Home/Glossary/Keylogger

Keylogger

Malicious software or hardware that secretly records keystrokes to capture passwords, credit card numbers, and other sensitive information typed by users.

Threat IntelligenceAlso called: "keystroke logger", "keyboard logger", "keylogging malware"

Keyloggers are a category of spyware used by attackers to harvest credentials and sensitive data by recording everything a victim types, often operating invisibly in the background.

Why it matters

  • Primary method for stealing credentials, bypassing encryption and MFA in some cases.
  • Can capture data before encryption is applied (typing into HTTPS forms).
  • Often deployed as part of larger malware campaigns or targeted attacks.
  • Hardware keyloggers can evade all software-based detection.

Key concepts

  • Software keyloggers: Malicious programs running at kernel or user level to intercept keystrokes.
  • Hardware keyloggers: Physical devices installed between keyboard and computer or within keyboards.
  • Form grabbers: Variant that captures form field data before HTTPS encryption.
  • Screen capture: Advanced variants that also record screenshots and mouse clicks.
  • Memory injection: Technique to hide keylogger code within legitimate processes.

Types of keyloggers

  • API-based: Hooks Windows keyboard APIs (SetWindowsHookEx, GetAsyncKeyState).
  • Kernel-level: Operates at driver level for deeper access and harder detection.
  • Form grabbing: Intercepts web form submissions before encryption.
  • Acoustic: Analyzes keyboard sounds to determine keystrokes (research attack).
  • Hardware: USB devices, PS/2 adapters, or embedded in keyboards.

Detection techniques

  • Endpoint detection and response (EDR) monitoring for hooking behavior.
  • Process behavior analysis for unexpected keyboard API access.
  • Physical inspection for hardware devices on workstations.
  • Network traffic analysis for exfiltration patterns.
  • Anti-keylogger software that encrypts keystrokes at the driver level.

Defense strategies

  • Deploy robust endpoint protection with behavioral analysis.
  • Use password managers with auto-fill to avoid typing credentials.
  • Implement hardware security keys for phishing-resistant MFA.
  • Conduct regular security awareness training about keylogger risks.
  • Use virtual keyboards for highly sensitive operations.
  • Physically secure workstations and audit hardware connections.

Common delivery methods

  • Phishing emails with malicious attachments.
  • Drive-by downloads from compromised websites.
  • Bundled with pirated software or fake utilities.
  • USB drop attacks with infected devices.
  • Supply chain compromise of legitimate software.

Related Tools

Related Articles

View all articles
How Often Should You Change Your Passwords? 2025 NIST Guidelines

How Often Should You Change Your Passwords? 2025 NIST Guidelines

Discover why mandatory periodic password changes are no longer recommended, when you should actually change passwords, and how modern security practices focus on breach monitoring instead of scheduled resets.

Read article →
Content Security Policy (CSP): Implementation Guide for 2025

Content Security Policy (CSP): Implementation Guide for 2025

Master Content Security Policy implementation with nonce-based and hash-based approaches, learn to prevent XSS attacks, and discover modern CSP best practices for maximum security.

Read article →
How to Remember Generated Passwords?

How to Remember Generated Passwords?

Discover why remembering generated passwords is the wrong approach, and learn best practices for managing secure passwords through password managers and secure storage.

Read article →
Keylogger Detection and Prevention: Protect Your Keystrokes

Keylogger Detection and Prevention: Protect Your Keystrokes

Learn how to detect and prevent keyloggers from capturing your passwords and sensitive data. Complete guide covering software and hardware keyloggers, detection tools, and enterprise protection strategies.

Read article →

Explore More Threat Intelligence

View all terms

Advanced Persistent Threat (APT)

A sophisticated, long-term cyberattack where an intruder gains unauthorized access and remains undetected for an extended period to steal data or cause damage.

Read more →

Credential Stuffing

An automated attack that uses stolen username/password pairs from data breaches to gain unauthorized access to user accounts on other services.

Read more →

IP Reputation

A trustworthiness score (0-100) assigned to IP addresses based on observed malicious behavior, spam activity, and threat intelligence data.

Read more →

Malware

Malicious software designed to damage, disrupt, or gain unauthorized access to computer systems and data.

Read more →

Phishing

A social engineering attack that uses fraudulent communications to trick recipients into revealing sensitive information or installing malware.

Read more →

Supply Chain Attack

A cyberattack that targets less-secure elements in an organization's supply chain—vendors, software dependencies, or service providers—to compromise the ultimate target.

Read more →
Back to glossary