I have recently analysed a sample of what appears to be a newer version of Keybase.
Having been delivered as an executable inside a zip, the malware has the usual key logging capabilities as most trojans, utilising native API calls to hook keyboard processes and using HTTP to upload images of the desktop, the victims in this instance are being uploaded to a server which isn't as tightly managed as usual.
Here is the web panel
Here are the uploaded screenshots, appended with date and times.
Here are some screenshots of applications in use on the victims machines.
Someone about to do some online banking, which will capture keystrokes as well as the capability to take screenshots.
Someone placing an order for some materials via Outlook.com
We can see encoded in the HTTP stream the inclusions of specific keywords including, notepad which i launched and keystrokes included in the request to the C&C uploading the screenshots.