BLACK FRIDAY: 2-for-1 offer NOVEMBER 20 - 26 See details


Global rank
Month rank
87 infographic chevron week
Week rank

Kraken is a trojan malware with infostealing capabilities that was first spotted in May of 2023. The malware can perform a wide range of malicious activities, including logging users’ keystrokes. The data then can be sent to the attacker using several protocols. The operators behind the Kraken stealer usually distribute it via phishing emails.

1 May, 2023
First seen
7 March, 2024
Last seen
Also known as
Kraken Stealer

How to analyze KrakenKeylogger with ANY.RUN

1 May, 2023
First seen
7 March, 2024
Last seen


IP addresses
Last Seen at

Recent blog posts

post image
Analyzing Malware Protected with Themida and...
watchers 142
comments 0
post image
ANY.RUN Represented at BSides Canada and Cybe...
watchers 188
comments 0
post image
Search for Malware Mutexes in ANY.RUN Threat...
watchers 339
comments 0

What is Kraken malware?

Kraken, also known as Kraken Keylogger, is a malware written in .NET (VB) that focuses on exfiltrating sensitive information from the browsers and email clients installed on the compromised system. Some security solutions may mistakenly label it as SnakeKeylogger or MassKeylogger.

Kraken attacks are usually carried out in several stages, starting from a malicious attachment delivered to a victim’s inbox. Although not as widespread as other stealer malware, such as RedLine, Kraken poses a significant threat to users worldwide. However, there is still no information on who created Kraken malware.

Use ANY.RUN free for 14 days

Try the full power of interactive analysis

Start your free trial

Technical details of the Kraken Keylogger malicious software

KrakenKeylogger usually steals:

  • User information: KrakenKeylogger can capture passwords, usernames, and other authentication details from various applications and websites.
  • Screenshots: The malware usually records screenshots once it finishes stealing data from browsers and FTP clients.
  • Keystrokes:The malicious program can also perform keylogging, keeping track of everything typed by the user.

According to the threat analyst 0xToxin’s article, a typical attack involving KrakenKeylogger starts with a spam email, containing a malicious attachment, usually a .zip. Inside the archive, users may find an .lnk that kickstarts the infection process. Once launched, it executes a PowerShell script, which eventually leads to the download of a .NET loader. The loader then deploys a .dll that ultimately drops Kraken on the system.

KrakenKeylogger makes use of code obfuscation and encryption. The malware is also equipped with evasion mechanisms that allow it to circumvent security solutions.

Execution process of Kraken attacks

Analyzing a sample of Kraken in the ANY.RUN sandbox can help us study the entire execution chain of the malware step by step.

Kraken follows a typical execution chain for this type of malware. The main payload initiates various child processes to carry out multiple actions. In our case, the primary process, Sipariş_28.08.023.exe, initiates the Task Scheduler to perform task scheduling to establish its presence within the infected system.

Additionally, it injects into RegSvcs.exe and launches it to facilitate the primary malicious activity, which includes the theft of credentials from web browsers, personal data, and connection to the C2 server.

As some samples may be geotargeted, we can employ a set of features such as "Locale (OS Language)" and "Residential proxy" to enhance our understanding and countermeasures against the malware.

KrakenKeylogger process tree shown in ANY.RUN KrakenKeylogger`s process tree demonstrated in ANY.RUN

Distribution methods of the KrakenKeylogger malware

Phishing emails constitute the primary method of distributing Kraken. Victims usually receive seemingly legitimate messages that employ social engineering to trick them into downloading and opening malicious files attached to these emails. In most cases, criminals choose to address users on behalf of government agencies, as well as businesses.


KrakenKeylogger is a relatively unexplored threat, and the scale of its operation remains unknown. This highlights the need for individuals and organizations to practice proper measures to make sure that they stay protected against attacks. One of the key components of a comprehensive cybersecurity strategy is early detection of any malicious content received via email.

To this end, ANY.RUN can be used, as it allows you to conduct advanced analysis of any suspicious file or link and receive insights on whether it is harmful or not in seconds. The service provides thorough threat reports that contain all the essential information such as indicators of compromise (IOCs), needed for proper prevention and incident response.

Try ANY.RUN for free – request a demo!


Adwind screenshot
adwind trojan
Adwind RAT, sometimes also called Unrecom, Sockrat, Frutas, jRat, and JSocket, is a Malware As A Service Remote Access Trojan that attackers can use to collect information from infected machines. It was one of the most popular RATs in the market in 2015.
Read More
Agent Tesla screenshot
Agent Tesla
agenttesla trojan rat stealer
Agent Tesla is spyware that collects information about the actions of its victims by recording keystrokes and user interactions. It is falsely marketed as a legitimate software on the dedicated website where this malware is sold.
Read More
Amadey screenshot
Amadey is a formidable Windows infostealer threat, characterized by its persistence mechanisms, modular design, and ability to execute various malicious tasks.
Read More
Arkei screenshot
arkei stealer
Arkei is a stealer type malware capable of collecting passwords, autosaved forms, cryptocurrency wallet credentials, and files.
Read More
AsyncRAT screenshot
AsyncRAT is a RAT that can monitor and remotely control infected systems. This malware was introduced on Github as a legitimate open-source remote administration software, but hackers use it for its many powerful malicious functions.
Read More
WarZone screenshot
warzone avemaria stealer trojan rat
WarZone RAT is a remote access trojan, which is written in C++ and offered as a malware-as-a-service. It packs a wide range of capabilities, from stealing victims’ files and passwords to capturing desktop activities. WarZone RAT is primarily distributed via phishing emails and receives regular updates from its C2.
Read More

Our website uses cookies. By visiting the pages of the site, you agree to our Privacy Policy