{
	"id": "a7327587-f39f-4a93-921c-2e3e891b30d2",
	"created_at": "2026-04-06T01:29:12.021397Z",
	"updated_at": "2026-04-10T13:11:45.574964Z",
	"deleted_at": null,
	"sha1_hash": "1de99d80a81847982a7391b27fd32b1fe20b52a5",
	"title": "Necurs Malware Will Now Take a Screenshot of Your Screen, Report Runtime Errors",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 888168,
	"plain_text": "Necurs Malware Will Now Take a Screenshot of Your Screen, Report\r\nRuntime Errors\r\nBy Catalin Cimpanu\r\nPublished: 2017-10-17 · Archived: 2026-04-06 01:06:05 UTC\r\nMalware families evolve on a daily basis, but some updates catch your eye more than others. Necurs has just gone through\r\none of these \"interesting\" updates, according to US security firm Symantec.\r\nBefore we go on, we must explain that Necurs is a name given to both a malware strain and the botnet of infected computers\r\nit creates.\r\nIn the world of security research, the Necurs malware strain is a \"downloader\" or \"loader,\" and just like similar downloaders,\r\nit only has three major functions: (1) gain boot persistence on an infected PC, (2) collect telemetry on infected hosts, and (3)\r\ndownload and install a second-stage payload.\r\nhttps://www.bleepingcomputer.com/news/security/necurs-malware-will-now-take-a-screenshot-of-your-screen-report-runtime-errors/\r\nPage 1 of 4\n\n0:00\r\nhttps://www.bleepingcomputer.com/news/security/necurs-malware-will-now-take-a-screenshot-of-your-screen-report-runtime-errors/\r\nPage 2 of 4\n\nVisit Advertiser websiteGO TO PAGE\r\nThe Necurs malware is distributed via spam sent by Necurs bots or hacked web servers. When you read news stories about\r\n\"the Necurs botnet spreading the Locky ransomware,\" it's actually \"the Necurs botnet spreading the Necurs downloader,\r\nwhich then installs the Locky ransomware.\"\r\nNecurs downloader gets two interesting new features\r\nThis Necurs downloader often gets ignored because it's usually pretty small and insignificant. Recently, researchers from\r\nSymantec observed two major additions to the Necurs downloader.\r\nThe first is the addition of a Powershell script that takes a screengrab of the infected user's screen, and after waiting a few\r\nseconds, it uploads the image to a remote server.\r\nThe second function is a built-in error reporting function that watches the Necurs downloader for errors, records problems,\r\nand sends the info back to Necurs operators.\r\nOther malware families also come with these types of features, but they have never been seen in downloaders.\r\nNecurs team looking for valuable hosts\r\nAccording to Symantec, the reasons for the screenshot behavior may be that Necurs operators are looking for more clues\r\nabout the computers they infect, besides the telemetry data they collect shortly after infection.\r\nThis info could allow them to detect when they infect more valuable environments, like the ones running professional office-related software, which usually mean computers on corporate networks.\r\nAs for the error reporting feature, this is easily explained, as malware authors, just like any other software developer, are\r\nalways looking to gather data on crashes to improve their application.\r\n\"After all, you can’t count on the victims to report back errors and issues!,\" Symantec points out about the crash reporting\r\nfunctionality.\r\nSymantec also provided a graphic with Necurs spam waves this year, confirming previous reports of increased activity in the\r\npast few months. Currently, the Necurs botnet is busy pushing the Locky ransomware and the TrickBot banking trojan.\r\nhttps://www.bleepingcomputer.com/news/security/necurs-malware-will-now-take-a-screenshot-of-your-screen-report-runtime-errors/\r\nPage 3 of 4\n\nAutomated Pentesting Covers Only 1 of 6 Surfaces.\r\nAutomated pentesting proves the path exists. BAS proves whether your controls stop it. Most teams run one without the\r\nother.\r\nThis whitepaper maps six validation surfaces, shows where coverage ends, and provides practitioners with three diagnostic\r\nquestions for any tool evaluation.\r\nSource: https://www.bleepingcomputer.com/news/security/necurs-malware-will-now-take-a-screenshot-of-your-screen-report-runtime-errors/\r\nhttps://www.bleepingcomputer.com/news/security/necurs-malware-will-now-take-a-screenshot-of-your-screen-report-runtime-errors/\r\nPage 4 of 4",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/necurs-malware-will-now-take-a-screenshot-of-your-screen-report-runtime-errors/"
	],
	"report_names": [
		"necurs-malware-will-now-take-a-screenshot-of-your-screen-report-runtime-errors"
	],
	"threat_actors": [],
	"ts_created_at": 1775438952,
	"ts_updated_at": 1775826705,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1de99d80a81847982a7391b27fd32b1fe20b52a5.pdf",
		"text": "https://archive.orkl.eu/1de99d80a81847982a7391b27fd32b1fe20b52a5.txt",
		"img": "https://archive.orkl.eu/1de99d80a81847982a7391b27fd32b1fe20b52a5.jpg"
	}
}