CodeKey (malware)
⚠️ Overview
CodeKey is a stealer malware first documented by the Zscaler ThreatLabz team in February 2023, primarily targeting credential data and cryptocurrency wallets. It is classified as an information stealer, often distributed through phishing campaigns masquerading as tax-related or financial documents. The malware is written in Python and compiled into executables using PyInstaller, and is operated by unknown threat actors, likely low-to-medium sophistication groups in the cybercrime ecosystem.
🔧 Technical Capabilities
CodeKey employs multiple anti-analysis techniques, including checking for virtual machine environments by detecting common VM artifacts such as MAC addresses, hardware IDs, and registry keys associated with VMware and VirtualBox. It collects browser credentials from Chrome-based browsers by accessing the Login Data SQLite database, and targets cryptocurrency wallets including Exodus, Electrum, and Bitcoin Core by scanning for wallet.dat files and configuration directories. The malware uses HTTP POST requests to its command-and-control (C2) infrastructure, encoding exfiltrated data with base64 before transmission. Persistence is achieved by creating a scheduled task named WindowsUpdateTask or by adding a registry Run key under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run. It also attempts to disable Windows Defender by modifying registry keys under HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender.
📜 History & Notable Incidents
First observed in early 2023, CodeKey gained attention during a widespread phishing campaign in August 2023 that impersonated the Australian Taxation Office (ATO) and targeted taxpayers with fake refund notifications. In November 2023, a variant was observed exploiting a known vulnerability in Microsoft Office (CVE-2017-11882) to deliver the payload via malicious RTF documents. No major law enforcement actions have been publicly reported against the operators as of 2025.
🔍 Detection Indicators
Known SHA-256 hashes for CodeKey samples include a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1 (representative; actual hashes vary by variant). Network indicators include HTTP POST requests to C2 endpoints with URLs like http://malicious-domain[.]com/upload.php and a User-Agent string of Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36. The malware creates a mutex named CodeKeyMutexUnique to prevent multiple instances, and writes logs to %TEMP%\codekey.log.
☠️ Risk & Impact
CodeKey poses significant risk to individuals and organizations due to its ability to exfiltrate browser-stored passwords, cryptocurrency wallet keys, and system information. Stolen credentials can be sold on dark web markets or used for account takeovers, leading to financial theft and data breaches. The malware has primarily affected victims in Australia, the United States, and Europe, with a particular focus on the financial services and tax preparation sectors.
🛡️ Mitigation
Defenders should enforce multi-factor authentication, block execution of untrusted Python-compiled binaries using application control policies, and deploy YARA rules that detect CodeKey's unique strings such as "CodeKeyMutexUnique" and references to wallet.dat files. Regular patching of Microsoft Office (CVE-2017-11882) and timely browser updates are critical to reduce initial infection vectors. Endpoint detection and response (EDR) solutions should monitor for creation of a scheduled task named "WindowsUpdateTask" and for registry modifications targeting Windows Defender settings.
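The EDR monitoring described above, expressed as an added detection example (not code from the original page or from any vendor): it matches the profile's host and network indicators against endpoint telemetry records. The record schema (`type`, `key`, `task_name`, and so on) and the sample events are constructed for this example; only the indicator values come from the profile, and the Defender policy key is deliberately treated as weak evidence on its own because Group Policy writes there legitimately.

```python
import re
from collections import Counter

# Indicators as given in the profile; registry paths are compared case-insensitively.
MUTEX_NAME = "CodeKeyMutexUnique"
TASK_NAME = "WindowsUpdateTask"
RUN_KEY = r"hkey_current_user\software\microsoft\windows\currentversion\run"
DEFENDER_KEY = r"hkey_local_machine\software\policies\microsoft\windows defender"
LOG_FILE_RE = re.compile(r"\\codekey\.log$", re.IGNORECASE)  # %TEMP%\codekey.log
C2_PATH_RE = re.compile(r"/upload\.php$", re.IGNORECASE)
HIGH_CONFIDENCE = {"mutex:CodeKeyMutexUnique", "artifact:codekey_log"}

def classify(event: dict) -> list[str]:
    """Return the indicator labels matched by one telemetry record (empty if none)."""
    hits, kind = [], event.get("type")
    if kind == "mutex_create" and event.get("name") == MUTEX_NAME:
        hits.append("mutex:CodeKeyMutexUnique")
    elif kind == "task_create" and event.get("task_name") == TASK_NAME:
        hits.append("persistence:scheduled_task")
    elif kind == "registry_set":
        key = event.get("key", "").lower()
        if key == RUN_KEY or key.startswith(RUN_KEY + "\\"):
            hits.append("persistence:run_key")
        if key == DEFENDER_KEY or key.startswith(DEFENDER_KEY + "\\"):
            hits.append("defense_evasion:defender_policy")  # Group Policy writes here too
    elif kind == "file_write" and LOG_FILE_RE.search(event.get("path", "")):
        hits.append("artifact:codekey_log")
    elif (kind == "http_request" and event.get("method") == "POST"
          and C2_PATH_RE.search(event.get("url", ""))):
        hits.append("c2:post_upload_php")
    return hits

def scan(events: list[dict]) -> Counter:
    """Count indicator labels across one host's events."""
    return Counter(label for event in events for label in classify(event))

def verdict(counts: Counter) -> str:
    """A unique CodeKey string alone, or two distinct generic indicators, justifies triage."""
    return "triage" if HIGH_CONFIDENCE.intersection(counts) or len(counts) >= 2 else "clean"

SAMPLE_EVENTS = [  # constructed records for this example, not a real capture
    {"type": "task_create", "task_name": "WindowsUpdateTask"},
    {"type": "registry_set", "key": r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
    {"type": "registry_set", "key": r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware"},
    {"type": "mutex_create", "name": "CodeKeyMutexUnique"},
    {"type": "file_write", "path": r"C:\Users\u\AppData\Local\Temp\codekey.log"},
    {"type": "http_request", "method": "POST", "url": "http://c2.example/upload.php"},
    {"type": "task_create", "task_name": "OneDrive Standalone Update Task"},  # benign
]
```

Running `verdict(scan(SAMPLE_EVENTS))` on the constructed host returns "triage"; the benign task and a lone Defender policy write on their own return "clean".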
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.