Keyloggers

Keyloggers are tools designed to capture what a user types or clicks on a device. While many people think of them only as malicious software installed through phishing or infected downloads, keyloggers can also exist as physical hardware placed between a keyboard and a computer. In more advanced campaigns, attackers have even used browser-based scripts to log input activity without installing traditional malware. This shows that credential harvesting has evolved beyond obvious infections and can occur within systems users already trust.

A recent example of this shift involved the ScanBox reconnaissance framework, which has been used in watering-hole attacks attributed to the threat group TA423, also known as Red Ladon. In these campaigns, victims were directed to spoofed or compromised news websites where malicious JavaScript executed inside the browser. The script gathered system information and could log typed input on the page without writing files to disk. This technique highlights how modern threat actors leverage normal web functionality to collect intelligence and prepare for future intrusions (Source: Threatpost, “Watering Hole Attacks Push ScanBox Keylogger,” 2022).

Defending against keyloggers requires layered security and awareness. Endpoint protection and browser hardening reduce risk, but strong authentication is critical. Hardware-based multi-factor authentication, such as a YubiKey, helps prevent account takeover because a captured password alone is not enough to gain access. As keylogging techniques continue to evolve across software, hardware, and browser-based methods, understanding how these attacks work is essential for maintaining secure systems.
