baseline assumption and use MFA and auto-fill to minimize the impact even if a keylogger is present.