New TinkyWinkey Stealthily Attacking Windows Systems With Advanced Keylogging Capabilities


A sophisticated Windows-based keylogger known as TinkyWinkey began surfacing on underground forums in late June 2025, targeting enterprise and individual endpoints with unprecedented stealth.

Unlike traditional keylogging tools that rely on simple hooks or user-mode processes, TinkyWinkey leverages dual components—a Windows service and an injected DLL payload—to remain hidden while harvesting rich contextual data.

The malware’s emergence underscores a troubling evolution in threat actor tactics: it blends deep system profiling with low-level keyboard capture, making it an attractive tool for espionage and credential theft.


TinkyWinkey’s attack vector typically begins with the installation of a malicious service named “Tinky.” Installed via SCM API calls, the service is configured for automatic startup, ensuring persistence even across system reboots.

Upon activation, the service worker thread spawns the primary keylogging module (winkey.exe) within the active user session by invoking CreateProcessAsUser on a duplicated user token.

Keylogging Storage (Source – Cyfirma)

This approach not only avoids visible console windows but also gains direct access to user-mode desktop contexts. Cyfirma analysts noted that this technique allows the malware to run seamlessly under standard user privileges while maintaining stealth within system processes.

Once loaded, the keylogger component employs low-level hooks (WH_KEYBOARD_LL) to intercept every keystroke, including media keys, modifier combinations, and Unicode characters.

The malware maintains a continuous message loop to dispatch captured events, correlating each keystroke with the foreground window title and the current keyboard layout.

Cyfirma researchers identified that TinkyWinkey dynamically detects layout changes through HKL handles, logging events whenever the victim switches between languages.

This ensures that attackers can accurately reconstruct multilingual inputs, a feature often overlooked by simpler keyloggers.

TinkyWinkey is a Windows-based project (Source – Cyfirma)

#include <windows.h>
#include <stdio.h>

/* Logging helper used by the keylogger; its body is not shown in the write-up. */
void write_to_file(const char *line);

typedef LONG (WINAPI *RtlGetVersionPtr)(PRTL_OSVERSIONINFOW);

/* Records the exact OS version for the system-profiling log by calling
   ntdll!RtlGetVersion directly, which reports the true version regardless of
   the compatibility manifest that can make GetVersionEx understate it. */
void log_windows_version() {
    HMODULE hMod = LoadLibraryW(L"ntdll.dll");
    if (hMod) {
        RtlGetVersionPtr fn = (RtlGetVersionPtr)GetProcAddress(hMod, "RtlGetVersion");
        RTL_OSVERSIONINFOW rovi = { sizeof(rovi) };
        if (fn && fn(&rovi) == 0) {   /* 0 == STATUS_SUCCESS */
            char buffer[128];
            snprintf(buffer, sizeof(buffer),
                     "Windows version: %lu.%lu (build %lu)\n",
                     rovi.dwMajorVersion, rovi.dwMinorVersion, rovi.dwBuildNumber);
            write_to_file(buffer);
        }
        FreeLibrary(hMod);
    }
}

Infection Mechanism and Persistence Tactics

TinkyWinkey’s infection mechanism hinges on its service-based persistence and stealthy DLL injection. After establishing the “Tinky” service, the loader resolves the PID of a trusted process—most commonly explorer.exe—using a custom FindTargetPID routine.

Upon obtaining a handle with PROCESS_ALL_ACCESS, it allocates memory in the target process via VirtualAllocEx and writes the full path of keylogger.dll into that buffer.

A subsequent CreateRemoteThread call, pointing at LoadLibraryW, forces the trusted process to load the malicious DLL.

Malicious Windows service named ‘Tinky’ (Source – Cyfirma)

This remote injection method not only conceals the keylogging code within a legitimate process but also evades many endpoint protection solutions that monitor standalone executables.

A final WaitForSingleObject call ensures the injection completes cleanly before handles are closed, preserving system stability and further masking the compromise from forensic analysis.
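The “Tinky” service install and the LoadLibraryW remote thread into explorer.exe described above each leave distinct Windows telemetry. The following triage script is an added example, not Cyfirma’s analysis code or the malware’s: it assumes events are exported as dicts whose field names follow the Sysmon Event ID 8 (CreateRemoteThread) and System-log Event ID 7045 (service install) schemas, and the sample events are constructed.

```python
"""Added triage example: flags the two TinkyWinkey behaviours described above.
Field names follow the Sysmon Event ID 8 (CreateRemoteThread) and System-log
Event ID 7045 (service install) schemas; the export format is an assumption.
The events below are constructed samples, not real telemetry."""
from __future__ import annotations

SUSPICIOUS_SERVICE_NAMES = {"tinky"}      # service name reported by Cyfirma
TRUSTED_TARGETS = {"explorer.exe"}        # injection target named in the write-up

SAMPLE_EVENTS = [  # constructed
    {"EventID": 7045, "ServiceName": "Tinky",
     "ImagePath": "C:\\ProgramData\\svc.exe", "StartType": "auto start"},
    {"EventID": 8, "SourceImage": "C:\\ProgramData\\svc.exe",
     "TargetImage": "C:\\Windows\\explorer.exe",
     "StartModule": "C:\\Windows\\System32\\KERNEL32.DLL",
     "StartFunction": "LoadLibraryW"},
    # Remote thread into a process that is not on the watch list: not flagged.
    {"EventID": 8, "SourceImage": "C:\\Program Files\\EDR\\agent.exe",
     "TargetImage": "C:\\Windows\\System32\\svchost.exe",
     "StartModule": "C:\\Windows\\System32\\KERNEL32.DLL",
     "StartFunction": "LoadLibraryW"},
    {"EventID": 7045, "ServiceName": "Spooler",
     "ImagePath": "C:\\Windows\\System32\\spoolsv.exe", "StartType": "auto start"},
]

def _basename(path: str) -> str:
    """Case-folded file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def triage(events: list[dict]) -> list[str]:
    """Return one finding string per matching event, in input order."""
    findings = []
    for ev in events:
        eid = ev.get("EventID")
        if eid == 7045 and ev.get("ServiceName", "").lower() in SUSPICIOUS_SERVICE_NAMES:
            findings.append(f"service-install: {ev['ServiceName']} -> {ev['ImagePath']}")
        elif (eid == 8 and ev.get("StartFunction") == "LoadLibraryW"
              and _basename(ev.get("TargetImage", "")) in TRUSTED_TARGETS):
            findings.append(f"remote-thread: {_basename(ev['SourceImage'])} -> "
                            f"{_basename(ev['TargetImage'])} via LoadLibraryW")
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

The service-name match is a narrow indicator that a rebuilt sample can trivially change; the LoadLibraryW remote thread into a trusted process is the more durable behaviour to alert on.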

Through its combined service execution and precise DLL injection, TinkyWinkey achieves a level of stealth and resilience rarely seen in commodity malware, rendering traditional detection and removal strategies insufficient for defending modern Windows environments.



About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.