This new "custom" malware hits your device with specially-designed attacks


Cybersecurity researchers from Proofpoint have uncovered a brand new, custom-built malware being used by threat actors to deliver a wide variety of specifically tailored stage-two attacks.

These payloads serve different purposes, from espionage to data theft, and that unpredictability makes the attacks all the more dangerous.

The researchers, who dubbed the campaign Screentime, say it is being conducted by a new threat actor labeled TA866. While it’s a possibility that the group is already known to the wider cybersecurity community, no one has yet been able to link it to any existing groups or campaigns.


Espionage and theft

Proofpoint describes TA866 as an “organized actor able to perform well-thought-out attacks at scale based on their availability of custom tools, ability and connections to purchase tools and services from other vendors, and increasing activity volumes”.

The researchers also suggest that the threat actors might be Russian, as some variable names and comments in parts of their stage-two payloads were written in the Russian language. 

In Screentime, TA866 would send out phishing emails, trying to get victims to download the malicious payload called WasabiSeed. This malware establishes persistence on the target endpoint, and then delivers different stage-two payloads, depending on what the threat actors deem appropriate at the time. 

Sometimes it would deliver Screenshotter, malware with a self-explanatory name; at other times it would deliver AHK Bot, an infinite-loop component that in turn delivers Domain profiler, Stealer loader, and the Rhadamanthys stealer.

Generally speaking, the group seems to be financially motivated, Proofpoint argues. However, some instances led the researchers to believe that the group is also, at times, interested in espionage. It targeted mostly organizations in the United States and Germany, and it is indiscriminate in terms of verticals: the campaigns affect all industries.

The earliest signs of Screentime campaigns were seen in October 2022, Proofpoint said, adding that the activity continued into 2023, as well. In fact, in late January this year, the researchers observed “tens of thousands of email messages” targeting more than a thousand organizations. 

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.