Keyloggers remain a major threat in 2025, widely used by attackers to silently capture passwords, inputs, and system activity, and by security teams to assess defense gaps during ethical red team engagements. Keyloggers can operate below traditional detection layers, enabling them to be a highly effective and dangerous credential harvesting technique. Keylogging is likely to be used to acquire credentials for new access opportunities when OS Credential Dumping efforts are not effective, and may require an adversary to intercept keystrokes on a system for a substantial period of time before credentials can be successfully captured (MITRE ATT&CK 1 & 3, 2025).

Additionally, they can serve as powerful assets in ethical security testing. Keyloggers are capable of silently capturing everything from passwords to command-line commands with little chance of detection. This guide explains what keyloggers are, how attackers use them, and most importantly, how to detect, and defend your systems against them.

A keylogger is software or hardware that secretly records keystrokes pressed on a keyboard, or otherwise every keystroke stored in a keyboard buffer. Often used maliciously, keyloggers store or send captured data to hackers, who analyze it to steal credentials and access secure systems, usually without the victim knowing (Fortinet, 2025).

As you can see in the image below, some of the keylogger’s goals are to steal credentials, monitor commands/behaviors, and enable lateral movement.

However, InfoSec professionals also employ keyloggers responsibly during penetration tests and red team operations to expose vulnerabilities. Keyloggers function at various system layers: application, operating system, kernel, and hardware — each progressively more difficult to detect. Regardless of type, their core goal is to quietly capture your keystrokes.

1. Software-Based Keyloggers

Software keyloggers are malicious programs that are installed directly on the target system to capture keystrokes and send or store this data for attackers. They are among the most prevalent methods attackers use to intercept user input (Fortinet, 2025).

Software-Based Keylogger types include:

• Application-Level: Captures input via APIs and keyboard event hooks.
• Kernel-Level: Intercepts keystrokes before system processing.
• Form-Grabbing: Captures data from web forms prior to encryption.
• Memory-Injecting: Injects malicious code into running processes.
• Cross-Site Scripting (XSS): Embeds malicious JavaScript to capture typed input.

2. Hardware-Based Keyloggers

Hardware-based keyloggers are physically inserted between a keyboard and the computer (via USB or PS/2 ports). Often disguised as adapters, hardware-based keyloggers operate on the hardware level, making them hard to detect with antivirus tools. They store keystroke data locally for later attacker retrieval (SentinelOne, 2025).

Hardware-Based Keylogger Types Include:

• Traditional: Physical devices intercepting keystrokes.
• Wireless: Transmitting captured keystrokes remotely.
• Acoustic: Analyzing typing sounds to reconstruct input.

Preventing unauthorized physical access is critical to mitigating hardware keylogger threats. Establish rigorous organizational BYOD policies and otherwise strong controls to restrict physical access to devices and ports (SentinelOne, 2025).

Modern Hardware-Based Keylogger Examples:

Key Croc: A smart USB keylogger developed by Hak5, equipped with penetration testing tools, remote access, and payload capabilities that trigger multi-vector keylogging attacks. It emulates trusted USB devices such as keyboards, storage, and Ethernet adapters to avoid detection and can be controlled remotely through a web interface, making it a powerful tool for cyber attackers and penetration testers alike (Hak5).

O.MG Elite Cable: A covert USB cable masquerading as a standard charger or data cable, embedding an advanced keylogging implant within. It offers features like Wi-Fi control, encrypted command-and-control communication, geo-fencing, and self-destruct mechanisms, providing attackers with stealthy control and data exfiltration options (Hak5).

By understanding these devices and their sophisticated functions, organizations can better recognize the threat landscape and reinforce physical security measures to protect sensitive input data.

Chat With Our Cybersecurity Team   Our Cybersecurity Solutions

Disclaimer
This blog post is intended for educational and informational purposes only. The techniques, tools, and references discussed, particularly those related to keylogger development, detection, or testing, are shared to improve awareness and strengthen cybersecurity defenses. Any attempt to replicate, deploy, or experiment with these tools should only be done within explicitly authorized environments for ethical testing, research, or red team operations.

Unauthorized use of keyloggers or malware violates legal and ethical standards and may result in severe consequences, including criminal charges. DataYard disclaims all responsibility for misuse of the information provided. Always consult with qualified security professionals before applying these practices to your environment.

References

• Bhardwaj, Akashdeep & Goundar, Sam. (2020). Keyloggers: silent cyber security weapons. Network Security. 2020. 14-19. 10.1016/S1353-4858(20)30021-0. https://www.researchgate.net/publication/339371911_Keyloggers_silent_cyber_security_weapons
• Fortinet. (2025). What Is A Keylogger? Definition And Types. https://www.fortinet.com/resources/cyberglossary/what-is-keyloggers
  Hak5. (2025). Key Croc. https://shop.hak5.org/products/key-croc?srsltid=AfmBOorLb7dgIOM0NSZcpRYJaGMycKb6Cf6ZFF_T2VwM-Sn7U5lQagNI
• Hak5. (2025.). O.MG cable. https://shop.hrak5.og/collections/home1/products/omg-cable
• Messham, A. (2025). Rust malware development – Linux keylogger: An exploration of low-level Linux input monitoring with evdev and Rust [Unpublished manuscript].
• MITRE ATT&CK 1. (2025, April 15). Input capture: Keylogging. Input Capture: Keylogging, Sub-technique T1056.001 – Enterprise | MITRE ATT&CK®. https://attack.mitre.org/techniques/T1056/001/
• MITRE ATT&CK 2. (2025, April 15). Masquerading. Masquerading, Technique T1036 – Enterprise | MITRE ATT&CK®. https://attack.mitre.org/techniques/T1036/
• MITRE ATT&CK 3. (2025). OS Credential Dumping. MITRE ATT&CK®. https://attack.mitre.org/techniques/T1003/
• SentinelOne. (2025, May 26). What is a Keylogger? Guide to Protecting Your Enterprise. https://www.sentinelone.com/cybersecurity-101/endpoint-security/keylogger/#how-to-detect-a-keylogger-on-your-device