Incident Response Guide: Snake Keylogger
Incident Triage Steps
Within the first 30 minutes of a suspected Snake Keylogger incident, perform the following steps to assess scope and impact.
- Confirm the Infection: Immediately isolate the initially reported workstation from the network. On this system, check for the presence of a process with a seemingly benign name (e.g., svchost.exe, explorer.exe) that has an unusual parent process or is running from a non-standard directory like %AppData%, %LocalAppData%, or %Temp%. Snake Keylogger often uses process hollowing or injection, so the malicious code may be running under a legitimate process name.
- Identify Affected Systems:
  - Query your EDR solution or SIEM platform for outbound network connections to known or suspected Snake Keylogger Command and Control (C2) servers. Common ports include 443 (HTTPS) and 8080, often using SSL/TLS to blend in.
  - Search for recent, suspicious scheduled tasks or services created on endpoints. Snake Keylogger commonly establishes persistence via scheduled tasks with random or obfuscated names.
  - Check for anomalous process creation events, particularly instances where a legitimate Windows process spawns a child process that makes network connections.
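As an added example (not part of the original guide or any vendor tool), the following Python applies the endpoint checks above to Sysmon-style process-creation (EID 1) and network-connection (EID 3) events: benign names in user-writable paths, unexpected parents, and children of Windows processes that make outbound connections. The field names, the expected-path table and the sample events are constructed assumptions.

```python
"""Endpoint triage over Sysmon-style process-creation (EID 1) and network
connection (EID 3) events. The event fields and sample data are constructed."""
import ntpath

USER_WRITABLE = ("\\appdata\\roaming\\", "\\appdata\\local\\", "\\temp\\")
PROGRAM_DIRS = ("c:\\windows\\", "c:\\program files")
# Expected on-disk path and expected parent(s) for commonly impersonated names.
OS_BINARIES = {
    "svchost.exe": ("c:\\windows\\system32\\svchost.exe", {"services.exe"}),
    "explorer.exe": ("c:\\windows\\explorer.exe", {"userinit.exe", "explorer.exe"}),
}

def triage(events):
    """Return (pid, image, reasons) for every process that merits a closer look."""
    creates = {e["ProcessId"]: e for e in events if e["EventID"] == 1}
    connectors = {e["ProcessId"] for e in events if e["EventID"] == 3}
    findings = []
    for pid, ev in creates.items():
        image = ev["Image"].lower()
        name = ntpath.basename(image)
        parent = ntpath.basename(ev["ParentImage"]).lower()
        reasons = []
        if any(d in image for d in USER_WRITABLE):
            reasons.append("runs from a user-writable directory")
        if name in OS_BINARIES:
            expected_path, expected_parents = OS_BINARIES[name]
            if image != expected_path:
                reasons.append("Windows binary name outside its normal path")
            if parent not in expected_parents:
                reasons.append(f"unexpected parent process {parent}")
        # Child of a Windows process, outside program directories, making connections.
        if pid in connectors and parent in OS_BINARIES and not image.startswith(PROGRAM_DIRS):
            reasons.append("network connections from a non-program path")
        if reasons:
            findings.append((pid, ev["Image"], reasons))
    return findings

# Constructed sample: a legitimate svchost, an impostor in %AppData%, and a browser.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 812, "Image": "C:\\Windows\\System32\\svchost.exe",
     "ParentImage": "C:\\Windows\\System32\\services.exe"},
    {"EventID": 1, "ProcessId": 4120, "Image": "C:\\Users\\jdoe\\AppData\\Roaming\\svchost.exe",
     "ParentImage": "C:\\Windows\\explorer.exe"},
    {"EventID": 3, "ProcessId": 4120, "DestinationIp": "203.0.113.10", "DestinationPort": 443},
    {"EventID": 1, "ProcessId": 5300, "Image": "C:\\Program Files\\Browser\\browser.exe",
     "ParentImage": "C:\\Windows\\explorer.exe"},
    {"EventID": 3, "ProcessId": 5300, "DestinationIp": "198.51.100.7", "DestinationPort": 443},
]

if __name__ == "__main__":
    for pid, image, reasons in triage(SAMPLE_EVENTS):
        print(pid, image, "; ".join(reasons))
```

Only the impostor (PID 4120) is reported; the genuine svchost and the browser under Program Files pass all four checks.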
- Determine Data Exfiltration:
  - Review proxy logs, DNS logs, and network flow data (NetFlow) from the last 7-14 days for the isolated host and any other identified systems. Look for repeated, periodic connections to external IP addresses or domains, especially following user login sessions or periods of high keyboard activity.
  - Examine outbound packet captures or SSL/TLS inspection logs, if available, for patterns of small, periodic data uploads containing encoded or encrypted data, which is typical for keylogger exfiltration.
  - The primary goal is to determine if keystroke logs, screenshots, or stolen credentials have been sent to an attacker-controlled server.
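As an added example (not part of the original guide), the following Python scores flow records for the "small, periodic uploads" pattern described in the exfiltration step: it groups outbound flows per source/destination/port, keeps only small uploads, and reports pairs whose inter-flow gaps are regular. The record fields, thresholds and sample flows are constructed assumptions; real NetFlow or proxy exports would need a small adapter to this shape.

```python
"""Periodic small-upload (beacon) scoring over outbound flow records.
Field names, thresholds and sample flows are constructed for this guide."""
from collections import defaultdict
from statistics import mean, pstdev

def beacon_candidates(flows, min_flows=4, max_bytes_out=4096, max_jitter=0.2):
    """Group small outbound flows by (src, dst, dport) and report the pairs whose
    inter-flow gaps are regular: coefficient of variation <= max_jitter."""
    by_pair = defaultdict(list)
    for f in flows:
        if f["bytes_out"] <= max_bytes_out:
            by_pair[(f["src"], f["dst"], f["dport"])].append(f["ts"])
    results = []
    for pair, times in by_pair.items():
        if len(times) < min_flows:
            continue  # too few samples to judge periodicity
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        jitter = pstdev(gaps) / avg if avg else float("inf")
        if jitter <= max_jitter:
            results.append({"pair": pair, "flows": len(times),
                            "period_s": round(avg), "jitter": round(jitter, 3)})
    return sorted(results, key=lambda r: r["jitter"])

# Constructed sample: six ~900-byte uploads every ~5 minutes to one address,
# bursty browsing (small and large flows) to another, and a pair with too few flows.
_BASE = 1_700_000_000
SAMPLE_FLOWS = [
    {"ts": _BASE + i * 300 + d, "src": "10.0.5.21", "dst": "203.0.113.10",
     "dport": 443, "bytes_out": 900 + i}
    for i, d in enumerate([0, 3, -2, 4, 1, -3])
] + [
    {"ts": _BASE + t, "src": "10.0.5.21", "dst": "198.51.100.7", "dport": 443, "bytes_out": 2500}
    for t in [10, 15, 400, 1800, 1805]
] + [
    {"ts": _BASE + t, "src": "10.0.5.21", "dst": "198.51.100.7", "dport": 443, "bytes_out": 50_000}
    for t in [20, 1810]
] + [
    {"ts": _BASE + t, "src": "10.0.5.22", "dst": "203.0.113.10", "dport": 443, "bytes_out": 800}
    for t in [0, 300]
]

if __name__ == "__main__":
    for r in beacon_candidates(SAMPLE_FLOWS):
        print(r)
```

Only the 10.0.5.21 to 203.0.113.10 pair is reported (six flows, period about 299 s, jitter near 0.01); the browsing pair has irregular gaps and the second host has too few flows.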
Evidence Collection
Before initiating containment or eradication, collect the following forensic evidence to support analysis and legal requirements.
- Volatile Memory: Acquire a full memory dump from live, infected systems using a trusted memory forensic tool. This is critical for extracting encryption keys, captured keystrokes in memory, and the unpacked malware code.
- Disk Forensics: Create forensic images or, at minimum, collect critical files:
  - The malware binary from its installation path (commonly in user profile folders).
  - Prefetch files (C:\Windows\Prefetch\) for execution history.
  - Scheduled Task XML files from C:\Windows\System32\Tasks\.
  - Registry hives, in particular the keys HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, and HKLM\SYSTEM\CurrentControlSet\Services\.
  - The %AppData% and %LocalAppData% folders for log files and configuration data.
- Network Evidence: Preserve full packet captures (PCAPs) from border and internal sensors, along with relevant firewall, proxy, and DNS logs corresponding to the identified C2 communication periods.
- Logs: Export Windows Event Logs (especially Security, System, and PowerShell/Windows Defender Operational), and any relevant logs from your EDR and antivirus solutions.
Containment Procedures
Contain the threat to prevent further data loss and lateral movement.
- Network Segmentation: Immediately quarantine identified infected hosts by moving them to an isolated VLAN with no internet or internal network access. If host-based isolation via EDR is available, use it. Update network access control lists (ACLs) and firewall rules to block all inbound and outbound traffic from the IP addresses of compromised systems, except for management traffic from your incident response jump host.
- Credential Reset: Determine the scope of credential exposure. Assume any credentials typed on an infected machine during the infection window are compromised. Prioritize resetting:
  - Local administrator accounts used on the machine.
  - Domain user accounts that were active on the machine.
  - Any service accounts that may have been used.
  - Privileged accounts (Domain Admins, Enterprise Admins) if they were used on any compromised endpoint.
  - Enforce multi-factor authentication (MFA) where possible after the reset.
- C2 Blocking: Using indicators from your investigation, update border and internal firewalls, web proxies, and DNS security solutions to block all communication with identified Snake Keylogger C2 domains and IP addresses. Implement these blocks at the network level to protect any not-yet-identified infected hosts.
Eradication and Recovery
Follow a systematic process to remove the malware and restore operations.
- Complete Removal: Use the detailed, step-by-step instructions in the dedicated Snake Keylogger Removal Guide for each affected endpoint. This guide covers terminating malicious processes, deleting persistent artifacts (files, scheduled tasks, registry entries), and validating removal.
- Restore from Clean Backups: For critically infected systems or where you cannot guarantee eradication, rebuild the operating system from known-clean, recent backups. Ensure the backup image predates the earliest evidence of infection. Do not restore user data or profiles from infected systems without first scanning them with updated antivirus and antimalware tools.
- Verify Clean State: Before returning a system to production:
  - Re-scan the entire system with an updated antivirus and a dedicated anti-malware scanner.
  - Validate that all persistence mechanisms identified in the removal guide are absent.
  - Monitor for any residual outbound network calls to previously identified C2 infrastructure for a 24-48 hour period in a controlled, monitored environment.
Lessons Learned Checklist
After containment and eradication, conduct a post-incident review to improve defenses.
- Initial Infection Vector: How did Snake Keylogger gain entry? Was it via a malicious email attachment, drive-by download, compromised software, or another method? Analyze email gateway logs, web filter logs, and endpoint detection alerts from the time of initial compromise.
- Control Failures: Which security controls failed to prevent or detect the incident?
  - Was antivirus/EDR signature-based detection evaded?
  - Were network-based controls (firewalls, proxies) configured to detect the C2 traffic?
  - Were application allow-listing or script-blocking policies in place and effective?
- Detection Gaps: Could earlier detection have been achieved?
  - Were there SIEM alerts for the creation of suspicious scheduled tasks or services that went uninvestigated?
  - Were there correlations between outbound SSL traffic to new domains and user login events?
  - Does current logging capture sufficient detail for forensic timeline reconstruction?
- Improvement Actions:
  - Update email and web filtering rules to block the identified initial attack vector.
  - Implement or tighten application control policies to prevent execution from user-writable directories (%AppData%, %Temp%).
  - Enhance network monitoring to detect periodic, low-volume data exfiltration over SSL/TLS.
  - Review and test incident response playbooks for keylogger and data exfiltration malware.
  - Conduct user awareness training focused on the identified initial infection method.
For proactive measures, refer to the Snake Keylogger Detection Guide. For general information about this threat, see the Snake Keylogger Overview.