Screenshotter
Screenshotter is a utility malware payload used in TA866 activity, including the cluster Proofpoint called "Screentime," and also observed by Proofpoint as a companion payload in some Rhadamanthys delivery chains. Its primary function is to capture a JPG screenshot of the victim's desktop and exfiltrate it to command-and-control infrastructure via HTTP POST.

Proofpoint reported Screenshotter being delivered through multi-stage email-driven infection chains, including invoice-themed campaigns targeting North America in January 2024 and earlier TA866 campaigns from late 2022 into 2023 that primarily targeted organizations in the United States, with some targeting in Germany, across multiple industries. Observed delivery vectors included malicious email attachments or URLs, OneDrive-hosted JavaScript, macro-enabled Publisher files, PDFs containing URLs, and 404 TDS redirection. In the documented chains, JavaScript downloaded an MSI, which executed the WasabiSeed VBS downloader; WasabiSeed then downloaded a second MSI containing Screenshotter and continued polling for additional payloads. Proofpoint assessed TA571 as the spam distributor in some campaigns and TA866 as responsible for the post-exploitation tooling, including WasabiSeed and Screenshotter.

Screenshotter has been observed in multiple implementations, including Python, AutoIT, and a JavaScript/IrfanView variant described by Proofpoint as the latest at publication. In the JavaScript/IrfanView variant, the MSI contained a legitimate IrfanView executable used to capture the screen (reported as snap.exe in one campaign and lumina.exe, IrfanView 4.62, in another) along with app.js and index.js. app.js invoked the executable to save a desktop screenshot as gs.jpg, and index.js uploaded the image to C2. Reported C2 patterns included hxxp://193[.]233.133.179:80/screenshot/[C: Drive Serial Number] and hxxp://109[.]107.173.72/screenshot/%serial%.
Proofpoint reported that TA866 likely used the screenshots to manually triage victims before deciding whether to deliver follow-on payloads such as AHK Bot and, via AHK Bot, Rhadamanthys Stealer.
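The reported C2 pattern (an HTTP POST to /screenshot/ followed by the victim's C: drive serial) is a narrow enough artifact to hunt for in web proxy logs. The following detector is an added example, not code from Proofpoint or from Mallory; it assumes a simple space-separated proxy log format and that the serial is rendered as 8 hex digits, and the sample log lines are constructed.

```python
"""Hunt for Screenshotter-style exfiltration POSTs in proxy logs (added example)."""
import re
from urllib.parse import urlsplit

# C2 hosts named in the Proofpoint reporting summarised above (defanged there, literal here).
KNOWN_C2_HOSTS = {"193.233.133.179", "109.107.173.72"}

# Assumption: the drive serial is the last path segment under /screenshot/. Windows volume
# serials are commonly rendered as 8 hex digits, so that form raises confidence, but any
# single segment under /screenshot/ is still reported at low confidence.
SCREENSHOT_PATH = re.compile(r"^/screenshot/([^/]+)$")
HEX_SERIAL = re.compile(r"^[0-9A-Fa-f]{8}$")

# Constructed proxy log lines: timestamp, client IP, method, URL, bytes sent. Not real telemetry.
SAMPLE_LOGS = [
    "2024-01-23T10:01:02Z 10.0.0.5 POST http://193.233.133.179:80/screenshot/1A2B3C4D 48213",
    "2024-01-23T10:01:05Z 10.0.0.5 GET http://193.233.133.179:80/ 212",
    "2024-01-23T10:02:10Z 10.0.0.7 POST http://example.com/api/upload 1200",
    "2024-01-23T10:03:00Z 10.0.0.9 POST http://203.0.113.10/screenshot/tenant42 51000",
]


def classify(line):
    """Return (client, host, serial, confidence) for a Screenshotter-like POST, else None."""
    parts = line.split()
    if len(parts) != 5:
        return None  # malformed line; a production parser would log and skip
    client, method, url = parts[1], parts[2], parts[3]
    if method != "POST":
        return None
    u = urlsplit(url)
    m = SCREENSHOT_PATH.match(u.path)
    if not m:
        return None
    serial = m.group(1)
    confidence = "low"
    if HEX_SERIAL.match(serial):
        confidence = "medium"  # path shape plus serial-looking token
    if u.hostname in KNOWN_C2_HOSTS:
        confidence = "high"  # path shape plus reported C2 infrastructure
    return (client, u.hostname, serial, confidence)


def scan_proxy_logs(lines):
    """Return one alert tuple per matching log line, preserving log order."""
    return [hit for hit in map(classify, lines) if hit]


if __name__ == "__main__":
    for client, host, serial, conf in scan_proxy_logs(SAMPLE_LOGS):
        print(f"[{conf}] {client} -> {host} /screenshot/{serial}")
```

Pairing a medium-confidence hit with an endpoint event showing wscript.exe launching an IrfanView binary and writing gs.jpg, as described above, gives a much stronger signal than the URL pattern alone.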
Groups observed using it
1 distinct threat actor attributed by public researchers.
The first payload downloaded by WasabiSeed was Screenshotter. This is a utility with a single function of taking a JPG screenshot of the user's desktop and submitting it to a remote C2 via a POST to a hardcoded IP address.
IOCs tracked for this family
10 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
Recent activity
3 sources tracked across advisories, community write-ups, and news.
Observed as a companion payload delivered alongside Rhadamanthys.
A custom screenshot collection utility delivered via MSI. It runs a bundled legitimate IrfanView executable (snap.exe) to capture the desktop to a JPG and then uploads the screenshot to a C2 endpoint.
Single-purpose screenshot collection utility (multiple variants: Python/AutoIT/JavaScript+IrfanView) that captures the desktop and exfiltrates the image to C2 for victim profiling prior to follow-on payload deployment.