Black friday Up to 3 extra licenses FOR FREE + Special offer for TI LOOKUP Get it now
Webinar
February 26
Better SOC with Interactive Sandbox Practical Use Cases
Register now

KrakenKeylogger

123
Global rank
121 infographic chevron month
Month rank
140 infographic chevron week
Week rank
0
IOCs

Kraken is a trojan malware with infostealing capabilities that was first spotted in May of 2023. The malware can perform a wide range of malicious activities, including logging users’ keystrokes. The data then can be sent to the attacker using several protocols. The operators behind the Kraken stealer usually distribute it via phishing emails.

Trojan
Type
Unknown
Origin
1 May, 2023
First seen
15 September, 2025
Last seen
Also known as
Kraken
Kraken Stealer

How to analyze KrakenKeylogger with ANY.RUN

Type
Unknown
Origin
1 May, 2023
First seen
15 September, 2025
Last seen

IOCs

Hashes
7357f1dc4cc6b7ed24845f6a68defaf560af51e19f9cf31ffc2c008eb539dd39
0b6cd05bee398bac0000e9d7032713ae2de6b85fe1455d6847578e9c5462391f
069395ba2c278a8d5fe946e6414c3b028d04e906a166055c0d88c8ef6baebacf
e92d56612dc90ee84e96acb77d7b9183d8a16843ee0c401cc685442b95780c78
b639e26a0f0354515870ee167ae46fdd9698c2f0d405ad8838e2e024eb282e39
8a6aa9e5d58784428d0b1641e99f024438b20747993039e16b8d262f3f5fd347
080731d99756d9edf59e6d72931b6e1ea342ffa8fd937b5fcefe7d22eb165fe3
4c2f188c6f7658df23a065fb7341744cf68eb1bc4124840956a81da87968030a
7e0ee0e707db426eaf25bd0924631db969bb03dd9b13addffbcc33311a3b9aa7
564154a2e3647318ca40a5ffa68d06b1bd40b606cae1d15985e3d15097b512cd
e1372f8aa31ebbe3ab60d07036ae829a19e3f837b698f38e3469ac3d5f2c4f50
c24c12afb99023a67597cb238e5767f1d410e3a18a3239384179e440f671ba3f
f274cd1d4caf4d3acb888fc435ca2ae3261a4c0634f34e43fd5d46bf8a7059f7
6c4a1f74de712ee096140aba680c37ed6b7cce8c412f1e2defaee84a556c163a
Domains
kraken.nswardh.com
vyprotb.com
onemgat.net
pnispsal.com
mpzohtore.com
pdpocatk.com
smmyuhxlt.cc
yhzjehi.com
URLs
http://ww38.blasze.tk/CN18R3
http://blasze.tk/CN18R3
Last Seen at

Recent blog posts

post image
ANY.RUN Sandbox & Microsoft Sentinel: Les...
watchers 411
comments 0
post image
Fighting Telecom Cyberattacks: Investigating...
watchers 1808
comments 0
post image
Efficient SOC: How to Detect and Solve Incide...
watchers 912
comments 0

What is Kraken malware?

Kraken, also known as Kraken Keylogger, is a malware written in .NET (VB) that focuses on exfiltrating sensitive information from the browsers and email clients installed on the compromised system. Some security solutions may mistakenly label it as SnakeKeylogger or MassKeylogger.

Kraken attacks are usually carried out in several stages, starting from a malicious attachment delivered to a victim’s inbox. Although not as widespread as other stealer malware, such as RedLine, Kraken poses a significant threat to users worldwide. However, there is still no information on who created Kraken malware.

Use ANY.RUN free for 14 days

Try the full power of interactive analysis

Start your free trial

Technical details of the Kraken Keylogger malicious software

KrakenKeylogger usually steals:

  • User information: KrakenKeylogger can capture passwords, usernames, and other authentication details from various applications and websites.
  • Screenshots: The malware usually records screenshots once it finishes stealing data from browsers and FTP clients.
  • Keystrokes:The malicious program can also perform keylogging, keeping track of everything typed by the user.

According to the threat analyst 0xToxin’s article, a typical attack involving KrakenKeylogger starts with a spam email, containing a malicious attachment, usually a .zip. Inside the archive, users may find an .lnk that kickstarts the infection process. Once launched, it executes a PowerShell script, which eventually leads to the download of a .NET loader. The loader then deploys a .dll that ultimately drops Kraken on the system.

KrakenKeylogger makes use of code obfuscation and encryption. The malware is also equipped with evasion mechanisms that allow it to circumvent security solutions.

Execution process of Kraken attacks

Analyzing a sample of Kraken in the ANY.RUN sandbox can help us study the entire execution chain of the malware step by step.

Kraken follows a typical execution chain for this type of malware. The main payload initiates various child processes to carry out multiple actions. In our case, the primary process, Sipariş_28.08.023.exe, initiates the Task Scheduler to perform task scheduling to establish its presence within the infected system.

Additionally, it injects into RegSvcs.exe and launches it to facilitate the primary malicious activity, which includes the theft of credentials from web browsers, personal data, and connection to the C2 server.

As some samples may be geotargeted, we can employ a set of features such as "Locale (OS Language)" and "Residential proxy" to enhance our understanding and countermeasures against the malware.

KrakenKeylogger process tree shown in ANY.RUN KrakenKeylogger`s process tree demonstrated in ANY.RUN

Distribution methods of the KrakenKeylogger malware

Phishing emails constitute the primary method of distributing Kraken. Victims usually receive seemingly legitimate messages that employ social engineering to trick them into downloading and opening malicious files attached to these emails. In most cases, criminals choose to address users on behalf of government agencies, as well as businesses.

Conclusion

KrakenKeylogger is a relatively unexplored threat, and the scale of its operation remains unknown. This highlights the need for individuals and organizations to practice proper measures to make sure that they stay protected against attacks. One of the key components of a comprehensive cybersecurity strategy is early detection of any malicious content received via email.

To this end, ANY.RUN can be used, as it allows you to conduct advanced analysis of any suspicious file or link and receive insights on whether it is harmful or not in seconds. The service provides thorough threat reports that contain all the essential information such as indicators of compromise (IOCs), needed for proper prevention and incident response.

Try ANY.RUN for free – request a demo!

HAVE A LOOK AT

DarkVision screenshot
DarkVision
darkvision
DarkVision RAT is a low-cost, modular Remote Access Trojan that gives attackers remote control of infected Windows hosts. Initially observed around 2020 and sold in underground marketplaces, DarkVision has become notable for its full feature set (keylogging, screen capture, file theft, remote command execution and plugin support) and for being distributed via multi-stage loaders in recent campaigns.
Read More
VanHelsing Ransomware screenshot
VanHelsing is a sophisticated ransomware strain that appeared in early 2025, operating via the Ransomware-as-a-Service (RaaS) model and targeting primarily USA and France. It threatens mostly Windows systems but has variants for Linux, BSD, ARM, and ESXi, making it a multi-platform malware. It is also notable for its advanced evasion techniques, double extortion tactics, and rapid evolution.
Read More
Sality screenshot
Sality
sality
Sality is a highly sophisticated malware known for infecting executable files and rapidly spreading across networks. It primarily creates a peer-to-peer botnet that is used for malicious activities such as spamming, data theft, and downloading additional malware. Sality has strong persistence mechanisms, including disabling security software, making it difficult to remove. Its ability to spread quickly and silently, along with its polymorphic nature, allows it to evade detection by traditional antivirus solutions.
Read More
WhiteSnake screenshot
WhiteSnake
whitesnake
WhiteSnake is a stealer with advanced remote access capabilities. The attackers using this malicious software can control infected computers and carry out different malicious activities, including stealing sensitive files and data, recording audio, and logging keystrokes. WhiteSnake is sold on underground forums and often spreads through phishing emails.
Read More
Prometei screenshot
Prometei
prometei
Prometei is a modular botnet malware family that silently infiltrates systems, hijacking their resources for illicit Monero (XMR) mining. Active since at least 2016, it combines stealth, persistence, and lateral movement capabilities. Notable for its global reach and opportunistic infection strategy, it is also used for credential theft.
Read More
Tycoon 2FA screenshot
Tycoon 2FA
tycoon
Tycoon 2FA is a phishing-as-a-service (PhaaS) platform designed to bypass multi-factor authentication (MFA) protections, particularly targeting Microsoft 365 and Gmail accounts. Its advanced evasion techniques and modular architecture make it a significant threat to organizations relying on MFA for security.
Read More