Introduction

The Snake Keylogger [1] [2] [3] [4] [5] [6] [7] [8], also known as the 404 Keylogger and designated AutoIt/InjectorGTY!tr, represents a significant cybersecurity threat. This variant, detected by FortiGuard Labs, has been responsible for over 280 million blocked infection attempts globally. It primarily targets Windows users in Asia and Europe, with the highest concentrations in China, Turkey, Indonesia, Taiwan, and Spain [1] [2] [3] [4] [7]. The malware is distributed through phishing campaigns and poses a severe risk to users’ sensitive information.

Description

A sophisticated variant of the Snake Keylogger [1] [2] [3] [7] [8], also known as the 404 Keylogger and designated AutoIt/InjectorGTY!tr, has been detected by FortiGuard Labs, which has blocked over 280 million infection attempts globally [1] [3] [8]. This credential-stealing malware primarily targets Windows users in Asia and Europe; the highest concentrations of infections have been reported in China, Turkey, Indonesia, Taiwan, and Spain [1] [2] [3] [4] [7]. The Snake Keylogger has been distributed through campaigns themed around “Ordine,” “Documenti,” and “Delivery,” using phishing emails with ZIP and GZ attachments to spread the malware [5]. Notably, it appears in five of the nine malware families identified as targeting Italy, with specific phishing attempts aimed at INPS users [5].

The malware infiltrates systems through these phishing emails [4]; its primary function is the theft of sensitive user data, including usernames [3] [8], passwords [4] [6], credit card details [4] [6], and browser information [1]. The Snake Keylogger operates in three steps [3]: first, it distributes itself via phishing emails; second, it collects data by capturing keystrokes [8], monitoring clipboard activity [1] [3], and extracting saved passwords from popular web browsers such as Chrome, Edge [2] [4] [7], and Firefox; and finally, it transmits the stolen data to remote servers over encrypted channels [3], including SMTP [2], Telegram bots [2] [3] [4] [6] [7], and HTTP POST requests [6]. To evade detection [1] [2] [4] [6] [7] [8], the malware relies on obfuscation tools and the AutoIt scripting language for Windows automation, which complicates static analysis and lets its dynamic behavior mimic that of benign automation tools [6]. The executable of this variant is an AutoIt-compiled binary that unpacks and runs the keylogger upon execution [6]. It uses process hollowing to inject malicious code into legitimate Windows processes [1], specifically targeting RegSvcs.exe [2] [6].

To ensure persistence [4] [6] [7], the Snake Keylogger places scripts, such as “ageless.vbs,” in the Windows Startup folder [3], enabling it to run automatically upon system reboot [4]. This script utilizes WScript.Shell() to execute “ageless.exe,” which is dropped in the %Local_AppData%\supergroup folder upon execution. Once embedded [1], it actively monitors browser data [4], accessing folders that store saved credentials and autofill information [4]. Key findings also highlight the use of the SetWindowsHookEx API with a low-level keyboard hook for keystroke logging, as well as the ability to determine the victim’s public IP address for geolocation purposes.

The FortiSandbox research team emphasizes the importance of both static and dynamic analysis in detecting this advanced threat, with the PAIX engine’s machine learning technology enabling the identification of previously unknown threats [2]. FortiGuard Antivirus specifically recognizes the malware as AutoIt/InjectorGTY!tr [2], which is integrated into FortiGate, FortiMail [2], FortiClient [2], and FortiEDR solutions [2]. The resurgence of the Snake Keylogger underscores the increasing sophistication of credential-stealing malware [4], posing a significant risk to Windows users [4], particularly those who frequently interact with emails from unknown sources [4].

Conclusion

The resurgence of the Snake Keylogger highlights the growing sophistication of credential-stealing malware [4], posing a significant risk to Windows users [4]. To mitigate these risks [8], users should exercise caution with email attachments or links from unknown sources, enable multi-factor authentication (MFA) [4], and monitor system startup folders and running processes for unusual activity [4]. Regular updates to Windows and security software are essential. Education on the risks associated with unsolicited email attachments and suspicious links is crucial for individual users [3]. Proactive defense strategies [3], including behavior-based detection systems [3], are vital for identifying unusual activities indicative of keylogger infections [3]. The evolving landscape of cyber threats necessitates a dynamic approach to malware detection and neutralization [3].
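The following PowerShell hunting script is an added example, not code from any of the cited reports; it checks a host for the persistence and process indicators described above (a Startup-folder script invoking WScript.Shell, a payload under %LocalAppData%\supergroup, and RegSvcs.exe launched from a user-profile path). The choice of script extensions and the "parent under AppData" heuristic are this example's assumptions.

```powershell
# Added example: hunt for the Snake Keylogger persistence/process indicators
# named in the write-up. Runs read-only; review findings before acting on them.
$findings = @()

# 1. Startup-folder scripts (per-user and all-users) that invoke WScript.Shell,
#    the mechanism the report describes for "ageless.vbs". Extensions assumed.
$startupDirs = @(
    [Environment]::GetFolderPath('Startup'),
    [Environment]::GetFolderPath('CommonStartup')
)
foreach ($dir in $startupDirs) {
    Get-ChildItem -Path $dir -Include *.vbs,*.js,*.wsf -File -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object {
        if (Select-String -Path $_.FullName -Pattern 'WScript\.Shell' -Quiet) {
            $findings += [pscustomobject]@{ Indicator = 'Startup script using WScript.Shell'; Detail = $_.FullName }
        }
    }
}

# 2. The drop directory named in the report (%LocalAppData%\supergroup).
$dropDir = Join-Path $env:LOCALAPPDATA 'supergroup'
if (Test-Path $dropDir) {
    Get-ChildItem -Path $dropDir -File -ErrorAction SilentlyContinue | ForEach-Object {
        $findings += [pscustomobject]@{ Indicator = 'File in %LocalAppData%\supergroup'; Detail = $_.FullName }
    }
}

# 3. RegSvcs.exe (the process-hollowing target) whose parent image lives under a
#    user profile's AppData tree, as a dropped "ageless.exe" would. Heuristic assumed.
$procs = Get-CimInstance Win32_Process
foreach ($p in ($procs | Where-Object { $_.Name -ieq 'RegSvcs.exe' })) {
    $parent = $procs | Where-Object { $_.ProcessId -eq $p.ParentProcessId } | Select-Object -First 1
    $parentPath = if ($parent) { $parent.ExecutablePath } else { '<parent exited>' }
    if (-not $parent -or $parentPath -like '*\AppData\*') {
        $findings += [pscustomobject]@{
            Indicator = 'RegSvcs.exe with suspicious parent'
            Detail    = "PID $($p.ProcessId) parent=$parentPath cmd=$($p.CommandLine)"
        }
    }
}

if ($findings.Count -eq 0) { 'No indicators found.' } else { $findings | Format-Table -AutoSize -Wrap }
```

Run it from an elevated PowerShell session so that processes of other users are visible; a legitimate RegSvcs.exe launched by developer tooling will not match the AppData heuristic.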

References

[1] https://www.infosecurity-magazine.com/news/snake-keylogger-targets-windows/
[2] https://www.fortinet.com/blog/threat-research/fortisandbox-detects-evolving-snake-keylogger-variant
[3] https://undercodenews.com/new-snake-keylogger-variant-poses-a-global-threat-a-deep-dive-into-the-malwares-operations/
[4] https://cyberinsider.com/new-snake-keylogger-variant-launches-280-million-attacks/
[5] https://www.securityinfo.it/2025/02/17/cert-agid-08-14-febbraio-goldenleaks-combolist-di-90-000-account-italiani/
[6] https://londontribune.co.uk/snake-keylogger-slithers-into-windows-evades-detection-with-autoit-compiled-payload/
[7] https://cyber1defense.com/2025/02/18/snake-keylogger-variant-hits-windows-and-steals-data/
[8] https://www.newsminimalist.com/articles/new-snake-keylogger-variant-targets-windows-users-and-blocks-280-million-infection-attempts-90c4704c