MITRE ATT&CK® Malware

S0261: Catchamas

Catchamas is a Windows Trojan that steals information from compromised systems. [1]

Enterprise | S0261 | Malware | Object v1.1 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

Catchamas is a Windows information-stealing Trojan in ATT&CK. Its practical importance is not just malware identification: the related behaviors point to collection of user activity and system context, including keystrokes, screenshots, clipboard contents, open windows, local staging, registry changes, and Windows service persistence. For leaders, this makes Catchamas relevant to credential exposure, sensitive data handling, endpoint visibility, and incident response readiness on Windows systems.

Executive priority

Prioritize this as a validation case for whether Windows endpoint controls and SOC processes can prove visibility into credential and data collection behaviors. Because ATT&CK links Catchamas to Thrip, a group described as targeting satellite communications, telecoms, and defense contractors, organizations in similarly sensitive environments should ensure they can preserve evidence, scope affected hosts, and validate persistence removal. Use this object to ask whether endpoint logging, service inventory, registry monitoring, and user-data access telemetry are sufficient for audit and incident decision-making.

Technical view

ATT&CK provides no official detection text for Catchamas, so defenders should build coverage around the related techniques on Windows: Application Window Discovery, System Network Configuration Discovery, Masquerade Task or Service, Keylogging, Local Data Staging, Modify Registry, Screen Capture, Clipboard Data, and Windows Service persistence. SOC and IR teams should validate alerts and hunts for suspicious service creation or modification, service names that mimic legitimate tasks, unusual registry changes, evidence of screenshot or clipboard access, staged files in local directories, and discovery commands or API usage that collect host and network context.

Likely telemetry

  • Windows endpoint detection and response telemetry
  • Windows service creation, modification, and configuration records
  • Windows Registry modification events
  • Process execution and command-line telemetry
  • File creation and modification telemetry for local staging locations

Detection direction

  • Treat Catchamas coverage as behavior-led because no official ATT&CK detection guidance is supplied.
  • Validate Windows service monitoring, including newly created services, modified service paths, and service names or descriptions that appear to masquerade as legitimate tasks.
  • Tune for combinations of collection behaviors: keylogging indicators, screen capture, clipboard access, local file staging, and discovery activity on the same host or user context.
  • Review registry monitoring for persistence or defense-impairment relevant changes, while accounting for legitimate administrative and software installation activity.
  • Correlate host discovery and collection events with process lineage and file writes to reduce false positives from normal administration tools.
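The behaviour-led approach described in the Technical view and in the Detection direction bullets above can be expressed as a small triage routine. The following is an added example, not Glexia's or MITRE's code: it scores each Windows service install on a host by combining an unapproved or look-alike service name, a binary outside trusted directories, registry writes under the service's key, and .db/.bmp file creation in user directories within a short window. The approved-service baseline, the trusted directories, the look-alike vocabulary, the scoring weights and every sample event are constructed assumptions; only the service name NetAdapter and the .db/.bmp staging come from the ATT&CK relationship text on this page.

```python
"""Behaviour-led triage of Windows service installs (added example; sample data is constructed)."""
from collections import defaultdict
from datetime import datetime, timedelta
import difflib

# Constructed baseline of approved service names (lower-case); a real one comes from inventory.
KNOWN_SERVICES = {"wuauserv", "bits", "dhcp", "netman", "lanmanworkstation", "winmgmt", "netprofm"}
# Directories from which an approved service binary is expected to run (assumption).
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\program files\\", "c:\\program files (x86)\\")
# Generic Windows-sounding vocabulary a masquerading name tends to borrow (heuristic, constructed).
LOOKALIKE_TERMS = ("net", "adapter", "update", "windows", "microsoft", "svc", "host")
SERVICES_KEY = "hklm\\system\\currentcontrolset\\services\\"
STAGING_EXTS = (".db", ".bmp")
WINDOW = timedelta(minutes=10)  # correlation window around the service install


def name_reason(name, baseline=KNOWN_SERVICES):
    """Return a reason string if a service name looks unapproved or like a masquerade, else None."""
    n = name.lower()
    if n in baseline:
        return None
    close = difflib.get_close_matches(n, baseline, n=1, cutoff=0.75)
    if close:
        return f"name resembles approved service '{close[0]}'"
    hits = [t for t in LOOKALIKE_TERMS if t in n]
    if hits:
        return f"unapproved service borrows Windows-sounding term(s) {hits}"
    return "unapproved service name"


def path_reason(image_path):
    """Return a reason string if the service binary runs from outside trusted directories."""
    p = image_path.lower().strip('"')
    if p.startswith(TRUSTED_DIRS):
        return None
    return f"binary outside trusted directories: {image_path}"


def triage(events):
    """Score each service install by correlating same-host behaviours inside WINDOW."""
    by_host = defaultdict(list)
    for e in events:
        by_host[e["host"]].append(e)
    findings = []
    for host, evs in by_host.items():
        for e in evs:
            if e["event"] != "service_installed":
                continue
            reasons, score = [], 0
            r = name_reason(e["service"])
            if r:
                reasons.append(r)
                score += 2
            r = path_reason(e["image_path"])
            if r:
                reasons.append(r)
                score += 2
            lo, hi = e["ts"] - WINDOW, e["ts"] + WINDOW
            svc_key = SERVICES_KEY + e["service"].lower()
            for o in evs:
                if not (lo <= o["ts"] <= hi):
                    continue
                if o["event"] == "registry_set":
                    k = o["key"].lower()
                    if k == svc_key or k.startswith(svc_key + "\\"):
                        reasons.append(f"registry write under {o['key']}")
                        score += 1
                elif o["event"] == "file_created":
                    p = o["path"].lower()
                    if p.endswith(STAGING_EXTS) and "\\users\\" in p:
                        reasons.append(f"staging-like file {o['path']}")
                        score += 1
            findings.append({"host": host, "service": e["service"], "score": score, "reasons": reasons})
    return sorted(findings, key=lambda f: -f["score"])


# Constructed sample telemetry: one benign install on HOST-A, one suspicious cluster on HOST-B.
T0 = datetime(2024, 1, 15, 9, 0, 0)
SAMPLE_EVENTS = [
    {"ts": T0, "host": "HOST-A", "event": "service_installed", "service": "wuauserv",
     "image_path": r"C:\Windows\System32\svchost.exe -k netsvcs"},
    {"ts": T0 + timedelta(minutes=1), "host": "HOST-B", "event": "service_installed",
     "service": "NetAdapter", "image_path": r"C:\Users\jdoe\AppData\Roaming\netadapter.exe"},
    {"ts": T0 + timedelta(minutes=1, seconds=2), "host": "HOST-B", "event": "registry_set",
     "key": r"HKLM\SYSTEM\CurrentControlSet\Services\NetAdapter\ImagePath"},
    {"ts": T0 + timedelta(minutes=1, seconds=3), "host": "HOST-B", "event": "registry_set",
     "key": r"HKLM\SYSTEM\CurrentControlSet\Services\NetAdapter\Start"},
    {"ts": T0 + timedelta(minutes=4), "host": "HOST-B", "event": "file_created",
     "path": r"C:\Users\jdoe\AppData\Local\Temp\cache.db"},
    {"ts": T0 + timedelta(minutes=5), "host": "HOST-B", "event": "file_created",
     "path": r"C:\Users\jdoe\AppData\Local\Temp\shot_001.bmp"},
    # Outside the correlation window: must not contribute to the score.
    {"ts": T0 + timedelta(hours=2), "host": "HOST-B", "event": "file_created",
     "path": r"C:\Users\jdoe\Documents\notes.db"},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f["host"], f["service"], f["score"], *f["reasons"], sep="\n  ")
```

The weights deliberately favour the combination the bullets ask for: a single unapproved service name from an installer scores low and is easy to suppress against the baseline, while the same install coupled with a user-profile binary, registry writes under its own service key and staged .db/.bmp files on one host rises to the top of the queue.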

Mitigation priorities

  • Start with Windows endpoint hardening and least-privilege controls that limit unauthorized service creation and sensitive registry modification.
  • Maintain an accurate baseline of legitimate services, scheduled tasks, service names, executable paths, and registry persistence locations.
  • Ensure endpoint protection and logging are deployed consistently on Windows systems that handle credentials or sensitive data.
  • Strengthen credential protection and user awareness because keylogging behavior can bypass some credential storage protections by capturing input.
  • Prepare IR playbooks for information-stealer cases: isolate affected hosts, preserve volatile and endpoint evidence, scope credential exposure, and reset credentials based on confirmed exposure.

Analyst notes and limits

The supplied ATT&CK object identifies Catchamas as a Windows Trojan that steals information and provides technique relationships that make it useful for defensive validation. The relationship to Thrip should be treated as ATT&CK context, not as evidence of current activity in any environment. The most defensible detection strategy is to validate telemetry and analytics against the related behaviors rather than rely on a single malware name.

MITRE did not provide official detection guidance, aliases, labels, or tactics directly on the malware object. Several related techniques are cross-platform in ATT&CK, but the Catchamas object itself is supplied as Windows. Local environment data, malware analysis, EDR coverage, and incident evidence are required to determine exposure, detection quality, or actual compromise.

Official MITRE ATT&CK definition

Catchamas

Catchamas is a Windows Trojan that steals information from compromised systems. [1]

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain | ID | Name | Relationship / procedure

Enterprise | T1112 | Modify Registry
    Catchamas creates three Registry keys to establish persistence by adding a Windows Service. (Citation: Symantec Catchamas April 2018)

Enterprise | T1056.001 | Keylogging (Sub-technique)
    Catchamas collects keystrokes from the victim's machine. (Citation: Symantec Catchamas April 2018)

Enterprise | T1543.003 | Windows Service (Sub-technique)
    Catchamas adds a new service named NetAdapter to establish persistence. (Citation: Symantec Catchamas April 2018)

Enterprise | T1016 | System Network Configuration Discovery
    Catchamas gathers the MAC address, IP address, and network adapter information from the victim's machine. (Citation: Symantec Catchamas April 2018)

Enterprise | T1115 | Clipboard Data
    Catchamas steals data stored in the clipboard. (Citation: Symantec Catchamas April 2018)

Enterprise | T1074.001 | Local Data Staging (Sub-technique)
    Catchamas stores the data gathered from the machine in .db files and .bmp files under four separate locations. (Citation: Symantec Catchamas April 2018)

Enterprise | T1036.004 | Masquerade Task or Service (Sub-technique)
    Catchamas adds a new service named NetAdapter in an apparent attempt to masquerade as a legitimate service. (Citation: Symantec Catchamas April 2018)

Enterprise | T1010 | Application Window Discovery
    Catchamas obtains application window titles and then determines which windows to perform Screen Capture on. (Citation: Symantec Catchamas April 2018)

Enterprise | T1113 | Screen Capture
    Catchamas captures screenshots based on specific keywords in the window's title. (Citation: Symantec Catchamas April 2018)

Associated objects

Groups, software, and campaigns

Group Enterprise

G0076: Thrip

Thrip is an espionage group that has targeted satellite communications, telecoms, and defense contractor companies in the U.S. and Southeast Asia. The group uses custom malware as well as "living off the land" techniques. [1]

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release
19.1
Object version
1.1
Created
Modified
Raw hash
99c436c3587eab99...
Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 1.1 Current bundle 99c436c3587e…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] Symantec Catchamas April 2018: Balanza, M. (2018, April 02). Infostealer.Catchamas. Retrieved November 17, 2024.
  2. [2] Catchamas (Citation: Symantec Catchamas April 2018)
  3. [3] mitre-attack S0261

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.