Desktop Screenshot / Streaming
The User Desktop Screenshot feature is a common capability found in Remote Access Trojans (RATs) and Command-and-Control (C2) infrastructures. While it is less frequently seen in other malware categories such as Information Stealers, it may still be implemented for specific use cases.
Purpose and Use Cases
This feature allows an attacker to capture visual data from a victim's desktop environment. It is especially popular among script kiddies and amateur threat actors who use it for:
- Spying on victims: Observing browsing activity, visible plaintext credentials, chat messages, games, and other on-screen information.
- Gathering intelligence: Identifying user behavior patterns, currently used applications, and potentially extracting sensitive information visible on the screen.
- Verifying the effects of other malware features: For example, confirming that message boxes, hidden desktop icons, or disabled start menus are visible on the victim's screen.
- Monitoring real-time interactions: When paired with remote chat features, attackers can directly watch the victim's reaction or usage patterns live.
This capability provides a passive yet powerful surveillance method, enabling the attacker to collect a wide array of data without necessarily alerting the user.
Live Desktop Streaming and Remote Control
Advanced RATs often extend the screenshot feature by including live desktop streaming, offering functionality similar to Virtual Network Computing (VNC) software but in a stealthier form. This typically includes:
- Live screen streaming
- Remote keyboard and mouse control
- Clipboard access
- Window or application-specific control
This live control allows attackers not only to observe but also to interact with the victim’s environment in real time. Some use cases include:
- Navigating the operating system
- Extracting data not otherwise reachable by automated means
- Interfering with the victim’s actions (e.g., moving the mouse, opening/closing windows) for amusement or disruption
Performance Considerations
Most RATs implement unoptimized full-screen image transmission, leading to significant latency and performance issues due to:
- High CPU usage for continuous screen encoding
- Network strain from transmitting full frames repeatedly
However, more sophisticated implementations may include optimizations such as:
- Region-based updates: Only transmitting changed portions of the screen (dirty rectangles)
- Image comparison algorithms: To detect pixel-level differences between frames
- Hooking system messages: Identifying window updates or UI changes without full-screen scanning
- Video compression: Using codecs (e.g., MJPEG, H.264) to reduce bandwidth usage, at the cost of a larger malware binary
These improvements can significantly reduce CPU and bandwidth consumption, resulting in a smoother and more responsive streaming experience.
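As an added illustration of the region-based update and image-comparison optimizations described above (not code from the original page or from the listed snippet), the following compares two constructed in-memory frames tile by tile and reports only the changed rectangles; it captures nothing from a real screen. It also shows why the bandwidth of such a stream tracks on-screen activity rather than staying constant, which is relevant when characterizing this traffic on the wire. Frame layout, tile size and the sample change are assumptions made for the demo.

```python
# Added example: tile-based "dirty rectangle" frame differencing on constructed frames.
from typing import List, Optional, Tuple

Rect = Tuple[int, int, int, int]  # x, y, w, h in pixels

def make_frame(width: int, height: int, fill: int = 0) -> bytearray:
    """Constructed 8-bit grayscale frame: one byte per pixel, row-major."""
    return bytearray([fill]) * (width * height)

def paint(frame: bytearray, width: int, x: int, y: int, w: int, h: int, value: int) -> None:
    """Simulate an on-screen change by overwriting a w*h rectangle at (x, y)."""
    for row in range(y, y + h):
        start = row * width + x
        frame[start:start + w] = bytes([value]) * w

def dirty_rects(prev: bytes, cur: bytes, width: int, height: int, tile: int = 8) -> List[Rect]:
    """Compare two frames tile by tile (exact byte comparison, the simplest
    image-comparison step) and return changed tiles merged along each tile row."""
    if len(prev) != len(cur) or len(cur) != width * height:
        raise ValueError("frames must have identical width*height")
    rects: List[Rect] = []
    for ty in range(0, height, tile):
        th = min(tile, height - ty)
        run_start: Optional[int] = None  # x of the first changed tile in the current run
        for tx in range(0, width + tile, tile):  # one extra step flushes a trailing run
            changed = False
            if tx < width:
                tw = min(tile, width - tx)  # partial tile at the right edge
                for row in range(ty, ty + th):
                    off = row * width + tx
                    if prev[off:off + tw] != cur[off:off + tw]:
                        changed = True
                        break
            if changed and run_start is None:
                run_start = tx
            elif not changed and run_start is not None:
                rects.append((run_start, ty, min(tx, width) - run_start, th))
                run_start = None
    return rects

def bytes_to_send(rects: List[Rect]) -> int:
    """Uncompressed payload (1 byte/pixel) for only the dirty regions."""
    return sum(w * h for _, _, w, h in rects)

if __name__ == "__main__":
    W, H = 64, 32
    before = make_frame(W, H)
    after = bytearray(before)
    paint(after, W, 10, 5, 20, 6, 255)  # a 20x6 change, e.g. a redrawn button
    changed = dirty_rects(before, after, W, H)
    print(changed, bytes_to_send(changed), "of", W * H, "bytes")
```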
Selective Capture Options
Some advanced RATs provide options for more targeted screenshot capabilities, including:
- Window-specific capture: Capturing only the contents of a particular window (e.g., a browser or chat app)
- Monitor selection: Choosing a specific display in multi-monitor setups
This allows the attacker to focus on areas of interest, avoiding unnecessary data collection.
Featured Windows API
Associated Code Snippets
Id | Name | Language | Author | Published Date
---|---|---|---|---
14 | Desktop / Window Screenshot via BitBlt | | DarkCoderSc | 2 days, 21 hours ago.