ID | Name | Description |
---|---|---|
S0331 | Agent Tesla |
Agent Tesla can steal data from the victim’s clipboard.[3][4][5][6] |
G0082 | APT38 |
APT38 used a Trojan called KEYLIME to collect data from the clipboard.[7] |
G0087 | APT39 |
APT39 has used tools capable of stealing contents of the clipboard.[8] |
S0373 | Astaroth |
Astaroth collects information from the clipboard by using the OpenClipboard() and GetClipboardData() libraries. [9] |
S0438 | Attor |
Attor has a plugin that collects data stored in the Windows clipboard by using the OpenClipboard and GetClipboardData APIs.[10] |
S0454 | Cadelspy |
Cadelspy has the ability to steal data from the clipboard.[11] |
S0261 | Catchamas | |
S0660 | Clambling |
Clambling has the ability to capture and store clipboard data.[13][14] |
S0050 | CosmicDuke |
CosmicDuke copies and exfiltrates the clipboard contents every 30 seconds.[15] |
S0334 | DarkComet | |
S0363 | Empire |
Empire can harvest clipboard data on both Windows and macOS systems.[17] |
S0569 | Explosive |
Explosive has a function to use the OpenClipboard wrapper.[18] |
S0531 | Grandoreiro |
Grandoreiro can capture clipboard data from a compromised host.[19] |
S0170 | Helminth |
The executable version of Helminth has a module to log clipboard contents.[20] |
S0044 | JHUHUGIT |
A JHUHUGIT variant accesses a screenshot saved in the clipboard and converts it to a JPG image.[21] |
S0283 | jRAT | |
S0250 | Koadic |
Koadic can retrieve the current content of the user clipboard.[23] |
S0356 | KONNI | |
S0409 | Machete |
Machete hijacks the clipboard data by creating an overlapped window that listens to keyboard events.[25][26] |
S0282 | MacSpy | |
S0652 | MarkiRAT | |
S0530 | Melcoz | |
S0455 | Metamorfo |
Metamorfo has a function to hijack data from the clipboard by monitoring the contents of the clipboard and replacing the cryptocurrency wallet with the attacker's.[30][31] |
G0116 | Operation Wocao |
Operation Wocao has collected clipboard data in plaintext.[32] |
S0332 | Remcos | |
S0375 | Remexi | |
S0240 | ROKRAT |
ROKRAT can extract clipboard data from a compromised host.[35] |
S0148 | RTM | |
S0253 | RunningRAT |
RunningRAT contains code to open and copy data from the clipboard.[38] |
S0467 | TajMahal |
TajMahal has the ability to steal data from the clipboard of an infected host.[39] |
S0004 | TinyZBot |
TinyZBot contains functionality to collect information from the clipboard.[40] |
S0257 | VERMIN | |
S0330 | Zeus Panda |
Zeus Panda can hook GetClipboardData function to watch for clipboard pastes to collect.[42] |
This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.
ID | Data Source | Data Component |
---|---|---|
DS0017 | Command | Command Execution |
DS0009 | Process | OS API Execution |
Access to the clipboard is a legitimate function of many applications on an operating system. If an organization chooses to monitor for this behavior, then the data will likely need to be correlated against other suspicious or non-user-driven activity.