{
	"id": "765018f3-8eae-4e09-a9c2-e6c83094d09f",
	"created_at": "2026-04-06T00:14:29.664024Z",
	"updated_at": "2026-04-10T03:34:42.780507Z",
	"deleted_at": null,
	"sha1_hash": "df1cdad5e6b207c3d1af7e177f15e1204a1260f7",
	"title": "TA866 Threat Actor: WasabiSeed \u0026 Screenshotter Malware | Proofpoint US",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2171376,
	"plain_text": "TA866 Threat Actor: WasabiSeed \u0026 Screenshotter Malware |\r\nProofpoint US\r\nBy February 08, 2023 Axel F\r\nPublished: 2023-02-06 · Archived: 2026-04-05 16:54:57 UTC\r\nKey Findings\r\nProofpoint began tracking a new threat actor, TA866.\r\nProofpoint researchers first observed campaigns in October 2022 and activity has continued into 2023.\r\nThe activity appears to be financially motivated, largely targeting organizations in the United States and\r\nGermany.\r\nWith its custom toolset including WasabiSeed and Screenshotter, TA866 analyzes victim activity via\r\nscreenshots before installing a bot and stealer.\r\nOverview\r\nSince October 2022 and continuing into January 2023, Proofpoint has observed a cluster of evolving financially\r\nmotivated activity which we are referring to as \"Screentime\". The attack chain starts with an email containing a\r\nmalicious attachment or URL and leads to malware that Proofpoint dubbed WasabiSeed and Screenshotter. In some\r\ncases, Proofpoint observed post-exploitation activity involving AHK Bot and Rhadamanthys Stealer.\r\nProofpoint is tracking this activity under threat actor designation TA866. Proofpoint assesses that TA866 is an\r\norganized actor able to perform well thought-out attacks at scale based on their availability of custom tools; ability\r\nand connections to purchase tools and services from other vendors; and increasing activity volumes.\r\nCampaign Details\r\nInitial threat types via email: Proofpoint has observed the following examples of malicious email campaigns. The\r\ntools used by the threat actor in the delivery stage (Traffic Distribution System (TDS), attachments, etc.) 
are not\r\nnecessarily unique and could have been purchased from other actors:\r\nPublisher (.pub) attachments with macros\r\nURLs linking (via 404 TDS) to Publisher files with macros\r\nURLs linking (via 404 TDS) to JavaScript files\r\nPDFs with URLs linking (via 404 TDS) to JavaScript files\r\nOpen source reporting details different post-exploitation payloads which Proofpoint has not confirmed, such as\r\na socket.io-based payload. Third-party researchers have also observed this activity start from Google Ads instead\r\nof email spam.\r\nGeographies targeted: Proofpoint observed campaigns primarily targeting organizations in the United States.\r\nProofpoint researchers also observed sporadic targeting of recipients in other countries, such as German\r\nrecipients receiving German-language emails on December 8, 2022, and on January 24, 2023.\r\nhttps://www.proofpoint.com/us/blog/threat-insight/screentime-sometimes-it-feels-like-somebodys-watching-me\r\nPage 1 of 17\n\nIndustries targeted: These campaigns affect all industries.\r\nEmail volumes and campaign frequency: Most campaigns during October and November 2022 involved only a\r\nlimited number of emails and focused on a small number of companies. Campaigns were observed on average one\r\nto two times a week and messages contained attached Publisher files. In November and December 2022, around\r\nthe time when the threat actor switched to using URLs, the scale of operation grew, and email volumes increased\r\ndrastically. Typical campaigns consisted of thousands or even tens of thousands of emails and were observed two\r\nto four times a week. In January 2023, the campaign frequency reduced but the email volumes ramped up even\r\nmore.\r\nFigure 1: Image showing campaign timeline and important data points\r\nCampaign Deep Dive\r\nOn January 23-24, 2023, Proofpoint observed tens of thousands of email messages targeting over a thousand\r\norganizations. Messages targeted organizations in the U.S. and Germany. 
The emails appeared to use thread\r\nhijacking, a \"check my presentation\" lure, and contained malicious URLs that initiated a multi-step attack chain.\r\nFigure 2: Example email from January 23, 2023 campaign sent to a recipient in U.S.\r\nFigure 3: Example email from January 23, 2023 campaign sent to a recipient in Germany.\r\nFigure 4: Overall attack chain showing the scripts, tools and malware involved.\r\nIf the user clicks on the URL, they initiate the attack chain, as follows:\r\nThe URL leads to 404 TDS which filters traffic and redirects to download of a JavaScript file\r\nThe JavaScript, if run by the user (such as by double clicking), downloads and runs an MSI package\r\nThis MSI package is the WasabiSeed installer. It executes an embedded VBS script (WasabiSeed) as well as\r\nestablishes persistence by creating an autorun shortcut in the Windows Startup folder\r\nThe WasabiSeed script\r\nDownloads and executes a second MSI file containing Screenshotter\r\nContinues polling the same URL for additional payloads in a loop\r\nThe second MSI file contains components of Screenshotter, a malware that has several variants\r\nimplemented in different scripting languages. 
Screenshotter has a single purpose of taking a screenshot of\r\nthe victim's screen and sending it to the command and control (C2) server\r\nActor interaction: the threat actor likely manually examines the victim's screenshot image during their\r\nnormal working hours and places additional payloads for the WasabiSeed loop to download, such as:\r\nScreenshotter: takes more screenshots (if the actor is not satisfied with previous screenshots)\r\nAHK Bot: the initial loop component (if actor is satisfied and wants to proceed with an attack)\r\nAHK Bot: the bot's main component is another infinite loop that polls and downloads additional AHK\r\nscripts. Observed scripts included:\r\nDomain profiler: determines the machine's Active Directory (AD) domain and sends it to the C2\r\nStealer loader: downloads a stealer executable and loads it in memory\r\nRhadamanthys: the specific stealer observed loaded by AHK Bot's Stealer Loader script was Rhadamanthys\r\nThe URL: 404 TDS\r\nThe URLs in this campaign led to 404 TDS, a Traffic Distribution System that Proofpoint has tracked since at least\r\nSeptember 2022. Proofpoint is not aware if this is a service sold on underground forums, but it is likely a shared or\r\nsold tool due to its involvement in a variety of phishing and malware campaigns. While the use of a TDS offers\r\nmany benefits, generally threat actors use them to filter only the traffic they are interested in based on geography,\r\nbrowser application, browser version, OS platform, and other factors.\r\nHundreds of random URLs in the format https://[domain.tld]/[a-z0-9]{5} were observed in this campaign. The\r\ndomains involved were registered on the day of the campaign. These domains were previously registered, expired,\r\nand then re-sold to the TDS operator. 
The campaign involved 20 domains, such as southfirstarea[.]com and black-socks[.]org, hosted on IP addresses 178.20.45[.]197 and 185.180.199[.]229.\r\nIf the parameters and conditions of the TDS filters were satisfied, users were redirected to a second URL (enigma-soft[.]com/zm/) with additional filtering (not part of the TDS). If this filter was satisfied too, users were redirected\r\nto a third URL (anyfisolusi[.]com/2/) to download a JavaScript file such as \"Document_24_jan-3559116.js\".\r\nJavaScript\r\nThe JavaScript code was lightly obfuscated with irrelevant comments, dead code, and variable substitution. The\r\npurpose of the code is to download and execute the next stage. It does so using a Windows Installer object (an\r\ninstallation and configuration service) which downloads and installs an MSI package from the Internet. The\r\nanalyzed script had the SHA256 of d934d109f5b446febf6aa6a675e9bcc41fade563e7998788824f56b3cc16d1ed\r\nand file name of \"Document_24_jan-3559116.js\".  \r\nFigure 5: JavaScript code after manual deobfuscation and clean-up.\r\nWasabiSeed VBS\r\nThe MSI package \"ke.msi\" (sha256:\r\n29e447a6121dd2b1d1221821bd6c4b0e20c437c62264844e8bcbb9d4be35f013) that was downloaded by the\r\nJavaScript unpacks and runs an embedded VBS script \"OCDService.vbs\" (SHA256:\r\n292344211976239c99d62be021af2f44840cd42dd4d70ad5097f4265b9d1ce01), that Proofpoint dubbed\r\nWasabiSeed. The MSI package also establishes persistence for WasabiSeed via an LNK file \"OCDService.lnk\"\r\ncreated in the Windows Startup folder.\r\nWasabiSeed is a simple VBS downloader which repeatedly uses Windows Installer to connect to the C2 server\r\nlooking for MSI packages to download and run. 
It begins by obtaining the C: Drive serial number, appends it to a\r\nURL request, and just like the JavaScript before it, passes the URL to a Windows Installer object and\r\nInstallProduct function. The downloaded file is expected to be an MSI package. Further execution is paused with a\r\nshort sleep instruction. The function then calls itself recursively.\r\nFigure 6: WasabiSeed VBS code.\r\nFigure 7: Network traffic generated by the WasabiSeed code.\r\nScreenshotter\r\nThe first payload downloaded by WasabiSeed was Screenshotter. This is a utility with a single function of taking a\r\nJPG screenshot of the user's desktop and submitting it to a remote C2 via a POST to a hardcoded IP address. This\r\nis helpful to the threat actor during the reconnaissance and victim profiling stage. Proofpoint observed several\r\nvariants of Screenshotter including Python-based, AutoIT-based, and JavaScript / IrfanView-based variants. All\r\naccomplish the same functionality, with the network protocol being identical. The JavaScript / IrfanView variant is\r\nthe latest variant at the time of publication.\r\nAs already mentioned, the Screenshotter code is packed into an MSI package (SHA256:\r\n02049ab62c530a25f145c0a5c48e3932fa7412a037036a96d7198cc57cef1f40). The package contains three files:\r\nlumina.exe: an unmodified copy of IrfanView version 4.62.\r\napp.js: This is the first file executed by the MSI package. It runs lumina.exe to capture a screenshot of the\r\ndesktop and save it as a JPG.\r\nindex.js: This is the second file executed by the MSI package. It reads in the image file taken by app.js\r\nscript, sets HTTP headers and POSTs the image to the same C2 address used by WasabiSeed, specifically to\r\nthe URL http://C2_IP/screenshot/%serial%. The value of %serial% is the same C Drive serial number as\r\nused by WasabiSeed. 
This allows the threat actor to connect the beacons from WasabiSeed to the specific\r\nscreenshot submitted by Screenshotter.\r\nFigure 8: Order of execution of scripts by the MSI.\r\nFigure 9: Screenshotter component app.js.\r\nFigure 10: Screenshotter component index.js.\r\nFigure 11: Network traffic generated by Screenshotter.\r\nAHK Bot\r\nAHK Bot: Looper\r\nAnalyst Note: AHK Bot post-exploitation payload was received in the December 20, 2022, campaign but not\r\nduring the January 24, 2023, campaign used as the example in this report. While the post-exploitation payload\r\ncould have changed since December 20, this is still a valuable example of what can be delivered as the final\r\npayload malware.\r\nIn certain instances, when the threat actor was satisfied with the screenshot(s) from the infected machine, an MSI\r\npackage containing the initial component of the AHK Bot was made available for WasabiSeed to download. AHK\r\nBot is named after the AutoHotKey language it's written in.\r\nThe AHK Bot is a collection of separate AutoHotKey scripts. Many of them share the same hardcoded C2 address\r\n(which is different from the WasabiSeed C2 address) and use the same C: drive serial in the URL path. The initial\r\nscript of the bot, the \"Looper\", is a simple infinite loop that receives and executes further AutoHotKey scripts. 
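Added example (not code from the report or from Proofpoint): by this point in the chain three beacon shapes share the same C: drive serial, and the IOC table at the end of the report gives them exactly: WasabiSeed GET /%serial%, Screenshotter POST /screenshot/%serial%, the AHK Bot Looper GET /%serial%-du2, plus the Stealer Loader's fixed /download?path=e. The Python below classifies proxy log lines by those shapes and uses the serial as the key that ties the stages together on one host, the same linkage the actor relies on to match beacons to screenshots. The log format, the sample lines and the serial encoding (a 6-12 character hex token) are assumptions of the example; the two C2 addresses are the ones listed in the IOC table.

```python
# Added example, not code from the Proofpoint report: classify proxy log lines
# into the Screentime beacon stages by URL shape, then correlate them on the
# C: drive serial that WasabiSeed, Screenshotter and AHK Bot all place in the path.
import re
from collections import defaultdict
from urllib.parse import urlsplit

# The two C2 addresses come from the report's IOC table. Other destinations are
# still scored, but at low confidence, because the path shapes below are generic
# enough to collide with ordinary traffic.
KNOWN_C2 = {'109.107.173.72', '89.208.105.255'}

# ASSUMPTION: the report does not show how the serial is encoded in the URL, so
# accept a 6-12 character token of hex digits and '-' (a Windows volume serial
# is a 32-bit value, usually displayed as XXXX-XXXX or as a decimal integer).
SERIAL = '[-0-9A-Fa-f]{6,12}'

# (stage, required HTTP method or None, regex over the URL path). Order matters:
# the more specific Looper shape must be tried before the bare /serial shape.
PATH_RULES = [
    ('ahk_looper', 'GET', re.compile('^/(' + SERIAL + ')-du2$')),
    ('screenshotter', 'POST', re.compile('^/screenshot/(' + SERIAL + ')$')),
    # WasabiSeed and the AHK Bot Domain Profiler both use a bare /serial path;
    # only the destination C2 tells them apart, so they share one stage name.
    ('serial_beacon', None, re.compile('^/(' + SERIAL + ')$')),
]


def classify(method, url):
    '''Return (stage, serial, host) for one request, or None if nothing matches.'''
    parts = urlsplit(url)
    host = parts.hostname or ''
    # The Stealer Loader fetches a fixed location that carries no serial.
    if parts.path == '/download' and parts.query == 'path=e':
        return ('ahk_stealer_loader', None, host)
    for stage, want_method, rx in PATH_RULES:
        if want_method is not None and want_method != method:
            continue
        m = rx.match(parts.path)
        if m:
            return (stage, m.group(1), host)
    return None


def parse_line(line):
    '''Constructed log format (an assumption of this example):
    timestamp client_ip method url, separated by single spaces.'''
    fields = line.split()
    if len(fields) != 4:
        return None
    return {'ts': fields[0], 'client': fields[1], 'method': fields[2], 'url': fields[3]}


def analyze(lines):
    '''Classify every line, then group the hits per (client, serial) so that one
    host showing several stages under the same serial is escalated.'''
    hits = []
    chains = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        found = classify(rec['method'], rec['url'])
        if found is None:
            continue
        stage, serial, host = found
        hits.append({'ts': rec['ts'], 'client': rec['client'], 'stage': stage,
                     'serial': serial, 'host': host,
                     'confidence': 'high' if host in KNOWN_C2 else 'low'})
        chains[(rec['client'], serial)].add(stage)
    # Two or more distinct stages keyed by the same client and serial is the
    # signal worth alerting on: recon (screenshot) followed by the AHK Bot loop.
    escalations = {key: sorted(stages) for key, stages in chains.items()
                   if len(stages) != 1}
    return {'hits': hits, 'escalations': escalations}


# Constructed sample lines, not traffic from the report. The serial value and
# the client addresses are made up; the C2 addresses are the IOC table's.
SAMPLE_LOG = [
    '2023-01-24T13:05:11Z 10.0.0.5 GET http://109.107.173.72/1A2B3C4D',
    '2023-01-24T13:05:12Z 10.0.0.5 POST http://109.107.173.72/screenshot/1A2B3C4D',
    '2023-01-24T13:20:40Z 10.0.0.5 GET http://109.107.173.72/1A2B3C4D',
    '2023-01-24T15:02:03Z 10.0.0.5 GET http://89.208.105.255/1A2B3C4D-du2',
    '2023-01-24T15:02:09Z 10.0.0.5 GET http://89.208.105.255/download?path=e',
    '2023-01-24T13:06:00Z 10.0.0.9 GET http://www.example.com/abcdef',
    '2023-01-24T13:07:00Z 10.0.0.9 GET http://www.example.com/static/app.js',
]

if __name__ == '__main__':
    result = analyze(SAMPLE_LOG)
    for hit in result['hits']:
        print(hit)
    print('escalate:', result['escalations'])
```

The bare /serial shape is generic (any six to twelve hex characters), so a hit on a destination outside the IOC list is reported at low confidence; the escalation set, one client showing two or more serial-keyed stages, is the part worth alerting on.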
The\r\nLooper code is packaged in an MSI package that contains the following files:\r\nau3.exe: Legitimate copy of “AutoHotkeyU32.exe” version 1.1.33.10, which is the AutoHotKey interpreter\r\nexecutable.\r\nau3.ahk: The Looper AutoHotKey script.\r\nFigure 12: The MSI executes \"au3.exe\" AHK interpreter (see \"Action2_au3.exe\"), which if run without any\r\nparameters automatically looks for and executes a file named \"au3.ahk\".\r\nFigure 13: AHK Bot \"Looper\" component is an infinite loop attempting to download further AutoHotKey scripts\r\nwhich are other components of AHK bot.\r\nFigure 14: Network traffic generated by the Looper.\r\nAHK Bot: Domain Profiler\r\nImmediately after the AHK Bot Looper ran, it downloaded the next component, the Domain Profiler. This simple\r\nscript figures out the machine's AD domain and sends it to the C2. This is yet another step, in addition to the\r\ndesktop screenshots previously taken, used to help the threat actor determine the potential usefulness of the\r\ninfected machine and whether to proceed with the infection. The threat actor is likely looking for the infected\r\nmachine to be part of an Active Directory domain.\r\nFigure 15: Domain Profiler code.\r\nFigure 16: Network traffic generated by the Domain Profiler.\r\nAHK Bot: Stealer Loader\r\nThe next AHK Bot component received was the Stealer Loader. This is a large AHK script that downloads,\r\ndecrypts and runs a DLL as bytes from memory. The specific DLL loaded was a malware known as\r\n\"Rhadamanthys Stealer\". 
Theoretically, another payload could be placed at the expected payload location\r\n\"/download?path=e\", however the log messages inside the code, such as \"steal: load\", point to this code being\r\ntailored to loading a stealer.\r\nFigure 17: Small snippet of the Stealer Loader code.\r\nFigure 18: Network traffic showing Stealer Loader requesting a payload.\r\nRhadamanthys Stealer\r\nRhadamanthys is a stealer that was initially advertised for sale on underground forums approximately in the middle\r\nof 2022. Samples of the malware in public and private repositories can be found as early as August 2022.\r\nResearchers have published public details on this stealer, including reports from ThreatMon and Eli Salem. The\r\nfunctionality includes stealing crypto wallets, Steam accounts, passwords from browsers, FTP clients, chat clients\r\n(e.g. Telegram, Discord), email clients, VPN configurations, cookies, grabbing files, etc.\r\nFigure 19: The specific Rhadamanthys Stealer sample observed loaded by the AHK bot connected to the C2\r\nmoosdies[.]top\r\nFurther Analysis and Pivoting\r\nWork Hours Analysis\r\nSeveral parts of the attack chain involve manual intervention from the threat actor. For example, the actor can\r\nmanually initiate the taking of additional screenshots (via Screenshotter) and the download of post-exploitation\r\nmalware AHK Bot and its components.\r\nGiven that these payloads are made available manually, researchers attempted to plot actor working hours by\r\ncollecting payload download times. While not statistically significant (less than 50 data points were collected), it is\r\nstill anecdotally interesting. Proofpoint observed payload download times between 2am and 2pm EST. 
If we\r\nassume a normal workday starting time around 9 a.m., then TA866's operational time zone could be UTC+2 or\r\nUTC+3.\r\nComments in Russian Language\r\nResearchers identified Russian language variable names and comments in some parts of AHK Bot. For example,\r\nthe Stealer Loader contains a comment \"here it is not known what the function should return\" in a function\r\nresponsible for running code from memory. The comment could be due to the tool developer being a native speaker\r\nor due to code copied from other sources without removing the comment.\r\nFigure 20: AHK Bot Stealer Loader contains the comment \"here it is not known what the function should return\" in\r\nRussian.\r\nPivoting on Tools to Find Past Activity\r\nBased on limited reporting and observed use of AHK Bot, it appears to be in exclusive use by one or a closed\r\necosystem of threat actors and can be used as a good pivot for finding potentially related campaigns. Additionally,\r\nWasabiSeed is another good tool for pivoting into additional threat activity.\r\n(A) The FINTEAM April 2019 campaign described by Check Point and by Trend Micro involved an attachment\r\nnamed \"Military Financing.xlsm\".\r\nTargeting: The description by Check Point included targeting of government organizations with specific\r\nindividuals in finance authorities or working in embassies. Hence the targeting could be either financially or\r\nespionage motivated. Meanwhile, the targeting in the Screentime cluster was strictly financially motivated.\r\nAHK Bot: This malware was used in the 2019 campaign. 
While it was an earlier variant of the AHK Bot\r\nused in the Screentime cluster, Proofpoint found significant similarities, especially in the networking code.\r\nAdditionally, the 2019 AHK Bot version had a \"screenshotting\" module built into the bot, while the current\r\ncampaigns use standalone Screenshotter malware.\r\nSummary of similarities: There are potential overlaps in the targeting, and significant overlaps in custom\r\ntooling used (AHK Bot).\r\n(B) In a 2020 report, Trend Micro described financial sector targeting activity delivering a credential stealer. This\r\nactivity involved attachments named \"Important_Changes.xlsm\".\r\nTargeting: According to Trend Micro, targeting included financial institutions in US and Canada. Similarly,\r\nthe targeting in the Screentime cluster was also financially motivated with geographies such as U.S. and\r\nGermany affected.\r\nAHK Bot: The initial Looper component observed in the 2020 report was nearly identical to the Looper\r\ncomponent observed in Screentime campaigns. The 2020 AHK Bot variant included a stealer implemented\r\nas the AHK module, while the Screentime campaigns use Rhadamanthys stealer.\r\nSummary of similarities: There are significant overlaps in both the targeting, and custom tooling used\r\n(AHK Bot).\r\n(C) The Asylum Ambuscade activity reported by Proofpoint in March 2022 involved an attachment named \"list of\r\npersons.xlsx\".\r\nTargeting: The Asylum Ambuscade activity targeted European government personnel in transportation,\r\nfinancial and budget allocation, administration, and population movement within Europe. The targeting\r\nappears to be espionage motivated, however it's interesting to note the recurring theme of some of the\r\nindividuals being in financial roles (like in the FINTEAM cluster). 
Meanwhile, the targeting in the\r\nScreentime cluster was financially motivated.\r\nTools: The SunSeed Lua script observed in the Asylum Ambuscade campaign is similar in functionality to\r\nthe WasabiSeed VBS tool from the Screentime campaign cluster. Both perform the same function\r\n(downloading payloads in a loop, using C: serial as the URL path) in different programming languages.\r\nWhile we have not directly observed the delivery of AHK Bot malware in response to SunSeed payload\r\ninfections, Proofpoint recognizes the distinct similarities between the two installers. Additional similarities\r\nalso exist in earlier parts of the attack chains, specifically in the use of the Windows Installer technique\r\nleading to an MSI file. Asylum Ambuscade uses this technique in the attachment macro while Screentime\r\nuses this technique in JavaScript and WasabiSeed VBS.\r\nSummary of similarities: Asylum Ambuscade differs in the targeting goals from the Screentime cluster -\r\nthere are no or only weak overlaps. There are significant overlaps in functionality of WasabiSeed and SunSeed\r\nscripts and in earlier parts of the attack chains.\r\nProofpoint assesses with low to moderate confidence that these campaigns were likely performed by TA866 given\r\nthe similarities in TTPs but the possibility of the tools being used by more than one actor cannot be completely\r\nruled out. Attribution investigation is ongoing.\r\nConclusion\r\nTA866 is a newly identified threat actor that distributes malware via email utilizing both commodity and custom\r\ntools. While most of the activity observed occurred since October 2022, Proofpoint researchers identified multiple\r\nactivity clusters since 2019 that overlap with TA866 activity. 
Most of the activity recently observed by Proofpoint\r\nsuggests recent campaigns are financially motivated, however assessment of historic related activities suggests a\r\npossible additional espionage objective.\r\nThe use of Screenshotter to gather information on a compromised host before deploying additional payloads\r\nindicates the threat actor is manually reviewing infections to identify high-value targets. The AD profiling is\r\nespecially concerning as follow-on activities could lead to compromises on all domain-joined hosts.\r\nIt is important to note that in order for a compromise to be successful, a user has to click on a malicious link and, if\r\nsuccessfully filtered, interact with a JavaScript file to download and run additional payloads. Organizations should\r\neducate end users about this technique and encourage users to report suspicious emails and other activities.\r\nIOCs\r\nIndicator Type Description\r\nsouthfirstarea[.]com Domain 404 TDS domain\r\npeak-pjv[.]com Domain 404 TDS domain\r\notameyshan[.]com Domain 404 TDS domain\r\nthebtcrevolution[.]com Domain 404 TDS domain\r\nannemarieotey[.]com Domain 404 TDS domain\r\nexpresswebstores[.]com Domain 404 TDS domain\r\nstyleselect[.]com Domain 404 TDS domain\r\nmikefaw[.]com Domain 404 TDS domain\r\nfgpprlaw[.]com Domain 404 TDS domain\r\nduncan-technologies[.]net Domain 404 TDS domain\r\nblack-socks[.]org Domain 404 TDS domain\r\nvirtualmediaoffice[.]com Domain 404 TDS domain\r\nsamsontech[.]mobi Domain 404 TDS domain\r\nfootballmeta[.]com Domain 404 TDS domain\r\ngfcitservice[.]net Domain 404 TDS domain\r\nlistfoo[.]org Domain 404 TDS domain\r\nduinvest[.]info Domain 404 TDS domain\r\nshiptrax24[.]com Domain 404 TDS domain\r\nrepossessionheadquarters[.]org Domain 404 TDS domain\r\nbluecentury[.]org Domain 404 TDS 
domain\r\nd934d109f5b446febf6aa6a675e9bcc41fade563e7998788824f56b3cc16d1ed SHA256 JavaScript “Document_24_jan-3559116.js”\r\nhxxp[:]//79[.]137.198.60/1/ke.msi URL JavaScript downloading MSI 1 (WasabiSeed Installer)\r\n29e447a6121dd2b1d1221821bd6c4b0e20c437c62264844e8bcbb9d4be35f013 SHA256 WasabiSeed Installer MSI “ke.msi”\r\n292344211976239c99d62be021af2f44840cd42dd4d70ad5097f4265b9d1ce01 SHA256 OCDService.vbs (WasabiSeed) inside ke.msi\r\nhxxp[:]//109[.]107.173.72/%serial% URL WasabiSeed downloading payloads (Screenshotter, AHK Bot)\r\n02049ab62c530a25f145c0a5c48e3932fa7412a037036a96d7198cc57cef1f40 SHA256 Screenshotter Installer MSI\r\nd0a4cd67f952498ad99d78bc081c98afbef92e5508daf723007533f000174a98 SHA256 Screenshotter component app.js\r\n6e53a93fc2968d90891db6059bac49e975c09546e19a54f1f93fb01a21318fdc SHA256 Screenshotter component lumina.exe\r\n322dccd18b5564ea000117e90dafc1b4bc30d256fe93b7cfd0d1bdf9870e0da6 SHA256 Screenshotter component index.js\r\nhxxp[:]//109[.]107.173.72/screenshot/%serial% URL Screenshotter submitting an image to C2\r\n1f6de5072cc17065c284b21acf4d34b4506f86268395c807b8d4ab3d455b036b SHA256 AHK Bot installer MSI\r\n3242e0a736ef8ac90430a9f272ff30a81e2afc146fcb84a25c6e56e8192791e4 SHA256 AHK Bot Looper component “au3.exe”\r\n3db3f919cad26ca155adf8c5d9cab3e358d51604b51b31b53d568e7bcf5301e2 SHA256 AHK Bot Looper component “au3.ahk”\r\nhxxp[:]//89[.]208.105.255/%serial%-du2 URL AHK Bot Looper C2\r\nhxxp[:]//89[.]208.105.255/%serial% URL AHK Bot Domain Profiler C2\r\nhxxp[:]//89[.]208.105.255/download?path=e URL AHK Bot Stealer Loader C2\r\nmoosdies[.]top Domain Rhadamanthys Stealer C2\r\nET Signatures\r\n2853110 - ETPRO MALWARE 404 TDS Redirect\r\n2043239 - ET MALWARE WasabiSeed Backdoor Payload Request (GET)\r\n2852922 - ETPRO MALWARE Screenshotter Backdoor Sending Screenshot (POST)\r\n2853008 - ETPRO MALWARE AHK Bot Looper - Payload Request\r\n2853009 - ETPRO MALWARE AHK Bot Looper - Payload Request\r\n2853010 - ETPRO MALWARE AHK Bot Looper - Payload Request\r\n2853011 - ETPRO MALWARE AHK Bot Looper - Payload Request\r\n2853015 - ETPRO MALWARE AHK Bot - Logger Sending Data\r\n2853016 - ETPRO MALWARE AHK Bot - Stealer Loader Payload Request\r\n2853017 - ETPRO MALWARE AHK Bot - Logger Sending Data\r\n2043216 - ET MALWARE AHK Bot Domain Profiler CnC Activity\r\n2043202 - ET MALWARE Rhadamanthys Stealer - Payload Download Request\r\n2853001 - ETPRO MALWARE Rhadamanthys Stealer - Payload Response\r\n2853002 - ETPRO MALWARE Rhadamanthys Stealer - Data Exfil\r\nSource: https://www.proofpoint.com/us/blog/threat-insight/screentime-sometimes-it-feels-like-somebodys-watching-me",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MISPGALAXY"
	],
	"references": [
		"https://www.proofpoint.com/us/blog/threat-insight/screentime-sometimes-it-feels-like-somebodys-watching-me"
	],
	"report_names": [
		"screentime-sometimes-it-feels-like-somebodys-watching-me"
	],
	"threat_actors": [
		{
			"id": "59d91b6f-bccf-4ae4-a14c-028b198848b6",
			"created_at": "2023-03-10T02:01:52.119563Z",
			"updated_at": "2026-04-10T02:00:03.36177Z",
			"deleted_at": null,
			"main_name": "TA866",
			"aliases": [],
			"source_name": "MISPGALAXY:TA866",
			"tools": [
				"Screenshotter",
				"AHK Bot",
				"WasabiSeed"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434469,
	"ts_updated_at": 1775792082,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/df1cdad5e6b207c3d1af7e177f15e1204a1260f7.pdf",
		"text": "https://archive.orkl.eu/df1cdad5e6b207c3d1af7e177f15e1204a1260f7.txt",
		"img": "https://archive.orkl.eu/df1cdad5e6b207c3d1af7e177f15e1204a1260f7.jpg"
	}
}