
A newly identified threat actor has been observed using custom-built malware named Screenshotter, which, as the name suggests, takes screenshots of the device once it is compromised. Proofpoint first observed this activity in October 2022, and it continued into January 2023.

In this post, we look at what the Screenshotter malware is and how to detect and mitigate it.

Key findings

  • The actor behind this campaign is tracked as TA866, a newly identified threat group.
  • The actor appears to be financially motivated: it evaluates compromised machines to decide whether they are worth further attack.
  • Targets were mostly in Germany and the United States.
  • TA866 uses a custom toolset, including WasabiSeed and Screenshotter, to analyze user activity via screenshots before deploying a bot and a stealer.

Technical Analysis

The initial intrusion is a phishing email. Early emails carried Microsoft Publisher (.pub) attachments containing malicious macros; later emails carried URLs pointing to Publisher files with macros, or PDFs with links that led to malicious JavaScript.

During the later delivery stages, the URLs in the emails passed through the 404 Traffic Distribution System (TDS), which filters visitors before redirecting them to the malicious files described above. Some of this activity was also observed via Google Ads.

The Campaign Distribution Frequency

As per Proofpoint's research, only a small volume of activity was seen in October and November; once the threat actor switched to URL-based delivery at the end of November and in December, the operation scaled up and the email volume increased sharply.

Credits: Proofpoint

Attack workflow

Once the user clicks the link in the phishing mail, the attack chain begins:

  1. The URL leads to a 404 TDS page, which filters incoming traffic before redirecting the victim to a download page for a JavaScript file.
  2. If the user runs the JavaScript (for example by double-clicking it), the script downloads and executes an MSI package.
  3. This MSI package is the WasabiSeed installer, which runs an embedded VBS script (WasabiSeed itself). A shortcut placed in the Windows Startup folder keeps WasabiSeed running across reboots.
  4. WasabiSeed then contacts its C2 and downloads and installs the next stage, Screenshotter, which is also delivered as an MSI package.
  5. Screenshotter is custom malware that captures screenshots of the victim's desktop and submits them to the command-and-control server.
  6. The attacker reviews the screenshots manually and decides either to keep using Screenshotter to collect more screenshots or, if the target looks worthwhile, to drop an additional payload called the AHK Bot on the victim's machine.
  7. The AHK Bot's Domain Profiler component determines whether the machine is joined to an Active Directory domain and reports this to the attacker.
  8. The AHK Bot can then drop a further payload, the Rhadamanthys information stealer.
The attack chains (Credits: Proofpoint)
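Step 3 of the chain leaves a host artifact that is cheap to hunt for: a shortcut or script in a Startup folder that launches a script host. The script below is an added example written for this post, not Proofpoint's code and not part of the TA866 toolset. It audits the per-user and all-users Startup folders and flags entries that are raw script files or .lnk shortcuts whose embedded strings reference a script host or installer. The .lnk check is a heuristic assumption: it looks for marker strings in both ANSI and UTF-16LE form instead of parsing the LNK format, and the marker list is our own choice. The sample entries in the test are constructed.

```python
"""Hunt for Startup-folder persistence of the kind WasabiSeed uses.

Added example (not Proofpoint's code). Heuristic assumptions: the marker
strings below are our own choice, and .lnk files are scanned as raw bytes
rather than parsed as the LNK format.
"""
import os
from pathlib import Path
from typing import Iterable, NamedTuple

# Script types that should not normally sit directly in a Startup folder.
SCRIPT_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta", ".bat", ".cmd", ".ps1"}

# Strings that, when found inside a shortcut, indicate it launches a script
# host or an installer rather than a normal application (assumed markers).
HOST_MARKERS = ("wscript", "cscript", "mshta", "powershell", "msiexec",
                ".vbs", ".js", ".msi")


class Finding(NamedTuple):
    path: str
    reason: str


def startup_dirs() -> list[Path]:
    """Per-user and all-users Startup folders on Windows."""
    dirs = []
    for env, sub in (("APPDATA", r"Microsoft\Windows\Start Menu\Programs\Startup"),
                     ("PROGRAMDATA", r"Microsoft\Windows\Start Menu\Programs\StartUp")):
        base = os.environ.get(env)
        if base:
            dirs.append(Path(base) / sub)
    return dirs


def lnk_mentions_script_host(data: bytes) -> bool:
    """True if the shortcut bytes contain a marker in ANSI or UTF-16LE form.

    LNK files may store target/argument strings in either encoding, so both
    decodings are checked; 'ignore' drops any stray odd trailing byte.
    """
    texts = (data.decode("latin-1", "ignore").lower(),
             data.decode("utf-16-le", "ignore").lower())
    return any(marker in text for text in texts for marker in HOST_MARKERS)


def audit_entries(entries: Iterable[tuple[str, bytes]]) -> list[Finding]:
    """Core check over (name, raw bytes) pairs so it can be exercised offline."""
    findings = []
    for name, data in entries:
        ext = Path(name).suffix.lower()
        if ext in SCRIPT_EXTS:
            findings.append(Finding(name, f"script file ({ext}) placed directly in Startup"))
        elif ext == ".lnk" and lnk_mentions_script_host(data):
            findings.append(Finding(name, "shortcut references a script host or installer"))
    return findings


def audit_startup_dir(folder: Path) -> list[Finding]:
    """Read every regular file in a Startup folder and run the core check."""
    return audit_entries((str(p), p.read_bytes())
                         for p in sorted(folder.iterdir()) if p.is_file())


def main() -> None:
    for folder in startup_dirs():
        if folder.is_dir():
            for finding in audit_startup_dir(folder):
                print(f"[!] {finding.path}: {finding.reason}")


if __name__ == "__main__":
    main()
```

Any hit is a lead, not a verdict: legitimate software occasionally installs a script in Startup, so check the target file's hash against the IOC list and look for the MSI installs and outbound beacons from the rest of the chain before declaring an infection.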

MITRE ATT&CK Enterprise Identifiers

  • T1566.001 (Spearphishing Attachment)
  • T1566.002 (Spearphishing Link)
  • T1059.007 (JavaScript)
  • T1059.005 (Visual Basic)
  • T1547.001 (Registry Run Keys / Startup Folder)
  • T1218 (System Binary Proxy Execution)
  • T1140 (Deobfuscate/Decode Files or Information)
  • T1113 (Screen Capture)


Detection and Mitigation

The attack flow shows that the chain only succeeds if the user opens the phishing mail, follows the link, and manually runs the downloaded JavaScript file, so:

  • Deploy a well-tuned email gateway that blocks unsolicited external mail carrying script attachments or links to script downloads.
  • Enforce email authentication protocols (SPF, DKIM and DMARC) so that spoofed messages are rejected before they reach users.
  • Conduct regular security awareness training for all users so that they do not run downloaded script files.
  • Make it easy for users to report suspicious emails to the security team, and act on those reports promptly.
  • Monitor for the IOCs and ET signatures listed below and take action on any hit.


Indicators of Compromise (IOCs)

Indicator | Type | Description
southfirstarea[.]com | Domain | 404 TDS domain
peak-pjv[.]com | Domain | 404 TDS domain
otameyshan[.]com | Domain | 404 TDS domain
thebtcrevolution[.]com | Domain | 404 TDS domain
annemarieotey[.]com | Domain | 404 TDS domain
expresswebstores[.]com | Domain | 404 TDS domain
styleselect[.]com | Domain | 404 TDS domain
mikefaw[.]com | Domain | 404 TDS domain
fgpprlaw[.]com | Domain | 404 TDS domain
duncan-technologies[.]net | Domain | 404 TDS domain
black-socks[.]org | Domain | 404 TDS domain
virtualmediaoffice[.]com | Domain | 404 TDS domain
samsontech[.]mobi | Domain | 404 TDS domain
footballmeta[.]com | Domain | 404 TDS domain
gfcitservice[.]net | Domain | 404 TDS domain
listfoo[.]org | Domain | 404 TDS domain
duinvest[.]info | Domain | 404 TDS domain
shiptrax24[.]com | Domain | 404 TDS domain
repossessionheadquarters[.]org | Domain | 404 TDS domain
bluecentury[.]org | Domain | 404 TDS domain
d934d109f5b446febf6aa6a675e9bcc41fade563e7998788824f56b3cc16d1ed | SHA256 | JavaScript "Document_24_jan-3559116.js"
hxxp[:]//79[.]137.198.60/1/ke.msi | URL | JavaScript downloading MSI 1 (WasabiSeed installer)
29e447a6121dd2b1d1221821bd6c4b0e20c437c62264844e8bcbb9d4be35f013 | SHA256 | WasabiSeed installer MSI "ke.msi"
292344211976239c99d62be021af2f44840cd42dd4d70ad5097f4265b9d1ce01 | SHA256 | OCDService.vbs (WasabiSeed) inside ke.msi
hxxp[:]//109[.]107.173.72/%serial% | URL | WasabiSeed downloading payloads (Screenshotter, AHK Bot)
02049ab62c530a25f145c0a5c48e3932fa7412a037036a96d7198cc57cef1f40 | SHA256 | Screenshotter installer MSI
d0a4cd67f952498ad99d78bc081c98afbef92e5508daf723007533f000174a98 | SHA256 | Screenshotter component app.js
6e53a93fc2968d90891db6059bac49e975c09546e19a54f1f93fb01a21318fdc | SHA256 | Screenshotter component lumina.exe
322dccd18b5564ea000117e90dafc1b4bc30d256fe93b7cfd0d1bdf9870e0da6 | SHA256 | Screenshotter component index.js
hxxp[:]//109[.]107.173.72/screenshot/%serial% | URL | Screenshotter submitting an image to C2
1f6de5072cc17065c284b21acf4d34b4506f86268395c807b8d4ab3d455b036b | SHA256 | AHK Bot installer MSI
3242e0a736ef8ac90430a9f272ff30a81e2afc146fcb84a25c6e56e8192791e4 | SHA256 | AHK Bot Looper component "au3.exe"
3db3f919cad26ca155adf8c5d9cab3e358d51604b51b31b53d568e7bcf5301e2 | SHA256 | AHK Bot Looper component "au3.ahk"
hxxp[:]//89[.]208.105.255/%serial%-du2 | URL | AHK Bot Looper C2
hxxp[:]//89[.]208.105.255/%serial% | URL | AHK Bot Domain Profiler C2
hxxp[:]//89[.]208.105.255/download?path=e | URL | AHK Bot Stealer Loader C2
moosdies[.]top | Domain | Rhadamanthys Stealer C2
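The network indicators above map cleanly onto the stages of the attack chain: the TDS domains for delivery, one host for the WasabiSeed installer, one host that WasabiSeed and Screenshotter talk to, and one host for the AHK Bot and its stealer loader. The following script is an added example written for this post, not Proofpoint's code, that turns the table into a matcher and runs it over proxy logs, labelling each hit with the stage it corresponds to. Assumptions: the log format (timestamp, client, method, URL, status) and the sample lines are constructed; the `%serial%` placeholder is assumed to be an 8-character hexadecimal value, so if your telemetry shows a different token the `SERIAL` pattern should be loosened. Any request to one of the listed hosts is reported even when the path does not match a known stage.

```python
"""Match proxy-log URLs against the TA866 network IOCs from the table above.

Added example (not Proofpoint's code). The log format and sample lines are
constructed; the %serial% token is assumed to be 8 hex characters.
"""
import re
from typing import Iterable, NamedTuple, Optional
from urllib.parse import urlsplit

# Domains from the IOC table, with the role each plays in the chain.
DOMAINS = {d: "404 TDS domain" for d in (
    "southfirstarea.com", "peak-pjv.com", "otameyshan.com", "thebtcrevolution.com",
    "annemarieotey.com", "expresswebstores.com", "styleselect.com", "mikefaw.com",
    "fgpprlaw.com", "duncan-technologies.net", "black-socks.org",
    "virtualmediaoffice.com", "samsontech.mobi", "footballmeta.com",
    "gfcitservice.net", "listfoo.org", "duinvest.info", "shiptrax24.com",
    "repossessionheadquarters.org", "bluecentury.org")}
DOMAINS["moosdies.top"] = "Rhadamanthys Stealer C2"

# IP hosts from the IOC table.
C2_HOSTS = {
    "79.137.198.60": "WasabiSeed installer host",
    "109.107.173.72": "WasabiSeed / Screenshotter C2",
    "89.208.105.255": "AHK Bot C2",
}

SERIAL = r"[0-9A-Fa-f]{8}"   # assumption about the %serial% placeholder

# Path patterns, most specific first; the bare /%serial% poll comes last.
PATH_RULES = [
    (re.compile(r"^/1/ke\.msi$"), "WasabiSeed installer download"),
    (re.compile(rf"^/screenshot/{SERIAL}$"), "Screenshotter uploading screenshot"),
    (re.compile(rf"^/{SERIAL}-du2$"), "AHK Bot Looper payload request"),
    (re.compile(r"^/download\?path=e$"), "AHK Bot stealer loader request"),
    (re.compile(rf"^/{SERIAL}$"), "WasabiSeed / AHK Bot payload poll"),
]

# Constructed log format: <timestamp> <client> <method> <url> <status>
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$")


class Hit(NamedTuple):
    client: str
    url: str
    reason: str


def classify(url: str) -> Optional[str]:
    """Return a stage label if the URL touches TA866 infrastructure, else None."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    path = parts.path + (f"?{parts.query}" if parts.query else "")
    if host in DOMAINS:
        return DOMAINS[host]
    if host in C2_HOSTS:
        for pattern, label in PATH_RULES:
            if pattern.match(path):
                return f"{C2_HOSTS[host]}: {label}"
        # Known-bad host but unknown path: still worth an alert.
        return f"{C2_HOSTS[host]}: unrecognised path"
    return None


def scan(lines: Iterable[str]) -> list[Hit]:
    """Run classify() over log lines; unparseable lines are skipped."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        reason = classify(m["url"])
        if reason:
            hits.append(Hit(m["client"], m["url"], reason))
    return hits


# Constructed sample log following one victim through the chain.
SAMPLE_LOG = """
2023-01-24T10:00:01Z 10.0.0.5 GET http://southfirstarea.com/ 302
2023-01-24T10:00:07Z 10.0.0.5 GET http://79.137.198.60/1/ke.msi 200
2023-01-24T10:01:30Z 10.0.0.5 GET http://109.107.173.72/7A3B1F2C 200
2023-01-24T10:02:11Z 10.0.0.5 POST http://109.107.173.72/screenshot/7A3B1F2C 200
2023-01-24T10:05:44Z 10.0.0.5 GET http://89.208.105.255/7A3B1F2C-du2 200
2023-01-24T10:05:50Z 10.0.0.5 GET http://89.208.105.255/download?path=e 200
2023-01-24T10:06:00Z 10.0.0.9 GET http://www.example.com/index.html 200
"""

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG.strip().splitlines()):
        print(f"{hit.client}  {hit.url}  ->  {hit.reason}")
```

Because the stage labels follow the order of the chain, a single client producing hits in that order within minutes is a strong signal that the whole chain ran, whereas a lone hit on a TDS domain may only mean the user clicked the link and stopped there.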

ET Signatures 

  • 2853110 – ETPRO MALWARE 404 TDS Redirect 
  • 2043239 – ET MALWARE WasabiSeed Backdoor Payload Request (GET)
  • 2852922 – ETPRO MALWARE Screenshotter Backdoor Sending Screenshot (POST) 
  • 2853008 – ETPRO MALWARE AHK Bot Looper – Payload Request 
  • 2853009 – ETPRO MALWARE AHK Bot Looper – Payload Request 
  • 2853010 – ETPRO MALWARE AHK Bot Looper – Payload Request 
  • 2853011 – ETPRO MALWARE AHK Bot Looper – Payload Request 
  • 2853015 – ETPRO MALWARE AHK Bot – Logger Sending Data 
  • 2853016 – ETPRO MALWARE AHK Bot – Stealer Loader Payload Request 
  • 2853017 – ETPRO MALWARE AHK Bot – Logger Sending Data 
  • 2043216 – ET MALWARE AHK Bot Domain Profiler CnC Activity 
  • 2043202 – ET MALWARE Rhadamanthys Stealer – Payload Download Request 
  • 2853001 – ETPRO MALWARE Rhadamanthys Stealer – Payload Response 
  • 2853002 – ETPRO MALWARE Rhadamanthys Stealer – Data Exfil 


TA866 is a capable threat actor that uses custom tooling and manually reviews victims' screenshots to pick out high-value targets. The Active Directory profiling is particularly concerning: once a domain-joined host is compromised, the attacker is positioned to go after other domain-joined hosts in the same domain. Based on clues found during analysis of the attack behaviour, TA866 is suspected to be a Russian-speaking threat actor.
