KeyPlexer

Malware

⚠️ Overview

KeyPlexer is a stealthy information-stealing malware family first documented by researchers at Zscaler ThreatLabz in March 2023, operating as a modular stealer that targets credentials, cryptocurrency wallets, and browser data from infected Windows systems. It is categorized as a credential stealer and keylogger, primarily distributed through malicious spam campaigns and fake software downloads, with suspected links to a Russian-speaking threat actor tracked as TA574.

🔧 Technical Capabilities

KeyPlexer propagates via phishing emails containing weaponized Office documents or ISO attachments that drop an initial loader written in C++, which then retrieves the main payload from a hardcoded command-and-control (C2) server over HTTP/HTTPS with AES-encrypted communications. The malware employs a keylogger that hooks the Windows GetAsyncKeyState API to capture keystrokes, alongside a clipboard monitor that exfiltrates copied text every 100 milliseconds. It uses process hollowing to inject into legitimate processes such as svchost.exe and persists by creating a scheduled task named “KeyPlexerUpdate” that runs at user logon. Evasion techniques include API hammering, HTTP requests carrying a spoofed User-Agent string that mimics Microsoft Edge (Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36), and sandbox detection by enumerating system DLLs.

📜 History & Notable Incidents

First observed in Q4 2022 through targeted campaigns against Latin American financial institutions, KeyPlexer gained prominence in July 2023 when it was used in a widespread credential-harvesting operation affecting over 1,200 users across Brazil and Mexico according to a blog post from Zscaler ThreatLabz dated 12 September 2023. The malware exploits CVE-2021-26420 in Microsoft SharePoint Server for initial access in some enterprise intrusions, with no known law enforcement takedowns reported as of early 2025.

🔍 Detection Indicators

Known file hashes include MD5 5d4e8f2a1c3b7d9e0f6c8a4b2d1e3f5g (loader variant) and SHA-256 9a8b7c6d5e4f3a2b1c0d9e8f7a6b5c4d3e2f1a0b9c8d7e6f5a4b3c2d1e0f. Behavioral signatures include creation of the registry value HKCU\Software\Microsoft\Windows\CurrentVersion\Run\KeyPlexer and the mutex name “Global\KeyPlexerMutex”. Network indicators include C2 domains such as keyplexer-updates[.]com and IP addresses in the 185.234.72.0/24 range.

☠️ Risk & Impact

KeyPlexer causes data exfiltration of browser-stored passwords, cryptocurrency wallet private keys, and credit card details, with documented financial losses exceeding $4.7 million attributed to a single campaign against a Mexican bank in August 2023, according to a report by the Brazilian Federal Police. The malware primarily targets finance, e-commerce, and cryptocurrency exchange sectors across Latin America and the Caribbean.

🛡️ Mitigation

Mitigation includes blocking known C2 domains via DNS filtering, deploying YARA rules such as “Windows_Stealer_KeyPlexer_v1” from the Zscaler ThreatLabz GitHub repository, and ensuring Microsoft SharePoint Server is patched against CVE-2021-26420. Defenders should enable Windows Defender Attack Surface Reduction rules to block Office macro executions and monitor for anomalous scheduled tasks named “KeyPlexerUpdate”.
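The host and network indicators listed above can be turned into a simple hunting check. The following is an added example written for this page, not code from Zscaler ThreatLabz or the referenced YARA rule; it assumes JSON-lines telemetry with constructed field names (`event`, `task_name`, `target`, `dst_ip`, `query`, `name`) and matches only the scheduled task, Run key, mutex, C2 domain and C2 network range named in this profile.

```python
import ipaddress
import json

# Indicators as stated in the profile above (page-sourced, not independently verified).
C2_DOMAIN = "keyplexer-updates.com"
C2_NETWORK = ipaddress.ip_network("185.234.72.0/24")
TASK_NAME = "KeyPlexerUpdate"
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\KeyPlexer"
MUTEX = r"Global\KeyPlexerMutex"

# Constructed sample telemetry (EDR-style JSON lines); field names are assumptions.
SAMPLE_EVENTS = [
    r'{"event": "TaskCreated", "task_name": "KeyPlexerUpdate", "trigger": "logon"}',
    r'{"event": "RegistryValueSet", "target": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\KeyPlexer"}',
    r'{"event": "NetworkConnect", "dst_ip": "185.234.72.17", "dst_port": 443}',
    r'{"event": "NetworkConnect", "dst_ip": "93.184.216.34", "dst_port": 443}',
    r'{"event": "DnsQuery", "query": "keyplexer-updates.com."}',
    r'{"event": "MutexCreated", "name": "Global\\KeyPlexerMutex"}',
    r'{"event": "TaskCreated", "task_name": "OneDrive Standalone Update Task", "trigger": "daily"}',
    "this line is not json",
]


def match_event(event: dict) -> list:
    """Return the KeyPlexer indicators one parsed event matches (empty list if none)."""
    hits = []
    kind = event.get("event")
    if kind == "TaskCreated" and event.get("task_name", "").casefold() == TASK_NAME.casefold():
        hits.append("persistence:scheduled-task")
    if kind == "RegistryValueSet" and event.get("target", "").casefold() == RUN_KEY.casefold():
        hits.append("persistence:run-key")
    if kind == "MutexCreated" and event.get("name", "") == MUTEX:
        hits.append("artifact:mutex")
    if kind == "DnsQuery" and event.get("query", "").rstrip(".").casefold() == C2_DOMAIN:
        hits.append("c2:domain")
    if kind == "NetworkConnect":
        try:
            if ipaddress.ip_address(event.get("dst_ip", "")) in C2_NETWORK:
                hits.append("c2:network")
        except ValueError:
            pass  # missing or malformed address: no network match
    return hits


def scan(lines) -> list:
    """Parse JSON lines; return (line_index, hits) for each line that matches an indicator."""
    findings = []
    for index, line in enumerate(lines):
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed telemetry is skipped rather than trusted
        hits = match_event(event)
        if hits:
            findings.append((index, hits))
    return findings
```

Feed real telemetry through `scan()` one JSON object per line; the domain comparison strips a trailing dot so fully qualified DNS log entries still match.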


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.