The sub-techniques beta is now live! Read the release blog post for more info.


KeyBoy is malware that has been used in targeted campaigns against members of the Tibetan Parliament in 2016.[1][2]

ID: S0387
Platforms: Windows
Contributors: Bart Parys
Version: 1.1
Created: 14 June 2019
Last Modified: 11 October 2019

Techniques Used

Domain ID Name Use
Enterprise T1059 Command-Line Interface

KeyBoy can launch interactive shells for communicating with the victim machine.[2][3]

Enterprise T1043 Commonly Used Port

KeyBoy calls back to the C2 server over ports 53, 80, and 443.[2][3]

Enterprise T1503 Credentials from Web Browsers

KeyBoy attempts to collect passwords from browsers.[3]

Enterprise T1024 Custom Cryptographic Protocol

KeyBoy uses custom SSL libraries for C2 traffic.[2]

Enterprise T1173 Dynamic Data Exchange

KeyBoy uses the Dynamic Data Exchange (DDE) protocol to download remote payloads.[2]

Enterprise T1203 Exploitation for Client Execution

KeyBoy exploits the vulnerability CVE-2012-0158 for execution.[3]

Enterprise T1083 File and Directory Discovery

KeyBoy has a command to launch a file browser or explorer on the system.[2]

Enterprise T1143 Hidden Window

KeyBoy uses -w Hidden to conceal a PowerShell window that downloads a payload.[2]

Enterprise T1056 Input Capture

KeyBoy installs a keylogger for intercepting credentials and keystrokes.[3]

Enterprise T1050 New Service

KeyBoy installs a service pointing to a malicious DLL dropped to disk.[3]

Enterprise T1027 Obfuscated Files or Information

In one version of KeyBoy, string obfuscation routines were used to hide many of the critical values referenced in the malware.[1]

Enterprise T1086 PowerShell

KeyBoy uses PowerShell commands to download and execute payloads.[2]

Enterprise T1105 Remote File Copy

KeyBoy has a download and upload functionality.[2][3]

Enterprise T1113 Screen Capture

KeyBoy has a command to perform screen grabbing.[2]

Enterprise T1064 Scripting

KeyBoy uses Python and VBS scripts for installing files and performing execution.[1]

Enterprise T1082 System Information Discovery

KeyBoy can gather extended system information, such as information about the operating system, disks, and memory.[2][3]

Enterprise T1016 System Network Configuration Discovery

KeyBoy can determine the public or WAN IP address for the system.[2]

Enterprise T1099 Timestomp

KeyBoy time-stomped its DLL in order to evade detection.[2]

Enterprise T1004 Winlogon Helper DLL

KeyBoy issues the command reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" to achieve persistence.[2][1]

Groups That Use This Software

ID Name References
G0081 Tropic Trooper [4] [5]