The KeyBoys are back in town

02 November 2017


In our work as Threat Intelligence Analysts at PwC we spend a lot of time focused on researching targeted attacks and advanced persistent threat (APT) actors, to provide our clients with valuable intelligence. We have recently uncovered a new campaign, by a threat actor which hasn’t been observed to be very active for almost a year, and which employs some rather interesting techniques.

Advanced persistent threat actors have been around for years, and since reports of them have emerged more frequently in news outlets, their numbers have only increased. This applies whether they are nation-state backed groups or groups with a specific motivation or intent, such as the financially motivated FIN7.

In today’s blog post, we will be analysing the latest campaign by an attack group called KeyBoy. There have only been a few reports (Cisco, Rapid7) written about KeyBoy before, with the last known public report written by CitizenLab in November 2016. KeyBoy is believed by the industry to be a hacking group based in or operating from China, and is mainly engaged in espionage activity. In the past it has targeted organisations and individuals in Taiwan, Tibet, and the Philippines, but in its latest campaign, KeyBoy appears to have expanded its targeting, as it now appears to be going after mostly Western organisations, likely for corporate espionage purposes.

The malware that KeyBoy uses in its activity has a range of different capabilities once it has infected a device, including, but not limited to:

  • Taking screenshots;
  • Browsing and downloading files;
  • Gathering extended system information, e.g. on the operating system, disks, memory;
  • Shutting down and rebooting victim machines.

Discover more about KeyBoy in our report published here, which provides broader information about this particular threat actor and their latest campaign techniques, such as replacing legitimate Windows binaries with a copy of the malware. There are also more details of the persistence mechanism, as well as indicators, which you can use to search for any signs of intrusion into your systems.

PwC Threat Intelligence subscribers can refer to CTO-TIB-20171019-01A - KeyBoy's new toys, published in October 2017, for further details and the wider context to this activity. Any additional queries or requests can also be made to [email protected], and we will be happy to assist.

The full analysis and indicators of compromise can be found here.


Bart Parys

Bart Parys | Threat Intelligence Analyst