KLogExe (Infostealer) – Malware

March 2, 2025

KLogExe

Type of Malware

Infostealer

Country of Origin

North Korea

Targeted Countries

South Korea
Japan
United States

Date of Initial Activity

2024

Associated Groups

APT43

Motivation

Data Theft

Type of Information Stolen

Login Credentials
System Information
Communication Data

Attack Vectors

Phishing

Targeted Systems

Windows

Overview

KLogEXE is a keylogger discovered as part of a broader cyber espionage campaign attributed to the North Korean APT group Sparkling Pisces (also known as Kimsuky). Undocumented before its discovery, it represents an evolution of Sparkling Pisces’s capabilities and shows the group’s ability to adapt its tooling. The malware is designed to infiltrate targeted systems quietly, collect sensitive data, and exfiltrate it to the attacker’s command and control (C2) infrastructure. Its primary function is to record keystrokes and mouse clicks and to monitor running applications, making it an effective tool for gathering intelligence from compromised machines.

KLogEXE saves the collected data to a local file before exfiltrating it in a controlled manner: once the file reaches a size threshold, the malware compresses the data and sends it to the C2 server in an HTTP POST request. The exfiltration uses a distinctive URI, which points to the malware’s custom-built infrastructure. Written in C++ and built for stealthy operation, KLogEXE can run unnoticed on compromised systems, underscoring the group’s continued investment in hard-to-detect tooling.

Targets

Educational Services
Public Administration
Information
Manufacturing

How they operate

Once deployed, KLogEXE silently records the user’s interactions with the system. Using the Windows API, the malware tracks keystrokes with the GetAsyncKeyState function, which polls key state and lets the malware capture every keystroke made on the compromised system. It also records mouse events, specifically mouse clicks and which buttons are pressed. The captured data is stored locally in an INI file, typically at C:\Users\user\AppData\Roaming\Microsoft\desktops.ini, where keystrokes, mouse clicks, and application data are saved.

To limit detection and manage the volume of captured data, KLogEXE exfiltrates in batches. When the data file reaches a specific size limit, the malware appends a date to the file name and generates a random boundary to obscure the data. The resulting file is then sent to the attacker’s command and control (C2) server over HTTP in a POST request to the URI path /wp-content/include.php?_sys_=7. This custom URI pattern makes KLogEXE’s traffic harder to distinguish from legitimate web traffic, adding a layer of stealth to the exfiltration process.

KLogEXE communicates with a specific C2 server configured to accept incoming connections and process the stolen data, which is sent in a structured format that is easy for the operators to parse. This is consistent with Sparkling Pisces’s typical tactics, in which data is exfiltrated in stages to avoid detection by network monitoring tools. Compressing and splitting data before exfiltration allows KLogEXE to remain undetected for longer, even in environments with active security monitoring.
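The URI path and the local staging file named above are the two concrete artifacts a defender can hunt for. As an added example (not code from the article or from the referenced report), the following Python scans proxy log lines for POST requests to the documented C2 path with the `_sys_=7` parameter and tests file paths against the staging file location. The log format, all sample lines and the host names are constructed for illustration; flagging a multipart/form-data content type as a secondary indicator is an assumption drawn from the article’s mention of a random boundary.

```python
"""
Detection helpers for the KLogEXE artifacts described in the article.
Added example, not code from the article or from the malware.
Log format, hostnames and sample lines are constructed for illustration.
"""
import re
from urllib.parse import urlsplit, parse_qs

# URI path and query parameter taken from the article's description of C2 traffic.
KLOGEXE_C2_PATH = "/wp-content/include.php"
KLOGEXE_C2_PARAM = ("_sys_", "7")

# Staging file named in the article; the account segment of the path varies.
KLOGEXE_STAGING_RE = re.compile(
    r"^[A-Za-z]:\\Users\\[^\\]+\\AppData\\Roaming\\Microsoft\\desktops\.ini$",
    re.IGNORECASE,
)

# Constructed (hypothetical) proxy log layout:
# <timestamp> <source_ip> <method> <url> <status> <response_or_request_bytes> <content_type>
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+"
    r"(?P<status>\d{3})\s+(?P<bytes>\d+)\s+(?P<ctype>\S+)$"
)


def is_klogexe_c2_url(url: str) -> bool:
    """True when the path and the _sys_ parameter match the documented C2 endpoint."""
    parts = urlsplit(url)
    if parts.path != KLOGEXE_C2_PATH:
        return False
    name, value = KLOGEXE_C2_PARAM
    # parse_qs returns lists; require exactly one value equal to the documented one.
    return parse_qs(parts.query).get(name) == [value]


def parse_line(line: str):
    """Parse one constructed log line into a dict, or None if it does not fit the layout."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def find_suspicious_posts(lines):
    """Return (src_ip, url, bytes, multipart) for POSTs to the KLogEXE C2 endpoint.

    'multipart' is a secondary indicator (assumption): the article says the malware
    generates a random boundary, which is how multipart bodies are delimited.
    """
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        if is_klogexe_c2_url(rec["url"]):
            multipart = rec["ctype"].lower().startswith("multipart/form-data")
            hits.append((rec["src"], rec["url"], int(rec["bytes"]), multipart))
    return hits


def is_klogexe_staging_path(path: str) -> bool:
    """True for the desktops.ini staging path under any user's Roaming\\Microsoft folder."""
    return bool(KLOGEXE_STAGING_RE.match(path))


# Constructed sample log: one matching POST, one benign WordPress request with a
# different parameter value, one GET to the same path, and one malformed line.
SAMPLE_LOG = [
    "2025-03-01T09:12:04Z 10.0.0.21 GET http://news.example.test/index.html 200 5120 text/html",
    "2025-03-01T09:12:09Z 10.0.0.21 POST http://c2-placeholder.test/wp-content/include.php?_sys_=7 200 48211 multipart/form-data",
    "2025-03-01T09:13:30Z 10.0.0.35 POST http://blog.example.test/wp-content/include.php?_sys_=1 200 900 application/x-www-form-urlencoded",
    "2025-03-01T09:14:02Z 10.0.0.21 GET http://c2-placeholder.test/wp-content/include.php?_sys_=7 200 15 text/html",
    "malformed line",
]

if __name__ == "__main__":
    for src, url, size, multipart in find_suspicious_posts(SAMPLE_LOG):
        print(f"ALERT src={src} bytes={size} multipart={multipart} url={url}")
    print(is_klogexe_staging_path(r"C:\Users\alice\AppData\Roaming\Microsoft\desktops.ini"))
```

On the constructed sample only the second line is flagged: the third line shares the WordPress-style path but carries a different `_sys_` value, and the fourth is a GET rather than a POST. Pairing a hit on the network side with the staging-path check on the endpoint (via EDR file telemetry) gives two independent indicators for the same infection.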
The technical sophistication of KLogEXE highlights its role in Sparkling Pisces’s larger cyber espionage campaigns. By integrating advanced data collection and exfiltration techniques, KLogEXE serves as a powerful tool for gathering intelligence from targeted organizations. Its use of custom-built infrastructure, stealthy operation, and data management strategies makes it a highly effective piece of malware for its operators. As Sparkling Pisces continues to evolve its tools and tactics, understanding the technical underpinnings of KLogEXE provides valuable insight for organizations aiming to defend against this persistent and sophisticated threat actor.  
References
  • Unraveling Sparkling Pisces’s Tool Set: KLogEXE and FPSpy