Skip to content

T1115 Clipboard Data

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

For example, on Windows adversaries can access clipboard data by using clip.exe or Get-Clipboard.431 Additionally, adversaries may monitor then replace users’ clipboard with their data (e.g., Transmitted Data Manipulation).2

macOS and Linux also have commands, such as pbpaste, to grab clipboard contents.5

Item Value
ID T1115
Sub-techniques
Tactics TA0009
Platforms Linux, Windows, macOS
Version 1.2
Created 31 May 2017
Last Modified 24 October 2025

Procedure Examples

ID Name Description
S0331 Agent Tesla Agent Tesla can steal data from the victim’s clipboard.10111213
G0082 APT38 APT38 used a Trojan called KEYLIME to collect data from the clipboard.61
G0087 APT39 APT39 has used tools capable of stealing contents of the clipboard.60
S0373 Astaroth Astaroth collects information from the clipboard by using the OpenClipboard() and GetClipboardData() libraries. 17
S0438 Attor Attor has a plugin that collects data stored in the Windows clipboard by using the OpenClipboard and GetClipboardData APIs.19
S1226 BOOKWORM BOOKWORM has used its KBLogger.dll module to steal data saved to the clipboard. 59
S0454 Cadelspy Cadelspy has the ability to steal data from the clipboard.25
S0261 Catchamas Catchamas steals data stored in the clipboard.43
S1149 CHIMNEYSWEEP CHIMNEYSWEEP can capture content from the clipboard.21
S0660 Clambling Clambling has the ability to capture and store clipboard data.3031
S0050 CosmicDuke CosmicDuke copies and exfiltrates the clipboard contents every 30 seconds.27
S0334 DarkComet DarkComet can steal data from the clipboard.16
S1111 DarkGate DarkGate starts a thread on execution that captures clipboard data and logs it to a predefined log file.4647
S1066 DarkTortilla DarkTortilla can download a clipboard information stealer module.32
S0363 Empire Empire can harvest clipboard data on both Windows and macOS systems.7
S0569 Explosive Explosive has a function to use the OpenClipboard wrapper.45
S0381 FlawedAmmyy FlawedAmmyy can collect clipboard data.52
S0531 Grandoreiro Grandoreiro can capture clipboard data from a compromised host.41
S0170 Helminth The executable version of Helminth has a module to log clipboard contents.42
S1245 InvisibleFerret InvisibleFerret has stolen data from the clipboard using the Python project “pyperclip”.535456 InvisibleFerret has also captured clipboard contents during copy and paste operations.55
S0044 JHUHUGIT A JHUHUGIT variant accesses a screenshot saved in the clipboard and converts it to a JPG image.37
S0283 jRAT jRAT can capture clipboard data.44
S0250 Koadic Koadic can retrieve the current content of the user clipboard.9
S0356 KONNI KONNI had a feature to steal data from the clipboard.22
S0409 Machete Machete hijacks the clipboard data by creating an overlapped window that listens to keyboard events.3536
S0282 MacSpy MacSpy can steal clipboard contents.24
S0652 MarkiRAT MarkiRAT can capture clipboard content.57
S0530 Melcoz Melcoz can monitor content saved to the clipboard.49
S0455 Metamorfo Metamorfo has a function to hijack data from the clipboard by monitoring the contents of the clipboard and replacing the cryptocurrency wallet with the attacker’s.3334
S1146 MgBot MgBot can capture clipboard data.3940
S1122 Mispadu Mispadu has the ability to capture and replace Bitcoin wallet data in the clipboard on a compromised host.51
G0049 OilRig OilRig has used infostealer tools to copy clipboard data.62
C0014 Operation Wocao During Operation Wocao, threat actors collected clipboard data in plaintext.63
S1233 PAKLOG PAKLOG has monitored and extracted clipboard contents.26
S0332 Remcos Remcos steals and modifies data from the clipboard.8
S0375 Remexi Remexi collects text from the clipboard.23
S0240 ROKRAT ROKRAT can extract clipboard data from a compromised host.38
S0148 RTM RTM collects data from the clipboard.1415
S0253 RunningRAT RunningRAT contains code to open and copy data from the clipboard.50
S0692 SILENTTRINITY SILENTTRINITY can monitor Clipboard text and can use System.Windows.Forms.Clipboard.GetText() to collect data from the clipboard.6
S0467 TajMahal TajMahal has the ability to steal data from the clipboard of an infected host.58
S0004 TinyZBot TinyZBot contains functionality to collect information from the clipboard.18
S0257 VERMIN VERMIN collects data stored in the clipboard.20
S1207 XLoader XLoader can collect data stored in the victim’s clipboard.2928
S0330 Zeus Panda Zeus Panda can hook GetClipboardData function to watch for clipboard pastes to collect.48

References

  1. CISA. (2021, August 20). Alert (AA21-200B) Chinese State-Sponsored Cyber Operations: Observed TTPs. Retrieved June 21, 2022. 

  2. Maljic, T. (2020, April 16). Mining for malicious Ruby gems. Retrieved October 15, 2022. 

  3. Microsoft, JasonGerend, et al. (2023, February 3). clip. Retrieved June 21, 2022. 

  4. Microsoft. (n.d.). About the Clipboard. Retrieved March 29, 2016. 

  5. rvrsh3ll. (2016, May 18). Operating with EmPyre. Retrieved July 12, 2017. 

  6. byt3bl33d3r. (n.d.). SILENTTRINITY. Retrieved September 12, 2024. 

  7. Schroeder, W., Warner, J., Nelson, M. (n.d.). Github PowerShellEmpire. Retrieved April 28, 2016. 

  8. Klijnsma, Y. (2018, January 23). Espionage Campaign Leverages Spear Phishing, RATs Against Turkish Defense Contractors. Retrieved November 6, 2018. 

  9. Magius, J., et al. (2017, July 19). Koadic. Retrieved September 27, 2024. 

  10. Brumaghin, E., et al. (2018, October 15). Old dog, new tricks - Analysing new RTF-based campaign distributing Agent Tesla, Loki with PyREbox. Retrieved November 5, 2018. 

  11. Zhang, X. (2018, April 05). Analysis of New Agent Tesla Spyware Variant. Retrieved November 5, 2018. 

  12. Zhang, X. (2017, June 28). In-Depth Analysis of A New Variant of .NET Malware AgentTesla. Retrieved November 5, 2018. 

  13. Arsene, L. (2020, April 21). Oil & Gas Spearphishing Campaigns Drop Agent Tesla Spyware in Advance of Historic OPEC+ Deal. Retrieved May 19, 2020. 

  14. Faou, M. and Boutin, J. (2017, February). Read The Manual: A Guide to the RTM Banking Trojan. Retrieved March 9, 2017. 

  15. Duncan, B., Harbison, M. (2019, January 23). Russian Language Malspam Pushing Redaman Banking Malware. Retrieved June 16, 2020. 

  16. Kujawa, A. (2018, March 27). You dirty RAT! Part 1: DarkComet. Retrieved November 6, 2018. 

  17. Salem, E. (2019, February 13). ASTAROTH MALWARE USES LEGITIMATE OS AND ANTIVIRUS PROCESSES TO STEAL PASSWORDS AND PERSONAL DATA. Retrieved April 17, 2019. 

  18. Cylance. (2014, December). Operation Cleaver. Retrieved September 14, 2017. 

  19. Hromcova, Z. (2019, October). AT COMMANDS, TOR-BASED COMMUNICATIONS: MEET ATTOR, A FANTASY CREATURE AND ALSO A SPY PLATFORM. Retrieved May 6, 2020. 

  20. Lancaster, T., Cortes, J. (2018, January 29). VERMIN: Quasar RAT and Custom Malware Used In Ukraine. Retrieved July 5, 2018. 

  21. Jenkins, L. at al. (2022, August 4). ROADSWEEP Ransomware - Likely Iranian Threat Actor Conducts Politically Motivated Disruptive Activity Against Albanian Government Organizations. Retrieved August 6, 2024. 

  22. Rascagneres, P. (2017, May 03). KONNI: A Malware Under The Radar For Years. Retrieved November 5, 2018. 

  23. Legezo, D. (2019, January 30). Chafer used Remexi malware to spy on Iran-based foreign diplomatic entities. Retrieved April 17, 2019. 

  24. Patrick Wardle. (n.d.). Mac Malware of 2017. Retrieved September 21, 2018. 

  25. Symantec Security Response. (2015, December 7). Iran-based attackers use back door threats to spy on Middle Eastern targets. Retrieved April 17, 2019. 

  26. Sudeep Singh. (2025, April 16). Latest Mustang Panda Arsenal: PAKLOG, CorKLOG, and SplatCloak | P2. Retrieved September 12, 2025. 

  27. F-Secure Labs. (2014, July). COSMICDUKE Cosmu with a twist of MiniDuke. Retrieved July 3, 2014. 

  28. Gustavo Palazolo, Netskope. (2022, March 11). New Formbook Campaign Delivered Through Phishing Emails. Retrieved March 11, 2025. 

  29. Nart Villeneuve, Randi Eitzman, Sandor Nemes & Tyler Dean, Google Cloud. (2017, October 5). Significant FormBook Distribution Campaigns Impacting the U.S. and South Korea. Retrieved March 11, 2025. 

  30. Lunghi, D. et al. (2020, February). Uncovering DRBControl. Retrieved November 12, 2021. 

  31. Chen, T. and Chen, Z. (2020, February 17). CLAMBLING - A New Backdoor Base On Dropbox. Retrieved November 12, 2021. 

  32. Secureworks Counter Threat Unit Research Team. (2022, August 17). DarkTortilla Malware Analysis. Retrieved November 3, 2022. 

  33. Zhang, X. (2020, February 4). Another Metamorfo Variant Targeting Customers of Financial Institutions in More Countries. Retrieved July 30, 2020. 

  34. ESET Research. (2019, October 3). Casbaneiro: peculiarities of this banking Trojan that affects Brazil and Mexico. Retrieved September 23, 2021. 

  35. ESET. (2019, July). MACHETE JUST GOT SHARPER Venezuelan government institutions under attack. Retrieved September 13, 2019. 

  36. Kaspersky Global Research and Analysis Team. (2014, August 20). El Machete. Retrieved September 13, 2019. 

  37. Unit 42. (2017, December 15). Unit 42 Playbook Viewer. Retrieved December 20, 2017. 

  38. Cash, D., Grunzweig, J., Adair, S., Lancaster, T. (2021, August 25). North Korean BLUELIGHT Special: InkySquid Deploys RokRAT. Retrieved October 1, 2021. 

  39. Facundo Muñoz. (2023, April 26). Evasive Panda APT group delivers malware via updates for popular Chinese software. Retrieved July 25, 2024. 

  40. Threat Hunter Team. (2023, April 20). Daggerfly: APT Actor Targets Telecoms Company in Africa. Retrieved July 25, 2024. 

  41. Abramov, D. (2020, April 13). Grandoreiro Malware Now Targeting Banks in Spain. Retrieved November 12, 2020. 

  42. Falcone, R. and Lee, B.. (2016, May 26). The OilRig Campaign: Attacks on Saudi Arabian Organizations Deliver Helminth Backdoor. Retrieved May 3, 2017. 

  43. Balanza, M. (2018, April 02). Infostealer.Catchamas. Retrieved November 17, 2024. 

  44. Kamluk, V. & Gostev, A. (2016, February). Adwind - A Cross-Platform RAT. Retrieved April 23, 2019. 

  45. Threat Intelligence and Research. (2015, March 30). VOLATILE CEDAR. Retrieved February 8, 2021. 

  46. Adi Zeligson & Rotem Kerner. (2018, November 13). Enter The DarkGate - New Cryptocurrency Mining and Ransomware Campaign. Retrieved February 9, 2024. 

  47. McGraw, T. (2024, December 4). Black Basta Ransomware Campaign Drops Zbot, DarkGate, and Custom Malware. Retrieved December 9, 2024. 

  48. Ebach, L. (2017, June 22). Analysis Results of Zeus.Variant.Panda. Retrieved November 5, 2018. 

  49. GReAT. (2020, July 14). The Tetrade: Brazilian banking malware goes global. Retrieved November 9, 2020. 

  50. Sherstobitoff, R., Saavedra-Morales, J. (2018, February 02). Gold Dragon Widens Olympics Malware Attacks, Gains Permanent Presence on Victims’ Systems. Retrieved June 6, 2018. 

  51. ESET Security. (2019, November 19). Mispadu: Advertisement for a discounted Unhappy Meal. Retrieved March 13, 2024. 

  52. Financial Security Institute. (2020, February 28). Profiling of TA505 Threat Group That Continues to Attack the Financial Sector. Retrieved July 14, 2022. 

  53. eSentire Threat Response Unit (TRU). (2024, November 14). Bored BeaverTail & InvisibleFerret Yacht Club – A Lazarus Lure Pt.2. Retrieved October 17, 2025. 

  54. Matej Havranek. (2025, February 20). DeceptiveDevelopment targets freelance developers. Retrieved October 17, 2025. 

  55. Seongsu Park. (2024, November 4). From Pyongyang to Your Payroll: The Rise of North Korean Remote Workers in the West. Retrieved October 17, 2025. 

  56. Unit 42. (2023, November 21). Hacking Employers and Seeking Employment: Two Job-Related Campaigns Bear Hallmarks of North Korean Threat Actors. Retrieved October 17, 2025. 

  57. GReAT. (2021, June 16). Ferocious Kitten: 6 Years of Covert Surveillance in Iran. Retrieved September 22, 2021. 

  58. GReAT. (2019, April 10). Project TajMahal – a sophisticated new APT framework. Retrieved October 14, 2019. 

  59. Robert Falcone, Mike Scott, Juan Cortes. (2015, November 10). Bookworm Trojan: A Model of Modular Architecture. Retrieved July 21, 2025. 

  60. Symantec. (2018, February 28). Chafer: Latest Attacks Reveal Heightened Ambitions. Retrieved May 22, 2020. 

  61. FireEye. (2018, October 03). APT38: Un-usual Suspects. Retrieved November 17, 2024. 

  62. Symantec Threat Hunter Team. (2023, October 19). Crambus: New Campaign Targets Middle Eastern Government. Retrieved November 27, 2024. 

  63. Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020.