Russian threat group suspect uses screenshotting to observe victims before striking, says analyst
A new threat group motivated by greed and possibly aligned with Russia has been spotted in the wild by a cybersecurity analyst – and it is apparently happy to play a patient game, using a malicious screenshot tool to observe potential targets from afar before deciding to strike.

Proofpoint said it had spotted the group, tagged as TA866, distributing malware via phishing emails since October. While it believes the group’s primary motive is financial gain, it adds that “assessment of historic related activities suggests a possible, additional espionage objective.”

The cybersecurity firm cannot be sure that the threat group is affiliated with Russia and conducting spying operations on the disgraced superstate’s behalf, but it says that an assessment of the working patterns followed by TA866 suggests that this might be the case.

“There are artifacts observed in the attack chain including Russian language in the code and work hours analysis that align with a typical 9 to 5 workday in time zones that include Russia, as well as other countries,” Proofpoint told Cybernews. “However, these factors alone are not enough to associate with high confidence to a state sponsor or geography.”

The attacks are aimed at all industries in the US and Germany and appear to have persisted into 2023.

Proofpoint says it observed “a cluster of evolving financially motivated activity” that it dubbed “Screentime,” adding that TA866’s attack vector consisted of sending emails containing a malicious attachment or URL to deliver a payload of malware that it dubbed “WasabiSeed” and “Screenshotter.”

In some cases, Proofpoint said it had also tracked follow-up attacks after a system had been compromised, using the malware tools AHK Bot and Rhadamanthys Stealer.

An escalating problem

The campaigns waged by TA866 and observed by the analyst towards the end of last year ran into thousands of phishing emails in just a handful of months, using trusted software documents to allay suspicion among victims.

“Campaigns were observed on average one to two times a week and messages contained attached Publisher files,” said Proofpoint.

But from November, the threat group switched from attachments to URLs – web links pointing to the malicious payload – causing the scale of the operation to grow drastically and bogus emails to multiply.

At this point, Proofpoint said, “typical campaigns consisted of thousands or even tens of thousands of emails and were observed two to four times a week.” Intriguingly, in the first month of this year, the number of TA866 salvos decreased – but the number of social engineering emails increased, suggesting growing efficiency on the part of the threat actor.

Describing TA866 as “an organized actor able to perform well thought-out attacks at scale based on their availability of custom tools,” Proofpoint warns that the suspected Russian group has the “ability and connections to purchase tools and services from other vendors” rendering it capable of targeting more victims.