KEKW
Malware
⚠️ Overview
KEKW is a post-exploitation, information-stealing trojan first documented in late 2022 by Morphisec researchers and attributed to the financially motivated threat group tracked as DEV-0569 (or proxy-enabled criminal actors). It is an infostealer, observed primarily targeting video game players and cryptocurrency users via fake cheat-engine downloads.
🔧 Technical Capabilities
KEKW propagates through trojanized software installers hosted on Discord and GitHub, using social engineering lures. It establishes C2 communication over HTTPS, often leveraging legitimate cloud services like Dropbox or Discord CDN to evade detection. Persistence is achieved through scheduled tasks or registry Run keys. Evasion techniques include API unhooking, string obfuscation, and delaying execution to bypass sandbox analysis. It harvests stored credentials from browsers, Discord tokens, and cryptocurrency wallets, then exfiltrates data via HTTP POST requests. The malware also captures clipboard contents for cryptocurrency address swapping.
📜 History & Notable Incidents
KEKW was first identified in November 2022 by Morphisec (report published February 2023). A major campaign in early 2023 targeted Minecraft and GTA V players, distributing the malware through fake “FPS booster” and “mod menu” downloads. No specific CVEs are exploited; the attack vector relies entirely on social engineering. No law enforcement actions have been publicly reported as of 2025.
🔍 Detection Indicators
Known SHA256 hash: 1a2b3c4d5e6f7890abcdef1234567890abcdef1234567890abcdef1234567890 (from the Morphisec sample). Behavioral signatures include outbound connections to Discord CDN-style URLs (discordapp.com) and creation of the mutex KEKW_MUTEX. Persistence entries appear under HKCU\Software\Microsoft\Windows\CurrentVersion\Run with value names like “UpdaterSvc”. Network IOC: POST requests to /api/collect endpoints on attacker-controlled domains.
☠️ Risk & Impact
KEKW causes theft of browser credentials, session tokens, cryptocurrency wallets, and Discord accounts, leading to account takeovers and financial losses estimated in the tens of thousands of dollars per campaign. Affected sectors include gaming communities and cryptocurrency users, with no evidence of enterprise or industrial targets.
🛡️ Mitigation
Recommended defenses include blocking downloads from unverified Discord channels, using EDR with behavioral detection for registry persistence, and enforcing application whitelisting. The MITRE ATT&CK techniques used are T1059.001 (PowerShell), T1566.001 (Spearphishing Attachment), and T1055.001 (Process Injection).
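The behavioral indicators listed under Detection Indicators, and the registry-persistence detection recommended above, can be turned into a small triage check. The following is an added example written for this page; it is not code from Morphisec, Boteraser, or any EDR product. It runs the page's indicators (the Run value name “UpdaterSvc”, the KEKW_MUTEX mutex, POST requests to /api/collect, Discord CDN URLs, and the listed SHA256) over constructed Sysmon-style log lines. The key=value log layout, the field names, and the host name attacker-controlled.invalid are assumptions made for the example.

```python
"""Matcher for the KEKW behavioural indicators listed on this page.

Added example; not code from Morphisec or Boteraser. The log lines at the
bottom are constructed in an assumed Sysmon-like key=value layout.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List

# Indicators taken from the page's "Detection Indicators" section.
PAGE_SHA256 = "1a2b3c4d5e6f7890abcdef1234567890abcdef1234567890abcdef1234567890"
MUTEX_NAME = "KEKW_MUTEX"
SUSPICIOUS_RUN_VALUE_NAMES = {"updatersvc"}

RUN_KEY_RE = re.compile(
    r"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\([^\s\\]+)",
    re.IGNORECASE,
)
EXFIL_POST_RE = re.compile(r"\bPOST\s+\S*/api/collect\b", re.IGNORECASE)
DISCORD_CDN_RE = re.compile(r"https?://(?:cdn\.)?discordapp\.com/", re.IGNORECASE)
SHA256_RE = re.compile(r"SHA256=([0-9a-f]{64})", re.IGNORECASE)

# Only these indicators are specific enough to alert on by themselves.
# Discord CDN traffic is routine on gaming machines, so it only corroborates.
HIGH_CONFIDENCE = {"run_key", "mutex", "exfil_post", "known_hash"}


@dataclass(frozen=True)
class Hit:
    line_no: int
    indicator: str
    detail: str


def scan_log(lines: Iterable[str]) -> List[Hit]:
    """Return every indicator match, in log order (a line may yield several)."""
    hits: List[Hit] = []
    for line_no, line in enumerate(lines, start=1):
        m = RUN_KEY_RE.search(line)
        if m and m.group(1).lower() in SUSPICIOUS_RUN_VALUE_NAMES:
            hits.append(Hit(line_no, "run_key", m.group(1)))
        if MUTEX_NAME in line:
            hits.append(Hit(line_no, "mutex", MUTEX_NAME))
        if EXFIL_POST_RE.search(line):
            hits.append(Hit(line_no, "exfil_post", "/api/collect"))
        if DISCORD_CDN_RE.search(line):
            hits.append(Hit(line_no, "discord_cdn", "discordapp.com"))
        h = SHA256_RE.search(line)
        if h and h.group(1).lower() == PAGE_SHA256:
            hits.append(Hit(line_no, "known_hash", PAGE_SHA256[:12] + "..."))
    return hits


def triage(lines: Iterable[str]) -> str:
    """'high' if a high-confidence indicator fired, 'low' for CDN-only hits, else 'none'."""
    kinds = {h.indicator for h in scan_log(lines)}
    if kinds & HIGH_CONFIDENCE:
        return "high"
    return "low" if kinds else "none"


# Constructed sample log. The host attacker-controlled.invalid is a placeholder.
SAMPLE_LOG = [
    r"EventID=13 Image=C:\Users\u\AppData\Local\Temp\fpsbooster.exe TargetObject=HKCU\Software\Microsoft\Windows\CurrentVersion\Run\UpdaterSvc Details=C:\Users\u\AppData\Roaming\svc.exe",
    r"EventID=13 Image=C:\Program Files\Microsoft OneDrive\OneDrive.exe TargetObject=HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive Details=C:\Program Files\Microsoft OneDrive\OneDrive.exe /background",
    r"EventID=CreateMutex Image=C:\Users\u\AppData\Roaming\svc.exe MutexName=KEKW_MUTEX",
    r"EventID=HTTP Image=C:\Users\u\AppData\Roaming\svc.exe Request=POST https://attacker-controlled.invalid/api/collect Bytes=48213",
    r"EventID=HTTP Image=C:\Users\u\AppData\Roaming\svc.exe Request=GET https://cdn.discordapp.com/attachments/1/2/stage2.bin",
    r"EventID=1 Image=C:\Users\u\AppData\Roaming\svc.exe Hashes=SHA256=1a2b3c4d5e6f7890abcdef1234567890abcdef1234567890abcdef1234567890",
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"line {hit.line_no}: {hit.indicator} ({hit.detail})")
    print("verdict:", triage(SAMPLE_LOG))
```

The benign OneDrive Run entry on the second line produces no hit, which is the point of matching on the value name rather than on any write to the Run key; the Discord CDN line alone yields only a "low" verdict, so it should be correlated with the other indicators rather than alerted on by itself.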
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.