- Agent Tesla has the ability to steal credentials from FTP clients and wireless profiles.
- APT33 has used a variety of publicly available tools like LaZagne to gather credentials.
- APT39 has used the Smartftp Password Decryptor tool to decrypt FTP passwords.
- Astaroth uses an external software known as NetPass to recover passwords.
- Carberp's passw.plug plugin can gather account information from multiple instant messaging, email, and social media services, as well as FTP, VNC, and VPN clients.
- CosmicDuke collects user credentials, including passwords, for various programs including popular instant messaging applications and email clients as well as WLAN keys.
- Evilnum can collect email credentials from victims.
- FIN6 has used the Stealer One credential stealer to target e-mail and file transfer utilities including FTP.
- HEXANE has run cmdkey on victim machines to identify stored credentials.
- KGH_SPY can collect credentials from WinSCP.
- LaZagne can obtain credentials from databases, mail, and WiFi across multiple platforms.
- Leafminer used several tools for retrieving login and password information, including LaZagne.
- Lokibot has stolen credentials from multiple applications and data sources including Windows OS credentials, email clients, FTP, and SFTP clients.
- Matryoshka is capable of stealing Outlook passwords.
- Mimikatz performs credential dumping to obtain account and password information useful in gaining access to additional systems and enterprise network resources. It contains functionality to acquire information about credentials in many ways, including from the credential vault and DPAPI.
- MuddyWater has performed credential dumping with LaZagne and other tools, including by dumping passwords saved in victim email.
- NETWIRE can retrieve passwords from messaging and mail client applications.
- OilRig has used credential dumping tools such as LaZagne to steal credentials to accounts logged into the compromised system and to Outlook Web Access.
- OLDBAIT collects credentials from several email clients.
- PinchDuke steals credentials from compromised hosts. PinchDuke's credential stealing functionality is believed to be based on the source code of the Pinch credential stealing malware (also known as LdPinch). Credentials targeted by PinchDuke include ones associated with many sources such as The Bat!, Yahoo!, Mail.ru, Passport.Net, Google Talk, and Microsoft Outlook.
- PLEAD has the ability to steal saved passwords from Microsoft Outlook.
- PoshC2 can decrypt passwords stored in the RDCMan configuration file.
- A module in Prikormka collects passwords stored in applications installed on the victim.
- Pupy can use LaZagne for harvesting credentials.
- QuasarRAT can obtain passwords from common FTP clients.
- During the SolarWinds Compromise, APT29 used account credentials they obtained to attempt access to Group Managed Service Account (gMSA) passwords.
- Stealth Falcon malware gathers passwords from multiple sources, including Windows Credential Vault and Outlook.