New Snake Keylogger Attacking Chrome, Edge, and Firefox Users

A sophisticated new variant of the Snake Keylogger (detected as AutoIt/Injector.GTY!tr) has emerged as a critical threat to Windows users.

It leverages advanced evasion techniques to steal sensitive data from Chrome, Edge, and Firefox browsers.

FortiGuard Labs reports over 280 million blocked infection attempts since January 2025, with concentrated attacks in China, Turkey, Indonesia, Taiwan, and Spain.


The malware employs AutoIt scripting, process hollowing, and multi-channel exfiltration to bypass traditional defenses, making it one of the most persistent keyloggers observed this year.

Infection Vector and Evasion Tactics

The campaign begins with phishing emails distributing malicious attachments or links.

Upon execution, Snake Keylogger drops an AutoIt-compiled binary (ageless.exe) into the %Local_AppData%\supergroup directory and sets the hidden file attribute on it to conceal its presence.

AutoIt’s flexibility allows the malware to embed encrypted payloads:-

LOCAL GOKLGORRY= -"% STRIMGLEN(SFSXRNSO  
MEXI  
global sphtiwuzwso  
2556184065275618406526561840 "  

This obfuscation complicates static analysis, while dynamic behavior mimics benign automation tools.

To ensure persistence, Snake Keylogger drops a VBScript (ageless.vbs) into the %Startup% folder:-

' Persistence launcher dropped into the user's Startup folder (ageless.vbs)
Set WshShell = CreateObject("WScript.Shell")
' Launch the dropped AutoIt binary; window style 1 shows a normal window
WshShell.Run "C:\Users\Administrator\AppData\Local\supergroup\ageless.exe", 1
Set WshShell = Nothing

This script ensures the binary runs automatically after a system reboot, once the user logs on; because the per-user Startup folder is writable without elevated privileges, the malware gains persistence without needing administrator rights.
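A defender can triage Startup-folder launchers of this kind mechanically. The script below is an added example (it is not part of the article and not Fortinet's tooling): it extracts the executable that a .vbs launcher hands to WshShell.Run, flags targets that live in user-writable directories such as %LOCALAPPDATA%, and compares each script's MD5 against the hashes the article lists as IoCs. The sample script, the directory list and the helper names are constructed for the example; only the two hashes come from the page.

```python
"""Triage Startup-folder VBScript launchers like the page's ageless.vbs.

Added example (not part of the original article and not Fortinet's tooling).
It extracts the executable that a .vbs launcher passes to WshShell.Run, flags
targets that live in user-writable locations such as %LOCALAPPDATA%, and
compares each script's MD5 with the hashes the article lists as IoCs.
The sample script below is constructed to mirror the quoted ageless.vbs.
"""
import hashlib
import os
import re
from pathlib import Path
from typing import Dict, List, Optional, Tuple

# MD5 hashes quoted in the article's IoC section.
IOC_MD5: Dict[str, str] = {
    "f8410bcd14256d6d355d7076a78c074f": "ageless.exe",
    "77f8db41b320c0ba463c1b9b259cfd1b": "ageless.vbs",
}

# Constructed sample mirroring the persistence script quoted in the article.
SAMPLE_VBS = (
    'Set WshShell = CreateObject("WScript.Shell")\r\n'
    'WshShell.Run "C:\\Users\\Administrator\\AppData\\Local\\supergroup\\ageless.exe", 1\r\n'
    'Set WshShell = Nothing\r\n'
)

# Matches the first string argument handed to WshShell.Run / .Exec.
RUN_RE = re.compile(r'\.(?:Run|Exec)\s*\(?\s*"([^"]+)"', re.IGNORECASE)

# Launch targets in these directories are unusual for installer-deployed software
# and are the locations droppers typically write to (constructed list).
USER_WRITABLE_DIRS = ("\\appdata\\local\\", "\\appdata\\roaming\\", "\\temp\\", "\\programdata\\")


def extract_run_target(vbs_text: str) -> Optional[str]:
    """Return the executable path the script launches, or None if none is found."""
    m = RUN_RE.search(vbs_text)
    return m.group(1) if m else None


def is_suspicious_launcher(vbs_text: str) -> Tuple[bool, Optional[str]]:
    """Flag a launcher whose target sits in a user-writable directory.

    This is a triage signal, not a verdict: some legitimate per-user apps
    also live under AppData, so hits need an analyst's review.
    """
    target = extract_run_target(vbs_text)
    if target is None:
        return False, None
    low = target.lower()
    return any(d in low for d in USER_WRITABLE_DIRS), target


def md5_hex(data: bytes) -> str:
    """MD5 of raw file bytes, matching the hash format the article publishes."""
    return hashlib.md5(data).hexdigest()


def ioc_match(md5_digest: str) -> Optional[str]:
    """Return the IoC filename for a known-bad MD5, case-insensitively."""
    return IOC_MD5.get(md5_digest.lower())


def triage_startup_folder(folder: Path) -> List[dict]:
    """Scan every .vbs launcher in a Startup folder and report findings."""
    findings = []
    for script in sorted(folder.glob("*.vbs")):
        data = script.read_bytes()
        flagged, target = is_suspicious_launcher(data.decode("utf-8", errors="replace"))
        hit = ioc_match(md5_hex(data))
        if flagged or hit:
            findings.append({"script": str(script), "target": target, "ioc_hit": hit})
    return findings


if __name__ == "__main__":
    # Scan the current user's Startup folder when run on Windows; otherwise
    # fall back to the constructed sample so the example runs anywhere.
    appdata = os.environ.get("APPDATA")
    startup = Path(appdata) / "Microsoft/Windows/Start Menu/Programs/Startup" if appdata else None
    if startup and startup.is_dir():
        for finding in triage_startup_folder(startup):
            print(finding)
    else:
        print(is_suspicious_launcher(SAMPLE_VBS))
```

The path check is deliberately a triage signal rather than a verdict: several legitimate per-user applications also launch from AppData, so a hit should send the target binary to sandboxing rather than trigger an automatic block on its own.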

The malware injects its payload into RegSvcs.exe, a legitimate .NET process, using process hollowing.

By suspending the process, unmapping its memory, and loading malicious code, Snake Keylogger evades signature-based detection.

FortiSandbox indicator for process injection (Source – Fortinet)

Once active, it installs a global low-level keyboard hook via SetWindowsHookEx(13, ...) (hook type 13 is WH_KEYBOARD_LL) to capture keystrokes, including banking credentials and passwords.

Stolen data—ranging from browser autofill details to clipboard content—is exfiltrated through SMTP and Telegram bots.

The decompiled excerpt below shows code targeting credit card information:-

if (Operators.CompareString(Class6.string_25, "True", false) == 0)
{
    string text = string.Concat(new string[] { "PW | ", Environment.UserName, ... });
}
Snake Keylogger’s attempt to steal the victim’s credit card information (Source – Fortinet)

The malware also queries checkip.dyndns.org to learn the victim's public IP address and geolocate the host, adding to the attacker's reconnaissance data.

FortiSandbox v5.0’s PAIX engine detected the threat through behavioral analysis and static heuristics, identifying embedded APIs and network anomalies.

Dynamic analysis indicators (Source – Fortinet)

Organizations are urged to:-

  1. Deploy advanced sandboxing to analyze scripts and binaries.
  2. Block connections to C2 servers like http://51[.]38[.]247[.]67:8081.
  3. Educate users on phishing risks via security platforms.
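The process hollowing into RegSvcs.exe, the checkip.dyndns.org lookup and the C2 connection described above leave a correlatable trail in endpoint telemetry. The code below is an added example (not part of the article and not Fortinet's detection logic): it runs three behavioural checks over constructed Sysmon-style events (IDs 1 and 3) and groups the hits by process id. The RegSvcs.exe path, the C2 endpoint and the checkip.dyndns.org host come from the page; the victim paths, PIDs, parent processes and the 203.0.113.10 address are invented sample values, and the "no assembly argument" rule is a heuristic of this example.

```python
"""Hunt for Snake-Keylogger-style process hollowing in Sysmon-style telemetry.

Added example, not part of the original article and not Fortinet's detection
logic. It correlates three behaviours the article describes: RegSvcs.exe
spawned by an executable in a user-writable directory, that process making
the checkip.dyndns.org lookup, and a connection to the listed C2 endpoint.
Events are constructed to resemble Sysmon event IDs 1 (process create) and
3 (network connect); paths, PIDs and 203.0.113.10 are invented sample values.
"""
from collections import defaultdict
from typing import Dict, List

C2_ENDPOINTS = {("51.38.247.67", 8081)}   # C2 indicator quoted in the article
RECON_HOSTS = {"checkip.dyndns.org"}      # public-IP lookup named in the article
HOLLOWING_TARGETS = {"regsvcs.exe"}       # .NET host the article names as injection target
USER_WRITABLE_DIRS = ("\\appdata\\local\\", "\\appdata\\roaming\\", "\\temp\\")

REGSVCS = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
DROPPER = r"C:\Users\victim\AppData\Local\supergroup\ageless.exe"   # constructed path

SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 4120, "Image": DROPPER,
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": f'"{DROPPER}"'},
    # RegSvcs.exe started by the dropper with no assembly argument: hollowing pattern
    {"EventID": 1, "ProcessId": 4388, "Image": REGSVCS,
     "ParentImage": DROPPER, "CommandLine": f'"{REGSVCS}"'},
    {"EventID": 3, "ProcessId": 4388, "Image": REGSVCS,
     "DestinationHostname": "checkip.dyndns.org",
     "DestinationIp": "203.0.113.10", "DestinationPort": 80},
    {"EventID": 3, "ProcessId": 4388, "Image": REGSVCS,
     "DestinationHostname": "", "DestinationIp": "51.38.247.67", "DestinationPort": 8081},
    # Benign baseline: an installer registering a service assembly with RegSvcs
    {"EventID": 1, "ProcessId": 5001, "Image": REGSVCS,
     "ParentImage": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": f'"{REGSVCS}" "C:\\Program Files\\Vendor\\Vendor.Service.dll"'},
]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def has_no_arguments(command_line: str, image: str) -> bool:
    """True when the command line is only the image path.

    Heuristic of this example: RegSvcs.exe normally receives an assembly
    path, so a bare invocation is consistent with a hollowed host process.
    """
    return command_line.strip().strip('"').lower().endswith(basename(image))


def analyze(events: List[dict]) -> Dict[int, List[str]]:
    """Map each RegSvcs.exe process id to the suspicious behaviours seen for it."""
    reasons: Dict[int, List[str]] = defaultdict(list)
    for e in events:
        if basename(e["Image"]) not in HOLLOWING_TARGETS:
            continue
        pid = e["ProcessId"]
        if e["EventID"] == 1:
            if any(d in e.get("ParentImage", "").lower() for d in USER_WRITABLE_DIRS):
                reasons[pid].append("spawned by executable in user-writable directory")
            if has_no_arguments(e.get("CommandLine", ""), e["Image"]):
                reasons[pid].append("started without an assembly argument")
        elif e["EventID"] == 3:
            host = e.get("DestinationHostname", "").lower()
            if host in RECON_HOSTS:
                reasons[pid].append("public-IP lookup to " + host)
            if (e.get("DestinationIp"), e.get("DestinationPort")) in C2_ENDPOINTS:
                reasons[pid].append(
                    f"connection to known C2 {e['DestinationIp']}:{e['DestinationPort']}")
    return dict(reasons)


def high_confidence_pids(events: List[dict], min_reasons: int = 2) -> List[int]:
    """Process ids with at least min_reasons independent indicators."""
    return sorted(pid for pid, r in analyze(events).items() if len(r) >= min_reasons)


if __name__ == "__main__":
    for pid, why in analyze(SAMPLE_EVENTS).items():
        print(pid, why)
```

Requiring two independent indicators before escalating keeps the benign msiexec-driven RegSvcs run out of the alert queue, while the hollowed process trips all four checks; the same correlation can be expressed as a Sigma or EDR rule keyed on parent path and destination.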

Indicators of Compromise (IOCs) include file hashes f8410bcd14256d6d355d7076a78c074f (ageless.exe) and 77f8db41b320c0ba463c1b9b259cfd1b (ageless.vbs).

With Snake Keylogger’s evolving tactics, layered defenses integrating AI and threat intelligence remain critical to safeguarding sensitive data.


Vasantheeswaran R
Vasantheeswaran is a Security Analyst at Cyber Security News, monitoring and analyzing emerging cyber threats. Passionate about malware analysis and threat intelligence.