Description
Adversaries may collect data stored in the clipboard from users copying information within or between applications.
For example, on Windows adversaries can access clipboard data by using `clip.exe` or `Get-Clipboard`.(Citation: MSDN Clipboard)(Citation: clip_win_server)(Citation: CISA_AA21_200B) Additionally, adversaries may monitor and then replace the contents of users’ clipboards with their own data (e.g., Transmitted Data Manipulation).(Citation: mining_ruby_reversinglabs)
macOS and Linux also have commands, such as `pbpaste`, to grab clipboard contents.(Citation: Operating with EmPyre)
Threat Groups (4)
| ID | Group | Context |
|---|---|---|
| G0087 | APT39 | [APT39](https://attack.mitre.org/groups/G0087) has used tools capable of stealing contents of the clipboard.(Citation: Symantec Chafer February 2018) |
| G0094 | Kimsuky | [Kimsuky](https://attack.mitre.org/groups/G0094) has the ability to steal data from the clipboard.(Citation: Aryaka Kimsuky July 2025) |
| G0082 | APT38 | [APT38](https://attack.mitre.org/groups/G0082) used a Trojan called KEYLIME to collect data from the clipboard.(Citation: FireEye APT38 Oct 2018) |
| G0049 | OilRig | [OilRig](https://attack.mitre.org/groups/G0049) has used infostealer tools to copy clipboard data.(Citation: Symantec Crambus OCT 2023) |
Associated Software (41)
| ID | Name | Type | Context |
|---|---|---|---|
| S0331 | Agent Tesla | Malware | [Agent Tesla](https://attack.mitre.org/software/S0331) can steal data from the victim’s clipboard.(Citation: Talos Agent Tesla Oct 2018)(Citation: For... |
| S0148 | RTM | Malware | [RTM](https://attack.mitre.org/software/S0148) collects data from the clipboard.(Citation: ESET RTM Feb 2017)(Citation: Unit42 Redaman January 2019) |
| S0692 | SILENTTRINITY | Tool | [SILENTTRINITY](https://attack.mitre.org/software/S0692) can monitor Clipboard text and can use `System.Windows.Forms.Clipboard.GetText()` to collect ... |
| S0334 | DarkComet | Malware | [DarkComet](https://attack.mitre.org/software/S0334) can steal data from the clipboard.(Citation: Malwarebytes DarkComet March 2018) |
| S0373 | Astaroth | Malware | [Astaroth](https://attack.mitre.org/software/S0373) collects information from the clipboard by using the OpenClipboard() and GetClipboardData() librar... |
| S0004 | TinyZBot | Malware | [TinyZBot](https://attack.mitre.org/software/S0004) contains functionality to collect information from the clipboard.(Citation: Cylance Cleaver) |
| S0363 | Empire | Tool | [Empire](https://attack.mitre.org/software/S0363) can harvest clipboard data on both Windows and macOS systems.(Citation: Github PowerShell Empire) |
| S0438 | Attor | Malware | [Attor](https://attack.mitre.org/software/S0438) has a plugin that collects data stored in the Windows clipboard by using the OpenClipboard and GetCli... |
| S0332 | Remcos | Tool | [Remcos](https://attack.mitre.org/software/S0332) steals and modifies data from the clipboard.(Citation: Riskiq Remcos Jan 2018)(Citation: Fortinet Re... |
| S0257 | VERMIN | Malware | [VERMIN](https://attack.mitre.org/software/S0257) collects data stored in the clipboard.(Citation: Unit 42 VERMIN Jan 2018) |
| S1149 | CHIMNEYSWEEP | Malware | [CHIMNEYSWEEP](https://attack.mitre.org/software/S1149) can capture content from the clipboard.(Citation: Mandiant ROADSWEEP August 2022) |
| S0356 | KONNI | Malware | [KONNI](https://attack.mitre.org/software/S0356) had a feature to steal data from the clipboard.(Citation: Talos Konni May 2017) |
| S0375 | Remexi | Malware | [Remexi](https://attack.mitre.org/software/S0375) collects text from the clipboard.(Citation: Securelist Remexi Jan 2019) |
| S0282 | MacSpy | Malware | [MacSpy](https://attack.mitre.org/software/S0282) can steal clipboard contents.(Citation: objsee mac malware 2017) |
| S0454 | Cadelspy | Malware | [Cadelspy](https://attack.mitre.org/software/S0454) has the ability to steal data from the clipboard.(Citation: Symantec Chafer Dec 2015) |
| S1233 | PAKLOG | Malware | [PAKLOG](https://attack.mitre.org/software/S1233) has monitored and extracted clipboard contents.(Citation: Zscaler PAKLOG CorkLog SplatCloak Splatdro... |
| S0250 | Koadic | Tool | [Koadic](https://attack.mitre.org/software/S0250) can retrieve the current content of the user clipboard.(Citation: Github Koadic) |
| S0050 | CosmicDuke | Malware | [CosmicDuke](https://attack.mitre.org/software/S0050) copies and exfiltrates the clipboard contents every 30 seconds.(Citation: F-Secure Cosmicduke) |
| S1207 | XLoader | Malware | [XLoader](https://attack.mitre.org/software/S1207) can collect data stored in the victim's clipboard.(Citation: Google XLoader 2017)(Citation: Netskop... |
| S0660 | Clambling | Malware | [Clambling](https://attack.mitre.org/software/S0660) has the ability to capture and store clipboard data.(Citation: Trend Micro DRBControl February 20... |
References
- CISA. (2021, August 20). Alert (AA21-200B) Chinese State-Sponsored Cyber Operations: Observed TTPs. Retrieved June 21, 2022.
- Maljic, T. (2020, April 16). Mining for malicious Ruby gems. Retrieved October 15, 2022.
- Microsoft, JasonGerend, et al. (2023, February 3). clip. Retrieved June 21, 2022.
- Microsoft. (n.d.). About the Clipboard. Retrieved March 29, 2016.
- rvrsh3ll. (2016, May 18). Operating with EmPyre. Retrieved July 12, 2017.
Frequently Asked Questions
What is T1115 (Clipboard Data)?
T1115 is a MITRE ATT&CK technique named 'Clipboard Data'. It belongs to the Collection tactic. Adversaries may collect data stored in the clipboard from users copying information within or between applications. For example, on Windows adversaries can access clipboard data by using clip....
How can T1115 be detected?
Detection of T1115 (Clipboard Data) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
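One way to turn process-creation telemetry into a T1115 detection, as an added example that is not part of the original page: it matches the clipboard commands named in the description and flags a parent process that invokes them at a steady interval, the behaviour the software table attributes to CosmicDuke (every 30 seconds). The event tuples, host and process names, and thresholds are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Commands the page names for clipboard access (Windows, macOS/Linux).
CLIP_CMD = re.compile(r"(?i)(?<![\w-])(get-clipboard|pbpaste|clip(?:\.exe)?)(?![\w-])")

# Constructed process-creation events (not real telemetry):
# (timestamp, host, parent process, command line)
EVENTS = [
    ("2024-05-01T10:00:00", "ws01", "updater.exe", "powershell -nop -c Get-Clipboard"),
    ("2024-05-01T10:00:30", "ws01", "updater.exe", "powershell -nop -c Get-Clipboard"),
    ("2024-05-01T10:01:01", "ws01", "updater.exe", "powershell -nop -c Get-Clipboard"),
    ("2024-05-01T10:01:30", "ws01", "updater.exe", "powershell -nop -c Get-Clipboard"),
    ("2024-05-01T10:05:00", "ws01", "explorer.exe", "notepad.exe clipboard-notes.txt"),
    ("2024-05-01T11:00:00", "mac07", "zsh", "pbpaste"),
    ("2024-05-01T14:12:00", "mac07", "zsh", "pbpaste"),
]

def clipboard_reads(events):
    """Return events whose command line invokes a clipboard command."""
    return [e for e in events if CLIP_CMD.search(e[3])]

def polling_sources(events, min_hits=4, jitter=5.0):
    """Flag (host, parent) pairs that access the clipboard at a steady interval.

    Returns {(host, parent): mean_interval_seconds} for sources with at least
    min_hits matches whose gaps all lie within `jitter` seconds of the mean gap.
    """
    times = defaultdict(list)
    for ts, host, parent, _ in clipboard_reads(events):
        times[(host, parent)].append(datetime.fromisoformat(ts))
    flagged = {}
    for key, stamps in times.items():
        if len(stamps) < min_hits:
            continue  # too few samples to call it polling
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = sum(gaps) / len(gaps)
        if all(abs(g - mean) <= jitter for g in gaps):
            flagged[key] = round(mean, 1)
    return flagged

if __name__ == "__main__":
    for source, interval in polling_sources(EVENTS).items():
        print(source, "accesses the clipboard every", interval, "seconds")
```

Command-line matching only sees clipboard access that spawns a process; software in the table that calls `OpenClipboard()` and `GetClipboardData()` directly needs API-level endpoint telemetry instead.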
What mitigations exist for T1115?
Follow defense-in-depth principles including network segmentation, least privilege access, security monitoring, and regular patching to reduce the risk of this technique.
Which threat groups use T1115?
Known threat groups using T1115 include: APT39, Kimsuky, APT38, OilRig.