Snake Keylogger Malware Targets Windows Users in China, Turkey, Indonesia, Taiwan, and Spain

A new variant of the Snake Keylogger malware is actively targeting Windows users in several countries, including China, Turkey, Indonesia, Taiwan, and Spain. Fortinet’s FortiGuard Labs has reported over 280 million blocked infection attempts worldwide since the start of the year.

The malware is typically delivered through phishing emails with malicious attachments or links. Once running, it steals sensitive information from popular web browsers like Chrome, Edge, and Firefox, and exfiltrates the stolen data to an attacker-controlled server using Simple Mail Transfer Protocol (SMTP) and Telegram bots.

What’s notable about this latest set of attacks is the use of the AutoIt scripting language to deliver and execute the main payload, allowing it to bypass traditional detection mechanisms. Once launched, Snake Keylogger drops a copy of itself as “ageless.exe” and another file in the Windows Startup folder, ensuring persistence even if the associated process gets terminated.

The malware uses process hollowing to inject its payload into a legitimate .NET process like “regsvcs.exe,” concealing its presence within a trusted process. It also logs keystrokes using the SetWindowsHookEx API with the WH_KEYBOARD_LL flag, allowing it to capture sensitive input such as banking credentials.
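The following detection example is added here and is not taken from the Fortinet report. Because a hollowed process appears in process-creation logs under the legitimate “regsvcs.exe” image, it correlates two visible signals over constructed Sysmon-style events: a launchable file written to a Startup folder, and “regsvcs.exe” started by a binary in a user-writable path. The directory, user name, `.vbs` file name and the list of user-writable paths are assumptions.

```python
import ntpath

# Constructed Sysmon-style events (ID 11 = FileCreate, ID 1 = ProcessCreate).
# Paths, user name and the .vbs file name are invented for this example.
EVENTS = [
    {"EventID": 11, "Image": r"C:\Users\alice\AppData\Local\example\ageless.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\example.vbs"},
    {"EventID": 1, "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
     "ParentImage": r"C:\Users\alice\AppData\Local\example\ageless.exe"},
    {"EventID": 1, "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
     "ParentImage": r"C:\Windows\System32\msiexec.exe"},
    {"EventID": 11, "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\alice\Documents\notes.txt"},
]

STARTUP = r"\microsoft\windows\start menu\programs\startup" + "\\"
RISKY_EXT = {".exe", ".vbs", ".js", ".lnk", ".bat", ".cmd", ".scr"}
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\windows\\temp\\")  # assumption


def startup_drop(ev):
    """File with a launchable extension created in a Startup folder."""
    target = ev.get("TargetFilename", "").lower()
    return (ev["EventID"] == 11 and STARTUP in target
            and ntpath.splitext(target)[1] in RISKY_EXT)


def suspicious_regsvcs(ev):
    """regsvcs.exe started by a binary living in a user-writable path."""
    return (ev["EventID"] == 1
            and ntpath.basename(ev.get("Image", "")).lower() == "regsvcs.exe"
            and any(p in ev.get("ParentImage", "").lower() for p in USER_WRITABLE))


def triage(events):
    """Return (severity, rule, actor) tuples; both rules on one actor = high."""
    droppers = {e["Image"].lower() for e in events if startup_drop(e)}
    alerts = [("medium", "startup_drop", a) for a in sorted(droppers)]
    for e in events:
        if suspicious_regsvcs(e):
            actor = e["ParentImage"].lower()
            sev = "high" if actor in droppers else "medium"
            alerts.append((sev, "regsvcs_unusual_parent", actor))
    return alerts


if __name__ == "__main__":
    for alert in triage(EVENTS):
        print(alert)
```

Neither rule alone is conclusive, which is why the example raises severity only when the same binary both writes to Startup and spawns “regsvcs.exe”.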

Meanwhile, a separate campaign reported by CloudSEK exploits compromised infrastructure associated with educational institutions to distribute malicious LNK files disguised as PDF documents, ultimately deploying the Lumma Stealer malware. This multi-stage attack sequence targets industries like finance, healthcare, technology, and media, resulting in password theft, browser data exfiltration, and cryptocurrency wallet exploitation.

Overall, these attacks highlight the need for improved cybersecurity measures to prevent such threats from targeting Windows users worldwide.

Source: https://thehackernews.com/2025/02/new-snake-keylogger-variant-leverages.html