Skip to content

T1113 Screen Capture

Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as CopyFromScreen, xwd, or screencapture.12

Item Value
ID T1113
Sub-techniques
Tactics TA0009
Platforms Linux, Windows, macOS
Version 1.1
Created 31 May 2017
Last Modified 24 October 2025

Procedure Examples

ID Name Description
S0331 Agent Tesla Agent Tesla can capture screenshots of the victim’s desktop.2122232425
S0622 AppleSeed AppleSeed can take screenshots on a compromised host by calling a series of APIs.163164
G0007 APT28 APT28 has used tools to take screenshots from victims.209148100210
G0087 APT39 APT39 has used a screen capture utility to take screenshots on a compromised host.220221
G1044 APT42 APT42 has used malware, such as GHAMBAR and POWERPOST, to take screenshots.212
S0456 Aria-body Aria-body has the ability to capture screenshots on compromised hosts.85
S1087 AsyncRAT AsyncRAT has the ability to view the screen on compromised hosts.15
S0438 Attor Attor’s has a plugin that captures screenshots of the target applications.103
S0344 Azorult Azorult can capture screenshots of the victim’s machines.181
S1081 BADHATCH BADHATCH can take screenshots and send them to an actor-controlled C2 server.54
S0128 BADNEWS BADNEWS has a command to take a screenshot and send it to the C2 server.3435
S0337 BadPatch BadPatch captures screenshots in .jpg format and then exfiltrates them.84
S0234 Bandook Bandook is capable of taking an image of and uploading the current desktop.49130
S0017 BISCUIT BISCUIT has a command to periodically take screenshots of the system.51
S0089 BlackEnergy BlackEnergy is capable of taking screenshots.37
S0657 BLUELIGHT BLUELIGHT has captured a screenshot of the display every 30 seconds for the first 5 minutes after initiating a C2 loop, and then once every five minutes thereafter.172
G0060 BRONZE BUTLER BRONZE BUTLER has used a tool to capture screenshots.96204
S1063 Brute Ratel C4 Brute Ratel C4 can take screenshots on compromised hosts.7
S0454 Cadelspy Cadelspy has the ability to capture screenshots and webcam photos.168
S0351 Cannon Cannon can take a screenshot of the desktop.61
S0030 Carbanak Carbanak performs desktop video recording and captures screenshots of the desktop and sends it to the C2 server.40
S0484 Carberp Carberp can capture display screenshots with the screens_dll.dll plugin.171
S0348 Cardinal RAT Cardinal RAT can capture screenshots.186
S0261 Catchamas Catchamas captures screenshots based on specific keywords in the window’s title.184
S0631 Chaes Chaes can capture screenshots of the infected machine.175
S0674 CharmPower CharmPower has the ability to capture screenshots.170
S1149 CHIMNEYSWEEP CHIMNEYSWEEP can capture screenshots on targeted systems using a timer and either upload them or store them to disk.162
S0023 CHOPSTICK CHOPSTICK has the capability to capture screenshots.100
S0667 Chrommme Chrommme has the ability to capture screenshots.121
S0660 Clambling Clambling has the ability to capture screenshots.43
S0154 Cobalt Strike Cobalt Strike’s Beacon payload is capable of capturing screenshots.686970
S0338 Cobian RAT Cobian RAT has a feature to perform screen capture.33
S0591 ConnectWise ConnectWise can take screenshots on remote hosts.13
S0050 CosmicDuke CosmicDuke takes periodic screenshots and exfiltrates them.102
S0115 Crimson Crimson contains a command to perform screen captures.949899
S0235 CrossRAT CrossRAT is capable of taking screen captures.49
S1153 Cuckoo Stealer Cuckoo Stealer can run screencapture to collect screenshots from compromised hosts. 88
G0070 Dark Caracal Dark Caracal took screenshots using their Windows malware.49
S0187 Daserf Daserf can take screenshots.9596
S0021 Derusbi Derusbi is capable of performing screen captures.157
S0213 DOGCALL DOGCALL is capable of capturing screenshots of the victim’s machine.80117
G0035 Dragonfly Dragonfly has performed screen captures of victims, including by using a tool, scr.exe (which matched the hash of ScreenUtil).201202203
S1159 DUSTTRAP DUSTTRAP can capture screenshots.90
S0062 DustySky DustySky captures PNG screenshots of the main screen.129
S0593 ECCENTRICBANDWAGON ECCENTRICBANDWAGON can capture screenshots and store them locally.115
S0363 Empire Empire is capable of capturing screenshots on Windows and macOS systems.5
S0152 EvilGrab EvilGrab has the capability to capture screenshots.137
G0046 FIN7 FIN7 captured screenshots and desktop video recordings.222
S0182 FinFisher FinFisher takes a screenshot of the screen and displays it on top of all other windows for few seconds in an apparent attempt to hide some messages showed by the system during the setup process.3029
S0143 Flame Flame can take regular screenshots when certain applications are open that are sent to the command and control server.107
S0381 FlawedAmmyy FlawedAmmyy can capture screenshots.124
S0277 FruitFly FruitFly takes screenshots of the user’s desktop.122
S1044 FunnyDream The FunnyDream ScreenCap component can take screenshots on a compromised host.4
G0047 Gamaredon Group Gamaredon Group’s malware can take screenshots of the compromised computer every minute.205207206
S0032 gh0st RAT gh0st RAT can capture the victim’s screen remotely.135
G0115 GOLD SOUTHFIELD GOLD SOUTHFIELD has used the remote monitoring and management tool ConnectWise to obtain screen captures from victim’s machines.211
S0417 GRIFFON GRIFFON has used a screenshot module that can be used to take a screenshot of the remote system.18
G0043 Group5 Malware used by Group5 is capable of watching the victim’s screen.219
S0151 HALFBAKED HALFBAKED can obtain screenshots from the victim.138
S1229 Havoc Havoc can capture screenshots.605958
S0431 HotCroissant HotCroissant has the ability to do real time screen viewing on an infected host.182
S0203 Hydraq Hydraq includes a component based on the code of VNC that can stream a live feed of the desktop of an infected host.131
S0398 HyperBro HyperBro has the ability to take screenshots.119
S0260 InvisiMole InvisiMole can capture screenshots of not only the entire screen, but of each separate window open, in case they are overlapping.7374
S0163 Janicab Janicab captured screenshots and sent them out to a C2 server.198199
S0044 JHUHUGIT A JHUHUGIT variant takes screenshots by simulating the user pressing the “Take Screenshot” key (VK_SCREENSHOT), accessing the screenshot saved in the clipboard, and converting it to a JPG image.1920
S0283 jRAT jRAT has the capability to take screenshots of the victim’s machine.178179
S0088 Kasidet Kasidet has the ability to initiate keylogging and screen captures.133
S0265 Kazuar Kazuar captures screenshots of the victim’s screen.136
S0387 KeyBoy KeyBoy has a command to perform screen grabbing.146
S0271 KEYMARBLE KEYMARBLE can capture screenshots of the victim’s machine.149
G0094 Kimsuky Kimsuky has captured browser screenshots using TRANSLATEXT.120
S0437 Kivars Kivars has the ability to capture screenshots on the infected host.116
S0356 KONNI KONNI can take screenshots of the victim’s machine.134
S1185 LightSpy LightSpy uses Apple’s built-in AVFoundation Framework library to access the user’s camera and screen. It uses the AVCaptureStillImage to take a picture using the user’s camera and the AVCaptureScreen to take a screenshot or record the user’s screen for a specified period of time.55
S0680 LitePower LitePower can take system screenshots and save them to %AppData%.83
S0681 Lizar Lizar can take JPEG screenshots of an infected system.9392 Lizar has also used a plugin to take a screenshot of the infected system.92
S0582 LookBack LookBack can take desktop screenshots.114
S1213 Lumma Stealer Lumma Stealer has taken screenshots of victim machines.44
S1142 LunarMail LunarMail can capture screenshots from compromised hosts.150
S0409 Machete Machete captures screenshots.194195196197
S1016 MacMa MacMa has used Apple’s Core Graphic APIs, such as CGWindowListCreateImageFromArray, to capture the user’s screen and open windows.5253
S0282 MacSpy MacSpy can capture screenshots of the desktop over multiple monitors.122
S1060 Mafalda Mafalda can take a screenshot of the target machine and save it to a file.104
G0059 Magic Hound Magic Hound malware can take a screenshot and upload the file to its C2 server.213
S1156 Manjusaka Manjusaka can take screenshots of the victim desktop.110
S0652 MarkiRAT MarkiRAT can capture screenshots that are initially saved as ‘scr.jpg’.200
S0167 Matryoshka Matryoshka is capable of performing screen captures.125126
S1059 metaMain metaMain can take and save screenshots.104105
S0455 Metamorfo Metamorfo can collect screenshots of the victim’s machine.139140
S0339 Micropsia Micropsia takes screenshots every 90 seconds by calling the Gdi32.BitBlt API.142
S1122 Mispadu Mispadu has the ability to capture screenshots on compromised hosts.47484546
G1019 MoustachedBouncer MoustachedBouncer has used plugins to take screenshots on targeted systems.123
G0069 MuddyWater MuddyWater has used malware that can capture screenshots of the victim’s machine.214
S0198 NETWIRE NETWIRE can capture the victim’s screen.160159158161
S1090 NightClub NightClub can load a module to call CreateCompatibleDC and GdipSaveImageToStream for screen capture.123
S0385 njRAT njRAT can capture screenshots of the victim’s machines.56
S1107 NKAbuse NKAbuse can take screenshots of the victim machine.185
S0644 ObliqueRAT ObliqueRAT can capture a screenshot of the current screen.42
S0340 Octopus Octopus can capture screenshots of the victims’ machine.188189190
G0049 OilRig OilRig has a tool called CANDYKING to capture a screenshot of user’s desktop.208
S1050 PcShare PcShare can take screen shots of a compromised machine.4
S0643 Peppy Peppy can take screenshots on targeted systems.94
S0013 PlugX PlugX allows the operator to capture screenshots.145
S0428 PoetRAT PoetRAT has the ability to take screen captures.166167
S0216 POORAIM POORAIM can perform screen capturing.80
S0194 PowerSploit PowerSploit’s Get-TimedScreenshot Exfiltration module can take screenshots at regular intervals.910
S0223 POWERSTATS POWERSTATS can retrieve screenshots from compromised hosts.176177
S0184 POWRUNER POWRUNER can capture a screenshot from a victim.180
S0113 Prikormka Prikormka contains a module that captures screenshots of the victim’s desktop.50
S0279 Proton Proton captures the content of the desktop with the screencapture binary.122
S0147 Pteranodon Pteranodon can capture screenshots at a configurable interval.1617
S0192 Pupy Pupy can drop a mouse-logger that will take small screenshots around at each click and then send back to the server.3
S1209 Quick Assist Quick Assist allows for the remote administrator to take screenshots of the running system.8
S0686 QuietSieve QuietSieve has taken screenshots every five minutes and saved them to the user’s local Application Data folder under Temp\SymbolSourceSymbols\icons or Temp\ModeAuto\icons.193
S1148 Raccoon Stealer Raccoon Stealer can capture screenshots from victim systems.128127
S0629 RainyDay RainyDay has the ability to capture screenshots.132
S0458 Ramsay Ramsay can take screenshots every 30 seconds as well as when an external removable storage device is connected.36
S0662 RCSession RCSession can capture screenshots from a compromised host.81
S0495 RDAT RDAT can take a screenshot on the infected system.77
S0153 RedLeaves RedLeaves can capture screenshots.7675
S1240 RedLine Stealer RedLine Stealer can capture screenshots on a compromised host.8687
S0332 Remcos Remcos takes automated screenshots of the infected machine.12
S0375 Remexi Remexi takes screenshots of windows of interest.165
S0592 RemoteUtilities RemoteUtilities can take screenshots on a compromised host.14
S0379 Revenge RAT Revenge RAT has a plugin for screen capture.156
S0270 RogueRobin RogueRobin has a command named $screenshot that may be responsible for taking screenshots of the victim machine.174
S0240 ROKRAT ROKRAT can capture screenshots of the infected system using the gdi32 library.151152153154155
S0090 Rover Rover takes screenshots of the compromised system’s desktop and saves them to C:\system\screenshot.bmp for exfiltration every 60 minutes.91
S0148 RTM RTM can capture screenshots.191192
S0546 SharpStage SharpStage has the ability to capture the victim’s screen.7172
S0217 SHUTTERSPEED SHUTTERSPEED can capture screenshots.80
G0091 Silence Silence can capture victim screen activity.216217
S0692 SILENTTRINITY SILENTTRINITY can take a screenshot of the current desktop.6
S0633 Sliver Sliver can take screenshots of the victim’s active display.11
S0533 SLOTHFULMEDIA SLOTHFULMEDIA has taken a screenshot of a victim’s desktop, named it “Filter3.jpg”, and stored it in the local directory.173
S0649 SMOKEDHAM SMOKEDHAM can capture screenshots of the victim’s desktop.143144
S0273 Socksbot Socksbot can take screenshots.147
S0380 StoneDrill StoneDrill can take screenshots.183
S1034 StrifeWater StrifeWater has the ability to take screen captures.108
S1064 SVCReady SVCReady can take a screenshot from an infected host.106
S0663 SysUpdate SysUpdate has the ability to capture screenshots.118
S0098 T9000 T9000 can take screenshots of the desktop and target application windows, saving them to user directories as one byte XOR encrypted .dat files.169
S0467 TajMahal TajMahal has the ability to take screenshots on an infected host including capturing content from windows of instant messaging applications.67
S0004 TinyZBot TinyZBot contains screen capture functionality.97
S1239 TONESHELL TONESHELL has conducted screen capturing.41
S1201 TRANSLATEXT TRANSLATEXT has the ability to capture screenshots of new browser tabs, based on the presence of the Capture flag.120
S0094 Trojan.Karagany Trojan.Karagany can take a desktop screenshot and save the file into \ProgramData\Mail\MailAg\shot.png.2728
S1196 Troll Stealer Troll Stealer can capture screenshots from victim machines.3839
S0647 Turian Turian has the ability to take screenshots.57
S0199 TURNEDUP TURNEDUP is capable of taking screenshots.26
S0275 UPPERCUT UPPERCUT can capture desktop screenshots in the PNG format and send them to the C2 server.82
S0386 Ursnif Ursnif has used hooked APIs to take screenshots.111112
S0476 Valak Valak has the ability to take screenshots on a compromised host.89
S0257 VERMIN VERMIN can perform screen captures of the victim’s machine.109
G1017 Volt Typhoon Volt Typhoon has obtained a screenshot of the victim’s system using the gdi32.dll and gdiplus.dll libraries.218
G1035 Winter Vivern Winter Vivern delivered PowerShell scripts capable of taking screenshots of victim machines.215
S1065 Woody RAT Woody RAT has the ability to take a screenshot of the infected host desktop using Windows GDI+.113
S0161 XAgentOSX XAgentOSX contains the takeScreenShot (along with startTakeScreenShot and stopTakeScreenShot) functions to take screenshots using the CGGetActiveDisplayList, CGDisplayCreateImage, and NSImage:initWithCGImage methods.148
S0658 XCSSET XCSSET saves a screen capture of the victim’s system with a numbered filename and .jpg extension. Screen captures are taken at specified intervals based on the system. 187
S1207 XLoader XLoader can capture screenshots on compromised hosts.3231
S0248 yty yty collects screenshots of the victim machine.141
S0251 Zebrocy A variant of Zebrocy captures screenshots of the victim’s machine in JPEG and BMP format.616263646566
S0330 Zeus Panda Zeus Panda can take screenshots of the victim’s machine.78
S0086 ZLib ZLib has the ability to obtain screenshots of the compromised system.101
S0412 ZxShell ZxShell can capture screenshots.79

References

  1. Microsoft. (n.d.). Graphics.CopyFromScreen Method. Retrieved March 24, 2020. 

  2. Thomas Reed. (2017, January 18). New Mac backdoor using antiquated code. Retrieved July 5, 2017. 

  3. Nicolas Verdier. (n.d.). Retrieved January 29, 2018. 

  4. Vrabie, V. (2020, November). Dissecting a Chinese APT Targeting South Eastern Asian Government Institutions. Retrieved September 19, 2022. 

  5. Schroeder, W., Warner, J., Nelson, M. (n.d.). Github PowerShellEmpire. Retrieved April 28, 2016. 

  6. Salvati, M. (2019, August 6). SILENTTRINITY Modules. Retrieved March 24, 2022. 

  7. Harbison, M. and Renals, P. (2022, July 5). When Pentest Tools Go Brutal: Red-Teaming Tool Being Abused by Malicious Actors. Retrieved February 1, 2023. 

  8. Microsoft. (2024, September 4). Use Quick Assist to help users. Retrieved March 14, 2025. 

  9. PowerShellMafia. (2012, May 26). PowerSploit - A PowerShell Post-Exploitation Framework. Retrieved February 6, 2018. 

  10. PowerSploit. (n.d.). PowerSploit. Retrieved February 6, 2018. 

  11. BishopFox. (n.d.). Sliver Screenshot. Retrieved September 16, 2021. 

  12. Klijnsma, Y. (2018, January 23). Espionage Campaign Leverages Spear Phishing, RATs Against Turkish Defense Contractors. Retrieved November 6, 2018. 

  13. Mele, G. et al. (2021, February 10). Probable Iranian Cyber Actors, Static Kitten, Conducting Cyberespionage Campaign Targeting UAE and Kuwait Government Agencies. Retrieved March 17, 2021. 

  14. Peretz, A. and Theck, E. (2021, March 5). Earth Vetala – MuddyWater Continues to Target Organizations in the Middle East. Retrieved March 18, 2021. 

  15. Nyan-x-Cat. (n.d.). NYAN-x-CAT / AsyncRAT-C-Sharp. Retrieved October 3, 2023. 

  16. Kasza, A. and Reichel, D. (2017, February 27). The Gamaredon Group Toolset Evolution. Retrieved March 1, 2017. 

  17. Unit 42. (2022, February 3). Russia’s Gamaredon aka Primitive Bear APT Group Actively Targeting Ukraine. Retrieved February 21, 2022. 

  18. Namestnikov, Y. and Aime, F. (2019, May 8). FIN7.5: the infamous cybercrime rig “FIN7” continues its activities. Retrieved October 11, 2019. 

  19. Unit 42. (2017, December 15). Unit 42 Playbook Viewer. Retrieved December 20, 2017. 

  20. Mercer, W., et al. (2017, October 22). “Cyber Conflict” Decoy Document Used in Real Cyber Conflict. Retrieved November 2, 2018. 

  21. Brumaghin, E., et al. (2018, October 15). Old dog, new tricks - Analysing new RTF-based campaign distributing Agent Tesla, Loki with PyREbox. Retrieved November 5, 2018. 

  22. The DigiTrust Group. (2017, January 12). The Rise of Agent Tesla. Retrieved November 5, 2018. 

  23. Zhang, X. (2018, April 05). Analysis of New Agent Tesla Spyware Variant. Retrieved November 5, 2018. 

  24. Zhang, X. (2017, June 28). In-Depth Analysis of A New Variant of .NET Malware AgentTesla. Retrieved November 5, 2018. 

  25. Arsene, L. (2020, April 21). Oil & Gas Spearphishing Campaigns Drop Agent Tesla Spyware in Advance of Historic OPEC+ Deal. Retrieved May 19, 2020. 

  26. O’Leary, J., et al. (2017, September 20). Insights into Iranian Cyber Espionage: APT33 Targets Aerospace and Energy Sectors and has Ties to Destructive Malware. Retrieved February 15, 2018. 

  27. Symantec Security Response. (2014, June 30). Dragonfly: Cyberespionage Attacks Against Energy Suppliers. Retrieved April 8, 2016. 

  28. Secureworks. (2019, July 24). Updated Karagany Malware Targets Energy Sector. Retrieved August 12, 2020. 

  29. Allievi, A.,Flori, E. (2018, March 01). FinFisher exposed: A researcher’s tale of defeating traps, tricks, and complex virtual machines. Retrieved July 9, 2018. 

  30. FinFisher. (n.d.). Retrieved September 12, 2024. 

  31. Gustavo Palazolo, Netskope. (2022, March 11). New Formbook Campaign Delivered Through Phishing Emails. Retrieved March 11, 2025. 

  32. Nart Villeneuve, Randi Eitzman, Sandor Nemes & Tyler Dean, Google Cloud. (2017, October 5). Significant FormBook Distribution Campaigns Impacting the U.S. and South Korea. Retrieved March 11, 2025. 

  33. Yadav, A., et al. (2017, August 31). Cobian RAT – A backdoored RAT. Retrieved November 13, 2018. 

  34. Settle, A., et al. (2016, August 8). MONSOON - Analysis Of An APT Campaign. Retrieved September 22, 2016. 

  35. Levene, B. et al.. (2018, March 7). Patchwork Continues to Deliver BADNEWS to the Indian Subcontinent. Retrieved March 31, 2018. 

  36. Antiy CERT. (2020, April 20). Analysis of Ramsay components of Darkhotel’s infiltration and isolation network. Retrieved March 24, 2021. 

  37. Baumgartner, K. and Garnaeva, M.. (2014, November 3). BE2 custom plugins, router abuse, and target profiles. Retrieved March 24, 2016. 

  38. Jiho Kim & Sebin Lee, S2W. (2024, February 7). Kimsuky disguised as a Korean company signed with a valid certificate to distribute Troll Stealer (English ver.). Retrieved January 17, 2025. 

  39. Symantec Threat Hunter Team. (2024, May 16). Springtail: New Linux Backdoor Added to Toolkit. Retrieved January 17, 2025. 

  40. Bennett, J., Vengerik, B. (2017, June 12). Behind the CARBANAK Backdoor. Retrieved June 11, 2018. 

  41. Lior Rochberger, Tom Fakterman, Robert Falcone. (2023, September 22). Cyberespionage Attacks Against Southeast Asian Government Linked to Stately Taurus, Aka Mustang Panda. Retrieved September 9, 2025. 

  42. Malhotra, A. (2021, March 2). ObliqueRAT returns with new campaign using hijacked websites. Retrieved September 2, 2021. 

  43. Lunghi, D. et al. (2020, February). Uncovering DRBControl. Retrieved November 12, 2021. 

  44. Cybereaon Security Services Team. (n.d.). Your Data Is Under New Lummanagement: The Rise of LummaStealer. Retrieved March 22, 2025. 

  45. ESET Security. (2019, November 19). Mispadu: Advertisement for a discounted Unhappy Meal. Retrieved March 13, 2024. 

  46. Garcia, F., Regalado, D. (2023, March 7). Inside Mispadu massive infection campaign in LATAM. Retrieved March 15, 2024. 

  47. SCILabs. (2021, December 23). Cyber Threat Profile Malteiro. Retrieved March 13, 2024. 

  48. SCILabs. (2023, May 23). Evolution of banking trojan URSA/Mispadu. Retrieved March 13, 2024. 

  49. Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. Retrieved April 11, 2018. 

  50. Cherepanov, A.. (2016, May 17). Operation Groundbait: Analysis of a surveillance toolkit. Retrieved May 18, 2016. 

  51. Mandiant. (n.d.). Appendix C (Digital) - The Malware Arsenal. Retrieved July 18, 2016. 

  52. M.Léveillé, M., Cherepanov, A.. (2022, January 25). Watering hole deploys new macOS malware, DazzleSpy, in Asia. Retrieved May 6, 2022. 

  53. Wardle, P. (2021, November 11). OSX.CDDS (OSX.MacMa). Retrieved June 30, 2022. 

  54. Vrabie, V., et al. (2021, March 10). FIN8 Returns with Improved BADHATCH Toolkit. Retrieved September 8, 2021. 

  55. Stuart Ashenbrenner, Alden Schmidt. (2024, April 25). LightSpy Malware Variant Targeting macOS. Retrieved January 3, 2025. 

  56. Pascual, C. (2018, November 27). AutoIt-Compiled Worm Affecting Removable Media Delivers Fileless Version of BLADABINDI/njRAT Backdoor. Retrieved June 4, 2019. 

  57. Adam Burgher. (2021, June 10). BackdoorDiplomacy: Upgrading from Quarian to Turian. Retrieved September 1, 2021 

  58. Immersive Content Team. (2024, April 9). Havoc C2 Framework – A Defensive Operator’s Guide. Retrieved August 13, 2025. 

  59. Shivtarkar, N. and Jain, S. (2023, February 14). Havoc Across the Cyberspace. Retrieved August 4, 2025. 

  60. Ungur, P. (n.d.). HAVOC. Retrieved August 4, 2025. 

  61. Falcone, R., Lee, B. (2018, November 20). Sofacy Continues Global Attacks and Wheels Out New ‘Cannon’ Trojan. Retrieved November 26, 2018. 

  62. ESET. (2018, November 20). Sednit: What’s going on with Zebrocy?. Retrieved February 12, 2019. 

  63. Lee, B., Falcone, R. (2018, December 12). Dear Joohn: The Sofacy Group’s Global Campaign. Retrieved April 19, 2019. 

  64. ESET Research. (2019, May 22). A journey to Zebrocy land. Retrieved June 20, 2019. 

  65. Accenture Security. (2018, November 29). SNAKEMACKEREL. Retrieved April 15, 2019. 

  66. CISA. (2020, October 29). Malware Analysis Report (AR20-303B). Retrieved December 9, 2020. 

  67. GReAT. (2019, April 10). Project TajMahal – a sophisticated new APT framework. Retrieved October 14, 2019. 

  68. Strategic Cyber LLC. (2017, March 14). Cobalt Strike Manual. Retrieved May 24, 2017. 

  69. Amnesty International. (2021, February 24). Vietnamese activists targeted by notorious hacking group. Retrieved March 1, 2021. 

  70. Strategic Cyber LLC. (2020, November 5). Cobalt Strike: Advanced Threat Tactics for Penetration Testers. Retrieved April 13, 2021. 

  71. Cybereason Nocturnus Team. (2020, December 9). MOLERATS IN THE CLOUD: New Malware Arsenal Abuses Cloud Platforms in Middle East Espionage Campaign. Retrieved December 22, 2020. 

  72. Ilascu, I. (2020, December 14). Hacking group’s new malware abuses Google and Facebook services. Retrieved December 28, 2020. 

  73. Hromcová, Z. (2018, June 07). InvisiMole: Surprisingly equipped spyware, undercover since 2013. Retrieved July 10, 2018. 

  74. Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE HIDDEN PART OF THE STORY. Retrieved July 16, 2020. 

  75. Accenture Security. (2018, April 23). Hogfish Redleaves Campaign. Retrieved July 2, 2018. 

  76. FireEye iSIGHT Intelligence. (2017, April 6). APT10 (MenuPass Group): New Tools, Global Campaign Latest Manifestation of Longstanding Threat. Retrieved June 29, 2017. 

  77. Falcone, R. (2020, July 22). OilRig Targets Middle Eastern Telecommunications Organization and Adds Novel C2 Channel with Steganography to Its Inventory. Retrieved July 28, 2020. 

  78. Ebach, L. (2017, June 22). Analysis Results of Zeus.Variant.Panda. Retrieved November 5, 2018. 

  79. Fraser, N., et al. (2019, August 7). Double DragonAPT41, a dual espionage and cyber crime operation APT41. Retrieved September 23, 2019. 

  80. FireEye. (2018, February 20). APT37 (Reaper): The Overlooked North Korean Actor. Retrieved November 17, 2024. 

  81. Global Threat Center, Intelligence Team. (2020, December). APT27 Turns to Ransomware. Retrieved November 12, 2021. 

  82. Matsuda, A., Muhammad I. (2018, September 13). APT10 Targeting Japanese Corporations Using Updated TTPs. Retrieved September 17, 2018. 

  83. Yamout, M. (2021, November 29). WIRTE’s campaign in the Middle East ‘living off the land’ since at least 2019. Retrieved February 1, 2022. 

  84. Bar, T., Conant, S. (2017, October 20). BadPatch. Retrieved November 13, 2018. 

  85. CheckPoint. (2020, May 7). Naikon APT: Cyber Espionage Reloaded. Retrieved May 26, 2020. 

  86. Mohansundaram M, Neil Tyagi. (2024, April 17). Redline Stealer: A Novel Approach. Retrieved September 17, 2025. 

  87. Splunk Threat Research Team. (2023, June 1). Do Not Cross The ‘RedLine’ Stealer: Detections and Analysis. Retrieved September 17, 2025. 

  88. Kohler, A. and Lopez, C. (2024, April 30). Malware: Cuckoo Behaves Like Cross Between Infostealer and Spyware. Retrieved August 20, 2024. 

  89. Salem, E. et al. (2020, May 28). VALAK: MORE THAN MEETS THE EYE . Retrieved June 19, 2020. 

  90. Mike Stokkel et al. (2024, July 18). APT41 Has Arisen From the DUST. Retrieved September 16, 2024. 

  91. Ray, V., Hayashi, K. (2016, February 29). New Malware ‘Rover’ Targets Indian Ambassador to Afghanistan. Retrieved February 29, 2016. 

  92. BI.ZONE Cyber Threats Research Team. (2021, May 13). From pentest to APT attack: cybercriminal group FIN7 disguises its malware as an ethical hacker’s toolkit. Retrieved February 2, 2022. 

  93. Seals, T. (2021, May 14). FIN7 Backdoor Masquerades as Ethical Hacking Tool. Retrieved February 2, 2022. 

  94. Huss, D. (2016, March 1). Operation Transparent Tribe. Retrieved June 8, 2016. 

  95. Chen, J. and Hsieh, M. (2017, November 7). REDBALDKNIGHT/BRONZE BUTLER’s Daserf Backdoor Now Using Steganography. Retrieved December 27, 2017. 

  96. Counter Threat Unit Research Team. (2017, October 12). BRONZE BUTLER Targets Japanese Enterprises. Retrieved January 4, 2018. 

  97. Cylance. (2014, December). Operation Cleaver. Retrieved September 14, 2017. 

  98. Dedola, G. (2020, August 20). Transparent Tribe: Evolution analysis, part 1. Retrieved September 2, 2021. 

  99. N. Baisini. (2022, July 13). Transparent Tribe begins targeting education sector in latest campaign. Retrieved September 22, 2022. 

  100. Mueller, R. (2018, July 13). Indictment - United States of America vs. VIKTOR BORISOVICH NETYKSHO, et al. Retrieved November 17, 2024. 

  101. Gross, J. (2016, February 23). Operation Dust Storm. Retrieved December 22, 2021. 

  102. F-Secure Labs. (2014, July). COSMICDUKE Cosmu with a twist of MiniDuke. Retrieved July 3, 2014. 

  103. Hromcova, Z. (2019, October). AT COMMANDS, TOR-BASED COMMUNICATIONS: MEET ATTOR, A FANTASY CREATURE AND ALSO A SPY PLATFORM. Retrieved May 6, 2020. 

  104. Ehrlich, A., et al. (2022, September). THE MYSTERY OF METADOR | AN UNATTRIBUTED THREAT HIDING IN TELCOS, ISPS, AND UNIVERSITIES. Retrieved January 23, 2023. 

  105. SentinelLabs. (2022, September 22). Metador Technical Appendix. Retrieved April 4, 2023. 

  106. Schlapfer, Patrick. (2022, June 6). A New Loader Gets Ready. Retrieved December 13, 2022. 

  107. Gostev, A. (2012, May 28). The Flame: Questions and Answers. Retrieved March 1, 2017. 

  108. Cybereason Nocturnus. (2022, February 1). StrifeWater RAT: Iranian APT Moses Staff Adds New Trojan to Ransomware Operations. Retrieved August 15, 2022. 

  109. Lancaster, T., Cortes, J. (2018, January 29). VERMIN: Quasar RAT and Custom Malware Used In Ukraine. Retrieved July 5, 2018. 

  110. Asheer Malhotra & Vitor Ventura. (2022, August 2). Manjusaka: A Chinese sibling of Sliver and Cobalt Strike. Retrieved September 4, 2024. 

  111. Caragay, R. (2015, March 26). URSNIF: The Multifaceted Malware. Retrieved June 5, 2019. 

  112. Sioting, S. (2013, June 15). BKDR_URSNIF.SM. Retrieved June 5, 2019. 

  113. MalwareBytes Threat Intelligence Team. (2022, August 3). Woody RAT: A new feature-rich malware spotted in the wild. Retrieved December 6, 2022. 

  114. Raggi, M. Schwarz, D.. (2019, August 1). LookBack Malware Targets the United States Utilities Sector with Phishing Attacks Impersonating Engineering Licensing Boards. Retrieved February 25, 2021. 

  115. Cybersecurity and Infrastructure Security Agency. (2020, August 26). MAR-10301706-1.v1 - North Korean Remote Access Tool: ECCENTRICBANDWAGON. Retrieved March 18, 2021. 

  116. Bermejo, L., et al. (2017, June 22). Following the Trail of BlackTech’s Cyber Espionage Campaigns. Retrieved May 5, 2020. 

  117. Grunzweig, J. (2018, October 01). NOKKI Almost Ties the Knot with DOGCALL: Reaper Group Uses New Malware to Deploy RAT. Retrieved November 5, 2018. 

  118. Lunghi, D. and Lu, K. (2021, April 9). Iron Tiger APT Updates Toolkit With Evolved SysUpdate Malware. Retrieved November 12, 2021. 

  119. Falcone, R. and Lancaster, T. (2019, May 28). Emissary Panda Attacks Middle East Government Sharepoint Servers. Retrieved July 9, 2019. 

  120. Park, S. (2024, June 27). Kimsuky deploys TRANSLATEXT to target South Korean academia. Retrieved October 14, 2024. 

  121. Dupuy, T. and Faou, M. (2021, June). Gelsemium. Retrieved November 30, 2021. 

  122. Patrick Wardle. (n.d.). Mac Malware of 2017. Retrieved September 21, 2018. 

  123. Faou, M. (2023, August 10). MoustachedBouncer: Espionage against foreign diplomats in Belarus. Retrieved September 25, 2023. 

  124. Financial Security Institute. (2020, February 28). Profiling of TA505 Threat Group That Continues to Attack the Financial Sector. Retrieved July 14, 2022. 

  125. ClearSky Cyber Security and Trend Micro. (2017, July). Operation Wilted Tulip: Exposing a cyber espionage apparatus. Retrieved August 21, 2017. 

  126. Minerva Labs LTD and ClearSky Cyber Security. (2015, November 23). CopyKittens Attack Group. Retrieved November 17, 2024. 

  127. Pierre Le Bourhis, Quentin Bourgue, & Sekoia TDR. (2022, June 29). Raccoon Stealer v2 - Part 2: In-depth analysis. Retrieved August 1, 2024. 

  128. S2W TALON. (2022, June 16). Raccoon Stealer is Back with a New Version. Retrieved August 1, 2024. 

  129. GReAT. (2019, April 10). Gaza Cybergang Group1, operation SneakyPastes. Retrieved May 13, 2020. 

  130. Check Point. (2020, November 26). Bandook: Signed & Delivered. Retrieved May 31, 2021. 

  131. Lelli, A. (2010, January 11). Trojan.Hydraq. Retrieved February 20, 2018. 

  132. Vrabie, V. (2021, April 23). NAIKON – Traces from a Military Cyber-Espionage Operation. Retrieved June 29, 2021. 

  133. Yadav, A., et al. (2016, January 29). Malicious Office files dropping Kasidet and Dridex. Retrieved March 24, 2016. 

  134. Rascagneres, P. (2017, May 03). KONNI: A Malware Under The Radar For Years. Retrieved November 5, 2018. 

  135. Pantazopoulos, N. (2018, April 17). Decoding network data from a Gh0st RAT variant. Retrieved November 2, 2018. 

  136. Levene, B, et al. (2017, May 03). Kazuar: Multiplatform Espionage Backdoor with API Access. Retrieved July 17, 2018. 

  137. PwC and BAE Systems. (2017, April). Operation Cloud Hopper: Technical Annex. Retrieved April 13, 2017. 

  138. Carr, N., et al. (2017, April 24). FIN7 Evolution and the Phishing LNK. Retrieved April 24, 2017. 

  139. Sierra, E., Iglesias, G.. (2018, April 24). Metamorfo Campaigns Targeting Brazilian Users. Retrieved July 30, 2020. 

  140. ESET Research. (2019, October 3). Casbaneiro: peculiarities of this banking Trojan that affects Brazil and Mexico. Retrieved September 23, 2021. 

  141. Schwarz, D., Sopko J. (2018, March 08). Donot Team Leverages New Modular Malware Framework in South Asia. Retrieved June 11, 2018. 

  142. Tsarfaty, Y. (2018, July 25). Micropsia Malware. Retrieved November 13, 2018. 

  143. FireEye. (2021, May 11). Shining a Light on DARKSIDE Ransomware Operations. Retrieved September 22, 2021. 

  144. FireEye. (2021, June 16). Smoking Out a DARKSIDE Affiliate’s Supply Chain Software Compromise. Retrieved September 22, 2021. 

  145. Computer Incident Response Center Luxembourg. (2013, March 29). Analysis of a PlugX variant. Retrieved November 5, 2018. 

  146. Parys, B. (2017, February 11). The KeyBoys are back in town. Retrieved June 13, 2019. 

  147. Lunghi, D., et al. (2017, December). Untangling the Patchwork Cyberespionage Group. Retrieved July 10, 2018. 

  148. Robert Falcone. (2017, February 14). XAgentOSX: Sofacy’s Xagent macOS Tool. Retrieved July 12, 2017. 

  149. US-CERT. (2018, August 09). MAR-10135536-17 – North Korean Trojan: KEYMARBLE. Retrieved August 16, 2018. 

  150. Jurčacko, F. (2024, May 15). To the Moon and back(doors): Lunar landing in diplomatic missions. Retrieved June 26, 2024. 

  151. Mercer, W., Rascagneres, P. (2017, April 03). Introducing ROKRAT. Retrieved May 21, 2018. 

  152. Mercer, W., Rascagneres, P. (2017, November 28). ROKRAT Reloaded. Retrieved May 21, 2018. 

  153. GReAT. (2019, May 13). ScarCruft continues to evolve, introduces Bluetooth harvester. Retrieved June 4, 2019. 

  154. Pantazopoulos, N.. (2018, November 8). RokRat Analysis. Retrieved May 21, 2020. 

  155. Jazi, Hossein. (2021, January 6). Retrohunting APT37: North Korean APT used VBA self decode technique to inject RokRat. Retrieved March 22, 2022. 

  156. Livelli, K, et al. (2018, November 12). Operation Shaheen. Retrieved May 1, 2019. 

  157. FireEye. (2018, March 16). Suspected Chinese Cyber Espionage Group (TEMP.Periscope) Targeting U.S. Engineering and Maritime Industries. Retrieved April 11, 2018. 

  158. Lambert, T. (2020, January 29). Intro to Netwire. Retrieved January 7, 2021. 

  159. Maniath, S. and Kadam P. (2019, March 19). Dissecting a NETWIRE Phishing Campaign’s Usage of Process Hollowing. Retrieved January 7, 2021. 

  160. McAfee. (2015, March 2). Netwire RAT Behind Recent Targeted Attacks. Retrieved February 15, 2018. 

  161. Proofpoint. (2020, December 2). Geofenced NetWire Campaigns. Retrieved January 7, 2021. 

  162. Jenkins, L. at al. (2022, August 4). ROADSWEEP Ransomware - Likely Iranian Threat Actor Conducts Politically Motivated Disruptive Activity Against Albanian Government Organizations. Retrieved August 6, 2024. 

  163. Jazi, H. (2021, June 1). Kimsuky APT continues to target South Korean government using AppleSeed backdoor. Retrieved June 10, 2021. 

  164. KISA. (2021). Phishing Target Reconnaissance and Attack Resource Analysis Operation Muzabi. Retrieved March 8, 2024. 

  165. Legezo, D. (2019, January 30). Chafer used Remexi malware to spy on Iran-based foreign diplomatic entities. Retrieved April 17, 2019. 

  166. Mercer, W, et al. (2020, April 16). PoetRAT: Python RAT uses COVID-19 lures to target Azerbaijan public and private sectors. Retrieved April 27, 2020. 

  167. Dragos. (n.d.). ICS Cybersecurity Year in Review 2020. Retrieved February 25, 2021. 

  168. Symantec Security Response. (2015, December 7). Iran-based attackers use back door threats to spy on Middle Eastern targets. Retrieved April 17, 2019. 

  169. Grunzweig, J. and Miller-Osborn, J.. (2016, February 4). T9000: Advanced Modular Backdoor Uses Complex Anti-Analysis Techniques. Retrieved April 15, 2016. 

  170. Check Point. (2022, January 11). APT35 exploits Log4j vulnerability to distribute new modular PowerShell toolkit. Retrieved January 24, 2022. 

  171. Giuliani, M., Allievi, A. (2011, February 28). Carberp - a modular information stealing trojan. Retrieved September 12, 2024. 

  172. Cash, D., Grunzweig, J., Meltzer, M., Adair, S., Lancaster, T. (2021, August 17). North Korean APT InkySquid Infects Victims Using Browser Exploits. Retrieved September 30, 2021. 

  173. DHS/CISA, Cyber National Mission Force. (2020, October 1). Malware Analysis Report (MAR) MAR-10303705-1.v1 – Remote Access Trojan: SLOTHFULMEDIA. Retrieved October 2, 2020. 

  174. Falcone, R., et al. (2018, July 27). New Threat Actor Group DarkHydrus Targets Middle East Government. Retrieved August 2, 2018. 

  175. Salem, E. (2020, November 17). CHAES: Novel Malware Targeting Latin American E-Commerce. Retrieved June 30, 2021. 

  176. Singh, S. et al.. (2018, March 13). Iranian Threat Group Updates Tactics, Techniques and Procedures in Spear Phishing Campaign. Retrieved April 11, 2018. 

  177. Lunghi, D. and Horejsi, J.. (2019, June 10). MuddyWater Resurfaces, Uses Multi-Stage Backdoor POWERSTATS V3 and New Post-Exploitation Tools. Retrieved May 14, 2020. 

  178. Sharma, R. (2018, August 15). Revamped jRAT Uses New Anti-Parsing Techniques. Retrieved September 21, 2018. 

  179. Kamluk, V. & Gostev, A. (2016, February). Adwind - A Cross-Platform RAT. Retrieved April 23, 2019. 

  180. Sardiwal, M, et al. (2017, December 7). New Targeted Attack in the Middle East by APT34, a Suspected Iranian Threat Group, Using CVE-2017-11882 Exploit. Retrieved December 20, 2017. 

  181. Yan, T., et al. (2018, November 21). New Wine in Old Bottle: New Azorult Variant Found in FindMyName Campaign using Fallout Exploit Kit. Retrieved November 29, 2018. 

  182. Knight, S.. (2020, April 16). VMware Carbon Black TAU Threat Analysis: The Evolution of Lazarus. Retrieved May 1, 2020. 

  183. Kaspersky Lab. (2017, March 7). From Shamoon to StoneDrill: Wipers attacking Saudi organizations and beyond. Retrieved March 14, 2019. 

  184. Balanza, M. (2018, April 02). Infostealer.Catchamas. Retrieved November 17, 2024. 

  185. KASPERSKY GERT. (2023, December 14). Unveiling NKAbuse: a new multiplatform threat abusing the NKN protocol. Retrieved February 8, 2024. 

  186. Grunzweig, J.. (2017, April 20). Cardinal RAT Active for Over Two Years. Retrieved December 8, 2018. 

  187. Mac Threat Response, Mobile Research Team. (2020, August 13). The XCSSET Malware: Inserts Malicious Code Into Xcode Projects, Performs UXSS Backdoor Planting in Safari, and Leverages Two Zero-day Exploits. Retrieved October 5, 2021. 

  188. Kaspersky Lab’s Global Research & Analysis Team. (2018, October 15). Octopus-infested seas of Central Asia. Retrieved November 14, 2018. 

  189. Paganini, P. (2018, October 16). Russia-linked APT group DustSquad targets diplomatic entities in Central Asia. Retrieved August 24, 2021. 

  190. Cherepanov, A. (2018, October 4). Nomadic Octopus Cyber espionage in Central Asia. Retrieved October 13, 2021. 

  191. Faou, M. and Boutin, J. (2017, February). Read The Manual: A Guide to the RTM Banking Trojan. Retrieved March 9, 2017. 

  192. Duncan, B., Harbison, M. (2019, January 23). Russian Language Malspam Pushing Redaman Banking Malware. Retrieved June 16, 2020. 

  193. Microsoft Threat Intelligence Center. (2022, February 4). ACTINIUM targets Ukrainian organizations. Retrieved February 18, 2022. 

  194. ESET. (2019, July). MACHETE JUST GOT SHARPER Venezuelan government institutions under attack. Retrieved September 13, 2019. 

  195. Kaspersky Global Research and Analysis Team. (2014, August 20). El Machete. Retrieved September 13, 2019. 

  196. The Cylance Threat Research Team. (2017, March 22). El Machete’s Malware Attacks Cut Through LATAM. Retrieved September 13, 2019. 

  197. kate. (2020, September 25). APT-C-43 steals Venezuelan military secrets to provide intelligence support for the reactionaries — HpReact campaign. Retrieved November 20, 2020. 

  198. Brod. (2013, July 15). Signed Mac Malware Using Right-to-Left Override Trick. Retrieved July 17, 2017. 

  199. Thomas. (2013, July 15). New signed malware called Janicab. Retrieved July 17, 2017. 

  200. GReAT. (2021, June 16). Ferocious Kitten: 6 Years of Covert Surveillance in Iran. Retrieved September 22, 2021. 

  201. US-CERT. (2018, March 16). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved June 6, 2018. 

  202. Symantec Security Response. (2014, July 7). Dragonfly: Western energy sector targeted by sophisticated attack group. Retrieved September 9, 2017. 

  203. Slowik, J. (2021, October). THE BAFFLING BERSERK BEAR: A DECADE’S ACTIVITY TARGETING CRITICAL INFRASTRUCTURE. Retrieved December 6, 2021. 

  204. Chen, J. et al. (2019, November). Operation ENDTRADE: TICK’s Multi-Stage Backdoors for Attacking Industries and Stealing Classified Data. Retrieved June 9, 2020. 

  205. Boutin, J. (2020, June 11). Gamaredon group grows its game. Retrieved June 16, 2020. 

  206. Rusnák, Z. (2024, September 26). Cyberespionage the Gamaredon way: Analysis of toolset used to spy on Ukraine in 2022 and 2023. Retrieved October 30, 2024. 

  207. Threat Hunter Team, Symantec and Carbon Black. (2025, April 10). Shuckworm Targets Foreign Military Mission Based in Ukraine. Retrieved July 23, 2025. 

  208. Davis, S. and Caban, D. (2017, December 19). APT34 - New Targeted Attack in the Middle East. Retrieved December 20, 2017. 

  209. ESET. (2016, October). En Route with Sednit - Part 2: Observing the Comings and Goings. Retrieved November 21, 2016. 

  210. Secureworks CTU. (2017, March 30). IRON TWILIGHT Supports Active Measures. Retrieved February 28, 2022. 

  211. Tetra Defense. (2020, March). CAUSE AND EFFECT: SODINOKIBI RANSOMWARE ANALYSIS. Retrieved November 17, 2024. 

  212. Mandiant. (n.d.). APT42: Crooked Charms, Cons and Compromises. Retrieved October 9, 2024. 

  213. Lee, B. and Falcone, R. (2017, February 15). Magic Hound Campaign Attacks Saudi Targets. Retrieved December 27, 2017. 

  214. Kaspersky Lab’s Global Research & Analysis Team. (2018, October 10). MuddyWater expands operations. Retrieved November 2, 2018. 

  215. CERT-UA. (2023, February 1). UAC-0114 aka Winter Vivern to target Ukrainian and Polish GOV entities (CERT-UA#5909). Retrieved July 29, 2024. 

  216. GReAT. (2017, November 1). Silence – a new Trojan attacking financial organizations. Retrieved May 24, 2019. 

  217. Group-IB. (2018, September). Silence: Moving Into the Darkside. Retrieved May 5, 2020. 

  218. CISA et al.. (2024, February 7). PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure. Retrieved May 15, 2024. 

  219. Scott-Railton, J., et al. (2016, August 2). Group5: Syria and the Iranian Connection. Retrieved September 26, 2016. 

  220. Symantec. (2018, February 28). Chafer: Latest Attacks Reveal Heightened Ambitions. Retrieved May 22, 2020. 

  221. FBI. (2020, September 17). Indicators of Compromise Associated with Rana Intelligence Computing, also known as Advanced Persistent Threat 39, Chafer, Cadelspy, Remexi, and ITG07. Retrieved December 10, 2020. 

  222. Department of Justice. (2018, August 01). HOW FIN7 ATTACKED AND STOLE DATA. Retrieved August 24, 2018.