S0387: KeyBoy
Analyst context for executives and security teams
KeyBoy matters because ATT&CK records it as Windows malware used in targeted campaigns, with relationships showing a broad post-compromise pattern: execution through scripting and command shells, discovery of system/network/file information, credential collection through keylogging and browser credentials, screen capture, persistence through Windows services and Winlogon helper DLLs, stealth through encoded files, timestomping, and hidden windows, plus command-and-control activity that may impersonate legitimate protocols. For leaders, the decision value is not only “do we know this malware name,” but whether Windows endpoint, identity, and network monitoring can reconstruct these behaviors if a targeted intrusion occurs.
Executive priority
Prioritize KeyBoy as a coverage-validation case for targeted Windows intrusions rather than as a standalone malware alert. The ATT&CK relationships connect it to credential access, collection, persistence, discovery, execution, stealth, and command-and-control behaviors that can affect incident scope, identity risk, and business continuity. Executives should ask whether SOC and IR teams can prove they collect the evidence needed to detect suspicious PowerShell/cmd/VB/Python execution, Windows service and Winlogon persistence, browser credential access, keylogging indicators, screen capture activity, suspicious file timestamp changes, and network traffic that blends into legitimate protocols. This is also useful audit evidence: it tests whether controls cover behavior chains, not just known indicators.
Technical view
The official object has no ATT&CK detection text, so defenders should build validation around the linked techniques and the Windows platform. Focus on behavior correlation: script or shell execution followed by discovery commands, file enumeration, credential collection activity, persistence changes, tool transfer, and suspicious outbound command-and-control patterns. Because KeyBoy is related to Protocol or Service Impersonation, network detections should not rely only on protocol labels; validate whether traffic content, destinations, timing, and process ancestry are inspected where appropriate. Relationship context also notes Tropic Trooper uses this object, but the supplied data does not justify asserting local exposure or current activity.
Likely telemetry
- Windows endpoint process creation and command-line telemetry for PowerShell, cmd, Visual Basic-related execution, and Python where present
- Script block, module, and command execution logs where enabled for PowerShell and other interpreters
- Windows service creation/modification events and related registry/file path evidence
- Registry monitoring for Winlogon-related persistence locations
- File system metadata and forensic evidence for timestomping, encoded/encrypted artifacts, new files, and directory enumeration
Detection direction
- Validate detections against the full behavior chain rather than the malware name alone, since the official ATT&CK object provides no detection guidance.
- Correlate Windows execution telemetry with subsequent discovery, credential access, collection, persistence, and outbound network activity to reduce false positives from legitimate administration.
- Tune PowerShell, cmd, VB, and Python analytics carefully; these tools may be legitimate, so process ancestry, user context, execution location, command content, and follow-on behavior are important.
- Check for Windows service and Winlogon persistence changes from unusual parent processes or user contexts.
- Review whether endpoint tools can identify or preserve evidence of timestamp manipulation and hidden-window execution, which can weaken simple file-age or user-visible activity assumptions.
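As an added example that is not part of this page or the ATT&CK object, the correlation idea above applied to constructed Sysmon-style events: an interpreter launch only alerts when at least two distinct follow-on stages (Winlogon/service registry persistence, DLL creation-time rewrite) appear in its own process lineage within a window. Field names follow Sysmon; the 30-minute window, the two-stage threshold and all hosts, paths and PIDs are assumptions.

```python
import re
from datetime import datetime, timedelta
# Sysmon IDs used: 1 process create, 13 registry value set, 2 file creation time changed.
INTERPRETERS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "python.exe"}
PERSIST_RE = re.compile(r"\\Windows NT\\CurrentVersion\\Winlogon\\(Notify|Userinit|Shell)"  # T1547.004
                        r"|\\CurrentControlSet\\Services\\[^\\]+\\(ImagePath|Parameters\\ServiceDll)", re.I)  # T1543.003
CHAIN_WINDOW, MIN_FOLLOW_ON = timedelta(minutes=30), 2  # assumed tuning values

def stage_of(ev):
    # Classify a follow-on event as one of the chain stages from this page; falls through to None.
    if ev["EventID"] == 13 and PERSIST_RE.search(ev.get("TargetObject", "")):
        return "registry_persistence"
    if ev["EventID"] == 2 and ev.get("TargetFilename", "").lower().endswith(".dll"):
        return "dll_timestomp"  # T1070.006: creation time rewritten on a DLL

def correlate(events):
    # Alert only when an interpreter is followed, inside its own lineage and within
    # CHAIN_WINDOW, by >= MIN_FOLLOW_ON distinct stages; a single admin edit stays quiet.
    events, alerts, absorbed = sorted(events, key=lambda e: e["ts"]), [], set()
    for start in events:
        image = start.get("Image", "").rsplit("\\", 1)[-1].lower()
        if start["EventID"] != 1 or image not in INTERPRETERS or start["ProcessId"] in absorbed:
            continue
        lineage, stages = {start["ProcessId"]}, set()
        for ev in events:
            if ev["Host"] != start["Host"] or not start["ts"] < ev["ts"] <= start["ts"] + CHAIN_WINDOW:
                continue
            if ev["EventID"] == 1 and ev.get("ParentProcessId") in lineage:
                lineage.add(ev["ProcessId"])   # children inherit the chain
                absorbed.add(ev["ProcessId"])  # and are not alerted on separately
            elif ev.get("ProcessId") in lineage and (stage := stage_of(ev)):
                stages.add(stage)
        if len(stages) >= MIN_FOLLOW_ON:
            alerts.append({"host": start["Host"], "root_pid": start["ProcessId"],
                           "image": image, "stages": sorted(stages)})
    return alerts

# Constructed sample: ws01 is an admin touching Userinit once (no alert); ws02 is cmd -> powershell
# that registers a ServiceDll and then rewrites the DLL's creation time (alert).
T0 = datetime(2024, 1, 1, 9, 0)
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
def mk(minutes, host, eid, pid, **f):
    return {"ts": T0 + timedelta(minutes=minutes), "Host": host, "EventID": eid, "ProcessId": pid, **f}
SAMPLE = [
    mk(0, "ws01", 1, 100, Image=PS, ParentProcessId=10),
    mk(1, "ws01", 13, 100, TargetObject=r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit"),
    mk(0, "ws02", 1, 200, Image=r"C:\Windows\System32\cmd.exe", ParentProcessId=20),
    mk(2, "ws02", 1, 201, Image=PS, ParentProcessId=200),
    mk(3, "ws02", 13, 201, TargetObject=r"HKLM\SYSTEM\CurrentControlSet\Services\exsvc\Parameters\ServiceDll"),
    mk(4, "ws02", 2, 201, TargetFilename=r"C:\ProgramData\exsvc\helper.dll"),
]
```

Running `correlate(SAMPLE)` yields one alert for ws02 rooted at the cmd.exe process, with the child PowerShell absorbed into that lineage rather than reported twice.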
Mitigation priorities
- Start with telemetry readiness on Windows endpoints: process creation, script execution, registry changes, service changes, file metadata, credential access signals, and network egress visibility.
- Harden scripting and command execution paths with least privilege, administrative control, and logging policies appropriate to the environment.
- Restrict and monitor persistence locations associated with Windows services and Winlogon helper mechanisms.
- Reduce credential exposure by strengthening browser credential handling policies, privileged access controls, and rapid credential rotation procedures during suspected compromise.
- Segment and monitor outbound network access so suspicious tool transfer and command-and-control behavior can be investigated quickly.
Analyst notes and limits
KeyBoy is described by MITRE as malware used in targeted campaigns against members of the Tibetan Parliament in 2016, with external references from Citizen Lab, PwC, Rapid7, and MITRE. ATT&CK also records a relationship where Tropic Trooper uses this object, and multiple technique relationships that describe how the malware has been observed behaving. The most defensible use of this entry for a SOC or risk program is as a Windows behavior-coverage test and incident-scoping guide.
The supplied object does not include official ATT&CK detection text, aliases, labels, or object-level tactics. It supports Windows as the platform for KeyBoy, but related techniques may list additional platforms that should not be treated as KeyBoy platform claims. This take does not assert active exploitation, current targeting, attribution beyond the supplied relationship, or guaranteed detectability. Local telemetry, asset exposure, and incident evidence are required to determine relevance in a specific environment.
KeyBoy
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1016 | System Network Configuration Discovery | KeyBoy can determine the public or WAN IP address for the system. [2] |
| Enterprise | T1082 | System Information Discovery | KeyBoy can gather extended system information, such as information about the operating system and memory. [2][4] |
| Enterprise | T1543.003 | Windows Service Sub-technique | KeyBoy installs a service pointing to a malicious DLL dropped to disk. [4] |
| Enterprise | T1059.006 | Python Sub-technique | KeyBoy uses Python scripts for installing files and performing execution. [1] |
| Enterprise | T1564.003 | Hidden Window Sub-technique | KeyBoy uses |
| Enterprise | T1001.003 | Protocol or Service Impersonation Sub-technique | KeyBoy uses custom SSL libraries to impersonate SSL in C2 traffic. [2] |
| Enterprise | T1056.001 | Keylogging Sub-technique | KeyBoy installs a keylogger for intercepting credentials and keystrokes. [4] |
| Enterprise | T1027.013 | Encrypted/Encoded File Sub-technique | In one version of KeyBoy, string obfuscation routines were used to hide many of the critical values referenced in the malware. [1] |
| Enterprise | T1070.006 | Timestomp Sub-technique | KeyBoy time-stomped its DLL in order to evade detection. [2] |
| Enterprise | T1105 | Ingress Tool Transfer | KeyBoy has download and upload functionality. [2][4] |
| Enterprise | T1083 | File and Directory Discovery | KeyBoy has a command to launch a file browser or explorer on the system. [2] |
| Enterprise | T1059.005 | Visual Basic Sub-technique | KeyBoy uses VBS scripts for installing files and performing execution. [1] |
| Enterprise | T1559.002 | Dynamic Data Exchange Sub-technique | KeyBoy uses the Dynamic Data Exchange (DDE) protocol to download remote payloads. [2] |
| Enterprise | T1059.001 | PowerShell Sub-technique | KeyBoy uses PowerShell commands to download and execute payloads. [2] |
| Enterprise | T1113 | Screen Capture | KeyBoy has a command to perform screen grabbing. [2] |
| Enterprise | T1059.003 | Windows Command Shell Sub-technique | KeyBoy can launch interactive shells for communicating with the victim machine. [2][4] |
| Enterprise | T1555.003 | Credentials from Web Browsers Sub-technique | KeyBoy attempts to collect passwords from browsers. [4] |
| Enterprise | T1547.004 | Winlogon Helper DLL Sub-technique | KeyBoy issues the command |
Groups, software, and campaigns
G0081: Tropic Trooper
Tropic Trooper is an unaffiliated threat group that has led targeted campaigns against targets in Taiwan, the Philippines, and Hong Kong. Tropic Trooper focuses on targeting government, healthcare, transportation, and high-tech industries and has been active since 2011.[1][2][3]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.3 | | Current bundle | bbbcb835d49b… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] CitizenLab KeyBoy Nov 2016: Hulcoop, A., et al. (2016, November 17). It’s Parliamentary: KeyBoy and the targeting of the Tibetan Community. Retrieved June 13, 2019.
- [2] PWC KeyBoys Feb 2017: Parys, B. (2017, February 11). The KeyBoys are back in town. Retrieved June 13, 2019.
- [3] KeyBoy: (Citation: PWC KeyBoys Feb 2017)(Citation: CitizenLab KeyBoy Nov 2016)(Citation: Rapid7 KeyBoy Jun 2013)
- [4] Rapid7 KeyBoy Jun 2013: Guarnieri, C., Schloesser, M. (2013, June 7). KeyBoy, Targeted Attacks against Vietnam and India. Retrieved June 14, 2019.
- [5] mitre-attack S0387
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.