Author: ShadowOpCode
Date: 2025-08-31
Status: Previously undocumented
Family: RustMe (Windows Keylogger, x64)
This repository contains the technical report, Indicators of Compromise (IoCs), and YARA detection rules for RustMe, a previously undocumented 64-bit Windows keylogger.
RustMe installs a low-level keyboard hook (SetWindowsHookExA, WH_KEYBOARD_LL) to capture keystrokes across the desktop session, normalizes them via GetKeyboardState, MapVirtualKeyA, and ToUnicode, and exfiltrates logs through Gmail SMTP using libcurl.
Persistence is achieved by dropping DebugConfig.bat and a .lnk file in the Startup folder. The malware enforces the US keyboard layout (00000409) to ensure consistent keystroke mapping.
- 64-bit Windows binary (MinGW)
- Keylogging via `WH_KEYBOARD_LL` hook
- Keystroke translation with `ToUnicode`
- Forced US keyboard layout (`00000409`)
- Exfiltration over Gmail SMTP (`smtp.gmail.com:587`, `serversreser@gmail.com`)
- Persistence through `DebugConfig.bat` + `.lnk` in Startup
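A host-triage check for the two indicators above that are cheapest to hunt for (the Startup-folder dropper/shortcut pair and outbound SMTP to the exfiltration endpoint), written as an added example rather than code from this repository; the Startup listing, the Sysmon-style network lines and the `MAIL_CLIENTS` allow-list are constructed assumptions:

```python
import re
from dataclasses import dataclass

# Indicators taken from the report above
STARTUP_DROPPER = "DebugConfig.bat"
EXFIL_HOST, EXFIL_PORT = "smtp.gmail.com", 587
# Assumption: the only processes expected to speak SMTP on a managed host
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}

@dataclass
class StartupEntry:
    name: str             # file name inside the Startup folder
    lnk_target: str = ""  # resolved target of a .lnk file, "" for other files

def scan_startup(entries):
    """Flag the RustMe persistence pair: the .bat dropper and any .lnk pointing at it."""
    hits = []
    for e in entries:
        if e.name.lower() == STARTUP_DROPPER.lower():
            hits.append(f"dropper present: {e.name}")
        elif e.name.lower().endswith(".lnk") and STARTUP_DROPPER.lower() in e.lnk_target.lower():
            hits.append(f"shortcut {e.name} -> {e.lnk_target}")
    return hits

# Constructed Sysmon-style network lines: "image=<path> dst=<host>:<port>"
LINE_RE = re.compile(r"image=(?P<image>.+?)\s+dst=(?P<host>[\w.\-]+):(?P<port>\d+)")

def scan_network(lines):
    """Flag SMTP to the exfil endpoint from any process that is not a known mail client."""
    hits = []
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        image = m.group("image").replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if (m.group("host") == EXFIL_HOST and int(m.group("port")) == EXFIL_PORT
                and image not in MAIL_CLIENTS):
            hits.append(f"{image} -> {m.group('host')}:{m.group('port')}")
    return hits

if __name__ == "__main__":
    # Constructed sample data, not taken from a real host
    startup = [StartupEntry("desktop.ini"), StartupEntry("DebugConfig.bat"),
               StartupEntry("update.lnk", r"C:\Users\u\AppData\Roaming\Microsoft\Windows"
                            r"\Start Menu\Programs\Startup\DebugConfig.bat")]
    net = [r"image=C:\Users\u\AppData\Local\Temp\svc.exe dst=smtp.gmail.com:587",
           r"image=C:\Program Files\Outlook\outlook.exe dst=smtp.gmail.com:587"]
    for hit in scan_startup(startup) + scan_network(net):
        print("ALERT:", hit)
```

On a live host, feed `scan_startup` the listing of each user's Startup folder (resolving `.lnk` targets with a shortcut parser) and `scan_network` your Sysmon Event ID 3 or firewall log export; the shortcut match is case-insensitive so it also catches a renamed-case drop.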
YARA rules are included in [yara/]:
- `RustMe_Keylogger`: high-confidence detection of RustMe samples
- T1056.001 – Input Capture: Keylogging
- T1547.001 – Persistence: Startup Folder
- T1048.003 – Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol (SMTP)
- T1027 – Obfuscated/Encoded Files
This research is provided for educational and defensive purposes only.
Do not use any included samples, code, or IoCs for malicious activity.