Screenshotter
Screenshotter is a malware family and utility used to capture periodic screenshots from infected Windows systems and exfiltrate them to attacker-controlled command-and-control (C2) infrastructure over HTTP, typically via POST requests. Reporting ties it closely to TA866, also known as Asylum Ambuscade, which used it in financially motivated intrusion chains and possibly in espionage-related activity.

In observed TA866 campaigns, initial access commonly came via malspam, malvertising, or 404 TDS redirection to malicious JavaScript downloaders, which retrieved MSI packages. A WasabiSeed downloader then established persistence via an LNK shortcut in the Windows Startup directory, polled C2 using the victim's drive serial number, and downloaded Screenshotter as a follow-on payload.

Screenshotter has been observed in JavaScript, Python, AutoHotKey, and AutoIT implementations. One documented JavaScript variant used a bundled legitimate IrfanView executable (for example, snap.exe or lumina.exe) to save a desktop screenshot as gs.jpg, after which another component uploaded the image to C2. TA866 appears to have used the screenshots to manually triage victims before selectively deploying additional tooling such as AHK Bot and, in some cases, Rhadamanthys.

Observed C2 patterns included hardcoded IP-based HTTP endpoints such as hxxp://109[.]107.173.72/screenshot/%serial% and hxxp://193[.]233.133.179:80/screenshot/[C: Drive Serial Number], where the final path component is the victim's C: drive serial number. Screenshotter has also been observed delivered alongside, or as a companion to, other malware including Rhadamanthys, Remcos, zgRAT, AHK Bot, BitRAT, XWorm, Lumma, and XLoader.

Victimology associated with TA866 activity was concentrated in the United States, with manufacturing the most affected sector, followed by government and financial services.
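The C2 path shape described above (a POST of the image to /screenshot/<C: drive serial>) is the stable, hunt-able part of this behaviour, since the IP-based hosts rotate. The following is an added detection example written for this page, not code from the page or from any vendor; it assumes a simplified proxy log format (timestamp, source, method, host, path, status, bytes) and uses constructed sample lines with documentation addresses.

```python
import re
from collections import defaultdict
from datetime import datetime

# Hypothetical detection for the reported Screenshotter C2 URI shape: an HTTP POST of the
# captured image to /screenshot/<C: drive volume serial>. The serial is 8 hex digits,
# with or without a dash; the path shape is matched rather than the IP, which rotates.
SCREENSHOT_PATH_RE = re.compile(r"^/screenshot/([0-9A-Fa-f]{4})-?([0-9A-Fa-f]{4})/?$")
# Simplified proxy log format assumed here: ts src method host path status bytes
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\d{3}) (\d+)$")

# Constructed sample lines (RFC 5737 documentation addresses, not real indicators).
SAMPLE_LOGS = """\
2024-01-01T10:00:00Z 10.0.0.5 POST 203.0.113.10 /screenshot/1A2B3C4D 200 48213
2024-01-01T10:00:07Z 10.0.0.5 GET 203.0.113.10 /screenshot/1A2B3C4D 200 12
2024-01-01T10:01:00Z 10.0.0.9 GET www.example.com /index.html 200 5120
2024-01-01T10:05:00Z 10.0.0.5 POST 203.0.113.10 /screenshot/1A2B-3C4D 200 50122
2024-01-01T10:10:00Z 10.0.0.5 POST 203.0.113.10 /screenshot/1A2B3C4D 200 49870
2024-01-01T10:03:00Z 10.0.0.7 POST cdn.example.net /upload/screenshot/gallery 200 9000
"""

def parse_line(line):
    """Parse one log line into a dict, or return None if it does not fit the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts, src, method, host, path, _status, size = m.groups()
    return {"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")), "src": src,
            "method": method, "host": host, "path": path, "bytes": int(size)}

def detect_screenshot_exfil(log_text):
    """One alert per (src, host, serial) that POSTed to a Screenshotter-shaped path,
    with the upload count and whether the cadence looks periodic, as the reporting describes."""
    uploads = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        m = rec and rec["method"] == "POST" and SCREENSHOT_PATH_RE.match(rec["path"])
        if not m:
            continue
        serial = (m.group(1) + m.group(2)).upper()  # normalise XXXX-XXXX and XXXXXXXX
        uploads[(rec["src"], rec["host"], serial)].append(rec)
    alerts = []
    for (src, host, serial), recs in uploads.items():
        recs.sort(key=lambda r: r["ts"])
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(recs, recs[1:])]
        # "periodic": at least three uploads whose spacing varies by no more than 25 %
        periodic = len(gaps) >= 2 and max(gaps) - min(gaps) <= 0.25 * max(gaps)
        alerts.append({"src": src, "host": host, "serial": serial, "uploads": len(recs),
                       "periodic": periodic, "bytes": sum(r["bytes"] for r in recs)})
    return alerts
```

The serial in each alert is also the pivot value for the WasabiSeed polling traffic described above, so a hit here can be joined against earlier requests carrying the same serial.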
Groups observed using it
1 distinct threat actor attributed by public researchers.
Screenshotter is a malware family used to generate periodic screenshots from infected systems, which are then transmitted to the threat actor over HTTP.
Techniques & procedures
4 distinct techniques documented for this family, organized by ATT&CK tactic.
Resource Development: 1 technique
Initial Access: 1 technique
Stealth: 1 technique
IOCs tracked for this family
10 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Other indicator types observed in public reporting.
Recent activity
4 sources tracked across advisories, community write-ups, and news.
Observed as a companion payload delivered alongside Rhadamanthys.
Screenshotter captures periodic screenshots from infected systems and exfiltrates them over HTTP. Variants were observed in JavaScript, Python and AutoHotKey implementations.
A custom screenshot collection utility delivered via MSI. It runs a bundled legitimate IrfanView executable (snap.exe) to capture the desktop to a JPG and then uploads the screenshot to a C2 endpoint.
Single-purpose screenshot collection utility (multiple variants: Python/AutoIT/JavaScript+IrfanView) that captures the desktop and exfiltrates the image to C2 for victim profiling prior to follow-on payload deployment.