Adversaries may collect data stored in the Windows clipboard from users copying information within or between applications.
Applications can access clipboard data by using the Windows API. 
OSX provides a native command,
pbpaste, to grab clipboard contents .
|Agent Tesla||Agent Tesla can steal data from the victim’s clipboard.   |
|APT38||APT38 used a Trojan called KEYLIME to collect data from the clipboard. |
|Astaroth||Astaroth collects information from the clipboard by using the OpenClipboard() and GetClipboardData() libraries. |
|Catchamas||Catchamas steals data stored in the clipboard. |
|CosmicDuke||CosmicDuke copies and exfiltrates the clipboard contents every 30 seconds. |
|DarkComet||DarkComet can steal data from the clipboard. |
|Empire||Empire can harvest clipboard data on both Windows and macOS systems. |
|Helminth||The executable version of Helminth has a module to log clipboard contents. |
|JHUHUGIT||A JHUHUGIT variant accesses a screenshot saved in the clipboard and converts it to a JPG image. |
|jRAT||jRAT can capture clipboard data. |
|Koadic||Koadic can retrieve the current content of the user clipboard. |
|KONNI||KONNI had a feature to steal data from the clipboard. |
|Machete||Machete hijacks the clipboard data by creating an overlapped window that listens to keyboard events.  |
|MacSpy||MacSpy can steal clipboard contents. |
|Remcos||Remcos steals and modifies data from the clipboard. |
|Remexi||Remexi collects text from the clipboard. |
|RTM||RTM collects data from the clipboard. |
|RunningRAT||RunningRAT contains code to open and copy data from the clipboard. |
|TinyZBot||TinyZBot contains functionality to collect information from the clipboard. |
|VERMIN||VERMIN collects data stored in the clipboard. |
|Zeus Panda||Zeus Panda can hook GetClipboardData function to watch for clipboard pastes to collect. |
This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.
Access to the clipboard is a legitimate function of many applications on a Windows system. If an organization chooses to monitor for this behavior, then the data will likely need to be correlated against other suspicious or non-user-driven activity.
- Microsoft. (n.d.). About the Clipboard. Retrieved March 29, 2016.
- rvrsh3ll. (2016, May 18). Operating with EmPyre. Retrieved July 12, 2017.
- Magius, J., et al. (2017, July 19). Koadic. Retrieved June 18, 2018.
- Klijnsma, Y. (2018, January 23). Espionage Campaign Leverages Spear Phishing, RATs Against Turkish Defense Contractors. Retrieved November 6, 2018.
- Schroeder, W., Warner, J., Nelson, M. (n.d.). Github PowerShellEmpire. Retrieved April 28, 2016.
- Balanza, M. (2018, April 02). Infostealer.Catchamas. Retrieved July 10, 2018.
- Unit 42. (2017, December 15). Unit 42 Playbook Viewer. Retrieved December 20, 2017.
- Faou, M. and Boutin, J.. (2017, February). Read The Manual: A Guide to the RTM Banking Trojan. Retrieved March 9, 2017.
- Brumaghin, E., et al. (2018, October 15). Old dog, new tricks - Analysing new RTF-based campaign distributing Agent Tesla, Loki with PyREbox. Retrieved November 5, 2018.
- Zhang, X. (2018, April 05). Analysis of New Agent Tesla Spyware Variant. Retrieved November 5, 2018.
- Zhang, X. (2017, June 28). In-Depth Analysis of A New Variant of .NET Malware AgentTesla. Retrieved November 5, 2018.
- Patrick Wardle. (n.d.). Mac Malware of 2017. Retrieved September 21, 2018.
- Falcone, R. and Lee, B.. (2016, May 26). The OilRig Campaign: Attacks on Saudi Arabian Organizations Deliver Helminth Backdoor. Retrieved May 3, 2017.
- Sherstobitoff, R., Saavedra-Morales, J. (2018, February 02). Gold Dragon Widens Olympics Malware Attacks, Gains Permanent Presence on Victims’ Systems. Retrieved June 6, 2018.
- F-Secure Labs. (2014, July). COSMICDUKE Cosmu with a twist of MiniDuke. Retrieved July 3, 2014.
- Ebach, L. (2017, June 22). Analysis Results of Zeus.Variant.Panda. Retrieved November 5, 2018.
- Cylance. (2014, December). Operation Cleaver. Retrieved September 14, 2017.
- Lancaster, T., Cortes, J. (2018, January 29). VERMIN: Quasar RAT and Custom Malware Used In Ukraine. Retrieved July 5, 2018.
- Kujawa, A. (2018, March 27). You dirty RAT! Part 1: DarkComet. Retrieved November 6, 2018.
- Rascagneres, P. (2017, May 03). KONNI: A Malware Under The Radar For Years. Retrieved November 5, 2018.
- Salem, E. (2019, February 13). ASTAROTH MALWARE USES LEGITIMATE OS AND ANTIVIRUS PROCESSES TO STEAL PASSWORDS AND PERSONAL DATA. Retrieved April 17, 2019.
- Legezo, D. (2019, January 30). Chafer used Remexi malware to spy on Iran-based foreign diplomatic entities. Retrieved April 17, 2019.
- Kamluk, V. & Gostev, A. (2016, February). Adwind - A Cross-Platform RAT. Retrieved April 23, 2019.
- ESET. (2019, July). MACHETE JUST GOT SHARPER Venezuelan government institutions under attack. Retrieved September 13, 2019.
- Kaspersky Global Research and Analysis Team. (2014, August 20). El Machete. Retrieved September 13, 2019.
- FireEye. (2018, October 03). APT38: Un-usual Suspects. Retrieved November 6, 2018.