TA866 / Screentime Group
Notable for a human-in-the-loop reconnaissance model that sets it apart from most financially motivated threat actors: after gaining initial access, the group deploys Screenshotter to take periodic JPG screenshots of the victim's desktop and manually reviews them before deciding whether the target is worth pursuing further. Documented by Proofpoint in February 2023 as TA866 / Screentime, and later connected by ESET in June 2023 to the Asylum Ambuscade intrusion set — a group active since at least 2020 that runs both crimeware and cyber espionage operations concurrently. Russian-language artifacts in AHK Bot source code, and prior espionage campaigns targeting European government personnel managing Ukraine-related refugee logistics, point toward Russia or Belarus state alignment. Cisco Talos in October 2024 further linked TA866 to the WarmCookie backdoor and the CSharp-Streamer-RAT — expanding the documented post-exploitation toolkit significantly beyond the 2023 Screenshotter disclosure.
Overview
TA866 operates with a deliberate two-stage approach: cast a wide net through high-volume phishing to achieve initial access across many organizations simultaneously, then curate that access through manual human review of Screenshotter output before committing to deeper exploitation. This separates TA866 from groups that automate victim profiling — the human review step implies an analyst is evaluating screenshots, making judgments about the value of access (is this a financial controller's machine? Is there visible sensitive content? Is the organization operating in a high-value sector?) and deciding which infections to progress to AHK Bot, Active Directory profiling, and Rhadamanthys Stealer deployment. Organizations whose desktop screenshots do not suggest sufficient value are simply not pursued further — making the initial Screenshotter infection a form of triage rather than a committed intrusion.
The Asylum Ambuscade connection, established through code-level tool overlaps by both ESET and Proofpoint, is analytically important because it transforms the TA866 picture from a financially motivated cybercriminal group to an actor with a dual-track mandate. Asylum Ambuscade was named by Proofpoint in March 2022 when it described a campaign specifically targeting European government personnel managing refugee logistics related to Russia's invasion of Ukraine — an operation with clear espionage motivation. The same actor running simultaneous crimeware campaigns (stealing from banking customers, cryptocurrency traders, and SMBs) and espionage campaigns (targeting European government officials with Ukraine-relevant access) is described by ESET as "quite unusual." ESET counted more than 4,500 crimeware victims between January 2022 and May 2023 alone, running alongside the espionage operations.
Russian-language artifacts are the primary attribution indicator: AHK Bot source code contains comments in Russian, and a 2020 version of AHK Bot appears to have been in exclusive use by a closed actor ecosystem. Combined with the targeting of European government personnel with Ukraine-related mandates and the delivery of espionage operations via compromised Ukrainian military email accounts (the March 2022 Proofpoint report described a phishing lure using a legitimate Ukrainian armed services email), the totality of evidence points toward a Russia- or Belarus-aligned actor with both state-tasked espionage assignments and financially motivated criminal side operations.
Cisco Talos's October 2024 report substantially expanded the documented TA866 toolset by linking the actor to the WarmCookie backdoor and CSharp-Streamer-RAT — establishing that the post-exploitation capability extends well beyond what the 2023 Screenshotter reports described. The Resident backdoor, previously attributed to WarmCookie intrusion activity, shares core implementation patterns with WarmCookie samples, and Talos assessed the same threat actor authored both. CSharp-Streamer-RAT was observed in TA866 intrusion activity from 2023 before appearing in WarmCookie campaigns in 2024.
Attack Chain — Screentime Campaign Model
The Screentime attack chain evolved across campaigns but the core structure remained consistent: email delivery → TDS filtering → JavaScript → MSI → WasabiSeed → Screenshotter → human-reviewed victim selection → follow-on payloads for selected victims.
The Dual-Track — Crimeware and Espionage
The Asylum Ambuscade connection establishes that TA866 is not exclusively a financially motivated criminal group. The actor appears to run two parallel operational tracks — often using the same tooling infrastructure for both:
- Crimeware track (TA866 / Screentime designation): High-volume phishing targeting organizations across all industries in North America and Germany. Objectives are financial — credential theft, crypto wallet emptying, sale of access to other actors (potentially ransomware operators). Victims include banking customers, cryptocurrency traders, and SMBs. ESET counted over 4,500 victims between January 2022 and May 2023.
- Espionage track (Asylum Ambuscade designation): Targeted phishing against European government personnel. The March 2022 Proofpoint campaign specifically targeted officials managing the logistics of refugees fleeing Ukraine — individuals with access to population movement, border crossing, and humanitarian corridor data. The January 2022 campaign involved attachments named "list of persons.xlsx," targeting European government officials in transportation, financial, budget allocation, and administrative roles. The espionage targeting consistently centers on individuals with financial authority or specific access to Ukraine-related operations — consistent with intelligence collection priorities of a state with interest in Russia-Ukraine conflict dynamics.
- Tool overlap establishing the connection: SunSeed (Lua first-stage downloader in Asylum Ambuscade) and WasabiSeed (VBS downloader in Screentime) perform identical functions — download payloads in a loop using C: drive serial as URL path — in different programming languages. AHK Bot appears in both clusters. The Windows Installer / MSI delivery technique appears in both attack chains. The overlapping tooling across distinct targeting objectives is the core evidence linking TA866 and Asylum Ambuscade as the same underlying actor.
Tactics, Techniques & Procedures
| MITRE ID | Technique | Description |
|---|---|---|
| T1566.001 / T1566.002 | Phishing — Spearphishing Attachment and Link | TA866 uses high-volume email campaigns delivered via the TA571 spam distribution service. Early campaigns (Oct–Nov 2022) used macro-enabled Publisher (.pub) attachments. From December 2022, URLs directing to 404 TDS. From January 2024, PDF attachments containing OneDrive URLs replaced direct URL inclusion. Some campaigns used thread hijacking ("check my presentation" lure) to impersonate ongoing conversations. Lures include invoices, project achievements, and fake corporate communications. Campaign volumes scaled from hundreds of messages in October 2022 to tens of thousands of messages by January 2023. |
| T1036 / T1027 | Traffic Distribution System (TDS) — 404 TDS | TA866 uses 404 TDS as a traffic filtering and redirection layer between phishing email URLs and malware delivery. The TDS evaluates visitors and redirects only qualifying targets (filtering by geography, browser characteristics, or other criteria) to the JavaScript download. 404 TDS is a commercially available or shared service in the criminal ecosystem — Proofpoint has observed it used across multiple unrelated campaigns. Its use by TA866 allows geofencing of malware delivery and reduces exposure of infrastructure to security researchers. |
| T1547.001 | WasabiSeed — Persistence via Startup Folder | WasabiSeed is a VBS-based persistent downloader embedded in the initial MSI package. Upon execution, it creates an autorun shortcut in the Windows Startup folder for persistence across reboots. WasabiSeed enters a loop, continuously fetching payloads from C2 infrastructure using the victim's C: drive serial number embedded in the URL path as a victim identifier — enabling the actor to track and differentiate individual infections and selectively deliver follow-on payloads. WasabiSeed remained largely unchanged between the March 2023 and January 2024 campaigns. |
| T1113 / T1041 | Screenshotter — Human-Reviewed Desktop Surveillance | Screenshotter has a single documented purpose: capture a JPG screenshot of the victim's current desktop view and transmit it to an attacker-controlled C2 server via HTTP POST to a hardcoded IP address. Variants implemented in Python, AutoIT, and JavaScript/IrfanView enable deployment across different victim environments. The actor receives the screenshots and manually reviews them to determine whether the victim's machine reveals evidence of high-value access — visible financial data, enterprise environments, administrative tools, or organizational indicators worth pursuing. Victims who pass this manual triage receive AHK Bot and Rhadamanthys Stealer; others are simply not pursued further. |
| T1087.002 / T1069.002 | AHK Bot — Active Directory Domain Profiling | AHK Bot is an AutoHotKey-based second-stage loader deployed to victims who pass the Screenshotter review. A key function is domain profiling: AHK Bot checks the victim machine's Active Directory domain membership and sends domain details to the C2. This AD profiling enables identification of enterprise targets and sets up potential lateral movement to other domain-joined hosts. AHK Bot also loads Rhadamanthys Stealer fileless (in-memory injection), avoiding on-disk payload detection. AHK Bot's Looper component from a 2020 version was nearly identical to the Screentime variant — a key tool overlap linking Asylum Ambuscade and TA866. |
| T1555 / T1539 / T1528 | Rhadamanthys Stealer — Credential and Wallet Theft | Rhadamanthys is a commercial information stealer available on underground markets since mid-2022. TA866 deploys it via fileless in-memory injection through AHK Bot. Rhadamanthys targets: cryptocurrency wallets, browser passwords and cookies, Steam accounts, Telegram credentials, Discord tokens, FTP client configurations, email client credentials (including IMAP/SMTP), VPN configuration files, session tokens, and arbitrary file grabs. The breadth of credential targeting — spanning financial (crypto), gaming (Steam), communication (Telegram, Discord), and enterprise (email, VPN) — supports both direct financial fraud and access brokering to downstream ransomware operators. |
| T1071 / T1105 | WarmCookie Backdoor and CSharp-Streamer-RAT (2024+) | Cisco Talos (Oct 2024) linked TA866 to the WarmCookie backdoor — assessed as authored by the same developer as the Resident backdoor previously associated with WarmCookie intrusion activity. Core functionality was implemented consistently across both. CSharp-Streamer-RAT was observed in TA866 intrusion activity from 2023, and in WarmCookie campaigns from 2024. Four C2 servers sharing programmatically generated SSL certificate characteristics were identified as a cluster. WarmCookie expands the post-compromise capability of the actor significantly beyond screenshot-and-triage, enabling persistent remote access, command execution, and sustained access to selected targets. |
Criminal Ecosystem Relationships
TA866 operates within a documented cybercriminal services ecosystem rather than as a fully self-contained operation:
- TA571 (spam distributor): TA571 provides high-volume spam distribution services to criminal customers including TA866. Proofpoint subsequently identified that TA571 delivered both the 2023 Screentime campaigns and the January 2024 campaign. TA571 has also distributed AsyncRAT, NetSupport RAT, IcedID, PikaBot, QakBot, and DarkGate for other customers. The use of a specialist distributor means TA866 does not need to maintain its own email sending infrastructure and can focus on post-exploitation tooling.
- 404 TDS (traffic distribution system): A commercially available or shared TDS service used by TA866 and other actors to filter traffic and redirect qualifying victims to malware delivery infrastructure. 404 TDS provides geographic filtering and anti-analysis characteristics that reduce security researcher visibility into the infection chain.
- Rhadamanthys Stealer (commercial malware): An off-the-shelf information stealer purchased through underground markets. TA866's use of a commercial stealer for the final-stage financial operation reduces development overhead while providing broad credential-theft capability. The stealer's commercial availability also adds attribution complexity — Rhadamanthys detections alone do not identify TA866.
- Access brokering (assessed): ESET assessed that TA866 may sell the access it establishes to SMBs to downstream actors, including potentially ransomware operators. No confirmed access sale transactions have been publicly documented, but the combination of AD domain profiling and persistent WasabiSeed access creates sellable network footholds whose value extends beyond the immediate Rhadamanthys credential harvest.
Indicators of Compromise
WasabiSeed and Screenshotter components remained largely unchanged between March 2023 and January 2024, suggesting the Proofpoint Emerging Threats rules (ET 2043239 WasabiSeed; ETPRO 2852922 Screenshotter) provide durable detection across campaigns. The C: drive serial number embedded in WasabiSeed C2 URL paths provides a per-victim identifier that can be used to correlate infections within a campaign. Full YARA rules and IOC sets are in Proofpoint's Screentime publication and the Cisco Talos TA866/Asylum Ambuscade report.
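The two network patterns described above, the WasabiSeed beacon carrying a per-victim serial in its URL path and the Screenshotter image/jpeg POST to a literal IP, as detection logic run over constructed proxy log lines. This is added example code, not from Proofpoint or the ET rules; the log layout, the XXXX-XXXX serial format and the size threshold are assumptions.

```python
"""Network detection for the WasabiSeed beacon and Screenshotter exfil
patterns, over constructed proxy log lines. Example code, not from Proofpoint
or the ET rules; the log layout and the serial-in-path format are assumed."""
import ipaddress
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed log lines: "<client> <method> <url> <content-type> <bytes>".
# Hosts, serials and sizes are invented for the example.
SAMPLE_LOG = """\
10.0.4.21 GET http://203.0.113.15/ABCD-1234/ text/plain 0
10.0.4.21 GET http://203.0.113.15/ABCD-1234/ application/octet-stream 51200
10.0.4.21 POST http://203.0.113.15/ image/jpeg 184302
10.0.4.37 GET http://203.0.113.15/9F00-77E1/ text/plain 0
10.0.4.50 POST https://cdn.example.com/upload image/jpeg 90211
10.0.4.50 POST http://198.51.100.8/api text/plain 120
"""
LINE_RE = re.compile(r"^(?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) "
                     r"(?P<ctype>\S+) (?P<size>\d+)$")
# Assumed WasabiSeed layout: one path segment shaped like a Windows volume
# serial (XXXX-XXXX). The page only says the C: serial is in the URL path.
SERIAL_RE = re.compile(r"^/(?P<serial>[0-9A-F]{4}-[0-9A-F]{4})/?$")

def parse_log(text):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()

def host_is_bare_ip(url):
    """True when the URL host is a literal IP rather than a domain name."""
    try:
        ipaddress.ip_address(urlsplit(url).hostname or "")
        return True
    except ValueError:
        return False

def screenshotter_posts(text, min_bytes=20_000):
    """(client, dst_ip) for POSTs of image/jpeg to a literal-IP host that are
    large enough to be a desktop capture; min_bytes is a tuning assumption."""
    return [(ev["src"], urlsplit(ev["url"]).hostname) for ev in parse_log(text)
            if ev["method"] == "POST" and ev["ctype"] == "image/jpeg"
            and host_is_bare_ip(ev["url"]) and int(ev["size"]) >= min_bytes]

def wasabiseed_victims(text):
    """Map each serial-shaped path segment to the clients beaconing with it;
    one serial per infected host, so the key count is the infection count."""
    victims = defaultdict(set)
    for ev in parse_log(text):
        m = SERIAL_RE.match(urlsplit(ev["url"]).path)
        if ev["method"] == "GET" and m and host_is_bare_ip(ev["url"]):
            victims[m.group("serial")].add(ev["src"])
    return {serial: sorted(clients) for serial, clients in victims.items()}

if __name__ == "__main__":
    print(screenshotter_posts(SAMPLE_LOG))   # one hit from 10.0.4.21
    print(wasabiseed_victims(SAMPLE_LOG))    # two serials, one client each
```

A serial that shows up from two different client addresses is worth a second look, since the actor uses it as a one-to-one victim key.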
Mitigation & Defense
- Block or Restrict JavaScript Execution from Browser and File Explorer: The TA866 attack chain requires a user to double-click a JavaScript (.js) file received from OneDrive or a TDS-redirected URL. Windows Script Host (WSH) can be disabled via Group Policy or registry to prevent .js files from executing directly. Endpoint protection rules blocking mshta.exe, wscript.exe, and cscript.exe from executing files sourced from user download directories significantly break the TA866 delivery chain. Microsoft 365 environments should configure Safe Links and Safe Attachments policies to scan OneDrive-hosted content before serving it to users.
- Alert on WasabiSeed Persistence Pattern — Startup Folder .lnk Files: WasabiSeed creates an autorun shortcut in the Windows Startup folder. Monitoring for .lnk file creation in the Startup folder by processes other than known application installers is a high-signal behavioral indicator. File integrity monitoring on %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup should generate alerts for any new or modified .lnk files, particularly those created by msiexec.exe or wscript.exe parent processes.
- Network Detection for Screenshotter POST to Hardcoded IP: Screenshotter transmits JPG screenshots via HTTP POST to a hardcoded IP address — not a domain. Outbound HTTP POST requests carrying an image/jpeg content type to non-CDN IP addresses from enterprise workstations are unusual and should generate alerts. The Emerging Threats ETPRO rule 2852922 provides signature-based detection for this exfiltration pattern. Any endpoint making HTTP POST requests carrying screenshot-sized binary payloads to hardcoded IPs outside established enterprise destinations should be investigated immediately.
- Active Directory Domain Profiling Detection — AHK Bot: AHK Bot sends Active Directory domain details to a C2 server as a prerequisite to the Rhadamanthys Stealer stage. Monitoring for AutoHotkey (AutoHotkey.exe or ahk2exe.exe) processes making outbound network connections — particularly to external IPs — is a high-confidence indicator on enterprise workstations where AutoHotkey is not a sanctioned tool. AHK Bot's AD queries can also be detected through LDAP query logging — an unusual LDAP query from a workstation-class process is an indicator of post-exploitation reconnaissance.
- Rhadamanthys Stealer Scope Awareness for Incident Response: When Rhadamanthys is confirmed on a host, the credential scope is broad: browser passwords and cookies across all installed browsers, all cryptocurrency wallet files, Steam session tokens, Telegram and Discord credentials, VPN configuration files (including VPN keys and certificates), FTP client saved credentials, email client credentials (all stored accounts), and arbitrary files matching attacker-specified patterns. Incident response for a Rhadamanthys infection should treat all credentials stored on the host as compromised and initiate credential rotation across all affected accounts — including cryptocurrency wallets (requiring on-chain fund movement, not just password change).
- User Education on JavaScript File Execution: TA866's attack chain has a required user interaction point: the victim must run a JavaScript file received from OneDrive. Unlike macro-based delivery that executes when a document is opened, JavaScript delivery requires the user to actively double-click the .js file in Windows Explorer or a file browser, despite Windows typically showing a warning. Security awareness training should explicitly cover the risk of executing JavaScript files received via file-sharing services, regardless of whether the link came from an email thread the user recognizes — thread hijacking makes the source appear legitimate.
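The Startup-folder .lnk check and the AutoHotkey network-connection check from the list above, implemented over constructed Sysmon-style records. This is added example code, not from the report or any vendor; field names follow Sysmon FileCreate (ID 11) and NetworkConnect (ID 3), while the paths, IPs and the choice of RFC 1918 space as "internal" are assumptions.

```python
"""Host-side checks for the WasabiSeed Startup-folder persistence and the AHK
Bot network/AD-profiling behaviour, over constructed Sysmon-style records.
Example code, not from the report; field names follow Sysmon FileCreate (ID 11)
and NetworkConnect (ID 3), the paths, IPs and process names are invented."""
import ipaddress
import json

# Constructed events. A real pipeline would read these from the Sysmon channel.
SAMPLE_EVENTS = json.loads(r"""[
 {"EventID": 11, "Image": "C:\\Windows\\System32\\wscript.exe",
  "TargetFilename": "C:\\Users\\j.doe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\upd.lnk"},
 {"EventID": 11, "Image": "C:\\Program Files\\Vendor\\setup.exe",
  "TargetFilename": "C:\\Users\\j.doe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\Vendor.lnk"},
 {"EventID": 3, "Image": "C:\\Users\\j.doe\\AppData\\Local\\Temp\\AutoHotkey.exe",
  "DestinationIp": "203.0.113.15", "DestinationPort": 80},
 {"EventID": 3, "Image": "C:\\Users\\j.doe\\AppData\\Local\\Temp\\AutoHotkey.exe",
  "DestinationIp": "10.0.0.5", "DestinationPort": 389},
 {"EventID": 3, "Image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe",
  "DestinationIp": "203.0.113.99", "DestinationPort": 443}
]""")

STARTUP_MARKER = "\\start menu\\programs\\startup\\"   # compared in lower case
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "msiexec.exe"}
AHK_IMAGES = {"autohotkey.exe", "ahk2exe.exe"}
# RFC 1918 space counts as internal; anything else is treated as external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def image_name(path):
    """Lower-cased file name of a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()

def startup_lnk_alerts(events):
    """.lnk created in a Startup folder by a script host or msiexec, the
    WasabiSeed persistence pattern. Installer-created shortcuts are ignored."""
    alerts = []
    for ev in events:
        if ev.get("EventID") != 11:
            continue
        target = ev["TargetFilename"]
        if (STARTUP_MARKER in target.lower() and target.lower().endswith(".lnk")
                and image_name(ev["Image"]) in SCRIPT_HOSTS):
            alerts.append((image_name(ev["Image"]), target))
    return alerts

def ahk_network_alerts(events):
    """AutoHotkey processes talking to the network: external destinations are
    the C2 indicator, internal LDAP (389/636) is the AD profiling step."""
    alerts = []
    for ev in events:
        if ev.get("EventID") != 3 or image_name(ev["Image"]) not in AHK_IMAGES:
            continue
        dst = ipaddress.ip_address(ev["DestinationIp"])
        if not any(dst in net for net in INTERNAL_NETS):
            alerts.append(("ahk-external-connection", ev["DestinationIp"]))
        elif ev.get("DestinationPort") in (389, 636):
            alerts.append(("ahk-ldap-query", ev["DestinationIp"]))
    return alerts

if __name__ == "__main__":
    print(startup_lnk_alerts(SAMPLE_EVENTS))
    print(ahk_network_alerts(SAMPLE_EVENTS))
```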
The human-in-the-loop Screenshotter model is TA866's most analytically distinctive operational characteristic, and it reflects a rational economic decision: at scale, not every initial access is worth the overhead of deploying AHK Bot, waiting for AD profiling, and running Rhadamanthys against a low-value target. By inserting a manual review checkpoint — essentially an analyst looking at screenshots of victim desktops — the group conserves post-exploitation resources and focuses deeper operations on infections with detectable financial or intelligence value. This is more operationally expensive per victim than automated profiling, but the human judgment call likely improves return on investment per exploitation attempt.

The dual crimeware/espionage mandate confirmed by the Asylum Ambuscade overlap adds a dimension that purely financial-motivation framing misses. The espionage track — targeting European officials managing Ukraine refugee logistics in the weeks after Russia's February 2022 invasion — is not something a financially motivated actor does for money. The combination of high-volume criminal operations (4,500+ crimeware victims documented by ESET) and targeted state-adjacent espionage operations (European government officials with Ukraine access) is consistent with a criminal actor operating under some degree of state tasking — a model well-documented in Russia-linked cybercrime where criminal groups accept government intelligence assignments in exchange for operational tolerance.

The Talos 2024 linkage to WarmCookie and CSharp-Streamer-RAT suggests TA866's backend capability has matured significantly since the 2023 Screenshotter disclosure, and that the actor's post-compromise toolkit is substantially more capable than the initial public reporting indicated.
Sources & Further Reading
- Proofpoint — Screentime: Sometimes It Feels Like Somebody's Watching Me (Feb 2023, primary TA866 disclosure)
- Proofpoint — Security Brief: TA866 Returns with a Large Email Campaign (Jan 2024)
- Cisco Talos — Highlighting TA866/Asylum Ambuscade Activity Since 2021 (Oct 2024)
- The Hacker News — Invoice Phishing Alert: TA866 Deploys WasabiSeed & Screenshotter Malware (Jan 2024)
- The Hacker News — Hackers Targeting US and German Firms Monitor Victims' Desktops with Screenshotter (Feb 2023)
- SecurityWeek — Cybercrime Gang Uses Screenlogger to Identify High-Value Targets (Feb 2023)