Cервис управления информационной безопасностью
Cервис управления информационной безопасностью
Поиск
Вход Регистрация
MITRE ATT&CK - Technique Screen Capture
RU
Риски
Каталоги
MITRE ATT&CK
Техника
Screen Capture
Куда я попал?
SECURITM это SGRC система, ? автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.
Подробнее
Наш канал

Screen Capture

Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as CopyFromScreen, xwd, or screencapture.(Citation: CopyFromScreen .NET)(Citation: Antiquated Mac Malware)

ID: T1113
Tactic(s): Collection
Platforms: Linux, Windows, macOS
Data Sources: Command: Command Execution, Process: OS API Execution
Version: 1.1
Created: 31 May 2017
Last Modified: 15 Apr 2025

Procedure Examples
Name Description
RCSession

RCSession can capture screenshots from a compromised host.(Citation: Profero APT27 December 2020)
RemoteUtilities

RemoteUtilities can take screenshots on a compromised host.(Citation: Trend Micro Muddy Water March 2021)
QuietSieve

QuietSieve has taken screenshots every five minutes and saved them to the user's local Application Data folder under `Temp\SymbolSourceSymbols\icons` or `Temp\ModeAuto\icons`.(Citation: Microsoft Actinium February 2022)
GRIFFON

GRIFFON has used a screenshot module that can be used to take a screenshot of the remote system.(Citation: SecureList Griffon May 2019)
yty

yty collects screenshots of the victim machine.(Citation: ASERT Donot March 2018)
DOGCALL

DOGCALL is capable of capturing screenshots of the victim's machine.(Citation: FireEye APT37 Feb 2018)(Citation: Unit 42 Nokki Oct 2018)
POWRUNER

POWRUNER can capture a screenshot from a victim.(Citation: FireEye APT34 Dec 2017)
SharpStage

SharpStage has the ability to capture the victim's screen.(Citation: Cybereason Molerats Dec 2020)(Citation: BleepingComputer Molerats Dec 2020)
HALFBAKED

HALFBAKED can obtain screenshots from the victim.(Citation: FireEye FIN7 April 2017)
KEYMARBLE

KEYMARBLE can capture screenshots of the victim’s machine.(Citation: US-CERT KEYMARBLE Aug 2018)
Sliver

Sliver can take screenshots of the victim’s active display.(Citation: GitHub Sliver Screen)
SILENTTRINITY

SILENTTRINITY can take a screenshot of the current desktop.(Citation: GitHub SILENTTRINITY Modules July 2019)
PowerSploit

PowerSploit's Get-TimedScreenshot Exfiltration module can take screenshots at regular intervals.(Citation: GitHub PowerSploit May 2012)(Citation: PowerSploit Documentation)
Ursnif

Ursnif has used hooked APIs to take screenshots.(Citation: TrendMicro Ursnif Mar 2015)(Citation: TrendMicro BKDR_URSNIF.SM)
ZLib

ZLib has the ability to obtain screenshots of the compromised system.(Citation: Cylance Dust Storm)
RedLeaves

RedLeaves can capture screenshots.(Citation: FireEye APT10 April 2017)(Citation: Accenture Hogfish April 2018)
Zeus Panda

Zeus Panda can take screenshots of the victim’s machine.(Citation: GDATA Zeus Panda June 2017)
Matryoshka

Matryoshka is capable of performing screen captures.(Citation: ClearSky Wilted Tulip July 2017)(Citation: CopyKittens Nov 2015)
Janicab

Janicab captured screenshots and sent them out to a C2 server.(Citation: f-secure janicab)(Citation: Janicab)
Kasidet

Kasidet has the ability to initiate keylogging and screen captures.(Citation: Zscaler Kasidet)
RainyDay

RainyDay has the ability to capture screenshots.(Citation: Bitdefender Naikon April 2021)
AppleSeed

AppleSeed can take screenshots on a compromised host by calling a series of APIs.(Citation: Malwarebytes Kimsuky June 2021)(Citation: KISA Operation Muzabi)
NETWIRE

NETWIRE can capture the victim's screen.(Citation: McAfee Netwire Mar 2015)(Citation: FireEye NETWIRE March 2019)(Citation: Red Canary NETWIRE January 2020)(Citation: Proofpoint NETWIRE December 2020)
CosmicDuke

CosmicDuke takes periodic screenshots and exfiltrates them.(Citation: F-Secure Cosmicduke)
EvilGrab

EvilGrab has the capability to capture screenshots.(Citation: PWC Cloud Hopper Technical Annex April 2017)
Aria-body

Aria-body has the ability to capture screenshots on compromised hosts.(Citation: CheckPoint Naikon May 2020)
Crimson

Crimson contains a command to perform screen captures.(Citation: Proofpoint Operation Transparent Tribe March 2016)(Citation: Kaspersky Transparent Tribe August 2020)(Citation: Cisco Talos Transparent Tribe Education Campaign July 2022)
DUSTTRAP

DUSTTRAP can capture screenshots.(Citation: Google Cloud APT41 2024)
Empire

Empire is capable of capturing screenshots on Windows and macOS systems.(Citation: Github PowerShell Empire)
Turian

Turian has the ability to take screenshots.(Citation: ESET BackdoorDiplomacy Jun 2021)
BADHATCH

BADHATCH can take screenshots and send them to an actor-controlled C2 server.(Citation: BitDefender BADHATCH Mar 2021)
Machete

Machete captures screenshots.(Citation: ESET Machete July 2019)(Citation: Securelist Machete Aug 2014)(Citation: Cylance Machete Mar 2017)(Citation: 360 Machete Sep 2020)
Prikormka

Prikormka contains a module that captures screenshots of the victim's desktop.(Citation: ESET Operation Groundbait)
PcShare

PcShare can take screen shots of a compromised machine.(Citation: Bitdefender FunnyDream Campaign November 2020)
Woody RAT

Woody RAT has the ability to take a screenshot of the infected host desktop using Windows GDI+.(Citation: MalwareBytes WoodyRAT Aug 2022)

Mafalda

Mafalda can take a screenshot of the target machine and save it to a file.(Citation: SentinelLabs Metador Sept 2022)
SHUTTERSPEED

SHUTTERSPEED can capture screenshots.(Citation: FireEye APT37 Feb 2018)
FlawedAmmyy

FlawedAmmyy can capture screenshots.(Citation: Korean FSI TA505 2020)
Cuckoo Stealer

Cuckoo Stealer can run `screencapture` to collect screenshots from compromised hosts. (Citation: Kandji Cuckoo April 2024)
InvisiMole

InvisiMole can capture screenshots of not only the entire screen, but of each separate window open, in case they are overlapping.(Citation: ESET InvisiMole June 2018)(Citation: ESET InvisiMole June 2020)
FruitFly

FruitFly takes screenshots of the user's desktop.(Citation: objsee mac malware 2017)
RDAT

RDAT can take a screenshot on the infected system.(Citation: Unit42 RDAT July 2020)

TRANSLATEXT

TRANSLATEXT has the ability to capture screenshots of new browser tabs, based on the presence of the `Capture` flag.(Citation: Zscaler Kimsuky TRANSLATEXT)

Mispadu

Mispadu has the ability to capture screenshots on compromised hosts.(Citation: SCILabs Malteiro 2021)(Citation: SCILabs URSA/Mispadu Evolution 2023)(Citation: ESET Security Mispadu Facebook Ads 2019)(Citation: Metabase Q Mispadu Trojan 2023)

VERMIN

VERMIN can perform screen captures of the victim’s machine.(Citation: Unit 42 VERMIN Jan 2018)
MarkiRAT

MarkiRAT can capture screenshots that are initially saved as ‘scr.jpg’.(Citation: Kaspersky Ferocious Kitten Jun 2021)
Kazuar

Kazuar captures screenshots of the victim’s screen.(Citation: Unit 42 Kazuar May 2017)
POORAIM

POORAIM can perform screen capturing.(Citation: FireEye APT37 Feb 2018)
CHIMNEYSWEEP

CHIMNEYSWEEP can capture screenshots on targeted systems using a timer and either upload them or store them to disk.(Citation: Mandiant ROADSWEEP August 2022)
BlackEnergy

BlackEnergy is capable of taking screenshots.(Citation: Securelist BlackEnergy Nov 2014)
Chrommme

Chrommme has the ability to capture screenshots.(Citation: ESET Gelsemium June 2021)
ObliqueRAT

ObliqueRAT can capture a screenshot of the current screen.(Citation: Talos Oblique RAT March 2021)

XAgentOSX

XAgentOSX contains the takeScreenShot (along with startTakeScreenShot and stopTakeScreenShot) functions to take screenshots using the CGGetActiveDisplayList, CGDisplayCreateImage, and NSImage:initWithCGImage methods.(Citation: XAgentOSX 2017)
LightSpy

LightSpy uses Apple's built-in AVFoundation Framework library to access the user's camera and screen. It uses the `AVCaptureStillImage` to take a picture using the user's camera and the `AVCaptureScreen` to take a screenshot or record the user's screen for a specified period of time.(Citation: Huntress LightSpy macOS 2024)
KeyBoy

KeyBoy has a command to perform screen grabbing.(Citation: PWC KeyBoys Feb 2017)
HyperBro

HyperBro has the ability to take screenshots.(Citation: Unit42 Emissary Panda May 2019)
Pteranodon

Pteranodon can capture screenshots at a configurable interval.(Citation: Palo Alto Gamaredon Feb 2017)(Citation: Unit 42 Gamaredon February 2022)
ROKRAT

ROKRAT can capture screenshots of the infected system using the `gdi32` library.(Citation: Talos ROKRAT)(Citation: Talos ROKRAT 2)(Citation: Securelist ScarCruft May 2019)(Citation: NCCGroup RokRat Nov 2018)(Citation: Malwarebytes RokRAT VBA January 2021)
PlugX

PlugX allows the operator to capture screenshots.(Citation: CIRCL PlugX March 2013)
Lumma Stealer

Lumma Stealer has taken screenshots of victim machines.(Citation: Cybereason LumaStealer Undated)
DustySky

DustySky captures PNG screenshots of the main screen.(Citation: Kaspersky MoleRATs April 2019)
AsyncRAT

AsyncRAT has the ability to view the screen on compromised hosts.(Citation: AsyncRAT GitHub)
Rover

Rover takes screenshots of the compromised system's desktop and saves them to C:\system\screenshot.bmp for exfiltration every 60 minutes.(Citation: Palo Alto Rover)
Peppy

Peppy can take screenshots on targeted systems.(Citation: Proofpoint Operation Transparent Tribe March 2016)
Clambling

Clambling has the ability to capture screenshots.(Citation: Trend Micro DRBControl February 2020)
Agent Tesla

Agent Tesla can capture screenshots of the victim’s desktop.(Citation: Talos Agent Tesla Oct 2018)(Citation: DigiTrust Agent Tesla Jan 2017)(Citation: Fortinet Agent Tesla April 2018)(Citation: Fortinet Agent Tesla June 2017)(Citation: Bitdefender Agent Tesla April 2020)
SVCReady

SVCReady can take a screenshot from an infected host.(Citation: HP SVCReady Jun 2022)
Carbanak

Carbanak performs desktop video recording and captures screenshots of the desktop and sends it to the C2 server.(Citation: FireEye CARBANAK June 2017)
Hydraq

Hydraq includes a component based on the code of VNC that can stream a live feed of the desktop of an infected host.(Citation: Symantec Hydraq Jan 2010)
Brute Ratel C4

Brute Ratel C4 can take screenshots on compromised hosts.(Citation: Palo Alto Brute Ratel July 2022)
Chaes

Chaes can capture screenshots of the infected machine.(Citation: Cybereason Chaes Nov 2020)
CharmPower

CharmPower has the ability to capture screenshots.(Citation: Check Point APT35 CharmPower January 2022)
Remcos

Remcos takes automated screenshots of the infected machine.(Citation: Riskiq Remcos Jan 2018)
SMOKEDHAM

SMOKEDHAM can capture screenshots of the victim’s desktop.(Citation: FireEye Shining A Light on DARKSIDE May 2021)(Citation: FireEye SMOKEDHAM June 2021)
Metamorfo

Metamorfo can collect screenshots of the victim’s machine.(Citation: FireEye Metamorfo Apr 2018)(Citation: ESET Casbaneiro Oct 2019)

Trojan.Karagany

Trojan.Karagany can take a desktop screenshot and save the file into \ProgramData\Mail\MailAg\shot.png.(Citation: Symantec Dragonfly)(Citation: Secureworks Karagany July 2019)
Bandook

Bandook is capable of taking an image of and uploading the current desktop.(Citation: Lookout Dark Caracal Jan 2018)(Citation: CheckPoint Bandook Nov 2020)
ConnectWise

ConnectWise can take screenshots on remote hosts.(Citation: Anomali Static Kitten February 2021)
KONNI

KONNI can take screenshots of the victim’s machine.(Citation: Talos Konni May 2017)
T9000

T9000 can take screenshots of the desktop and target application windows, saving them to user directories as one byte XOR encrypted .dat files.(Citation: Palo Alto T9000 Feb 2016)
gh0st RAT

gh0st RAT can capture the victim’s screen remotely.(Citation: Nccgroup Gh0st April 2018)
JHUHUGIT

A JHUHUGIT variant takes screenshots by simulating the user pressing the "Take Screenshot" key (VK_SCREENSHOT), accessing the screenshot saved in the clipboard, and converting it to a JPG image.(Citation: Unit 42 Playbook Dec 2017)(Citation: Talos Seduploader Oct 2017)
BLUELIGHT

BLUELIGHT has captured a screenshot of the display every 30 seconds for the first 5 minutes after initiating a C2 loop, and then once every five minutes thereafter.(Citation: Volexity InkySquid BLUELIGHT August 2021)
Micropsia

Micropsia takes screenshots every 90 seconds by calling the Gdi32.BitBlt API.(Citation: Radware Micropsia July 2018)
Catchamas

Catchamas captures screenshots based on specific keywords in the window’s title.(Citation: Symantec Catchamas April 2018)
StoneDrill

StoneDrill can take screenshots.(Citation: Kaspersky StoneDrill 2017)

RogueRobin

RogueRobin has a command named $screenshot that may be responsible for taking screenshots of the victim machine.(Citation: Unit 42 DarkHydrus July 2018)
Attor

Attor's has a plugin that captures screenshots of the target applications.(Citation: ESET Attor Oct 2019)
LitePower

LitePower can take system screenshots and save them to `%AppData%`.(Citation: Kaspersky WIRTE November 2021)
NightClub

NightClub can load a module to call `CreateCompatibleDC` and `GdipSaveImageToStream` for screen capture.(Citation: MoustachedBouncer ESET August 2023)
RTM

RTM can capture screenshots.(Citation: ESET RTM Feb 2017)(Citation: Unit42 Redaman January 2019)
Derusbi

Derusbi is capable of performing screen captures.(Citation: FireEye Periscope March 2018)
BadPatch

BadPatch captures screenshots in .jpg format and then exfiltrates them.(Citation: Unit 42 BadPatch Oct 2017)
XLoader

XLoader can capture screenshots on compromised hosts.(Citation: Google XLoader 2017)(Citation: Netskope XLoader 2022)
Zebrocy

A variant of Zebrocy captures screenshots of the victim’s machine in JPEG and BMP format.(Citation: Unit42 Cannon Nov 2018)(Citation: ESET Zebrocy Nov 2018)(Citation: Unit42 Sofacy Dec 2018)(Citation: ESET Zebrocy May 2019)(Citation: Accenture SNAKEMACKEREL Nov 2018)(Citation: CISA Zebrocy Oct 2020)
FinFisher

FinFisher takes a screenshot of the screen and displays it on top of all other windows for few seconds in an apparent attempt to hide some messages showed by the system during the setup process.(Citation: FinFisher Citation)(Citation: Microsoft FinFisher March 2018)
LunarMail

LunarMail can capture screenshots from compromised hosts.(Citation: ESET Turla Lunar toolset May 2024)
CrossRAT

CrossRAT is capable of taking screen captures.(Citation: Lookout Dark Caracal Jan 2018)
Cadelspy

Cadelspy has the ability to capture screenshots and webcam photos.(Citation: Symantec Chafer Dec 2015)
Cobalt Strike

Cobalt Strike's "beacon" payload is capable of capturing screenshots.(Citation: cobaltstrike manual)
Cobalt Strike

Cobalt Strike's Beacon payload is capable of capturing screenshots.(Citation: cobaltstrike manual)(Citation: Amnesty Intl. Ocean Lotus February 2021)(Citation: Cobalt Strike Manual 4.3 November 2020)
Cobian RAT

Cobian RAT has a feature to perform screen capture.(Citation: Zscaler Cobian Aug 2017)
HotCroissant

HotCroissant has the ability to do real time screen viewing on an infected host.(Citation: Carbon Black HotCroissant April 2020)
Valak

Valak has the ability to take screenshots on a compromised host.(Citation: Cybereason Valak May 2020)

Kivars

Kivars has the ability to capture screenshots on the infected host.(Citation: TrendMicro BlackTech June 2017)
TajMahal

TajMahal has the ability to take screenshots on an infected host including capturing content from windows of instant messaging applications.(Citation: Kaspersky TajMahal April 2019)
Raccoon Stealer

Raccoon Stealer can capture screenshots from victim systems.(Citation: S2W Racoon 2022)(Citation: Sekoia Raccoon2 2022)
Daserf

Daserf can take screenshots.(Citation: Trend Micro Daserf Nov 2017)(Citation: Secureworks BRONZE BUTLER Oct 2017)
Cardinal RAT

Cardinal RAT can capture screenshots.(Citation: PaloAlto CardinalRat Apr 2017)
BISCUIT

BISCUIT has a command to periodically take screenshots of the system.(Citation: Mandiant APT1 Appendix)
Ramsay

Ramsay can take screenshots every 30 seconds as well as when an external removable storage device is connected.(Citation: Antiy CERT Ramsay April 2020)
Carberp

Carberp can capture display screenshots with the screens_dll.dll plugin.(Citation: Prevx Carberp March 2011)
NKAbuse

NKAbuse can take screenshots of the victim machine.(Citation: NKAbuse SL)
Revenge RAT

Revenge RAT has a plugin for screen capture.(Citation: Cylance Shaheen Nov 2018)
MacMa

MacMa has used Apple’s Core Graphic APIs, such as `CGWindowListCreateImageFromArray`, to capture the user's screen and open windows.(Citation: ESET DazzleSpy Jan 2022)(Citation: Objective-See MacMa Nov 2021)
FunnyDream

The FunnyDream ScreenCap component can take screenshots on a compromised host.(Citation: Bitdefender FunnyDream Campaign November 2020)
SysUpdate

SysUpdate has the ability to capture screenshots.(Citation: Trend Micro Iron Tiger April 2021)
TinyZBot

TinyZBot contains screen capture functionality.(Citation: Cylance Cleaver)
Proton

Proton captures the content of the desktop with the screencapture binary.(Citation: objsee mac malware 2017)
LookBack

LookBack can take desktop screenshots.(Citation: Proofpoint LookBack Malware Aug 2019)
Pupy

Pupy can drop a mouse-logger that will take small screenshots around at each click and then send back to the server.(Citation: GitHub Pupy)
PoetRAT

PoetRAT has the ability to take screen captures.(Citation: Talos PoetRAT April 2020)(Citation: Dragos Threat Report 2020)
CHOPSTICK

CHOPSTICK has the capability to capture screenshots.(Citation: DOJ GRU Indictment Jul 2018)
ZxShell

ZxShell can capture screenshots.(Citation: FireEye APT41 Aug 2019)
Cannon

Cannon can take a screenshot of the desktop.(Citation: Unit42 Cannon Nov 2018)
Troll Stealer

Troll Stealer can capture screenshots from victim machines.(Citation: S2W Troll Stealer 2024)(Citation: Symantec Troll Stealer 2024)
njRAT

njRAT can capture screenshots of the victim’s machines.(Citation: Trend Micro njRAT 2018)
TURNEDUP

TURNEDUP is capable of taking screenshots.(Citation: FireEye APT33 Sept 2017)
POWERSTATS

POWERSTATS can retrieve screenshots from compromised hosts.(Citation: FireEye MuddyWater Mar 2018)(Citation: TrendMicro POWERSTATS V3 June 2019)
Manjusaka

Manjusaka can take screenshots of the victim desktop.(Citation: Talos Manjusaka 2022)
metaMain

metaMain can take and save screenshots.(Citation: SentinelLabs Metador Sept 2022)(Citation: SentinelLabs Metador Technical Appendix Sept 2022)
XCSSET

XCSSET saves a screen capture of the victim's system with a numbered filename and .jpg extension. Screen captures are taken at specified intervals based on the system. (Citation: trendmicro xcsset xcode project 2020)
Octopus

Octopus can capture screenshots of the victims’ machine.(Citation: Securelist Octopus Oct 2018)(Citation: Security Affairs DustSquad Oct 2018)(Citation: ESET Nomadic Octopus 2018)
Socksbot

Socksbot can take screenshots.(Citation: TrendMicro Patchwork Dec 2017)
ECCENTRICBANDWAGON

ECCENTRICBANDWAGON can capture screenshots and store them locally.(Citation: CISA EB Aug 2020)
BADNEWS

BADNEWS has a command to take a screenshot and send it to the C2 server.(Citation: Forcepoint Monsoon)(Citation: PaloAlto Patchwork Mar 2018)
Remexi

Remexi takes screenshots of windows of interest.(Citation: Securelist Remexi Jan 2019)
jRAT

jRAT has the capability to take screenshots of the victim’s machine.(Citation: jRAT Symantec Aug 2018)(Citation: Kaspersky Adwind Feb 2016)
MacSpy

MacSpy can capture screenshots of the desktop over multiple monitors.(Citation: objsee mac malware 2017)
Lizar

Lizar can take JPEG screenshots of an infected system.(Citation: Threatpost Lizar May 2021)(Citation: BiZone Lizar May 2021)

Azorult

Azorult can capture screenshots of the victim’s machines.(Citation: Unit42 Azorult Nov 2018)
UPPERCUT

UPPERCUT can capture desktop screenshots in the PNG format and send them to the C2 server.(Citation: FireEye APT10 Sept 2018)
StrifeWater

StrifeWater has the ability to take screen captures.(Citation: Cybereason StrifeWater Feb 2022)
Quick Assist

Quick Assist allows for the remote administrator to take screenshots of the running system.(Citation: Microsoft Quick Assist 2024)
SLOTHFULMEDIA

SLOTHFULMEDIA has taken a screenshot of a victim's desktop, named it "Filter3.jpg", and stored it in the local directory.(Citation: CISA MAR SLOTHFULMEDIA October 2020)
Flame

Flame can take regular screenshots when certain applications are open that are sent to the command and control server.(Citation: Kaspersky Flame)
APT28

APT28 has used tools to take screenshots from victims.(Citation: ESET Sednit Part 2)(Citation: XAgentOSX 2017)(Citation: DOJ GRU Indictment Jul 2018)(Citation: Secureworks IRON TWILIGHT Active Measures March 2017)
Gamaredon Group

Gamaredon Group's malware can take screenshots of the compromised computer every minute.(Citation: ESET Gamaredon June 2020)

APT39

APT39 has used a screen capture utility to take screenshots on a compromised host.(Citation: Symantec Chafer February 2018)(Citation: FBI FLASH APT39 September 2020)
MuddyWater

MuddyWater has used malware that can capture screenshots of the victim’s machine.(Citation: Securelist MuddyWater Oct 2018)
Dragonfly 2.0

Dragonfly 2.0 has performed screen captures of victims, including by using a tool, scr.exe (which matched the hash of ScreenUtil).(Citation: US-CERT TA18-074A)(Citation: Symantec Dragonfly Sept 2017)
BRONZE BUTLER

BRONZE BUTLER has used a tool to capture screenshots.(Citation: Secureworks BRONZE BUTLER Oct 2017)(Citation: Trend Micro Tick November 2019)
Silence

Silence can capture victim screen activity.(Citation: SecureList Silence Nov 2017)(Citation: Group IB Silence Sept 2018)
MoustachedBouncer

MoustachedBouncer has used plugins to take screenshots on targeted systems.(Citation: MoustachedBouncer ESET August 2023)
Group5

Malware used by Group5 is capable of watching the victim's screen.(Citation: Citizen Lab Group5)
Dragonfly

Dragonfly has performed screen captures of victims, including by using a tool, scr.exe (which matched the hash of ScreenUtil).(Citation: US-CERT TA18-074A)(Citation: Symantec Dragonfly Sept 2017)(Citation: Gigamon Berserk Bear October 2021)
OilRig

OilRig has a tool called CANDYKING to capture a screenshot of user's desktop.(Citation: FireEye APT34 Webinar Dec 2017)
FIN7

FIN7 captured screenshots and desktop video recordings.(Citation: DOJ FIN7 Aug 2018)
Volt Typhoon

Volt Typhoon has obtained a screenshot of the victim's system using the gdi32.dll and gdiplus.dll libraries.(Citation: CISA AA24-038A PRC Critical Infrastructure February 2024)
Kimsuky

Kimsuky has captured browser screenshots using TRANSLATEXT.(Citation: Zscaler Kimsuky TRANSLATEXT)

Magic Hound

Magic Hound malware can take a screenshot and upload the file to its C2 server.(Citation: Unit 42 Magic Hound Feb 2017)
APT42

APT42 has used malware, such as GHAMBAR and POWERPOST, to take screenshots.(Citation: Mandiant APT42-charms)

GOLD SOUTHFIELD

GOLD SOUTHFIELD has used the remote monitoring and management tool ConnectWise to obtain screen captures from victim's machines.(Citation: Tetra Defense Sodinokibi March 2020)
Winter Vivern

Winter Vivern delivered PowerShell scripts capable of taking screenshots of victim machines.(Citation: CERT-UA WinterVivern 2023)
Dark Caracal

Dark Caracal took screenshots using their Windows malware.(Citation: Lookout Dark Caracal Jan 2018)

Mitigations
Mitigation Description
Screen Capture Mitigation

Blocking software based on screen capture functionality may be difficult, and there may be legitimate software that performs those actions. Instead, identify potentially malicious software that may have functionality to acquire screen captures, and audit and/or block it by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)

Detection

Monitoring for screen capture behavior will depend on the method used to obtain data from the operating system and write output files. Detection methods could include collecting information from unusual processes using API calls used to obtain image data, and monitoring for image files written to disk. The sensor data may need to be correlated with other events to identify malicious activity, depending on the legitimacy of this behavior within a given network environment.

References

  1. Kaspersky Lab. (2017, March 7). From Shamoon to StoneDrill: Wipers attacking Saudi organizations and beyond. Retrieved March 14, 2019.
  2. PwC and BAE Systems. (2017, April). Operation Cloud Hopper: Technical Annex. Retrieved April 13, 2017.
  3. Mike Stokkel et al. (2024, July 18). APT41 Has Arisen From the DUST. Retrieved September 16, 2024.
  4. ESET Research. (2019, October 3). Casbaneiro: peculiarities of this banking Trojan that affects Brazil and Mexico. Retrieved September 23, 2021.
  5. Global Threat Center, Intelligence Team. (2020, December). APT27 Turns to Ransomware. Retrieved November 12, 2021.
  6. Kohler, A. and Lopez, C. (2024, April 30). Malware: Cuckoo Behaves Like Cross Between Infostealer and Spyware. Retrieved August 20, 2024.
  7. GReAT. (2019, April 10). Project TajMahal – a sophisticated new APT framework. Retrieved October 14, 2019.
  8. Pantazopoulos, N. (2018, April 17). Decoding network data from a Gh0st RAT variant. Retrieved November 2, 2018.
  9. CISA et al.. (2024, February 7). PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure. Retrieved May 15, 2024.
  10. FireEye. (2021, May 11). Shining a Light on DARKSIDE Ransomware Operations. Retrieved September 22, 2021.
  11. Antiy CERT. (2020, April 20). Analysis of Ramsay components of Darkhotel's infiltration and isolation network. Retrieved March 24, 2021.
  12. Proofpoint. (2020, December 2). Geofenced NetWire Campaigns. Retrieved January 7, 2021.
  13. ClearSky Cyber Security and Trend Micro. (2017, July). Operation Wilted Tulip: Exposing a cyber espionage apparatus. Retrieved August 21, 2017.
  14. BishopFox. (n.d.). Sliver Screenshot. Retrieved September 16, 2021.
  15. Wardle, P. (2021, November 11). OSX.CDDS (OSX.MacMa). Retrieved June 30, 2022.
  16. Scott-Railton, J., et al. (2016, August 2). Group5: Syria and the Iranian Connection. Retrieved September 26, 2016.
  17. Arsene, L. (2020, April 21). Oil & Gas Spearphishing Campaigns Drop Agent Tesla Spyware in Advance of Historic OPEC+ Deal. Retrieved May 19, 2020.
  18. Jazi, H. (2021, June 1). Kimsuky APT continues to target South Korean government using AppleSeed backdoor. Retrieved June 10, 2021.
  19. Check Point. (2022, January 11). APT35 exploits Log4j vulnerability to distribute new modular PowerShell toolkit. Retrieved January 24, 2022.
  20. Salem, E. et al. (2020, May 28). VALAK: MORE THAN MEETS THE EYE . Retrieved June 19, 2020.
  21. F-Secure Labs. (2014, July). COSMICDUKE Cosmu with a twist of MiniDuke. Retrieved July 3, 2014.
  22. Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE HIDDEN PART OF THE STORY. Retrieved July 16, 2020.
  23. Bennett, J., Vengerik, B. (2017, June 12). Behind the CARBANAK Backdoor. Retrieved June 11, 2018.
  24. Tsarfaty, Y. (2018, July 25). Micropsia Malware. Retrieved November 13, 2018.
  25. Check Point. (2020, November 26). Bandook: Signed & Delivered. Retrieved May 31, 2021.
  26. Parys, B. (2017, February 11). The KeyBoys are back in town. Retrieved June 13, 2019.
  27. GReAT. (2021, June 16). Ferocious Kitten: 6 Years of Covert Surveillance in Iran. Retrieved September 22, 2021.
  28. kate. (2020, September 25). APT-C-43 steals Venezuelan military secrets to provide intelligence support for the reactionaries — HpReact campaign. Retrieved November 20, 2020.
  29. PowerSploit. (n.d.). PowerSploit. Retrieved February 6, 2018.
  30. Nyan-x-Cat. (n.d.). NYAN-x-CAT / AsyncRAT-C-Sharp. Retrieved October 3, 2023.
  31. N. Baisini. (2022, July 13). Transparent Tribe begins targeting education sector in latest campaign. Retrieved September 22, 2022.
  32. FinFisher. (n.d.). Retrieved September 12, 2024.
  33. Sardiwal, M, et al. (2017, December 7). New Targeted Attack in the Middle East by APT34, a Suspected Iranian Threat Group, Using CVE-2017-11882 Exploit. Retrieved December 20, 2017.
  34. Accenture Security. (2018, November 29). SNAKEMACKEREL. Retrieved April 15, 2019.
  35. Department of Justice. (2018, August 01). HOW FIN7 ATTACKED AND STOLE DATA. Retrieved August 24, 2018.
  36. KASPERSKY GERT. (2023, December 14). Unveiling NKAbuse: a new multiplatform threat abusing the NKN protocol. Retrieved February 8, 2024.
  37. Faou, M. and Boutin, J. (2017, February). Read The Manual: A Guide to the RTM Banking Trojan. Retrieved March 9, 2017.
  38. Secureworks. (2019, July 24). Updated Karagany Malware Targets Energy Sector. Retrieved August 12, 2020.
  39. Financial Security Institute. (2020, February 28). Profiling of TA505 Threat Group That Continues to Attack the Financial Sector. Retrieved July 14, 2022.
  40. BI.ZONE Cyber Threats Research Team. (2021, May 13). From pentest to APT attack: cybercriminal group FIN7 disguises its malware as an ethical hacker’s toolkit. Retrieved February 2, 2022.
  41. Mandiant. (n.d.). APT42: Crooked Charms, Cons and Compromises. Retrieved October 9, 2024.
  42. Ilascu, I. (2020, December 14). Hacking group’s new malware abuses Google and Facebook services. Retrieved December 28, 2020.
  43. Zhang, X. (2018, April 05). Analysis of New Agent Tesla Spyware Variant. Retrieved November 5, 2018.
  44. ESET Research. (2019, May 22). A journey to Zebrocy land. Retrieved June 20, 2019.
  45. Minerva Labs LTD and ClearSky Cyber Security. (2015, November 23). CopyKittens Attack Group. Retrieved November 17, 2024.
  46. M.Léveillé, M., Cherepanov, A.. (2022, January 25). Watering hole deploys new macOS malware, DazzleSpy, in Asia. Retrieved May 6, 2022.
  47. SCILabs. (2021, December 23). Cyber Threat Profile Malteiro. Retrieved March 13, 2024.
  48. Accenture Security. (2018, April 23). Hogfish Redleaves Campaign. Retrieved July 2, 2018.
  49. The Cylance Threat Research Team. (2017, March 22). El Machete's Malware Attacks Cut Through LATAM. Retrieved September 13, 2019.
  50. Faou, M. (2023, August 10). MoustachedBouncer: Espionage against foreign diplomats in Belarus. Retrieved September 25, 2023.
  51. Thomas. (2013, July 15). New signed malware called Janicab. Retrieved July 17, 2017.
  52. Vrabie, V. (2020, November). Dissecting a Chinese APT Targeting South Eastern Asian Government Institutions. Retrieved September 19, 2022.
  53. S2W TALON. (2022, June 16). Raccoon Stealer is Back with a New Version. Retrieved August 1, 2024.
  54. Dedola, G. (2020, August 20). Transparent Tribe: Evolution analysis, part 1. Retrieved September 2, 2021.
  55. Jiho Kim & Sebin Lee, S2W. (2024, February 7). Kimsuky disguised as a Korean company signed with a valid certificate to distribute Troll Stealer (English ver.). Retrieved January 17, 2025.
  56. Yamout, M. (2021, November 29). WIRTE’s campaign in the Middle East ‘living off the land’ since at least 2019. Retrieved February 1, 2022.
  57. Kaspersky Lab's Global Research & Analysis Team. (2018, October 10). MuddyWater expands operations. Retrieved November 2, 2018.
  58. FireEye. (2021, June 16). Smoking Out a DARKSIDE Affiliate’s Supply Chain Software Compromise. Retrieved September 22, 2021.
  59. Dragos. (n.d.). ICS Cybersecurity Year in Review 2020. Retrieved February 25, 2021.
  60. SCILabs. (2023, May 23). Evolution of banking trojan URSA/Mispadu. Retrieved March 13, 2024.
  61. Knight, S.. (2020, April 16). VMware Carbon Black TAU Threat Analysis: The Evolution of Lazarus. Retrieved May 1, 2020.
  62. Computer Incident Response Center Luxembourg. (2013, March 29). Analysis of a PlugX variant. Retrieved November 5, 2018.
  63. Raggi, M. Schwarz, D.. (2019, August 1). LookBack Malware Targets the United States Utilities Sector with Phishing Attacks Impersonating Engineering Licensing Boards. Retrieved February 25, 2021.
  64. Vrabie, V., et al. (2021, March 10). FIN8 Returns with Improved BADHATCH Toolkit. Retrieved September 8, 2021.
  65. Paganini, P. (2018, October 16). Russia-linked APT group DustSquad targets diplomatic entities in Central Asia. Retrieved August 24, 2021.
  66. Thomas Reed. (2017, January 18). New Mac backdoor using antiquated code. Retrieved July 5, 2017.
  67. GReAT. (2017, November 1). Silence – a new Trojan attacking financial organizations. Retrieved May 24, 2019.
  68. Allievi, A.,Flori, E. (2018, March 01). FinFisher exposed: A researcher’s tale of defeating traps, tricks, and complex virtual machines. Retrieved July 9, 2018.
  69. Gustavo Palazolo, Netskope. (2022, March 11). New Formbook Campaign Delivered Through Phishing Emails. Retrieved March 11, 2025.
  70. Ray, V., Hayashi, K. (2016, February 29). New Malware ‘Rover’ Targets Indian Ambassador to Afghanistan. Retrieved February 29, 2016.
  71. Cherepanov, A.. (2016, May 17). Operation Groundbait: Analysis of a surveillance toolkit. Retrieved May 18, 2016.
  72. Baumgartner, K. and Garnaeva, M.. (2014, November 3). BE2 custom plugins, router abuse, and target profiles. Retrieved March 24, 2016.
  73. ESET. (2018, November 20). Sednit: What’s going on with Zebrocy?. Retrieved February 12, 2019.
  74. The DigiTrust Group. (2017, January 12). The Rise of Agent Tesla. Retrieved November 5, 2018.
  75. Strategic Cyber LLC. (2020, November 5). Cobalt Strike: Advanced Threat Tactics for Penetration Testers. Retrieved April 13, 2021.
  76. CheckPoint. (2020, May 7). Naikon APT: Cyber Espionage Reloaded. Retrieved May 26, 2020.
  77. KISA. (2021). Phishing Target Reconnaissance and Attack Resource Analysis Operation Muzabi. Retrieved March 8, 2024.
  78. Klijnsma, Y. (2018, January 23). Espionage Campaign Leverages Spear Phishing, RATs Against Turkish Defense Contractors. Retrieved November 6, 2018.
  79. DHS/CISA, Cyber National Mission Force. (2020, October 1). Malware Analysis Report (MAR) MAR-10303705-1.v1 – Remote Access Trojan: SLOTHFULMEDIA. Retrieved October 2, 2020.
  80. Matsuda, A., Muhammad I. (2018, September 13). APT10 Targeting Japanese Corporations Using Updated TTPs. Retrieved September 17, 2018.
  81. ESET. (2019, July). MACHETE JUST GOT SHARPER Venezuelan government institutions under attack. Retrieved September 13, 2019.
  82. Nart Villeneuve, Randi Eitzman, Sandor Nemes & Tyler Dean, Google Cloud. (2017, October 5). Significant FormBook Distribution Campaigns Impacting the U.S. and South Korea. Retrieved March 11, 2025.
  83. Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. Retrieved April 11, 2018.
  84. US-CERT. (2018, August 09). MAR-10135536-17 – North Korean Trojan: KEYMARBLE. Retrieved August 16, 2018.
  85. US-CERT. (2018, March 16). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved June 6, 2018.
  86. Pascual, C. (2018, November 27). AutoIt-Compiled Worm Affecting Removable Media Delivers Fileless Version of BLADABINDI/njRAT Backdoor. Retrieved June 4, 2019.
  87. Strategic Cyber LLC. (2017, March 14). Cobalt Strike Manual. Retrieved May 24, 2017.
  88. Lelli, A. (2010, January 11). Trojan.Hydraq. Retrieved February 20, 2018.
  89. Lee, B. and Falcone, R. (2017, February 15). Magic Hound Campaign Attacks Saudi Targets. Retrieved December 27, 2017.
  90. Cash, D., Grunzweig, J., Meltzer, M., Adair, S., Lancaster, T. (2021, August 17). North Korean APT InkySquid Infects Victims Using Browser Exploits. Retrieved September 30, 2021.
  91. Symantec Threat Hunter Team. (2024, May 16). Springtail: New Linux Backdoor Added to Toolkit. Retrieved January 17, 2025.
  92. Symantec Security Response. (2014, July 7). Dragonfly: Western energy sector targeted by sophisticated attack group. Retrieved September 9, 2017.
  93. Malhotra, A. (2021, March 2). ObliqueRAT returns with new campaign using hijacked websites. Retrieved September 2, 2021.
  94. Brumaghin, E., et al. (2018, October 15). Old dog, new tricks - Analysing new RTF-based campaign distributing Agent Tesla, Loki with PyREbox. Retrieved November 5, 2018.
  95. Symantec. (2018, February 28). Chafer: Latest Attacks Reveal Heightened Ambitions. Retrieved May 22, 2020.
  96. Patrick Wardle. (n.d.). Mac Malware of 2017. Retrieved September 21, 2018.
  97. Peretz, A. and Theck, E. (2021, March 5). Earth Vetala – MuddyWater Continues to Target Organizations in the Middle East. Retrieved March 18, 2021.
  98. Seals, T. (2021, May 14). FIN7 Backdoor Masquerades as Ethical Hacking Tool. Retrieved February 2, 2022.
  99. Bar, T., Conant, S. (2017, October 20). BadPatch. Retrieved November 13, 2018.
  100. Strategic Cyber LLC. (2017, March 14). Cobalt Strike Manual. Retrieved May 24, 2017.
  101. Symantec Security Response. (2014, June 30). Dragonfly: Cyberespionage Attacks Against Energy Suppliers. Retrieved April 8, 2016.
  102. Lee, B., Falcone, R. (2018, December 12). Dear Joohn: The Sofacy Group’s Global Campaign. Retrieved April 19, 2019.
  103. Balanza, M. (2018, April 02). Infostealer.Catchamas. Retrieved November 17, 2024.
  104. Chen, J. and Hsieh, M. (2017, November 7). REDBALDKNIGHT/BRONZE BUTLER’s Daserf Backdoor Now Using Steganography. Retrieved December 27, 2017.
  105. Levene, B, et al. (2017, May 03). Kazuar: Multiplatform Espionage Backdoor with API Access. Retrieved July 17, 2018.
  106. Unit 42. (2022, February 3). Russia’s Gamaredon aka Primitive Bear APT Group Actively Targeting Ukraine. Retrieved February 21, 2022.
  107. Symantec Security Response. (2017, September 6). Dragonfly: Western energy sector targeted by sophisticated attack group. Retrieved September 9, 2017.
  108. Yadav, A., et al. (2016, January 29). Malicious Office files dropping Kasidet and Dridex. Retrieved March 24, 2016.
  109. Sioting, S. (2013, June 15). BKDR_URSNIF.SM. Retrieved June 5, 2019.
  110. Tetra Defense. (2020, March). CAUSE AND EFFECT: SODINOKIBI RANSOMWARE ANALYSIS. Retrieved November 17, 2024.
  111. Mercer, W., Rascagneres, P. (2017, November 28). ROKRAT Reloaded. Retrieved May 21, 2018.
  112. Brod. (2013, July 15). Signed Mac Malware Using Right-to-Left Override Trick. Retrieved July 17, 2017.
  113. Falcone, R. (2020, July 22). OilRig Targets Middle Eastern Telecommunications Organization and Adds Novel C2 Channel with Steganography to Its Inventory. Retrieved July 28, 2020.
  114. Falcone, R., et al. (2018, July 27). New Threat Actor Group DarkHydrus Targets Middle East Government. Retrieved August 2, 2018.
  115. Bermejo, L., et al. (2017, June 22). Following the Trail of BlackTech’s Cyber Espionage Campaigns. Retrieved May 5, 2020.
  116. Mercer, W., et al. (2017, October 22). "Cyber Conflict" Decoy Document Used in Real Cyber Conflict. Retrieved November 2, 2018.
  117. Lunghi, D. and Lu, K. (2021, April 9). Iron Tiger APT Updates Toolkit With Evolved SysUpdate Malware. Retrieved November 12, 2021.
  118. Grunzweig, J. (2018, October 01). NOKKI Almost Ties the Knot with DOGCALL: Reaper Group Uses New Malware to Deploy RAT. Retrieved November 5, 2018.
  119. Lancaster, T., Cortes, J. (2018, January 29). VERMIN: Quasar RAT and Custom Malware Used In Ukraine. Retrieved July 5, 2018.
  120. Falcone, R., Lee, B. (2018, November 20). Sofacy Continues Global Attacks and Wheels Out New ‘Cannon’ Trojan. Retrieved November 26, 2018.
  121. Falcone, R. and Lancaster, T. (2019, May 28). Emissary Panda Attacks Middle East Government Sharepoint Servers. Retrieved July 9, 2019.
  122. Robert Falcone. (2017, February 14). XAgentOSX: Sofacy's Xagent macOS Tool. Retrieved July 12, 2017.
  123. Sharma, R. (2018, August 15). Revamped jRAT Uses New Anti-Parsing Techniques. Retrieved September 21, 2018.
  124. Caragay, R. (2015, March 26). URSNIF: The Multifaceted Malware. Retrieved June 5, 2019.
  125. Mercer, W, et al. (2020, April 16). PoetRAT: Python RAT uses COVID-19 lures to target Azerbaijan public and private sectors. Retrieved April 27, 2020.
  126. Ehrlich, A., et al. (2022, September). THE MYSTERY OF METADOR | AN UNATTRIBUTED THREAT HIDING IN TELCOS, ISPS, AND UNIVERSITIES. Retrieved January 23, 2023.
  127. Yan, T., et al. (2018, November 21). New Wine in Old Bottle: New Azorult Variant Found in FindMyName Campaign using Fallout Exploit Kit. Retrieved November 29, 2018.
  128. Park, S. (2024, June 27). Kimsuky deploys TRANSLATEXT to target South Korean academia. Retrieved October 14, 2024.
  129. Mercer, W., Rascagneres, P. (2017, April 03). Introducing ROKRAT. Retrieved May 21, 2018.
  130. Rascagneres, P. (2017, May 03). KONNI: A Malware Under The Radar For Years. Retrieved November 5, 2018.
  131. Symantec Security Response. (2015, December 7). Iran-based attackers use back door threats to spy on Middle Eastern targets. Retrieved April 17, 2019.
  132. Duncan, B., Harbison, M. (2019, January 23). Russian Language Malspam Pushing Redaman Banking Malware. Retrieved June 16, 2020.
  133. Lunghi, D. and Horejsi, J.. (2019, June 10). MuddyWater Resurfaces, Uses Multi-Stage Backdoor POWERSTATS V3 and New Post-Exploitation Tools. Retrieved May 14, 2020.
  134. Yadav, A., et al. (2017, August 31). Cobian RAT – A backdoored RAT. Retrieved November 13, 2018.
  135. Asheer Malhotra & Vitor Ventura. (2022, August 2). Manjusaka: A Chinese sibling of Sliver and Cobalt Strike. Retrieved September 4, 2024.
  136. Unit 42. (2017, December 15). Unit 42 Playbook Viewer. Retrieved December 20, 2017.
  137. Pierre Le Bourhis, Quentin Bourgue, & Sekoia TDR. (2022, June 29). Raccoon Stealer v2 - Part 2: In-depth analysis. Retrieved August 1, 2024.
  138. Kaspersky Lab's Global Research & Analysis Team. (2018, October 15). Octopus-infested seas of Central Asia. Retrieved November 14, 2018.
  139. Ebach, L. (2017, June 22). Analysis Results of Zeus.Variant.Panda. Retrieved November 5, 2018.
  140. Kasza, A. and Reichel, D. (2017, February 27). The Gamaredon Group Toolset Evolution. Retrieved March 1, 2017.
  141. Huss, D. (2016, March 1). Operation Transparent Tribe. Retrieved June 8, 2016.
  142. Davis, S. and Caban, D. (2017, December 19). APT34 - New Targeted Attack in the Middle East. Retrieved December 20, 2017.
  143. CISA. (2020, October 29). Malware Analysis Report (AR20-303B). Retrieved December 9, 2020.
  144. Namestnikov, Y. and Aime, F. (2019, May 8). FIN7.5: the infamous cybercrime rig “FIN7” continues its activities. Retrieved October 11, 2019.
  145. Stuart Ashenbrenner, Alden Schmidt. (2024, April 25). LightSpy Malware Variant Targeting macOS. Retrieved January 3, 2025.
  146. Cybereason Nocturnus. (2022, February 1). StrifeWater RAT: Iranian APT Moses Staff Adds New Trojan to Ransomware Operations. Retrieved August 15, 2022.
  147. GReAT. (2019, May 13). ScarCruft continues to evolve, introduces Bluetooth harvester. Retrieved June 4, 2019.
  148. Maniath, S. and Kadam P. (2019, March 19). Dissecting a NETWIRE Phishing Campaign's Usage of Process Hollowing. Retrieved January 7, 2021.
  149. Kamluk, V. & Gostev, A. (2016, February). Adwind - A Cross-Platform RAT. Retrieved April 23, 2019.
  150. Gross, J. (2016, February 23). Operation Dust Storm. Retrieved December 22, 2021.
  151. Cybereaon Security Services Team. (n.d.). Your Data Is Under New Lummanagement: The Rise of LummaStealer. Retrieved March 22, 2025.
  152. Schlapfer, Patrick. (2022, June 6). A New Loader Gets Ready. Retrieved December 13, 2022.
  153. Schroeder, W., Warner, J., Nelson, M. (n.d.). Github PowerShellEmpire. Retrieved April 28, 2016.
  154. Vrabie, V. (2021, April 23). NAIKON – Traces from a Military Cyber-Espionage Operation. Retrieved June 29, 2021.
  155. Grunzweig, J. and Miller-Osborn, J.. (2016, February 4). T9000: Advanced Modular Backdoor Uses Complex Anti-Analysis Techniques. Retrieved April 15, 2016.
  156. Giuliani, M., Allievi, A. (2011, February 28). Carberp - a modular information stealing trojan. Retrieved September 12, 2024.
  157. FireEye. (2018, February 20). APT37 (Reaper): The Overlooked North Korean Actor. Retrieved November 17, 2024.
  158. CERT-UA. (2023, February 1). UAC-0114 aka Winter Vivern to target Ukrainian and Polish GOV entities (CERT-UA#5909). Retrieved July 29, 2024.
  159. Jurčacko, F. (2024, May 15). To the Moon and back(doors): Lunar landing in diplomatic missions. Retrieved June 26, 2024.
  160. Group-IB. (2018, September). Silence: Moving Into the Darkside. Retrieved May 5, 2020.
  161. Jazi, Hossein. (2021, January 6). Retrohunting APT37: North Korean APT used VBA self decode technique to inject RokRat. Retrieved March 22, 2022.
  162. Kaspersky Global Research and Analysis Team. (2014, August 20). El Machete. Retrieved September 13, 2019.
  163. Hromcova, Z. (2019, October). AT COMMANDS, TOR-BASED COMMUNICATIONS: MEET ATTOR, A FANTASY CREATURE AND ALSO A SPY PLATFORM. Retrieved May 6, 2020.
  164. Settle, A., et al. (2016, August 8). MONSOON - Analysis Of An APT Campaign. Retrieved September 22, 2016.
  165. Livelli, K, et al. (2018, November 12). Operation Shaheen. Retrieved May 1, 2019.
  166. Zhang, X. (2017, June 28). In-Depth Analysis of A New Variant of .NET Malware AgentTesla. Retrieved November 5, 2018.
  167. Grunzweig, J.. (2017, April 20). Cardinal RAT Active for Over Two Years. Retrieved December 8, 2018.
  168. McAfee. (2015, March 2). Netwire RAT Behind Recent Targeted Attacks. Retrieved February 15, 2018.
  169. Salem, E. (2020, November 17). CHAES: Novel Malware Targeting Latin American E-Commerce. Retrieved June 30, 2021.
  170. Gostev, A. (2012, May 28). The Flame: Questions and Answers. Retrieved March 1, 2017.
  171. Mueller, R. (2018, July 13). Indictment - United States of America vs. VIKTOR BORISOVICH NETYKSHO, et al. Retrieved November 17, 2024.
  172. FireEye iSIGHT Intelligence. (2017, April 6). APT10 (MenuPass Group): New Tools, Global Campaign Latest Manifestation of Longstanding Threat. Retrieved June 29, 2017.
  173. Amnesty International. (2021, February 24). Vietnamese activists targeted by notorious hacking group. Retrieved March 1, 2021.
  174. Jenkins, L. at al. (2022, August 4). ROADSWEEP Ransomware - Likely Iranian Threat Actor Conducts Politically Motivated Disruptive Activity Against Albanian Government Organizations. Retrieved August 6, 2024.
  175. Legezo, D. (2019, January 30). Chafer used Remexi malware to spy on Iran-based foreign diplomatic entities. Retrieved April 17, 2019.
  176. Harbison, M. and Renals, P. (2022, July 5). When Pentest Tools Go Brutal: Red-Teaming Tool Being Abused by Malicious Actors. Retrieved February 1, 2023.
  177. Mandiant. (n.d.). Appendix C (Digital) - The Malware Arsenal. Retrieved July 18, 2016.
  178. O'Leary, J., et al. (2017, September 20). Insights into Iranian Cyber Espionage: APT33 Targets Aerospace and Energy Sectors and has Ties to Destructive Malware. Retrieved February 15, 2018.
  179. GReAT. (2019, April 10). Gaza Cybergang Group1, operation SneakyPastes. Retrieved May 13, 2020.
  180. ESET Security. (2019, November 19). Mispadu: Advertisement for a discounted Unhappy Meal. Retrieved March 13, 2024.
  181. Secureworks CTU. (2017, March 30). IRON TWILIGHT Supports Active Measures. Retrieved February 28, 2022.
  182. Slowik, J. (2021, October). THE BAFFLING BERSERK BEAR: A DECADE’S ACTIVITY TARGETING CRITICAL INFRASTRUCTURE. Retrieved December 6, 2021.
  183. Levene, B. et al.. (2018, March 7). Patchwork Continues to Deliver BADNEWS to the Indian Subcontinent. Retrieved March 31, 2018.
  184. FireEye. (2018, March 16). Suspected Chinese Cyber Espionage Group (TEMP.Periscope) Targeting U.S. Engineering and Maritime Industries. Retrieved April 11, 2018.
  185. Cybersecurity and Infrastructure Security Agency. (2020, August 26). MAR-10301706-1.v1 - North Korean Remote Access Tool: ECCENTRICBANDWAGON. Retrieved March 18, 2021.
  186. Boutin, J. (2020, June 11). Gamaredon group grows its game. Retrieved June 16, 2020.
  187. Garcia, F., Regalado, D. (2023, March 7). Inside Mispadu massive infection campaign in LATAM. Retrieved March 15, 2024.
  188. Fraser, N., et al. (2019, August 7). Double DragonAPT41, a dual espionage and cyber crime operation APT41. Retrieved September 23, 2019.
  189. Salvati, M. (2019, August 6). SILENTTRINITY Modules. Retrieved March 24, 2022.
  190. Schwarz, D., Sopko J. (2018, March 08). Donot Team Leverages New Modular Malware Framework in South Asia. Retrieved June 11, 2018.
  191. Adam Burgher. (2021, June 10). BackdoorDiplomacy: Upgrading from Quarian to Turian. Retrieved September 1, 2021
  192. Hromcová, Z. (2018, June 07). InvisiMole: Surprisingly equipped spyware, undercover since 2013. Retrieved July 10, 2018.
  193. Cylance. (2014, December). Operation Cleaver. Retrieved September 14, 2017.
  194. ESET. (2016, October). En Route with Sednit - Part 2: Observing the Comings and Goings. Retrieved November 21, 2016.
  195. Microsoft Threat Intelligence Center. (2022, February 4). ACTINIUM targets Ukrainian organizations. Retrieved February 18, 2022.
  196. Microsoft. (n.d.). Graphics.CopyFromScreen Method. Retrieved March 24, 2020.
  197. Nicolas Verdier. (n.d.). Retrieved January 29, 2018.
  198. Dupuy, T. and Faou, M. (2021, June). Gelsemium. Retrieved November 30, 2021.
  199. Pantazopoulos, N.. (2018, November 8). RokRat Analysis. Retrieved May 21, 2020.
  200. Cybereason Nocturnus Team. (2020, December 9). MOLERATS IN THE CLOUD: New Malware Arsenal Abuses Cloud Platforms in Middle East Espionage Campaign. Retrieved December 22, 2020.
  201. Mele, G. et al. (2021, February 10). Probable Iranian Cyber Actors, Static Kitten, Conducting Cyberespionage Campaign Targeting UAE and Kuwait Government Agencies. Retrieved March 17, 2021.
  202. Singh, S. et al.. (2018, March 13). Iranian Threat Group Updates Tactics, Techniques and Procedures in Spear Phishing Campaign. Retrieved April 11, 2018.
  203. Counter Threat Unit Research Team. (2017, October 12). BRONZE BUTLER Targets Japanese Enterprises. Retrieved January 4, 2018.
  204. Microsoft. (2024, September 4). Use Quick Assist to help users. Retrieved March 14, 2025.
  205. PowerShellMafia. (2012, May 26). PowerSploit - A PowerShell Post-Exploitation Framework. Retrieved February 6, 2018.
  206. Lambert, T. (2020, January 29). Intro to Netwire. Retrieved January 7, 2021.
  207. Carr, N., et al. (2017, April 24). FIN7 Evolution and the Phishing LNK. Retrieved April 24, 2017.
  208. Cherepanov, A. (2018, October 4). Nomadic Octopus Cyber espionage in Central Asia. Retrieved October 13, 2021.
  209. MalwareBytes Threat Intelligence Team. (2022, August 3). Woody RAT: A new feature-rich malware spotted in the wild. Retrieved December 6, 2022.
  210. FBI. (2020, September 17). Indicators of Compromise Associated with Rana Intelligence Computing, also known as Advanced Persistent Threat 39, Chafer, Cadelspy, Remexi, and ITG07. Retrieved December 10, 2020.
  211. Sierra, E., Iglesias, G.. (2018, April 24). Metamorfo Campaigns Targeting Brazilian Users. Retrieved July 30, 2020.
  212. Lunghi, D., et al. (2017, December). Untangling the Patchwork Cyberespionage Group. Retrieved July 10, 2018.
  213. SentinelLabs. (2022, September 22). Metador Technical Appendix. Retrieved April 4, 2023.
  214. Mac Threat Response, Mobile Research Team. (2020, August 13). The XCSSET Malware: Inserts Malicious Code Into Xcode Projects, Performs UXSS Backdoor Planting in Safari, and Leverages Two Zero-day Exploits. Retrieved October 5, 2021.
  215. Chen, J. et al. (2019, November). Operation ENDTRADE: TICK’s Multi-Stage Backdoors for Attacking Industries and Stealing Classified Data. Retrieved June 9, 2020.
  216. Lunghi, D. et al. (2020, February). Uncovering DRBControl. Retrieved November 12, 2021.
Навигация

Связанные риски

Ничего не найдено

Каталоги

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.