Daily Summary
Snake Keylogger activity rose sharply on 2026-04-29: 11 new samples were detected, 48% above the 7-day rolling average of roughly 7 per day (the 48% figure is computed against the unrounded average; 11 against exactly 7 would be a 57% increase). The surge is driven by script-based delivery, chiefly PowerShell, a break from the family's usual .EXE- and .VBS-dominated campaigns.
New Samples Detected
The 11 samples break down as 6 PowerShell scripts (.ps1), 4 batch files (.bat) and 1 dynamic-link library (.dll). The dominance of .ps1 and .bat files is notable because Snake Keylogger historically ships as a compiled .NET executable or behind a VBScript loader. This suggests the operators are experimenting with script-based initial access, where the script stages the payload at runtime, most likely to evade signature-based detection of the compiled binary. The scripts themselves are still files on disk, so "fileless" applies at most to the payload stage, not to the delivery.
Distribution Methods
Based solely on the file types, delivery appears to be phishing emails carrying script attachments. Both .ps1 and .bat files require the recipient to run them, which points to social-engineering lures such as fake invoices or security alerts. One caveat: double-clicking a .ps1 opens it in Notepad by default rather than executing it, so the .bat files are plausibly launchers that invoke powershell.exe on an accompanying .ps1 with a policy bypass. No archive containers (.zip, .rar) were observed today, which contrasts with the family's usual multi-stage dropper pattern. The single .dll may be a sideloaded component or a later payload stage.
Detection Rate
Static detection of these script-based variants is likely weaker than for the traditional compiled payloads. Many engines are tuned to signatures of compiled binaries, and .ps1 and .bat files, especially obfuscated ones, often slip past static heuristics. The compensating control is runtime visibility: on PowerShell 5 and later, AMSI scans script content at execution time and script block logging (Event ID 4104) records script blocks after deobfuscation, so the decoded stage is observable even when the attachment itself is not flagged. Batch files get no comparable runtime inspection, so they warrant sandboxing. SOC teams should treat any unsolicited script attachment as high priority for dynamic analysis.
C2 Infrastructure
No new C2 servers were identified today, and no geographic patterns are available. The absence of fresh C2 domains or IPs may indicate the actor is reusing existing infrastructure or performing limited testing with these script-borne variants.
7-Day Trend
Today’s 11 samples represent a 48% increase over the 7-day average, pushing Snake Keylogger into a rising trend after a relatively steady week. This could signal the start of a larger campaign shift toward script-based delivery.
Security Analysis
The pivot to PowerShell scripts is a tactical change for Snake Keylogger, which has traditionally relied on compiled .NET payloads. The shift may be a response to improved detection of .EXE-based variants, or an experiment to shrink the delivered file and raise delivery success. Actionable recommendation: enable PowerShell script block logging (Event ID 4104 in the Microsoft-Windows-PowerShell/Operational log) and constrain script execution with AppLocker or WDAC, blocking untrusted .ps1 and .bat files in user-writable locations such as Downloads, Temp and mail-client attachment caches. Note the coverage difference: AppLocker's Script rule collection governs .ps1, .bat, .cmd, .vbs and .js, whereas WDAC forces unsigned PowerShell into Constrained Language Mode but does not control batch files, so an AppLocker script rule (or an equivalent control) is still needed against .bat launchers.
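The following PowerShell helpers are an added example, not code from the report or from any vendor tooling. They tie together the two recommendations above: static triage of a script attachment (hash, Mark-of-the-Web zone and loader indicators) and a hunt over 4104 script block events for the same indicators, which catches the deobfuscated stage that static scanning misses. The indicator patterns, the constructed sample strings and the function names are all assumptions chosen for illustration, not signatures from the feed; tune them to your environment. Run as an administrator on Windows for the registry write and the Operational log read.

```powershell
# Added example (not from the report): generic loader indicators, chosen for
# illustration rather than taken from any Snake Keylogger sample.
$LoaderPatterns = @(
    '(?i)-e(nc(odedcommand)?)?\s+[A-Za-z0-9+/=]{40,}',                  # inline encoded command
    '(?i)FromBase64String',                                              # decoding an embedded blob
    '(?i)Net\.WebClient|Invoke-WebRequest|DownloadString|DownloadFile',   # fetching a next stage
    '(?i)\bI(nvoke-)?EX\b',                                              # executing decoded text
    '(?i)\[Reflection\.Assembly\]::Load',                                # in-memory .NET loading
    '(?i)Add-Type\b.*(VirtualAlloc|CreateThread|WriteProcessMemory)',    # P/Invoke injection primitives
    '(?i)-w(indowstyle)?\s+hidden',                                      # hidden console
    '(?i)-ep\s+bypass|-ExecutionPolicy\s+bypass'                         # policy bypass in a launcher
)

# Returns every pattern that matches the supplied script text.
function Get-LoaderIndicators {
    param([Parameter(Mandatory)][string]$Text)
    foreach ($p in $LoaderPatterns) {
        if ($Text -match $p) { $p }
    }
}

# Static triage of one attachment: hash, Mark-of-the-Web zone and indicator hits.
# ZoneId 3 in the Zone.Identifier stream means the file came from the Internet zone
# (saved from mail or a browser).
function Get-ScriptAttachmentTriage {
    param([Parameter(Mandatory)][string]$Path)
    $item = Get-Item -LiteralPath $Path
    $hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    $zone = $null
    try {
        $zone = (Get-Content -LiteralPath $Path -Stream Zone.Identifier -ErrorAction Stop |
                 Where-Object { $_ -match '^ZoneId=' }) -replace '^ZoneId=', ''
    } catch { }   # no ADS: file did not come through a MotW-aware application
    $text = Get-Content -LiteralPath $Path -Raw
    [pscustomobject]@{
        File       = $item.Name
        Extension  = $item.Extension
        SizeBytes  = $item.Length
        SHA256     = $hash
        ZoneId     = $zone
        Indicators = @(Get-LoaderIndicators -Text $text)
    }
}

# Turns on script block logging machine-wide (same key Group Policy writes).
function Enable-ScriptBlockLogging {
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name EnableScriptBlockLogging -Value 1 -Type DWord
}

# Hunts recent 4104 events. Property index 2 is ScriptBlockText and 3 is
# ScriptBlockId in this event's schema; the text is logged after deobfuscation.
function Find-SuspiciousScriptBlocks {
    param([int]$Hours = 24)
    $filter = @{
        LogName   = 'Microsoft-Windows-PowerShell/Operational'
        Id        = 4104
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $block = [string]$_.Properties[2].Value
        $hits  = @(Get-LoaderIndicators -Text $block)
        if ($hits.Count -gt 0) {
            [pscustomobject]@{
                Time          = $_.TimeCreated
                ScriptBlockId = $_.Properties[3].Value
                Hits          = $hits
                Preview       = $block.Substring(0, [Math]::Min(120, $block.Length))
            }
        }
    }
}

# Constructed demonstration input (not real sample content): a .bat launcher
# and the kind of one-liner stage it would start. Runs offline.
$sampleBat   = 'powershell -w hidden -ep bypass -File "%~dp0invoice.ps1"'
$sampleStage = '$c=New-Object Net.WebClient; IEX ([Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b)))'
"launcher indicators:"; Get-LoaderIndicators -Text $sampleBat
"stage indicators:";    Get-LoaderIndicators -Text $sampleStage
```

Against the constructed launcher the hidden-window and policy-bypass patterns fire; against the stage the WebClient, IEX and FromBase64String patterns fire. On a live host, run Enable-ScriptBlockLogging first, then Find-SuspiciousScriptBlocks after the attachment has been detonated in a sandbox, and compare the 4104 preview with Get-ScriptAttachmentTriage on the original file: a stage that decodes to a .NET assembly loaded via Reflection is consistent with the family's compiled payload being delivered by script rather than replaced by it.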