New TinkyWinkey Stealthily Attacking Windows Systems With Advanced Keylogging Capabilities

Advanced Keylogger TinkyWinkey Targets Windows Systems

A sophisticated Windows-based keylogger named TinkyWinkey has been identified, first appearing in underground forums in late June 2025. The malware targets both enterprise and individual endpoints and is notable for its stealth capabilities.

Technical Specifications

TinkyWinkey differentiates itself from conventional keyloggers by utilizing a dual-component structure consisting of a Windows service and an injected DLL payload. This structure allows it to remain concealed while capturing extensive contextual data.

The malware’s design reflects an advance in threat actor tradecraft: it combines system profiling with low-level keyboard capture, making it a potent tool for espionage and credential theft.

Infection and Persistence

The infection chain begins with the installation of a malicious service named “Tinky” through Service Control Manager (SCM) API calls. The service is configured to start automatically, so it persists across system reboots.

When activated, the service initiates the primary keylogging module (winkey.exe) within the active user session by using CreateProcessAsUser on a duplicated user token.

This method avoids visible console windows and gains direct access to user-mode desktop contexts. Analysts have noted that this technique allows the malware to operate under standard user privileges while remaining undetected within system processes.

Keylogging Mechanism

Once initiated, the keylogger employs low-level hooks (WH_KEYBOARD_LL) to intercept all keystrokes, including media keys, modifier combinations, and Unicode characters. The malware maintains a continuous message loop to dispatch captured events, correlating each keystroke with the foreground window title and the current keyboard layout.

Researchers have identified that TinkyWinkey dynamically detects layout changes through HKL handles, logging events when the victim switches between languages. This ensures accurate reconstruction of multilingual inputs, a capability often missing in simpler keyloggers.

Stealth and Resilience

TinkyWinkey’s infection strategy relies on service-based persistence and stealthy DLL injection. After establishing the “Tinky” service, the loader identifies the PID of a trusted process, such as explorer.exe, using a custom routine. It then allocates memory in the target process and writes the path to keylogger.dll.

A subsequent CreateRemoteThread call, pointing at LoadLibraryW, forces the trusted process to load the malicious DLL. This remote injection method conceals the keylogging code within a legitimate process, evading many endpoint protection solutions that monitor standalone executables. A final WaitForSingleObject call ensures the injection completes cleanly, preserving system stability and further concealing the compromise from forensic analysis.

TinkyWinkey’s combination of service execution and precise DLL injection achieves a high level of stealth and resilience, challenging traditional detection and removal strategies in modern Windows environments.
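The two behaviours described above, the auto-start “Tinky” service and the CreateRemoteThread/LoadLibraryW injection into explorer.exe, both leave Windows event-log traces. The following detection sketch is an added example, not code from the report or the malware; it runs simple heuristics over constructed records shaped like System log Event ID 7045 (service installed) and Sysmon Event ID 8 (CreateRemoteThread), and the path heuristics and field names are assumptions about the telemetry rather than indicators from the report.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample records (not real telemetry): System log Event ID 7045
# (service installed) and Sysmon Event ID 8 (CreateRemoteThread).
SAMPLE_EVENTS = [
    {"EventID": "7045", "ServiceName": "Tinky", "StartType": "auto start",
     "ImagePath": r"C:\Users\alice\AppData\Local\Temp\svc.exe"},
    {"EventID": "7045", "ServiceName": "Spooler", "StartType": "auto start",
     "ImagePath": r"C:\Windows\System32\spoolsv.exe"},
    {"EventID": "8", "StartFunction": "LoadLibraryW", "TargetImage": r"C:\Windows\explorer.exe",
     "SourceImage": r"C:\Users\alice\AppData\Local\Temp\svc.exe"},
    {"EventID": "8", "StartFunction": "RtlUserThreadStart", "TargetImage": r"C:\Program Files\Vendor\app.exe",
     "SourceImage": r"C:\Windows\System32\csrss.exe"},
]

USER_WRITABLE = re.compile(r"\\(Users|ProgramData|Temp)\\", re.IGNORECASE)  # assumed heuristic
IOC_SERVICE_NAMES = {"tinky"}                     # service name from the report
IOC_FILE_NAMES = {"winkey.exe", "keylogger.dll"}  # file names from the report
INJECTION_TARGETS = {"explorer.exe"}              # trusted host named in the report


def check_service_install(ev: dict) -> list[str]:
    """Heuristics for the auto-start 'Tinky' service persistence step."""
    hits, image = [], ev.get("ImagePath", "")
    if ev.get("ServiceName", "").lower() in IOC_SERVICE_NAMES or \
            PureWindowsPath(image).name.lower() in IOC_FILE_NAMES:
        hits.append("service name or binary matches a reported IoC")
    if ev.get("StartType", "").lower().startswith("auto") and USER_WRITABLE.search(image):
        hits.append("auto-start service binary lives in a user-writable path")
    return hits


def check_remote_thread(ev: dict) -> list[str]:
    """Heuristics for the CreateRemoteThread -> LoadLibraryW injection step."""
    hits = []
    if ev.get("StartFunction") in ("LoadLibraryW", "LoadLibraryA") and \
            PureWindowsPath(ev.get("TargetImage", "")).name.lower() in INJECTION_TARGETS:
        hits.append("remote thread starts at LoadLibrary inside a trusted process")
        if USER_WRITABLE.search(ev.get("SourceImage", "")):
            hits.append("injecting process runs from a user-writable path")
    return hits


def scan(events: list[dict]) -> dict[int, list[str]]:
    """Map event index -> findings for every event that trips a heuristic."""
    checks = {"7045": check_service_install, "8": check_remote_thread}
    results: dict[int, list[str]] = {}
    for i, ev in enumerate(events):
        hits = checks.get(ev.get("EventID"), lambda _ev: [])(ev)
        if hits:
            results[i] = hits
    return results
```

On the constructed sample, only the “Tinky” service record and the LoadLibraryW thread into explorer.exe are flagged; the Spooler service and the ordinary thread start are not.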