article featured image


A keylogger is a software or hardware component that records everything typed on your computer’s keyboard.

The term ‘keylogger’ comes from ‘keystroke logging’, the act of recording (logging) the keys that are pressed on a keyboard, usually without the user knowing that their actions are being watched. But first, let’s dive into the difference between hardware-based and software-based keyloggers.

Keylogger Types: Hardware vs Software-based

Hardware-based Keyloggers

A hardware-based keylogger is a tiny device, a physical component that connects to the computer via the keyboard. The device usually looks like a standard keyboard PS/2 connector, computer cabling, or a USB adaptor, making it relatively simple to conceal the device for someone who wants to keep an eye on a user’s behavior.

Software-based Keyloggers

A software-based keylogger is a computer program that can be installed without having direct access to the user’s computer. It can be downloaded on purpose by someone who wants to monitor a computer, or it can be downloaded without the user’s knowledge and run as part of a rootkit or a remote administration Trojan (RAT).

Keyloggers: A Brief History

It may come as no surprise that keyloggers have been used for spying on people since the beginning of computers. According to Wikipedia, keyloggers were used for many different purposes in the 1970s and early 1980s, including secret government operations.

One of the most famous early events happened in the middle of the 1970s when Soviet spies made a very smart hardware keylogger that they used to spy on IBM Selectric typewriters in the US Embassy and Consulate buildings in Moscow and St. Petersburg. Once they were in place, the keyloggers measured the slight changes in each typewriter’s magnetic field that could barely be seen as the print head turned and moved to type each letter. In the meantime, Soviet embassies chose to type classified information on manual typewriters instead of electric ones.

The middle to late 1990s represents another turning point in the history of keyloggers because that is when a lot of people started producing and using commercial keyloggers. During that time, a lot of different products came out quickly on the market. Since then, the number of commercial keyloggers has exploded, which brings us to the present, with a huge variety of products, target groups, and languages in which they are available.

What Are Keyloggers Used for?

Now, this is where it gets complicated. The morality, legality, and consequences of using a keylogger are determined by different factors such as consent, goals, intent, and possession of the monitored product. The legality of using a keylogger also depends in part on local regulations. However, from an ethical point of view, keyloggers can be split into three main categories: legitimate, illegitimate, and ‘grey area’.

Legitimate Keyloggers

For a keylogger to be used legally, the person or organization using it must follow a few rules, such as: not use the data in an illegal way, be the owner of the product, its manufacturer, or the legal guardian of a child who owns the product. The keylogger also must be used according to the laws of their location. It is important to mention that ‘consent’ is not mandatory. Therefore, here are some examples of keyloggers that can be used legitimately:

  • Monitoring business server – to keep an eye out for unapproved user activity on web applications.
  • Product development – to collect user feedback to enhance the computer’s performance.
  • IT assessment – to acquire information about user issues and effectively address them.
  • Employee surveillance – to monitor the safe usage of corporate property at all times.
  • Law enforcement investigation – when investigating criminal conduct, law enforcement agencies may use keyloggers if they have the warrant to do so.

‘Grey Area’ Keyloggers

A person who uses a keylogger can check on computers they own or made. They can even legally check on the devices their kids use. But they can’t monitor devices that don’t belong to them. This is the grey area of keylogger usage. Examples include:

  • Parental monitoring: a measure to ensure a child’s safety in virtual and interpersonal interactions.
  • Marital surveillance: collecting data on a partner’s online behavior using a device that belongs to the user to prove that the partner is cheating.
  • Monitoring productivity: keeping tabs on how workers use their time on the clock.

Illegitimate Keyloggers

Unlike the previously mentioned, illegal keylogger use entirely disregards consent, laws, and product ownership. This is the use case cybersecurity professionals typically refer to. Therefore, keyloggers are labeled as malware when they cross the line into criminal territory.

When employed to perform an attack, cybercriminals often use keyloggers as spyware to steal personally identifiable information, passwords, financial information (card numbers, PIN codes), and sensitive data from businesses. This data is usually sent to third parties for criminal use.

A few examples of illegitimate keylogger uses are:

  • Intercepting and stealing personal information such as credit card numbers and other sensitive information;
  • Stealing a spouse’s online login credentials to monitor their social media;
  • Stalk an ex-spouse, friend, or other non-consenting people.

How Do Keyloggers Work?

In the case of hardware-based keyloggers, they can be inserted either into the back of the computer or inside the keyboard itself. The keylogger saves each keystroke as text on its own hard drive, which could be equipped with several gigabytes of memory. The person who installed it must return and remove the keylogger to access the collected data.

Software-based keyloggers, on the other hand, are easier to install, so they’re more common. Software keyloggers don’t damage the computers they infect. They simply sniff out keystrokes, in the background, while the computer continues to run normally.

A typical software-based keylogger contains two files that are installed in the same directory: a dynamic-link library (DLL) file that performs the recording and an executable file that installs and activates the DLL file. The keylogger program records every keystroke the user makes and periodically uploads the information to the person who installed the program via the internet. Hackers can create keyloggers that use keyboard application program interfaces (APIs) to send information to another application, run malicious scripts, or access memory.

Depending on their access to system resources, software-based keyloggers can also be split into two main categories: user mode and kernel mode.

User-Mode Keyloggers

A user-mode keylogger intercepts keyboard and mouse movements using a Windows application programming interface (API). User mode keyloggers are the quickest to create, but they are also the easiest to detect because the functions that they use to intercept data are well-known within the Win32 API.

Kernel-Mode Keyloggers

A kernel-mode keylogger is more advanced and difficult to implement. It requires higher privileges to operate and may be more difficult to track down within a system. Kernel mode keyloggers use filter drivers that can intercept keystrokes, and they also have the ability to change the internal dynamics of Windows by using the kernel.

Examples of situations that could lead to a keylogger’s dissemination include:

How Can You Spot a Keylogger?

Keyloggers have the same warning signs as other types of malware. If you think you might have a keystroke logger on your machine, look for the following:

  • Unusual redirects. If you’re routed to an unexpected search engine or sites that don’t look right, it might be a malicious redirect.
  • Crashing and Freezing. All processing power required for recording might cause other applications to crash and freeze more frequently than usual.
  • Poor Performance. Your overall computer performance will suffer if your machine starts sending your keystrokes back to a hacker.
  • Sudden changes in settings. If you notice a change in your browser’s homepage, toolbars, or icons, it might be an indication of malicious software, such as a keylogger.

5 Tips to Prevent Keyloggers

Prevention is always the best remedy, so make sure you follow 5 simple steps that might help you avoid a keylogger attack:

  1. Never disclose credentials via email. Legitimate businesses will not contact you and request your password or other personal information. This kind of email could likely be phishing attacks, in which hackers seek to get access to your data using social engineering techniques.
  2. Pay attention to attachments. Be cautious before clicking if a contact sends you an attachment you weren’t expecting. They might have been compromised, and clicking on the attachment could launch malware.
  3. Install updates as soon as they become available. Updates include, among other things, bug fixes and security updates.
  4. Get ad-blocking software and don’t click on pop-ups. Malware can sometimes be hidden in ads, but it’s best to use an ad – blocker just in case.
  5. Use a powerful antivirus software. The best way to protect yourself from all kinds of malicious software is to install a strong antivirus.

How Can Heimdal® Help?

With the right tools, keyloggers can be detected even if they are especially designed to run in the background and stay hidden. The most effective approach would be to use a strong antivirus solution such as Heimdal® Next Gen Antivirus and block keyloggers before they get a chance to infect your computer or the computers of your organization.

The innovative intelligence behind Heimdal®’s four levels of precise detection allows it to identify and neutralize even the most sophisticated threats, including ransomware attacks, rootkits, brute-force attacks and undetectable malware such as keyloggers.

Heimdal Official Logo
Antivirus is no longer enough to keep an organization’s systems secure.

Heimdal® DNS Security Solution

Is our next gen proactive DNS-Layer security that stops unknown threats before they reach your endpoints.
  • Machine learning powered scans for all incoming online traffic;
  • Stops data breaches before sensitive info can be exposed to the outside;
  • Advanced DNS, HTTP and HTTPS filtering for all your endpoints;
  • Protection against data leakage, APTs, ransomware and exploits;
Try it for FREE today 30-day Free Trial. Offer valid only for companies.

Wrapping Up

Hardware or software-based, when used illegally, keyloggers represent a significant threat to the security of your data and are among the most destructive types of malware. With access to your credentials, the sky is the limit for a threat actor. Their next step could be impersonation, financial fraud, selling private data on the dark web, and ransomware attempts, just to name a few.

If you liked this article, follow us on LinkedInTwitterFacebookYoutube, and Instagram for more cybersecurity news and topics.

Author Profile

Madalina Popovici

Digital PR Specialist

linkedin icon

Madalina, a seasoned digital content creator at Heimdal®, blends her passion for cybersecurity with an 8-year background in PR & CSR consultancy. Skilled in making complex cyber topics accessible, she bridges the gap between cyber experts and the wider audience with finesse.

Leave a Reply

Your email address will not be published. Required fields are marked *