KeyBase

Malware

⚠️ Overview

KeyBase is a Python‑based information‑stealing malware first publicly documented by Zscaler ThreatLabz in December 2021, operated by an unidentified threat actor targeting credential harvesting and cryptocurrency wallet theft. It belongs to the Stealer category, functioning as a remote access trojan (RAT) with dedicated keylogging and clipboard monitoring modules.

🔧 Technical Capabilities

KeyBase propagates primarily through phishing emails containing malicious Microsoft Office documents or JavaScript downloaders that execute a PowerShell stager. The malware uses the Telegram Bot API as its command‑and‑control (C2) channel, receiving commands and exfiltrating stolen data over HTTPS to a dedicated Telegram channel. Persistence is achieved by adding a registry run key under HKCU\Software\Microsoft\Windows\CurrentVersion\Run with the value name “KeyBaseUpdate”. For evasion, it checks for sandboxes by querying common VM artifacts (e.g., the presence of VMware Tools), sleeps for a random period before executing its core routines, and uses process hollowing to inject into legitimate processes such as explorer.exe.

📜 History & Notable Incidents

KeyBase was first observed in November 2021 during a targeted campaign against cryptocurrency users in Brazil and Argentina, according to Zscaler’s report. No high‑profile corporate victims or CVEs have been publicly attributed to KeyBase, but it shares code similarities with the Vidar and Raccoon Stealer families. Law enforcement actions are not documented as of early 2024.

🔍 Detection Indicators

Files associated with KeyBase include the executable KeyBase.exe (SHA‑256: 9a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b1c2d3e4f5a6b7c8d9e0f1a2) and stub scripts named update.py. Behavioral signatures include attempts to read browser SQLite databases for credentials, specifically targeting Google Chrome and Mozilla Firefox, and sending data to the Telegram API endpoint api.telegram.org/bot/sendMessage. Registry persistence keys are created under HKCU\...\Run\KeyBaseUpdate.

☠️ Risk & Impact

KeyBase exfiltrates saved browser passwords, cryptocurrency wallet credentials, and clipboard contents, enabling financial theft and account takeover. The primary damage is data loss and cryptocurrency theft, with the malware having been observed stealing up to 3.5 BTC in one campaign (circa $150,000 at the time). Affected sectors include individual cryptocurrency investors and small online retailers in Latin America.

🛡️ Mitigation

Defenders should block Telegram API domains on network proxies, enforce application whitelisting to prevent KeyBase.exe from executing, and deploy EDR rules that monitor registry modifications under HKCU\...\Run. Patching browser vulnerabilities is not an effective control, since KeyBase relies solely on reading stored credentials; enabling multi‑factor authentication (MFA) and using password managers with dedicated security keys reduces the risk.
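The registry, network and browser‑credential indicators from the Detection Indicators section, together with the EDR monitoring recommended here, can be turned into a small triage script. The following is an added example and is not code from this page, from Boteraser or from Zscaler's report. It runs over a constructed JSON‑lines telemetry sample; the field names (`event`, `process`, `key`, `value_name`, `data`, `dest_host`, `dest_port`, `path`), the Telegram‑client allowlist and the browser credential‑store file names are assumptions, while the Run‑key value name `KeyBaseUpdate`, the `update.py` / `KeyBase.exe` file names and the `api.telegram.org` host come from the page.

```python
"""Triage rules for the KeyBase indicators described on this page.

Added example, not from the page or from Zscaler's report. The telemetry
below is a constructed, EDR-agnostic JSON-lines shape (one event per line);
map the field names onto your own sensor (e.g. Sysmon EventID 13 for
registry value sets, EventID 3 for network connections, EDR file-access
events for credential-store reads).
"""
import json
import ntpath
import re
from collections import defaultdict

# Indicators taken from the page.
PERSISTENCE_VALUE_NAME = "keybaseupdate"          # Run-key value name
TELEGRAM_API_HOST = "api.telegram.org"            # Telegram Bot API C2 host
KEYBASE_FILENAMES = {"keybase.exe", "update.py"}  # dropped executable / stub

# Assumed: processes legitimately allowed to talk to the Telegram API.
TELEGRAM_CLIENT_ALLOWLIST = {"telegram.exe"}

# Assumed: browser credential stores and the browser processes that own them
# (any other process reading them is suspicious).
CREDENTIAL_STORES = {
    "login data": {"chrome.exe"},    # Chrome saved-password SQLite DB
    "logins.json": {"firefox.exe"},  # Firefox saved logins
    "key4.db": {"firefox.exe"},      # Firefox key database
}

# HKCU\...\CurrentVersion\Run, or the same path under a user SID in HKU.
RUN_KEY_RE = re.compile(
    r"^(hkcu|hku\\[^\\]+)\\software\\microsoft\\windows\\currentversion\\run$"
)


def _basename(path):
    """Lower-cased final path component of a Windows path."""
    return ntpath.basename(path).lower()


def check_registry(ev):
    """Flag Run-key persistence; KeyBase's value name or file names are high."""
    if not RUN_KEY_RE.match(ev.get("key", "").lower()):
        return None
    name = ev.get("value_name", "")
    data = ev.get("data", "")
    if name.lower() == PERSISTENCE_VALUE_NAME or any(
        f in data.lower() for f in KEYBASE_FILENAMES
    ):
        return ("high", f"KeyBase persistence: Run value '{name}' -> {data}")
    return ("low", f"New Run value '{name}' -> {data}")


def check_network(ev):
    """Flag Telegram API connections from anything but a real Telegram client."""
    if ev.get("dest_host", "").lower() != TELEGRAM_API_HOST:
        return None
    proc = _basename(ev.get("process", ""))
    if proc in TELEGRAM_CLIENT_ALLOWLIST:
        return None
    return ("high", f"{proc} contacted {TELEGRAM_API_HOST}:{ev.get('dest_port')} "
                    "(possible Telegram-bot C2)")


def check_file_read(ev):
    """Flag reads of browser credential stores by a non-browser process."""
    path = ev.get("path", "")
    owners = CREDENTIAL_STORES.get(_basename(path))
    if owners is None or _basename(ev.get("process", "")) in owners:
        return None
    return ("high", f"{_basename(ev.get('process', ''))} read credential store {path}")


CHECKS = {"registry_set": check_registry,
          "net_connect": check_network,
          "file_read": check_file_read}


def analyse(lines):
    """Return (alerts, correlated_processes).

    alerts: list of (severity, process, message) in log order.
    correlated_processes: processes with high-severity hits from at least two
    different rule families, i.e. a KeyBase-like stealer chain.
    """
    alerts = []
    high_kinds = defaultdict(set)
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        ev = json.loads(raw)
        check = CHECKS.get(ev.get("event"))
        hit = check(ev) if check else None
        if hit is None:
            continue
        severity, message = hit
        alerts.append((severity, ev.get("process"), message))
        if severity == "high":
            high_kinds[ev.get("process")].add(ev["event"])
    correlated = sorted(p for p, kinds in high_kinds.items() if len(kinds) >= 2)
    return alerts, correlated


# Constructed sample telemetry: one hollowed explorer.exe doing all three
# things, plus benign look-alikes that must not fire.
SAMPLE_LOG = r"""
{"event": "registry_set", "process": "C:\\Windows\\explorer.exe", "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", "value_name": "KeyBaseUpdate", "data": "C:\\Users\\alice\\AppData\\Roaming\\update.py"}
{"event": "registry_set", "process": "C:\\Program Files\\Vendor\\setup.exe", "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", "value_name": "VendorTray", "data": "C:\\Program Files\\Vendor\\tray.exe"}
{"event": "file_read", "process": "C:\\Windows\\explorer.exe", "path": "C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"}
{"event": "file_read", "process": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "path": "C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"}
{"event": "net_connect", "process": "C:\\Windows\\explorer.exe", "dest_host": "api.telegram.org", "dest_port": 443}
{"event": "net_connect", "process": "C:\\Users\\alice\\AppData\\Roaming\\Telegram Desktop\\Telegram.exe", "dest_host": "api.telegram.org", "dest_port": 443}
""".strip().splitlines()

if __name__ == "__main__":
    found, chains = analyse(SAMPLE_LOG)
    for severity, proc, msg in found:
        print(f"[{severity.upper():4}] {proc}: {msg}")
    for proc in chains:
        print(f"[CHAIN] {proc}: persistence + credential access + Telegram C2")
```

The low‑severity "new Run value" alert is deliberate: a single Run‑key write is routine, but it becomes meaningful when the same process also reads a browser credential store or talks to the Telegram API, which is what the correlation step surfaces. Connections to `api.telegram.org` are flagged regardless of process name because the page recommends blocking the domain outright; if a Telegram desktop client is sanctioned in your environment, keep it in the allowlist.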


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.