No malware literally logs keys typed anymore. I cannot stress that point enough. Instead they log form submissions (e.g. POST requests) which give the malware author much more useful information they can data mine in an automated way (e.g. URL, named parameters, etc). This works even on a “secure” page (e.g. HTTPS with extended certificate).