Definition and history of keyloggers

Keyloggers eavesdrop on keyboard inputs, recording anything typed into devices by users. This data can include passwords, banking details, messages, and other confidential information. Inputs can also include things like biometrics and mouse or touchscreen inputs.

In the past, attackers used physical bugs to eavesdrop on the keystrokes of typewriters, but today it is far more common to find software-based keyloggers in the wild. Today’s keyloggers are typically incorporated as one of the features or tools available in infostealer packages – which operate predominantly as Malware as a Service (MaaS).

Keylogging remains popular in cybercrime and espionage, but it is also used for regulatory compliance, law enforcement, and employee and child monitoring.

The use of keyloggers pre-dates desktop computing. In the 1970s, Soviet spies installed listening devices in IBM Selectric electric typewriters used in the US Embassy in Moscow and the US Consulate in Leningrad. The bugs – physical devices hidden inside the structure of the typewriters themselves – sent radio signals to a nearby listening post.

Nowadays, keyloggers are used primarily to steal sensitive financial data and passwords, and they’re just as likely to be found stealing data from smartphones as from PCs. Personal communications and private messages are also a popular target for thieves and spies, as they can be used for blackmail or for insight into personal or corporate activities that are usually confidential. Attackers use the information they steal with keyloggers for identity theft, financial fraud, corporate espionage, blackmail, and further cyberattacks.

Often, users are tricked into downloading a malicious file from the internet or clicking on a bogus attachment in a message, which then installs malware, including a keylogger.

Why are keyloggers a big threat to everyone?

Put simply: if an attacker can use legitimate credentials to get access to sensitive data, it saves them a great deal of time and effort. A 2025 report by SpyCloud found that nearly 80% of data breaches in 2024 involved stolen user credentials. According to data from IBM, the use of infostealing malware jumped 266% in 2023 compared with the previous year.

The second point is that our devices are used to access all kinds of sensitive information: bank accounts, intellectual property, personal information and so on.

High profile keylogger cases

Keyloggers have been used in a number of high-profile and high-impact malware campaigns, including DarkHotel, which targeted business executives over hotel WiFi networks, installing a keylogger to steal passwords, personal data, and intellectual property.

Other examples detailed by MITRE in its ATT&CK technique list include the group Snake Stealer; for many malicious actors, keyloggers are an important ingredient in their tactics and tools.

Keyloggers explained: Hardware- and Software-based keyloggers

Modern keyloggers are more sophisticated and less likely to involve a hardware compromise or elaborate measures, but they’re just as invasive and harmful to users. They fall into two groups: those that physically intercept keyboard and other input connections, and software-based applications that intercept data from input devices as it moves through the device.

Hardware-based keyloggers

Hardware keyloggers still exist and are still used by both attackers and legitimate users, such as schools, financial institutions, and other workplaces. In legitimate use, they often take the form of a dongle. This is a small device similar in appearance to a USB thumb drive, which sits between a USB port on a computer and the USB plug on a keyboard. Wireless keyboards are not immune, by the way – keyboard sniffers scan for and decrypt wireless communications between keyboards and computers.

Two things to know about hardware keyloggers: firstly, because they don’t interfere with the operating system of the device they’re attached to, but instead intercept traffic between it and an input device, they can be hard to detect. On the other hand, because they need to be physically attached to the computer, they can be easy to spot with a visual inspection of the physical USB ports. Bear in mind – a keylogger that sniffs wireless keyboard signals doesn’t need to be plugged into your PC, either. Sneakier and stealthier hardware keyloggers are more difficult to install without arousing suspicion, making them a very unlikely attack vector in most situations. That doesn’t mean a determined and motivated adversary with the right resources won’t take this route – as described at the beginning of this article.

Software keyloggers

Software keyloggers are far less visible. There’s no need for an attacker to have physical access to a device to install one, and with effective distribution, they can be installed en masse. As a result, software-based keyloggers are far more numerous and widespread. They’re also on pretty much every platform. Windows is, of course, a popular target for keylogging attacks, as it has a massive user base. But macOS, Linux, iOS, and Android are all affected too. One reason for this is that the attackers behind banking malware and infostealers are looking for sensitive information – such as banking logins – that is input into all of these operating systems.

There are several different types of software-based keylogger, and it’s worth detailing them to understand how they work, and how your PC or mobile phone may be vulnerable – it’s often not as straightforward as clicking on the wrong attachment in an email.

Evolution of keyloggers

Keyloggers have been key tools for both criminals and spies for years, but today they have mostly been merged into infostealer tools that harvest all kinds of information, including screen grabs, clipboard data and more. Form-grabbing keyloggers intercept the information users put into or extract from web forms; they were popular in the early 2000s before becoming largely outmoded. The Zeus banking trojan is an example of malware that uses this Man In The Middle (MITM) or Man In The Browser (MITB) approach, which injects the malicious payload directly into the web browser’s memory. Other examples of malware that uses form-grabbing include Dyre and Tinba, also known as Zusy or Tiny Banking Trojan on account of its tiny (20 KB) file size.

API-based keyloggers collect keystrokes directly from the application you happen to be using at the time, hooking into system APIs to capture them. Snake Stealer, a Remote Access Trojan (RAT), used this technique to steal information when triggered on a Windows computer. Previous API-based examples include the now-defunct but still actively distributed AgentTesla RAT.

Kernel-level keyloggers operate at the level of the operating system (OS) kernel – the core software that connects the hardware in a computer to the software that runs on it, including the rest of the OS. One example of this sophisticated – and now fairly ancient – form of keylogging is its use as a feature in the Alureon trojan. Also known as Win32/Olmarik, TDS and TDL, the Alureon family of data-stealing trojans targeted 64-bit versions of Windows starting with Windows Vista in 2010, but was first spotted in the wild three years before. One saving grace of this form of keylogger, as with API-based keyloggers, is that it tends not to spread across operating systems easily, as APIs and OS kernels are not uniform.

The current state of keyloggers

As mentioned earlier, keyloggers are now most often found as added functionality embedded in more complex malware as a service (MaaS) infostealers. These are malware suites provided as outsourced services to criminals in much the same way as law-abiding people use office suites, email services, and companies use more complex enterprise services delivered over the internet.

Criminals subscribe to MaaS services in much the same way, enjoying access to all kinds of different tools and capabilities, from keyloggers to password stealers, and broader services including command execution, botnet creation and operation and so on.

In this context, keyloggers are part of a comprehensive criminal toolset, and as the source code for these tools frequently leaks, new infostealers arrive regularly.

Future Keylogger developments

A final, and thankfully very rare, form of software-based keylogger is one that operates at the hypervisor level. Hypervisor-level keyloggers emerged as a theoretical attack in 2006, with a proof of concept (PoC) described by Joanna Rutkowska following earlier work by researchers at Microsoft into using virtual machines in malware execution. This approach inserts a hypervisor underneath the target device’s operating system, virtualising the OS and intercepting all traffic in and out of it. The result is an effectively invisible piece of malware that can harvest all kinds of sensitive information. It’s worth noting that, despite the concept being proven, live examples of this approach have yet to be found in the wild.

Mobile devices: the perfect platform for keyloggers

The advent of touchscreens for mobile devices, coupled with the fact that a physical keylogger is, to say the least, a lot more visible in a handheld device, has meant that smartphones and tablets have been targeted almost exclusively by software keyloggers.

These devices are a dream for attackers; they’re self-contained, increasingly powerful, and continuously connected. Smishing also allows attackers to compromise devices with payloads hidden behind innocuous-looking links. While both Android and iOS devices can be compromised with keyloggers, it’s worth noting that compromises are more likely if you have jailbroken your device, as both iOS and Android devices employ app stores rather than running random applications downloaded from the internet. That doesn’t mean that malware, including keyloggers, doesn’t sneak in, but it is a more difficult task for attackers.  

On Android, ESET Mobile Security helps protect users by detecting and blocking malicious links and phishing attempts, reducing the risk of malware – including keyloggers – being installed.


Legitimate uses for keyloggers

Employers, schools, and parents all have reasons to use keyloggers to monitor and protect users. Banks and other financial institutions often use keyloggers for what is termed regulatory compliance: to comply with banking, fraud, and money-laundering laws, they need to record how, when and why employees do certain things, both legal and illicit.

Schools and other academic bodies also use keyloggers to identify and prevent misuse, and tech-savvy parents use them for parental control and monitoring of their children’s devices.

Believe it or not, cybersecurity companies and professionals also use keyloggers in testing to try to uncover vulnerabilities in the environments and devices they are hoping to protect. This use is similar to how cybersecurity testers use other tools, techniques, and procedures developed and used by attackers to better understand how to defeat them.

Finally, keyloggers are used to conduct legitimate research into how children develop writing skills, and into how people learn and develop proficiency in second languages. Examples of legitimate tools for research include Inputlog, Scriptlog, and Translog, as well as GGXlog and FlexKeyLogger.

Highly visible examples of legitimate use of keylogging software and hardware are, however, outnumbered by illegal uses, primarily crime and espionage.

Legal and ethical considerations for legitimate keylogger users

Whether the use of keyloggers in the situations we’ve described is ethical or legal depends entirely on the circumstances, but typically it should happen with the informed consent of everyone involved. It’s also worth bearing in mind that the collected data may be personal in nature – an employee’s banking credentials, or information about their family, for example.

In some countries, it is entirely legal for an employer to monitor their employees’ keystrokes and other inputs without their being aware of it. However, such monitoring (including the use of keyloggers) must be proportionate, and there are a number of concerns to consider. Keyloggers represent a privacy and security risk and are a point of collection for all kinds of sensitive data, so a robust, ethical and legal approach is a must. The intricacies and issues around this are outside the scope of this article, and employers should take advice from their Human Resources and Legal teams, as well as consulting with unions or other employee advocacy groups before beginning.

In the US, a number of national and state laws govern workplace monitoring, including the Electronic Communications Privacy Act (ECPA) and National Labor Relations Act (NLRA) that apply at a national level, while state laws, such as the California Privacy Rights Act add another layer of complexity for businesses and rights for employees.

In the EU, employer use of keyloggers and screen capture software is legal – with the consent of employees. It also has to comply with GDPR. Aside from EU-wide laws such as GDPR and the European Convention on Human Rights (ECHR), individual countries have their own legislation regarding privacy in the workplace.

Then there’s the issue of whether using such technology on employees and pupils is wise from an ethical and social perspective. People don’t like being spied on. A 2023 survey by the UK’s Information Commissioner’s Office found that 70% of the people it surveyed would find employers monitoring their activities intrusive – and 19% also believed that they were being monitored by their employer in some way. On top of this, 57% said they would feel uncomfortable taking a new job if they knew their employer would be monitoring them.

How to spot keyloggers on your devices

Organizations use endpoint protection to identify keyloggers across their IT environment. For smaller organizations without dedicated IT teams, ESET Small Business Security provides AI-driven protection that can detect and block keylogging malware.

Mid-sized or larger organizations typically deploy more advanced capabilities. Endpoint Detection and Response (EDR) and Extended Detection and Response (XDR) platforms, such as ESET PROTECT, help security teams detect sophisticated attack chains used by advanced persistent threats (APTs) and organized cybercriminal groups. Behavioral analytics can highlight suspicious activity, while network monitoring helps identify anomalous outbound traffic that may indicate stolen keystroke data being exfiltrated.
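The network-monitoring idea in the paragraph above can be illustrated with a small triage script. Keystroke exfiltration is typically sent home on a fixed schedule in small, similarly sized chunks, so one useful signal is regularity: many connections from one host to one destination at near-constant intervals and near-constant sizes. The following is an added example written for this article, not ESET code or part of any ESET product; the log lines are constructed for the example and the log format, host names, addresses and thresholds are assumptions.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed outbound-connection records in a simple firewall/proxy log shape:
# "<ISO timestamp> <source host> <destination ip:port> <bytes sent>".
# These lines are made up for this example; they are not real telemetry.
SAMPLE_LOG = """\
2025-01-10T09:00:00 ws-017 203.0.113.25:443 1420
2025-01-10T09:05:01 ws-017 203.0.113.25:443 1388
2025-01-10T09:10:00 ws-017 203.0.113.25:443 1402
2025-01-10T09:15:02 ws-017 203.0.113.25:443 1395
2025-01-10T09:20:00 ws-017 203.0.113.25:443 1411
2025-01-10T09:25:01 ws-017 203.0.113.25:443 1399
2025-01-10T09:00:12 ws-042 198.51.100.7:443 52310
2025-01-10T09:01:47 ws-042 198.51.100.7:443 812
2025-01-10T09:09:03 ws-042 198.51.100.7:443 203811
2025-01-10T09:31:40 ws-042 198.51.100.7:443 4410
2025-01-10T09:33:05 ws-042 198.51.100.7:443 96730
"""


def parse_log(text):
    """Parse log lines into (timestamp, host, destination, bytes) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, dest, sent = line.split()
        records.append((datetime.fromisoformat(ts), host, dest, int(sent)))
    return records


def coefficient_of_variation(values):
    """Sample standard deviation divided by the mean; 0 means perfectly regular."""
    mean = statistics.mean(values)
    if mean == 0 or len(values) < 2:
        return float("inf")
    return statistics.stdev(values) / mean


def find_beacons(log_text, min_connections=5, max_cv=0.2):
    """Return (host, destination) pairs whose outbound connections are both
    regularly spaced and similarly sized, i.e. look like scheduled beaconing.
    Heuristic only: software updaters and monitoring agents also beacon, so
    flagged pairs are triage candidates, not verdicts."""
    groups = defaultdict(list)
    for ts, host, dest, sent in parse_log(log_text):
        groups[(host, dest)].append((ts, sent))

    flagged = []
    for (host, dest), events in groups.items():
        if len(events) < min_connections:
            continue
        events.sort()
        times = [e[0] for e in events]
        sizes = [e[1] for e in events]
        intervals = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        interval_cv = coefficient_of_variation(intervals)
        size_cv = coefficient_of_variation(sizes)
        if interval_cv <= max_cv and size_cv <= max_cv:
            flagged.append({
                "host": host,
                "destination": dest,
                "connections": len(events),
                "mean_interval_s": statistics.mean(intervals),
                "interval_cv": interval_cv,
                "size_cv": size_cv,
            })
    return flagged


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG):
        print(f"{hit['host']} -> {hit['destination']}: {hit['connections']} connections, "
              f"every {hit['mean_interval_s']:.0f}s (interval CV {hit['interval_cv']:.3f}, "
              f"size CV {hit['size_cv']:.3f})")
```

On the constructed sample, ws-017 is flagged (six connections roughly every 300 seconds, each around 1.4 KB) while ws-042’s irregular, mixed-size browsing is not. In a real deployment the flagged pairs would be enriched with destination reputation and process context from the endpoint before anyone acts on them.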

Individuals may not have access to the same range of security tools, but they also typically protect far fewer devices. ESET uses many of the same detection technologies across its home and business products, giving consumers enterprise-grade protection against keyloggers and other malware. ESET HOME Security is designed to detect, alert on, and remove keyloggers on PCs, Macs, and smartphones.

Detecting, defeating and removing keyloggers

One of the most effective ways to reduce the impact of keyloggers is to use Multifactor Authentication (MFA) for applications and web services such as online banking. MFA relies on time-limited, one-time codes generated by authenticator apps, meaning that even if an attacker captures keystrokes or screen data, the window to misuse a code is extremely small. In business environments, MFA solutions such as ESET Secure Authentication add this extra layer of protection to corporate systems.

The next important tool for defeating keyloggers is regularly updated and used antivirus and anti-malware applications. Configured correctly, these will scan for signs of keyloggers in use and alert the user.

Coupled with this is regularly updating and patching the OS on your devices. Another approach for mobile users that is regarded as good practice is to switch the device off for five or more minutes once a week – or even once a day. This practice helps clear malicious files that are running in the device’s volatile memory, as well as bringing a host of other benefits.

Finally, minimizing manual credential entry helps reduce the effectiveness of keyloggers that rely on capturing keystrokes. Repeatedly typing usernames and passwords increases the risk of interception. Using strong, unique passwords for every account is therefore critical. ESET supports this best practice by offering a free Password Generator, allowing users to easily create long, randomized passwords and avoid reusing weak or predictable credentials – one of the most common causes of account compromise.