Built-in Keylogger in MantisTek GK2 Keyboards

One of the most popular Keyboards in the gaming industry, 104-key Mantistek GK2 Mechanical Gaming Keyboard send data back to China.

A wrong keyboard could represent an entry point for any organization. One of the most popular Keyboards in the gaming industry, 104-key Mantistek GK2 Mechanical Gaming Keyboard seems to include a built-in Keylogger.

A number of gamers discovered that the keyboard, that costs around €49.66, allegedly includes a component that silently records everything the user type on the keyboard and sends them to a server maintained by the Alibaba Group.

A number of owners reported their discovery on an online forum to share this issue.

“GK2 owner here. everytime you open the “MANTISTEK Cloud Driver” it sends information to 47.90.52.88 which is tied to Alibaba.com LLC. when you open the page in browser it shows login page with moonrunes that translate to “Cloud mouse platform background management system”. reported an anonymous owner.

Data collected by the MantisTek keyboard software sends the collected data to the following destinations:

/cms/json/putkeyusedata.php

/cms/json/putuserevent.php

One of the owners shared the following screenshot that shows how all your plain-text keystrokes collected by the keyboard are being uploaded to a Chinese server located at IP address: 47.90.52.88.

At the time, it is not clear if the cloud service is owned by Alibaba or is used by one of its customers who paid for the service.

Opening the IP address in in the web browser it is displayed a Chinese login page, which translates to “Cloud mouse platform background management system” that is maintained by Shenzhen Cytec Technology Co., Ltd.

Mantistek GK2 keyboards

According to Tom’s Hardware, MantisTek keyboards utilize ‘Cloud Driver’ software, the software doesn’t send key presses to the server as initially thought but only the number of times a key was pressed.

“An earlier version of the article stated that the keyboard’s software was sending key presses. However, in a closer look, it seems that the Cloud Driver software doesn’t send the key presses to the Alibaba server but only how many times each key has been pressed.” reported Tom’s Hardware.

Tom’s Hardware provided instructions to stop MantisTek keyboards from sending data to the server, it suggested to check the MantisTek Cloud Driver software is not running in the background, and block the CMS.exe executable in your firewall, users can do it by adding a new firewall rule for the MantisTek Cloud Driver in the “Windows Defender Firewall With Advanced Security.”

“The first way to stop the keyboard from sending your key presses to the Alibaba server is to ensure the MantisTek Cloud Driver software isn’t running in the background.” suggested Tom’s Hardware.

“The second method to stop the data collection is to block the CMS.exe executable in your firewall. You could do this by adding a new firewall rule for the MantisTek Cloud Driver in the “Windows Defender Firewall With Advanced Security.”

Tushar Shinde

Certified Ethical Hacker,Technical Writer,

Leave a Reply

Your email address will not be published. Required fields are marked *