Screen Capture

Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as CopyFromScreen, xwd, or screencapture.[1][2]

ID: T1113
Sub-techniques:  No sub-techniques
Tactic: Collection
Platforms: Linux, Windows, macOS
Data Sources: Command: Command Execution, Process: OS API Execution
Version: 1.1
Created: 31 May 2017
Last Modified: 24 March 2020

Procedure Examples

ID Name Description
S0331 Agent Tesla

Agent Tesla can capture screenshots of the victim’s desktop.[3][4][5][6][7]

G0007 APT28

APT28 has used tools to take screenshots from victims.[8][9][10]

G0087 APT39

APT39 has used a screen capture utility to take screenshots on a compromised host.[11][12]

S0456 Aria-body

Aria-body has the ability to capture screenshots on compromised hosts.[13]

S0438 Attor

Attor's has a plugin that captures screenshots of the target applications.[14]

S0344 Azorult

Azorult can capture screenshots of the victim’s machines.[15]


BADNEWS has a command to take a screenshot and send it to the C2 server.[16][17]

S0337 BadPatch

BadPatch captures screenshots in .jpg format and then exfiltrates them.[18]

S0234 Bandook

Bandook is capable of taking an image of and uploading the current desktop.[19]


BISCUIT has a command to periodically take screenshots of the system.[20]

S0089 BlackEnergy

BlackEnergy is capable of taking screenshots.[21]


BRONZE BUTLER has used a tool to capture screenshots.[22][23]

S0454 Cadelspy

Cadelspy has the ability to capture screenshots and webcam photos.[24]

S0351 Cannon

Cannon can take a screenshot of the desktop.[25]

S0030 Carbanak

Carbanak performs desktop video recording and captures screenshots of the desktop and sends it to the C2 server.[26]

S0484 Carberp

Carberp can capture display screenshots with the screens_dll.dll plugin.[27]

S0348 Cardinal RAT

Cardinal RAT can capture screenshots.[28]

S0261 Catchamas

Catchamas captures screenshots based on specific keywords in the window’s title.[29]


CHOPSTICK has the capability to capture screenshots.[10]

S0154 Cobalt Strike

Cobalt Strike's "beacon" payload is capable of capturing screenshots.[30][31]

S0338 Cobian RAT

Cobian RAT has a feature to perform screen capture.[32]

S0591 ConnectWise

ConnectWise can take screenshots on remote hosts.[33]

S0050 CosmicDuke

CosmicDuke takes periodic screenshots and exfiltrates them.[34]

S0115 Crimson

Crimson contains a command to perform screen captures.[35]

S0235 CrossRAT

CrossRAT is capable of taking screen captures.[19]

G0070 Dark Caracal

Dark Caracal took screenshots using their Windows malware.[19]

S0187 Daserf

Daserf can take screenshots.[36][22]

S0021 Derusbi

Derusbi is capable of performing screen captures.[37]


DOGCALL is capable of capturing screenshots of the victim's machine.[38][39]

G0074 Dragonfly 2.0

Dragonfly 2.0 has performed screen captures of victims, including by using a tool, scr.exe (which matched the hash of ScreenUtil).[40][41]

S0062 DustySky

DustySky captures PNG screenshots of the main screen.[42]


ECCENTRICBANDWAGON can capture screenshots and store them locally.[43]

S0363 Empire

Empire is capable of capturing screenshots on Windows and macOS systems.[44]

S0152 EvilGrab

EvilGrab has the capability to capture screenshots.[45]

G0046 FIN7

FIN7 captured screenshots and desktop video recordings.[46]

S0182 FinFisher

FinFisher takes a screenshot of the screen and displays it on top of all other windows for few seconds in an apparent attempt to hide some messages showed by the system during the setup process.[47][48]

S0143 Flame

Flame can take regular screenshots when certain applications are open that are sent to the command and control server.[49]

S0277 FruitFly

FruitFly takes screenshots of the user's desktop.[50]

G0047 Gamaredon Group

Gamaredon Group's malware can take screenshots of the compromised computer every minute.[51]

S0032 gh0st RAT

gh0st RAT can capture the victim’s screen remotely.[52]


GOLD SOUTHFIELD has used the remote monitoring and management tool ConnectWise to obtain screen captures from victim's machines.[53]


GRIFFON has used a screenshot module that can be used to take a screenshot of the remote system.[54]

G0043 Group5

Malware used by Group5 is capable of watching the victim's screen.[55]


HALFBAKED can obtain screenshots from the victim.[56]

S0431 HotCroissant

HotCroissant has the ability to do real time screen viewing on an infected host.[57]

S0203 Hydraq

Hydraq includes a component based on the code of VNC that can stream a live feed of the desktop of an infected host.[58]

S0398 HyperBro

HyperBro has the ability to take screenshots.[59]

S0260 InvisiMole

InvisiMole can capture screenshots of not only the entire screen, but of each separate window open, in case they are overlapping.[60][61]

S0163 Janicab

Janicab captured screenshots and sent them out to a C2 server.[62][63]


A JHUHUGIT variant takes screenshots by simulating the user pressing the "Take Screenshot" key (VK_SCREENSHOT), accessing the screenshot saved in the clipboard, and converting it to a JPG image.[64][65]

S0283 jRAT

jRAT has the capability to take screenshots of the victim’s machine.[66][67]

S0088 Kasidet

Kasidet has the ability to initiate keylogging and screen captures.[68]

S0265 Kazuar

Kazuar captures screenshots of the victim’s screen.[69]

S0387 KeyBoy

KeyBoy has a command to perform screen grabbing.[70]


KEYMARBLE can capture screenshots of the victim’s machine.[71]

S0437 Kivars

Kivars has the ability to capture screenshots on the infected host.[72]


KONNI can take screenshots of the victim’s machine.[73]

S0582 LookBack

LookBack can take desktop screenshots.[74]

S0409 Machete

Machete captures screenshots.[75][76][77][78]

S0282 MacSpy

MacSpy can capture screenshots of the desktop over multiple monitors.[50]

G0059 Magic Hound

Magic Hound malware can take a screenshot and upload the file to its C2 server.[79]

S0167 Matryoshka

Matryoshka is capable of performing screen captures.[80][81]

S0455 Metamorfo

Metamorfo can collect screenshots of the victim’s machine.[82]

S0339 Micropsia

Micropsia takes screenshots every 90 seconds by calling the Gdi32.BitBlt API.[83]

G0069 MuddyWater

MuddyWater has used malware that can capture screenshots of the victim’s machine.[84]


NETWIRE can capture the victim's screen.[85][86][87][88]

S0385 njRAT

njRAT can capture screenshots of the victim’s machines.[89]

S0340 Octopus

Octopus can capture screenshots of the victims’ machine.[90]

G0049 OilRig

OilRig has a tool called CANDYKING to capture a screenshot of user's desktop.[91]

S0013 PlugX

PlugX allows the operator to capture screenshots.[92]

S0428 PoetRAT

PoetRAT has the ability to take screen captures.[93][94]


POORAIM can perform screen capturing.[38]

S0194 PowerSploit

PowerSploit's Get-TimedScreenshot Exfiltration module can take screenshots at regular intervals.[95][96]


POWERSTATS can retrieve screenshots from compromised hosts.[97][98]


POWRUNER can capture a screenshot from a victim.[99]

S0113 Prikormka

Prikormka contains a module that captures screenshots of the victim's desktop.[100]

S0279 Proton

Proton captures the content of the desktop with the screencapture binary.[50]

S0147 Pteranodon

Pteranodon can capture screenshots at a configurable interval.[101]

S0192 Pupy

Pupy can drop a mouse-logger that will take small screenshots around at each click and then send back to the server.[102]

S0458 Ramsay

Ramsay can take screenshots every 30 seconds as well as when an external removable storage device is connected.[103]

S0495 RDAT

RDAT can take a screenshot on the infected system.[104]

S0153 RedLeaves

RedLeaves can capture screenshots.[105][106]

S0332 Remcos

Remcos takes automated screenshots of the infected machine.[107]

S0375 Remexi

Remexi takes screenshots of windows of interest.[108]

S0592 RemoteUtilities

RemoteUtilities can take screenshots on a compromised host.[109]

S0379 Revenge RAT

Revenge RAT has a plugin for screen capture.[110]

S0270 RogueRobin

RogueRobin has a command named $screenshot that may be responsible for taking screenshots of the victim machine.[111]


ROKRAT captures screenshots of the infected system using the gdi32 library.[112][113][114][115]

S0090 Rover

Rover takes screenshots of the compromised system's desktop and saves them to C:\system\screenshot.bmp for exfiltration every 60 minutes.[116]

S0148 RTM

RTM can capture screenshots.[117][118]

S0546 SharpStage

SharpStage has the ability to capture the victim's screen.[119][120]


SHUTTERSPEED can capture screenshots.[38]

G0091 Silence

Silence can capture victim screen activity.[121][122]


SLOTHFULMEDIA has taken a screenshot of a victim's desktop, named it "Filter3.jpg", and stored it in the local directory.[123]

S0273 Socksbot

Socksbot can take screenshots.[124]

S0380 StoneDrill

StoneDrill can take screenshots.[125]

S0098 T9000

T9000 can take screenshots of the desktop and target application windows, saving them to user directories as one byte XOR encrypted .dat files.[126]

S0467 TajMahal

TajMahal has the ability to take screenshots on an infected host including capturing content from windows of instant messaging applications.[127]

S0004 TinyZBot

TinyZBot contains screen capture functionality.[128]

S0094 Trojan.Karagany

Trojan.Karagany can take a desktop screenshot and save the file into \ProgramData\Mail\MailAg\shot.png.[129][130]


TURNEDUP is capable of taking screenshots.[131]


UPPERCUT can capture desktop screenshots in the PNG format and send them to the C2 server.[132]

S0386 Ursnif

Ursnif has used hooked APIs to take screenshots.[133][134]

S0476 Valak

Valak has the ability to take screenshots on a compromised host.[135]


VERMIN can perform screen captures of the victim’s machine.[136]

S0161 XAgentOSX

XAgentOSX contains the takeScreenShot (along with startTakeScreenShot and stopTakeScreenShot) functions to take screenshots using the CGGetActiveDisplayList, CGDisplayCreateImage, and NSImage:initWithCGImage methods.[9]

S0248 yty

yty collects screenshots of the victim machine.[137]

S0251 Zebrocy

A variant of Zebrocy captures screenshots of the victim’s machine in JPEG and BMP format.[25][138][139][140][141][142]

S0330 Zeus Panda

Zeus Panda can take screenshots of the victim’s machine.[143]

S0086 ZLib

ZLib has the ability to obtain screenshots of the compromised system.[144]

S0412 ZxShell

ZxShell can capture screenshots.[145]


This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.


Monitoring for screen capture behavior will depend on the method used to obtain data from the operating system and write output files. Detection methods could include collecting information from unusual processes using API calls used to obtain image data, and monitoring for image files written to disk. The sensor data may need to be correlated with other events to identify malicious activity, depending on the legitimacy of this behavior within a given network environment.


  1. Microsoft. (n.d.). Graphics.CopyFromScreen Method. Retrieved March 24, 2020.
  2. Thomas Reed. (2017, January 18). New Mac backdoor using antiquated code. Retrieved July 5, 2017.
  3. Brumaghin, E., et al. (2018, October 15). Old dog, new tricks - Analysing new RTF-based campaign distributing Agent Tesla, Loki with PyREbox. Retrieved November 5, 2018.
  4. The DigiTrust Group. (2017, January 12). The Rise of Agent Tesla. Retrieved November 5, 2018.
  5. Zhang, X. (2018, April 05). Analysis of New Agent Tesla Spyware Variant. Retrieved November 5, 2018.
  6. Zhang, X. (2017, June 28). In-Depth Analysis of A New Variant of .NET Malware AgentTesla. Retrieved November 5, 2018.
  7. Arsene, L. (2020, April 21). Oil & Gas Spearphishing Campaigns Drop Agent Tesla Spyware in Advance of Historic OPEC+ Deal. Retrieved May 19, 2020.
  8. ESET. (2016, October). En Route with Sednit - Part 2: Observing the Comings and Goings. Retrieved November 21, 2016.
  9. Robert Falcone. (2017, February 14). XAgentOSX: Sofacy's Xagent macOS Tool. Retrieved July 12, 2017.
  10. Mueller, R. (2018, July 13). Indictment - United States of America vs. VIKTOR BORISOVICH NETYKSHO, et al. Retrieved September 13, 2018.
  11. Symantec. (2018, February 28). Chafer: Latest Attacks Reveal Heightened Ambitions. Retrieved May 22, 2020.
  12. FBI. (2020, September 17). Indicators of Compromise Associated with Rana Intelligence Computing, also known as Advanced Persistent Threat 39, Chafer, Cadelspy, Remexi, and ITG07. Retrieved December 10, 2020.
  13. CheckPoint. (2020, May 7). Naikon APT: Cyber Espionage Reloaded. Retrieved May 26, 2020.
  15. Yan, T., et al. (2018, November 21). New Wine in Old Bottle: New Azorult Variant Found in FindMyName Campaign using Fallout Exploit Kit. Retrieved November 29, 2018.
  16. Settle, A., et al. (2016, August 8). MONSOON - Analysis Of An APT Campaign. Retrieved September 22, 2016.
  17. Levene, B. et al.. (2018, March 7). Patchwork Continues to Deliver BADNEWS to the Indian Subcontinent. Retrieved March 31, 2018.
  18. Bar, T., Conant, S. (2017, October 20). BadPatch. Retrieved November 13, 2018.
  19. Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. Retrieved April 11, 2018.
  20. Mandiant. (n.d.). Appendix C (Digital) - The Malware Arsenal. Retrieved July 18, 2016.
  21. Baumgartner, K. and Garnaeva, M.. (2014, November 3). BE2 custom plugins, router abuse, and target profiles. Retrieved March 24, 2016.
  22. Counter Threat Unit Research Team. (2017, October 12). BRONZE BUTLER Targets Japanese Enterprises. Retrieved January 4, 2018.
  23. Chen, J. et al. (2019, November). Operation ENDTRADE: TICK’s Multi-Stage Backdoors for Attacking Industries and Stealing Classified Data. Retrieved June 9, 2020.
  24. Symantec Security Response. (2015, December 7). Iran-based attackers use back door threats to spy on Middle Eastern targets. Retrieved April 17, 2019.
  25. Falcone, R., Lee, B. (2018, November 20). Sofacy Continues Global Attacks and Wheels Out New ‘Cannon’ Trojan. Retrieved November 26, 2018.
  26. Bennett, J., Vengerik, B. (2017, June 12). Behind the CARBANAK Backdoor. Retrieved June 11, 2018.
  27. Giuliani, M., Allievi, A. (2011, February 28). Carberp - a modular information stealing trojan. Retrieved July 15, 2020.
  28. Grunzweig, J.. (2017, April 20). Cardinal RAT Active for Over Two Years. Retrieved December 8, 2018.
  29. Balanza, M. (2018, April 02). Infostealer.Catchamas. Retrieved July 10, 2018.
  30. Strategic Cyber LLC. (2017, March 14). Cobalt Strike Manual. Retrieved May 24, 2017.
  31. Amnesty International. (2021, February 24). Vietnamese activists targeted by notorious hacking group. Retrieved March 1, 2021.
  32. Yadav, A., et al. (2017, August 31). Cobian RAT – A backdoored RAT. Retrieved November 13, 2018.
  33. Mele, G. et al. (2021, February 10). Probable Iranian Cyber Actors, Static Kitten, Conducting Cyberespionage Campaign Targeting UAE and Kuwait Government Agencies. Retrieved March 17, 2021.
  34. F-Secure Labs. (2014, July). COSMICDUKE Cosmu with a twist of MiniDuke. Retrieved July 3, 2014.
  35. Huss, D.. (2016, March 1). Operation Transparent Tribe. Retrieved June 8, 2016.
  36. Chen, J. and Hsieh, M. (2017, November 7). REDBALDKNIGHT/BRONZE BUTLER’s Daserf Backdoor Now Using Steganography. Retrieved December 27, 2017.
  37. FireEye. (2018, March 16). Suspected Chinese Cyber Espionage Group (TEMP.Periscope) Targeting U.S. Engineering and Maritime Industries. Retrieved April 11, 2018.
  38. FireEye. (2018, February 20). APT37 (Reaper): The Overlooked North Korean Actor. Retrieved March 1, 2018.
  39. Grunzweig, J. (2018, October 01). NOKKI Almost Ties the Knot with DOGCALL: Reaper Group Uses New Malware to Deploy RAT. Retrieved November 5, 2018.
  40. US-CERT. (2018, March 16). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved June 6, 2018.
  41. Symantec Security Response. (2017, September 6). Dragonfly: Western energy sector targeted by sophisticated attack group. Retrieved September 9, 2017.
  42. GReAT. (2019, April 10). Gaza Cybergang Group1, operation SneakyPastes. Retrieved May 13, 2020.
  43. Cybersecurity and Infrastructure Security Agency. (2020, August 26). MAR-10301706-1.v1 - North Korean Remote Access Tool: ECCENTRICBANDWAGON. Retrieved March 18, 2021.
  44. Schroeder, W., Warner, J., Nelson, M. (n.d.). Github PowerShellEmpire. Retrieved April 28, 2016.
  45. PwC and BAE Systems. (2017, April). Operation Cloud Hopper: Technical Annex. Retrieved April 13, 2017.
  46. Department of Justice. (2018, August 01). HOW FIN7 ATTACKED AND STOLE DATA. Retrieved August 24, 2018.
  47. FinFisher. (n.d.). Retrieved December 20, 2017.
  48. Allievi, A.,Flori, E. (2018, March 01). FinFisher exposed: A researcher’s tale of defeating traps, tricks, and complex virtual machines. Retrieved July 9, 2018.
  49. Gostev, A. (2012, May 28). The Flame: Questions and Answers. Retrieved March 1, 2017.
  50. Patrick Wardle. (n.d.). Mac Malware of 2017. Retrieved September 21, 2018.
  51. Boutin, J. (2020, June 11). Gamaredon group grows its game. Retrieved June 16, 2020.
  52. Pantazopoulos, N. (2018, April 17). Decoding network data from a Gh0st RAT variant. Retrieved November 2, 2018.
  53. Tetra Defense. (2020, March). CAUSE AND EFFECT: SODINOKIBI RANSOMWARE ANALYSIS. Retrieved December 14, 2020.
  54. Namestnikov, Y. and Aime, F. (2019, May 8). FIN7.5: the infamous cybercrime rig “FIN7” continues its activities. Retrieved October 11, 2019.
  55. Scott-Railton, J., et al. (2016, August 2). Group5: Syria and the Iranian Connection. Retrieved September 26, 2016.
  56. Carr, N., et al. (2017, April 24). FIN7 Evolution and the Phishing LNK. Retrieved April 24, 2017.
  57. Knight, S.. (2020, April 16). VMware Carbon Black TAU Threat Analysis: The Evolution of Lazarus. Retrieved May 1, 2020.
  58. Lelli, A. (2010, January 11). Trojan.Hydraq. Retrieved February 20, 2018.
  59. Falcone, R. and Lancaster, T.. (2019, May 28). Emissary Panda Attacks Middle East Government Sharepoint Servers. Retrieved July 9, 2019.
  60. Hromcová, Z. (2018, June 07). InvisiMole: Surprisingly equipped spyware, undercover since 2013. Retrieved July 10, 2018.
  61. Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE HIDDEN PART OF THE STORY. Retrieved July 16, 2020.
  62. Brod. (2013, July 15). Signed Mac Malware Using Right-to-Left Override Trick. Retrieved July 17, 2017.
  63. Thomas. (2013, July 15). New signed malware called Janicab. Retrieved July 17, 2017.
  64. Unit 42. (2017, December 15). Unit 42 Playbook Viewer. Retrieved December 20, 2017.
  65. Mercer, W., et al. (2017, October 22). "Cyber Conflict" Decoy Document Used in Real Cyber Conflict. Retrieved November 2, 2018.
  66. Sharma, R. (2018, August 15). Revamped jRAT Uses New Anti-Parsing Techniques. Retrieved September 21, 2018.
  67. Kamluk, V. & Gostev, A. (2016, February). Adwind - A Cross-Platform RAT. Retrieved April 23, 2019.
  68. Yadav, A., et al. (2016, January 29). Malicious Office files dropping Kasidet and Dridex. Retrieved March 24, 2016.
  69. Levene, B, et al. (2017, May 03). Kazuar: Multiplatform Espionage Backdoor with API Access. Retrieved July 17, 2018.
  70. Parys, B. (2017, February 11). The KeyBoys are back in town. Retrieved June 13, 2019.
  71. US-CERT. (2018, August 09). MAR-10135536-17 – North Korean Trojan: KEYMARBLE. Retrieved August 16, 2018.
  72. Bermejo, L., et al. (2017, June 22). Following the Trail of BlackTech’s Cyber Espionage Campaigns. Retrieved May 5, 2020.
  73. Rascagneres, P. (2017, May 03). KONNI: A Malware Under The Radar For Years. Retrieved November 5, 2018.
  1. Raggi, M. Schwarz, D.. (2019, August 1). LookBack Malware Targets the United States Utilities Sector with Phishing Attacks Impersonating Engineering Licensing Boards. Retrieved February 25, 2021.
  2. ESET. (2019, July). MACHETE JUST GOT SHARPER Venezuelan government institutions under attack. Retrieved September 13, 2019.
  3. Kaspersky Global Research and Analysis Team. (2014, August 20). El Machete. Retrieved September 13, 2019.
  4. The Cylance Threat Research Team. (2017, March 22). El Machete's Malware Attacks Cut Through LATAM. Retrieved September 13, 2019.
  5. kate. (2020, September 25). APT-C-43 steals Venezuelan military secrets to provide intelligence support for the reactionaries — HpReact campaign. Retrieved November 20, 2020.
  6. Lee, B. and Falcone, R. (2017, February 15). Magic Hound Campaign Attacks Saudi Targets. Retrieved December 27, 2017.
  7. ClearSky Cyber Security and Trend Micro. (2017, July). Operation Wilted Tulip: Exposing a cyber espionage apparatus. Retrieved August 21, 2017.
  8. Minerva Labs LTD and ClearSky Cyber Security. (2015, November 23). CopyKittens Attack Group. Retrieved September 11, 2017.
  9. Sierra, E., Iglesias, G.. (2018, April 24). Metamorfo Campaigns Targeting Brazilian Users. Retrieved July 30, 2020.
  10. Tsarfaty, Y. (2018, July 25). Micropsia Malware. Retrieved November 13, 2018.
  11. Kaspersky Lab's Global Research & Analysis Team. (2018, October 10). MuddyWater expands operations. Retrieved November 2, 2018.
  12. McAfee. (2015, March 2). Netwire RAT Behind Recent Targeted Attacks. Retrieved February 15, 2018.
  13. Maniath, S. and Kadam P. (2019, March 19). Dissecting a NETWIRE Phishing Campaign's Usage of Process Hollowing. Retrieved January 7, 2021.
  14. Lambert, T. (2020, January 29). Intro to Netwire. Retrieved January 7, 2021.
  15. Proofpoint. (2020, December 2). Geofenced NetWire Campaigns. Retrieved January 7, 2021.
  16. Pascual, C. (2018, November 27). AutoIt-Compiled Worm Affecting Removable Media Delivers Fileless Version of BLADABINDI/njRAT Backdoor. Retrieved June 4, 2019.
  17. Kaspersky Lab's Global Research & Analysis Team. (2018, October 15). Octopus-infested seas of Central Asia. Retrieved November 14, 2018.
  18. Davis, S. and Caban, D. (2017, December 19). APT34 - New Targeted Attack in the Middle East. Retrieved December 20, 2017.
  19. Computer Incident Response Center Luxembourg. (2013, March 29). Analysis of a PlugX variant. Retrieved November 5, 2018.
  20. Mercer, W, et al. (2020, April 16). PoetRAT: Python RAT uses COVID-19 lures to target Azerbaijan public and private sectors. Retrieved April 27, 2020.
  21. Dragos. (n.d.). ICS Cybersecurity Year in Review 2020. Retrieved February 25, 2021.
  22. PowerShellMafia. (2012, May 26). PowerSploit - A PowerShell Post-Exploitation Framework. Retrieved February 6, 2018.
  23. PowerSploit. (n.d.). PowerSploit. Retrieved February 6, 2018.
  24. Singh, S. et al.. (2018, March 13). Iranian Threat Group Updates Tactics, Techniques and Procedures in Spear Phishing Campaign. Retrieved April 11, 2018.
  25. Lunghi, D. and Horejsi, J.. (2019, June 10). MuddyWater Resurfaces, Uses Multi-Stage Backdoor POWERSTATS V3 and New Post-Exploitation Tools. Retrieved May 14, 2020.
  26. Sardiwal, M, et al. (2017, December 7). New Targeted Attack in the Middle East by APT34, a Suspected Iranian Threat Group, Using CVE-2017-11882 Exploit. Retrieved December 20, 2017.
  27. Cherepanov, A.. (2016, May 17). Operation Groundbait: Analysis of a surveillance toolkit. Retrieved May 18, 2016.
  28. Kasza, A. and Reichel, D. (2017, February 27). The Gamaredon Group Toolset Evolution. Retrieved March 1, 2017.
  29. Nicolas Verdier. (n.d.). Retrieved January 29, 2018.
  30. Antiy CERT. (2020, April 20). Analysis of Ramsay components of Darkhotel's infiltration and isolation network. Retrieved March 24, 2021.
  31. Falcone, R. (2020, July 22). OilRig Targets Middle Eastern Telecommunications Organization and Adds Novel C2 Channel with Steganography to Its Inventory. Retrieved July 28, 2020.
  32. FireEye iSIGHT Intelligence. (2017, April 6). APT10 (MenuPass Group): New Tools, Global Campaign Latest Manifestation of Longstanding Threat. Retrieved June 29, 2017.
  33. Accenture Security. (2018, April 23). Hogfish Redleaves Campaign. Retrieved July 2, 2018.
  34. Klijnsma, Y. (2018, January 23). Espionage Campaign Leverages Spear Phishing, RATs Against Turkish Defense Contractors. Retrieved November 6, 2018.
  35. Legezo, D. (2019, January 30). Chafer used Remexi malware to spy on Iran-based foreign diplomatic entities. Retrieved April 17, 2019.
  36. Peretz, A. and Theck, E. (2021, March 5). Earth Vetala – MuddyWater Continues to Target Organizations in the Middle East. Retrieved March 18, 2021.
  37. Livelli, K, et al. (2018, November 12). Operation Shaheen. Retrieved May 1, 2019.
  38. Falcone, R., et al. (2018, July 27). New Threat Actor Group DarkHydrus Targets Middle East Government. Retrieved August 2, 2018.
  39. Mercer, W., Rascagneres, P. (2017, April 03). Introducing ROKRAT. Retrieved May 21, 2018.
  40. Mercer, W., Rascagneres, P. (2017, November 28). ROKRAT Reloaded. Retrieved May 21, 2018.
  41. GReAT. (2019, May 13). ScarCruft continues to evolve, introduces Bluetooth harvester. Retrieved June 4, 2019.
  42. Pantazopoulos, N.. (2018, November 8). RokRat Analysis. Retrieved May 21, 2020.
  43. Ray, V., Hayashi, K. (2016, February 29). New Malware ‘Rover’ Targets Indian Ambassador to Afghanistan. Retrieved February 29, 2016.
  44. Faou, M. and Boutin, J. (2017, February). Read The Manual: A Guide to the RTM Banking Trojan. Retrieved March 9, 2017.
  45. Duncan, B., Harbison, M. (2019, January 23). Russian Language Malspam Pushing Redaman Banking Malware. Retrieved June 16, 2020.
  46. Cybereason Nocturnus Team. (2020, December 9). MOLERATS IN THE CLOUD: New Malware Arsenal Abuses Cloud Platforms in Middle East Espionage Campaign. Retrieved December 22, 2020.
  47. Ilascu, I. (2020, December 14). Hacking group’s new malware abuses Google and Facebook services. Retrieved December 28, 2020.
  48. GReAT. (2017, November 1). Silence – a new Trojan attacking financial organizations. Retrieved May 24, 2019.
  49. Group-IB. (2018, September). Silence: Moving Into the Darkside. Retrieved May 5, 2020.
  50. DHS/CISA, Cyber National Mission Force. (2020, October 1). Malware Analysis Report (MAR) MAR-10303705-1.v1 – Remote Access Trojan: SLOTHFULMEDIA. Retrieved October 2, 2020.
  51. Lunghi, D., et al. (2017, December). Untangling the Patchwork Cyberespionage Group. Retrieved July 10, 2018.
  52. Kaspersky Lab. (2017, March 7). From Shamoon to StoneDrill: Wipers attacking Saudi organizations and beyond. Retrieved March 14, 2019.
  53. Grunzweig, J. and Miller-Osborn, J.. (2016, February 4). T9000: Advanced Modular Backdoor Uses Complex Anti-Analysis Techniques. Retrieved April 15, 2016.
  54. GReAT. (2019, April 10). Project TajMahal – a sophisticated new APT framework. Retrieved October 14, 2019.
  55. Cylance. (2014, December). Operation Cleaver. Retrieved September 14, 2017.
  56. Symantec Security Response. (2014, July 7). Dragonfly: Cyberespionage Attacks Against Energy Suppliers. Retrieved April 8, 2016.
  57. Secureworks. (2019, July 24). Updated Karagany Malware Targets Energy Sector. Retrieved August 12, 2020.
  58. O'Leary, J., et al. (2017, September 20). Insights into Iranian Cyber Espionage: APT33 Targets Aerospace and Energy Sectors and has Ties to Destructive Malware. Retrieved February 15, 2018.
  59. Matsuda, A., Muhammad I. (2018, September 13). APT10 Targeting Japanese Corporations Using Updated TTPs. Retrieved September 17, 2018.
  60. Caragay, R. (2015, March 26). URSNIF: The Multifaceted Malware. Retrieved June 5, 2019.
  61. Sioting, S. (2013, June 15). BKDR_URSNIF.SM. Retrieved June 5, 2019.
  62. Salem, E. et al. (2020, May 28). VALAK: MORE THAN MEETS THE EYE . Retrieved June 19, 2020.
  63. Lancaster, T., Cortes, J. (2018, January 29). VERMIN: Quasar RAT and Custom Malware Used In Ukraine. Retrieved July 5, 2018.
  64. Schwarz, D., Sopko J. (2018, March 08). Donot Team Leverages New Modular Malware Framework in South Asia. Retrieved June 11, 2018.
  65. ESET. (2018, November 20). Sednit: What’s going on with Zebrocy?. Retrieved February 12, 2019.
  66. Lee, B., Falcone, R. (2018, December 12). Dear Joohn: The Sofacy Group’s Global Campaign. Retrieved April 19, 2019.
  67. ESET Research. (2019, May 22). A journey to Zebrocy land. Retrieved June 20, 2019.
  68. Accenture Security. (2018, November 29). SNAKEMACKEREL. Retrieved April 15, 2019.
  69. CISA. (2020, October 29). Malware Analysis Report (AR20-303B). Retrieved December 9, 2020.
  70. Ebach, L. (2017, June 22). Analysis Results of Zeus.Variant.Panda. Retrieved November 5, 2018.
  71. Gross, J. (2016, February 23). Operation Dust Storm. Retrieved September 19, 2017.
  72. Fraser, N., et al. (2019, August 7). Double DragonAPT41, a dual espionage and cyber crime operation APT41. Retrieved September 23, 2019.