Screen Capture

Agent Tesla can capture screenshots of the victim’s desktop.^{[3][4][5][6][7]}

AppleSeed can take screenshots on a compromised host by calling a series of APIs.^[8][9]

APT28 has used tools to take screenshots from victims.^{[10][11][12][13]}

APT39 has used a screen capture utility to take screenshots on a compromised host.^[14][15]

APT42 has used malware, such as GHAMBAR and POWERPOST, to take screenshots.^[16]

Aria-body has the ability to capture screenshots on compromised hosts.^[17]

AsyncRAT has the ability to view the screen on compromised hosts.^[18]

Attor's has a plugin that captures screenshots of the target applications.^[19]

Azorult can capture screenshots of the victim’s machines.^[20]

BADHATCH can take screenshots and send them to an actor-controlled C2 server.^[21]

BADNEWS has a command to take a screenshot and send it to the C2 server.^[22][23]

BadPatch captures screenshots in .jpg format and then exfiltrates them.^[24]

Bandook is capable of taking an image of and uploading the current desktop.^[25][26]

BISCUIT has a command to periodically take screenshots of the system.^[27]

BlackEnergy is capable of taking screenshots.^[28]

BLUELIGHT has captured a screenshot of the display every 30 seconds for the first 5 minutes after initiating a C2 loop, and then once every five minutes thereafter.^[29]

BRONZE BUTLER has used a tool to capture screenshots.^[30][31]

Brute Ratel C4 can take screenshots on compromised hosts.^[32]

Cadelspy has the ability to capture screenshots and webcam photos.^[33]

Cannon can take a screenshot of the desktop.^[34]

Carbanak performs desktop video recording and captures screenshots of the desktop and sends it to the C2 server.^[35]

Carberp can capture display screenshots with the screens_dll.dll plugin.^[36]

Cardinal RAT can capture screenshots.^[37]

Catchamas captures screenshots based on specific keywords in the window’s title.^[38]

Chaes can capture screenshots of the infected machine.^[39]

CharmPower has the ability to capture screenshots.^[40]

CHIMNEYSWEEP can capture screenshots on targeted systems using a timer and either upload them or store them to disk.^[41]

CHOPSTICK has the capability to capture screenshots.^[12]

Chrommme has the ability to capture screenshots.^[42]

Clambling has the ability to capture screenshots.^[43]

Cobalt Strike's Beacon payload is capable of capturing screenshots.^[44][45][46]

Cobian RAT has a feature to perform screen capture.^[47]

ConnectWise can take screenshots on remote hosts.^[48]

CosmicDuke takes periodic screenshots and exfiltrates them.^[49]

Crimson contains a command to perform screen captures.^[50][51][52]

CrossRAT is capable of taking screen captures.^[25]

Cuckoo Stealer can run screencapture to collect screenshots from compromised hosts. ^[53]

Dark Caracal took screenshots using their Windows malware.^[25]

Daserf can take screenshots.^[54][30]

Derusbi is capable of performing screen captures.^[55]

DOGCALL is capable of capturing screenshots of the victim's machine.^[56][57]

Dragonfly has performed screen captures of victims, including by using a tool, scr.exe (which matched the hash of ScreenUtil).^[58][59][60]

DUSTTRAP can capture screenshots.^[61]

DustySky captures PNG screenshots of the main screen.^[62]

ECCENTRICBANDWAGON can capture screenshots and store them locally.^[63]

Empire is capable of capturing screenshots on Windows and macOS systems.^[64]

EvilGrab has the capability to capture screenshots.^[65]

FIN7 captured screenshots and desktop video recordings.^[66]

FinFisher takes a screenshot of the screen and displays it on top of all other windows for few seconds in an apparent attempt to hide some messages showed by the system during the setup process.^[67][68]

Flame can take regular screenshots when certain applications are open that are sent to the command and control server.^[69]

FlawedAmmyy can capture screenshots.^[70]

FruitFly takes screenshots of the user's desktop.^[71]

The FunnyDream ScreenCap component can take screenshots on a compromised host.^[72]

Gamaredon Group's malware can take screenshots of the compromised computer every minute.^[73]

gh0st RAT can capture the victim’s screen remotely.^[74]

GOLD SOUTHFIELD has used the remote monitoring and management tool ConnectWise to obtain screen captures from victim's machines.^[75]

GRIFFON has used a screenshot module that can be used to take a screenshot of the remote system.^[76]

Malware used by Group5 is capable of watching the victim's screen.^[77]

HALFBAKED can obtain screenshots from the victim.^[78]

HotCroissant has the ability to do real time screen viewing on an infected host.^[79]

Hydraq includes a component based on the code of VNC that can stream a live feed of the desktop of an infected host.^[80]

HyperBro has the ability to take screenshots.^[81]

InvisiMole can capture screenshots of not only the entire screen, but of each separate window open, in case they are overlapping.^[82][83]

Janicab captured screenshots and sent them out to a C2 server.^[84][85]

A JHUHUGIT variant takes screenshots by simulating the user pressing the "Take Screenshot" key (VK_SCREENSHOT), accessing the screenshot saved in the clipboard, and converting it to a JPG image.^[86][87]

jRAT has the capability to take screenshots of the victim’s machine.^[88][89]

Kasidet has the ability to initiate keylogging and screen captures.^[90]

Kazuar captures screenshots of the victim’s screen.^[91]

KeyBoy has a command to perform screen grabbing.^[92]

KEYMARBLE can capture screenshots of the victim’s machine.^[93]

Kimsuky has captured browser screenshots using TRANSLATEXT.^[94]

Kivars has the ability to capture screenshots on the infected host.^[95]

KONNI can take screenshots of the victim’s machine.^[96]

LightSpy uses Apple's built-in AVFoundation Framework library to access the user's camera and screen. It uses the AVCaptureStillImage to take a picture using the user's camera and the AVCaptureScreen to take a screenshot or record the user's screen for a specified period of time.^[97]

LitePower can take system screenshots and save them to %AppData%.^[98]

Lizar can take JPEG screenshots of an infected system.^[99][100]

LookBack can take desktop screenshots.^[101]

Lumma Stealer has taken screenshots of victim machines.^[102]

LunarMail can capture screenshots from compromised hosts.^[103]

Machete captures screenshots.^{[104][105][106][107]}

MacMa has used Apple’s Core Graphic APIs, such as CGWindowListCreateImageFromArray, to capture the user's screen and open windows.^[108][109]

MacSpy can capture screenshots of the desktop over multiple monitors.^[71]

Mafalda can take a screenshot of the target machine and save it to a file.^[110]

Magic Hound malware can take a screenshot and upload the file to its C2 server.^[111]

Manjusaka can take screenshots of the victim desktop.^[112]

MarkiRAT can capture screenshots that are initially saved as ‘scr.jpg’.^[113]

Matryoshka is capable of performing screen captures.^[114][115]

metaMain can take and save screenshots.^[110][116]

Metamorfo can collect screenshots of the victim’s machine.^[117][118]

Micropsia takes screenshots every 90 seconds by calling the Gdi32.BitBlt API.^[119]

Mispadu has the ability to capture screenshots on compromised hosts.^{[120][121][122][123]}

MoustachedBouncer has used plugins to take screenshots on targeted systems.^[124]

MuddyWater has used malware that can capture screenshots of the victim’s machine.^[125]

NETWIRE can capture the victim's screen.^{[126][127][128][129]}

NightClub can load a module to call CreateCompatibleDC and GdipSaveImageToStream for screen capture.^[124]

njRAT can capture screenshots of the victim’s machines.^[130]

NKAbuse can take screenshots of the victim machine.^[131]

ObliqueRAT can capture a screenshot of the current screen.^[132]

Octopus can capture screenshots of the victims’ machine.^{[133][134][135]}

OilRig has a tool called CANDYKING to capture a screenshot of user's desktop.^[136]

PcShare can take screen shots of a compromised machine.^[72]

Peppy can take screenshots on targeted systems.^[50]

PlugX allows the operator to capture screenshots.^[137]

PoetRAT has the ability to take screen captures.^[138][139]

POORAIM can perform screen capturing.^[56]

PowerSploit's Get-TimedScreenshot Exfiltration module can take screenshots at regular intervals.^[140][141]

POWERSTATS can retrieve screenshots from compromised hosts.^[142][143]

POWRUNER can capture a screenshot from a victim.^[144]

Prikormka contains a module that captures screenshots of the victim's desktop.^[145]

Proton captures the content of the desktop with the screencapture binary.^[71]

Pteranodon can capture screenshots at a configurable interval.^[146][147]

Pupy can drop a mouse-logger that will take small screenshots around at each click and then send back to the server.^[148]

Quick Assist allows for the remote administrator to take screenshots of the running system.^[149]

QuietSieve has taken screenshots every five minutes and saved them to the user's local Application Data folder under Temp\SymbolSourceSymbols\icons or Temp\ModeAuto\icons.^[150]

Raccoon Stealer can capture screenshots from victim systems.^[151][152]

RainyDay has the ability to capture screenshots.^[153]

Ramsay can take screenshots every 30 seconds as well as when an external removable storage device is connected.^[154]

RCSession can capture screenshots from a compromised host.^[155]

RDAT can take a screenshot on the infected system.^[156]

RedLeaves can capture screenshots.^[157][158]

Remcos takes automated screenshots of the infected machine.^[159]

Remexi takes screenshots of windows of interest.^[160]

RemoteUtilities can take screenshots on a compromised host.^[161]

Revenge RAT has a plugin for screen capture.^[162]

RogueRobin has a command named $screenshot that may be responsible for taking screenshots of the victim machine.^[163]

ROKRAT can capture screenshots of the infected system using the gdi32 library.^{[164][165][166][167][168]}

Rover takes screenshots of the compromised system's desktop and saves them to C:\system\screenshot.bmp for exfiltration every 60 minutes.^[169]

RTM can capture screenshots.^[170][171]

SharpStage has the ability to capture the victim's screen.^[172][173]

SHUTTERSPEED can capture screenshots.^[56]

Silence can capture victim screen activity.^[174][175]

SILENTTRINITY can take a screenshot of the current desktop.^[176]

Sliver can take screenshots of the victim’s active display.^[177]

SLOTHFULMEDIA has taken a screenshot of a victim's desktop, named it "Filter3.jpg", and stored it in the local directory.^[178]

SMOKEDHAM can capture screenshots of the victim’s desktop.^[179][180]

Socksbot can take screenshots.^[181]