APT39 has utilized tools to capture mouse movements.^[1]

APT42 has used credential harvesting websites.^[2]

Chaes has a module to perform any API hooking it desires.^[3]

FlawedAmmyy can collect mouse events.^[4]

InvisibleFerret has collected mouse and keyboard events using "pyWinhook".^[5]

Kobalos has used a compromised SSH client to capture the hostname, port, username and password used to establish an SSH connection from the compromised host.^[6][7]

Leviathan captured submitted multfactor authentication codes and other technical artifacts related to remote access sessions duringLeviathan Australian Intrusions.^[8]

Mafalda can conduct mouse event logging.^[9]

metaMain can log mouse events.^[9]

NPPSPY captures user input into the Winlogon process by redirecting RPC traffic from legitimate listening DLLs within the operating system to a newly registered malicious item that allows for recording logon information in cleartext.^[10]

Storm-1811 has used a PowerShell script to capture user credentials after prompting a user to authenticate to run a malicious script masquerading as a legitimate update item.^[11]

Versa Director Zero Day Exploitation intercepted and harvested credentials from user logins to compromised devices.^[12]

Monitors for abnormal process behavior and API calls like SetWindowsHookEx, GetAsyncKeyState, or device input polling commonly used for keystroke logging.

Detects use of tools/scripts accessing input devices like /dev/input/* or evdev via suspicious processes lacking GUI context.

Monitors for TCC-bypassing or unauthorized access to input services like IOHIDSystem or Quartz Event Services used in keylogging or screen monitoring.

Detects web-based credential phishing by analyzing traffic to suspicious URLs that mimic login portals and POST credential content.