Researchers at CYFIRMA have released an in-depth analysis of a newly observed Windows malware family dubbed the TinkyWinkey Keylogger, first detected on June 24–25, 2025. This malware demonstrates advanced keylogging and system profiling capabilities, leveraging low-level Windows APIs and stealthy persistence mechanisms to evade detection.
The malware is composed of two main modules:
- Tinky Service – a Windows service that manages the lifecycle of the malware, ensuring persistence across reboots.
- Winkey Keylogger – the core keylogging payload, capable of running as an executable or via DLL injection into trusted processes.
According to the report, “TinkyWinkey operates stealthily as both a service and an executable, capturing extensive system data including CPU specifications, memory, OS version, and network details, while continuously monitoring active windows and keyboard layouts.”
One of TinkyWinkey’s strengths is its detailed system reconnaissance. Using undocumented and low-level APIs, it collects:
- OS fingerprints via direct calls to RtlGetVersion.
- CPU details using the __cpuid intrinsic and GetSystemInfo().
- Network identity through Winsock functions (gethostname, getaddrinfo).
- RAM size with GlobalMemoryStatusEx().
CYFIRMA notes, “The get_cpu_info() function collects detailed processor information through a combination of low-level instructions and Windows API calls… reconstructing the full CPU brand name.”
This level of profiling provides attackers with contextual intelligence, making stolen credentials and keystrokes more actionable.
TinkyWinkey installs a low-level keyboard hook (WH_KEYBOARD_LL) to intercept all keystrokes, including special keys (Enter, ESC, Backspace), media keys, and Unicode characters across multiple languages.
It further enhances keylogging by tracking the active foreground window, allowing attackers to map credentials to specific applications, such as browsers, email clients, or banking portals. The report explains: “A WinEventHook on EVENT_SYSTEM_FOREGROUND is set to detect whenever the user switches active applications, enhancing the value of stolen credentials.”
The malware’s loader uses DLL injection into trusted processes like explorer.exe, so that the keylogger runs under the name of a legitimate process. This involves:
- Allocating memory in the target process.
- Writing the path of the malicious DLL into that memory.
- Creating a remote thread that calls LoadLibraryW on the path, so the target process loads the DLL.
Persistence is achieved by registering a malicious Windows service named “Tinky”, set to start automatically on boot. CYFIRMA highlights: “The service is configured with an automatic startup type, enabling the malware to achieve persistence by ensuring that the service is invoked every time the system boots.”
Captured keystrokes and system details are written to a UTF-8 encoded log file (logs_tw.txt) in the system’s temporary directory. This structured approach allows attackers to exfiltrate credentials, chat logs, and other sensitive information with high accuracy.
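A defender-side triage script, added here as an example and not part of the CYFIRMA report or of the malware, that checks a Windows host for the artifacts the article names: the auto-start service “Tinky” (both live and via the System log’s service-installation event 7045), the logs_tw.txt file in temp directories, and modules loaded into explorer.exe from outside the Windows and Program Files trees. That last check is an assumed heuristic and will also flag legitimate shell extensions, so its hits are leads, not verdicts.

```powershell
# Added triage script (not from the CYFIRMA report). Run as an administrator.
# Service name "Tinky" and log file "logs_tw.txt" are the report's indicators;
# the explorer.exe module-path check is an assumption (heuristic only).
$findings = @()

# 1. Persistence: an installed service named "Tinky" and its start mode.
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='Tinky'" -ErrorAction SilentlyContinue
if ($svc) {
    $findings += "Service 'Tinky' present: StartMode=$($svc.StartMode) State=$($svc.State) Path=$($svc.PathName)"
}

# 1b. Historical evidence: Service Control Manager event 7045 ("service was installed")
#     naming the service, which survives even if the service was later removed.
$installs = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045 } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match "Service Name:\s+Tinky\b" }
foreach ($ev in $installs) {
    $findings += "Event 7045 at $($ev.TimeCreated): service 'Tinky' was installed"
}

# 2. Collection artifact: logs_tw.txt in every profile's temp folder and in
#    the system temp folder (a service running as SYSTEM writes there).
$tempDirs = @("$env:SystemRoot\Temp") +
    (Get-ChildItem "$env:SystemDrive\Users" -Directory -ErrorAction SilentlyContinue |
        ForEach-Object { Join-Path $_.FullName 'AppData\Local\Temp' })
foreach ($dir in $tempDirs) {
    $log = Join-Path $dir 'logs_tw.txt'
    if (Test-Path $log) {
        $item = Get-Item $log
        $findings += "Keylog file found: $log (size=$($item.Length) bytes, modified=$($item.LastWriteTime))"
    }
}

# 3. Injection: DLLs loaded by explorer.exe from outside the trusted trees.
#    Heuristic (assumption): legitimate third-party shell extensions also match.
$trusted = @("$env:SystemRoot\", "$env:ProgramFiles\", "${env:ProgramFiles(x86)}\")
foreach ($p in Get-Process -Name explorer -ErrorAction SilentlyContinue) {
    foreach ($m in $p.Modules) {
        $path = $m.FileName
        $inTrusted = $trusted | Where-Object { $path.StartsWith($_, 'OrdinalIgnoreCase') }
        if (-not $inTrusted) {
            $findings += "explorer.exe (PID $($p.Id)) loaded module from unusual path: $path"
        }
    }
}

if ($findings.Count -eq 0) { "No TinkyWinkey artifacts found on this host." } else { $findings }
```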
As the report concludes, “TinkyWinkey represents a highly capable and stealthy Windows-based keylogger that combines persistent service execution, low-level keyboard hooks, and comprehensive system profiling to gather sensitive information.”