The CIA does not only depend on its in-house hackers to craft exploits for use in its spying activities. It also borrows code from malware that is in the wild, judging by the Vault 7 dump by WikiLeaks overnight.
One collection is named UMBRAGE, housing application development techniques borrowed from malware that already exists.
There are components for data collection, data destruction, persistence, stealth, privilege escalation, and others.
The goal of maintaining this repository is to provide snippets of code that can be used for building custom solutions.
{loadposition sam08}Among the snippets in the UMBRAGE collection is a DirectInput Keylogger, described as using the Microsoft DirectX API to collect keystrokes from any running application.
If you're writing about the CIA/@Wikileaks story, here's the big deal: first public evidence USG secretly paying to keep US software unsafe. pic.twitter.com/kYi0NC2mOp
— Edward Snowden (@Snowden) 7 March 2017
There is code from Microsoft itself; a Microsoft-supported method of collecting keystrokes from applications either running at the same or lower privilege levels.
Code from Shamoon, a well-known Windows malware, is present and is described as dropping "a signed driver (with an easily abused licence key) that provides raw disk access to the file system".
There is plenty more in this collection. And there are numerous collections like this.