Snake Keylogger

Status: Active
Type: Keylogger
First seen: 2020-11
Also known as: 404 Keylogger, Snake

Overview

Snake Keylogger, also tracked as 404 Keylogger, is a credential-stealing malware written in .NET that emerged in late 2020 on underground cybercrime forums. Despite its name emphasizing keylogging, Snake is a full-featured information stealer capable of extracting data through multiple channels. It gained rapid popularity due to its affordable pricing (as low as $25 for a monthly subscription), ease of use through a builder GUI, and regular updates from its developer. By 2022, Snake Keylogger had climbed into the top ten most prevalent malware families tracked by Check Point and other vendors. Its relatively simple architecture belies its effectiveness, as it consistently bypasses basic security controls through obfuscation layers and process injection techniques.

Capabilities

Snake Keylogger captures a comprehensive range of sensitive data from infected systems. Its keystroke logging module records all keyboard input with window title context. It harvests saved credentials from over 50 applications, including Chrome, Firefox, Edge, Outlook, Thunderbird, FileZilla, and Discord. Additional capabilities include clipboard monitoring for cryptocurrency wallet addresses, screenshot capture at configurable intervals, WiFi password extraction, and system fingerprinting. What distinguishes Snake is its flexible exfiltration: operators can configure data delivery via SMTP email, FTP upload, Telegram bot API, or Pastebin posts, with support for using multiple channels simultaneously. The malware also features a basic anti-detection module that attempts to disable Windows Defender and terminate analysis tools.

Distribution Methods

Snake Keylogger reaches victims primarily through phishing campaigns. Common delivery methods include malicious Office documents that carry embedded macros or exploit vulnerabilities such as CVE-2017-11882, PDF attachments with download links, and archive files containing obfuscated .NET executables. The initial payload is frequently packed or obfuscated using tools like ConfuserEx, Eazfuscator, or custom .NET crypters. Multi-stage delivery chains are common: a VBS or PowerShell script downloads the Snake payload from compromised websites or cloud storage services. In recent campaigns, threat actors have used HTML smuggling techniques to deliver the initial dropper past email security gateways.

Notable Campaigns

In early 2022, Snake Keylogger was the subject of a coordinated takedown effort, though its developer quickly resumed operations. Throughout 2023-2024, it appeared in targeted campaigns against financial institutions in Southeast Asia and the Middle East, using fake banking correspondence as lures. A notable 2024 campaign targeted automotive manufacturers with purchase order-themed phishing emails delivering Snake through heavily obfuscated .NET loaders. In 2025, updated variants incorporated additional browser support and improved evasion against cloud-based email security solutions, maintaining Snake’s relevance in the commodity malware ecosystem.

Detection & Mitigation

Detection approaches for Snake Keylogger include monitoring for .NET process injection patterns (particularly into RegAsm.exe, InstallUtil.exe, or AppLaunch.exe), identifying outbound SMTP or FTP connections from non-standard processes, and flagging Telegram API calls from desktop applications. YARA rules targeting Snake’s characteristic .NET string patterns and resource structures are effective for static detection. Behavioral indicators include rapid sequential access to browser credential stores and registry keys associated with WiFi profiles. Mitigation strategies include deploying application control to restrict .NET execution from temporary directories, implementing email security with attachment sandboxing, monitoring for unauthorized credential store access, and maintaining updated endpoint protection with behavioral detection capabilities.
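The three behavioural indicators above (a .NET utility such as RegAsm.exe, InstallUtil.exe or AppLaunch.exe launched from a user-writable path, SMTP/FTP connections from a non-mail process, and Telegram API traffic from a desktop process) can be expressed as simple rules over endpoint telemetry. The following is an added example, not code from this profile or from any vendor; the event field names, the allowlists of legitimate clients, and the sample events are constructed assumptions for illustration.

```python
# Added example: rule set scanning constructed endpoint telemetry for the
# Snake Keylogger behaviours listed in the profile. Field names, allowlists
# and sample events are assumptions, not real IoCs.
from pathlib import PureWindowsPath

INJECTION_TARGETS = {"regasm.exe", "installutil.exe", "applaunch.exe"}
USER_WRITABLE_HINTS = ("\\appdata\\local\\temp\\", "\\downloads\\", "\\users\\public\\")
MAIL_FTP_PORTS = {21, 25, 465, 587}
MAIL_FTP_CLIENTS = {"outlook.exe", "thunderbird.exe", "filezilla.exe"}  # assumed legitimate senders
TELEGRAM_CLIENTS = {"telegram.exe"}  # assumed legitimate Telegram desktop client

def _name(path):
    """Lower-cased file name of a Windows path."""
    return PureWindowsPath(path).name.lower()

def detect_snake_indicators(events):
    """Return (rule, image) alerts for events matching the profile's indicators."""
    alerts = []
    for ev in events:
        if ev["type"] == "process_create":
            parent = ev["parent_image"].lower()
            # .NET utility spawned by a binary in a user-writable path: common injection host
            if _name(ev["image"]) in INJECTION_TARGETS and any(h in parent for h in USER_WRITABLE_HINTS):
                alerts.append(("dotnet_injection_host", ev["image"]))
        elif ev["type"] == "network_connect":
            img = _name(ev["image"])
            # Mail or FTP exfiltration channel from something other than a mail/FTP client
            if ev["dest_port"] in MAIL_FTP_PORTS and img not in MAIL_FTP_CLIENTS:
                alerts.append(("smtp_ftp_from_unexpected_process", ev["image"]))
            # Telegram bot API reached from a process that is not the Telegram client
            if ev["dest_host"].lower() == "api.telegram.org" and img not in TELEGRAM_CLIENTS:
                alerts.append(("telegram_api_from_desktop_process", ev["image"]))
    return alerts

# Constructed sample telemetry: one benign and one suspicious case per rule
SAMPLE_EVENTS = [
    {"type": "process_create", "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "parent_image": r"C:\Users\alice\AppData\Local\Temp\invoice.exe", "cmdline": "RegAsm.exe"},
    {"type": "process_create", "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "parent_image": r"C:\Program Files\Vendor\setup.exe", "cmdline": "RegAsm.exe /codebase lib.dll"},
    {"type": "network_connect", "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "dest_host": "smtp.example.net", "dest_port": 587},
    {"type": "network_connect", "image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "dest_host": "smtp.example.net", "dest_port": 587},
    {"type": "network_connect", "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe",
     "dest_host": "api.telegram.org", "dest_port": 443},
]

if __name__ == "__main__":
    for rule, image in detect_snake_indicators(SAMPLE_EVENTS):
        print(f"[{rule}] {image}")
```

Run against the sample events, the rules fire once each for the three suspicious records and stay silent for the vendor installer and Outlook cases; in production the allowlists and path hints would be tuned to the environment's own software inventory.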