T1115: T1115

Search IOCs, vulnerabilities, APT…

216.73.217.22

← Back to attack patterns

View on MITRE ATT&CK The MITRE Corporation · Published 16/12/2025 19:37 · Modified 27/03/2026 01:09

Essential information

MITRE technique ID: T1115
Confidence: 100/100
Revoked: No
Published: 16/12/2025 19:37
Modified: 27/03/2026 01:09
Author / Source: The MITRE Corporation

Aliases

Clipboard Data

Platforms

windows macos linux

Description

Adversaries may collect data stored in the clipboard from users copying information within or between applications. For example, on Windows adversaries can access clipboard data by using `clip.exe` or `Get-Clipboard`.(Citation: MSDN Clipboard)(Citation: clip_win_server)(Citation: CISA_AA21_200B) Additionally, adversaries may monitor then replace users’ clipboard with their data (e.g., [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1565/002)).(Citation: mining_ruby_reversinglabs) macOS and Linux also have commands, such as `pbpaste`, to grab clipboard contents.(Citation: Operating with EmPyre)

Kill chain phases

Kill chain	Phase
mitre-attack	collection

Marking (TLP)

External references

mining_ruby_reversinglabs
MSDN Clipboard
Operating with EmPyre
CISA_AA21_200B
clip_win_server
mitre-attack (T1115)

Related entities

Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.

Intrusion sets (APT) (50)

GlassWorm uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Vultur uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
XDSpy uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
DragonBreath uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
POLONIUM uses Plaid Rain

The MITRE Corporation Confidence 100

[POLONIUM](https://attack.mitre.org/groups/G1005) is a Lebanon-based group that has primarily targeted Israeli organizations, including critical manufacturing, information technology, and defense industry companies, since at least February 2022. Security researchers assess…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Kimsuky uses Black BansheeVelvet Chollima

The MITRE Corporation Confidence 100

[Kimsuky](https://attack.mitre.org/groups/G0094) is a North Korea-based cyber espionage group that has been active since at least 2012. The group initially targeted South Korean government agencies, think tanks, and subject-matter…

First seen 01/01/1970 · Last seen 16/11/5138 ·
STARDUST CHOLLIMA uses NICKEL GLADSTONEBeagleBoyz

The MITRE Corporation Confidence 100

[APT38](https://attack.mitre.org/groups/G0082) is a North Korean state-sponsored threat group that specializes in financial cyber operations; it has been attributed to the Reconnaissance General Bureau.(Citation: CISA AA20-239A BeagleBoyz August 2020)…

First seen 01/01/1970 · Last seen 16/11/5138 ·
WIP19 uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Silver Fox uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
China-nexus APT uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
BianLian uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
LummaStealer uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·

← Previous

Page / 5

1–12 of 50

GodRAT uses

Family
KarstoRAT uses

Family
SnappyClient uses

Family
SPECTR uses

Family
Astaroth - S0373 uses

Family
RedLine Stealer uses

Family
DeepCreep uses
Clipminer uses
DanaBot uses

Family
AsyncRAT uses

Family
Odyssey uses

Family
FakeCrack uses

← Previous

Page / 13

1–12 of 154

GlassWorm attack installs fake browser extension for surveillance related

18 MITREs 1 Malware 1 Observable 1 APT
Technical Analysis of SnappyClient related

19 MITREs 2 Malwares 5 Observables
MAAS VIP_Keylogger Campaign related

7 MITREs 1 Malware 5 Observables
CastleRAT attack first to abuse Deno JavaScript runtime … related

21 MITREs 1 Malware 3 Observables
Fake Zoom meeting 'update' silently installs surveillance software related

14 MITREs 1 Observable
Moonrise RAT: A New Low-Detection Threat with High-Cost … related

20 MITREs 7 Observables
Malicious OpenClaw Skills Used to Distribute Atomic MacOS … related

14 MITREs 1 Malware 29 Observables
Remcos Revisited: Inside the RAT's Evolving Command-and-Control Techniques related

8 MITREs 1 Malware 1 Observable
Deep Dive into New XWorm Campaign Utilizing Multiple-Themed … related

2 CVEs 20 MITREs 1 Malware 8 Observables
PurpleBravo’s Targeting of the IT Software Supply Chain related

20 MITREs 187 Observables 1 APT
New Remcos Campaign Distributed Through Fake Shipping Document related

1 CVE 19 MITREs 1 Malware 13 Observables
Deceptive Layoff-Themed HR Email Distributes Remcos RAT Malware related

11 MITREs 1 Malware 3 Observables

← Previous

Page / 5

13–24 of 50

Vulnerabilities (CVE) (15)

CVE-2020-1472 KEV targets

5.5 Medium

Microsoft's Netlogon Remote Protocol (MS-NRPC) contains a privilege escalation vulnerability when an attacker establishes a vulnerable Netlogon secure channel connection to a …

Attack vector: Local
Published: 03/11/2021
Modified: 27/05/2026

CVE-2021-40444 KEV targets

Microsoft MSHTML contains a unspecified vulnerability that allows for remote code execution.

Published: 03/11/2021
Modified: 27/05/2026

CVE-2025-20333 KEV targets

9.9 Critical

A vulnerability in the VPN web server of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense …

Attack vector: Network
Published: 25/09/2025
Modified: 21/12/2025

Analyzed

CVE-2017-11882 KEV targets

7.8 High

Microsoft Office contains a memory corruption vulnerability that allows remote code execution in the context of the current user.

Attack vector: Local
Complexity: Low
Published: 15/11/2017
Modified: 29/05/2026

CWE-119

CVE-2022-43704

targets

CVE-2021-33742 KEV targets

Microsoft Windows MSHTML Platform contains an unspecified vulnerability that allows for remote code execution.

Published: 03/11/2021
Modified: 21/12/2025

CVE-2017-0199 KEV targets

7.8 High

Microsoft Office and WordPad contain an unspecified vulnerability due to the way the applications parse specially crafted files. Successful exploitation allows for …

Attack vector: LOCAL
Complexity: LOW
Published: 12/04/2017
Modified: 22/04/2026

CVE-2021-30551 KEV targets

Google Chromium V8 Engine contains a type confusion vulnerability that allows a remote attacker to potentially exploit heap corruption via a crafted …

Published: 03/11/2021
Modified: 21/12/2025

CVE-2018-0802 KEV targets

Microsoft Office contains a memory corruption vulnerability due to the way objects are handled in memory. Successful exploitation allows for remote code …

Published: 03/11/2021
Modified: 20/12/2025

CVE-2023-27350 KEV targets

9.8 Critical

PaperCut MF/NG contains an improper access control vulnerability within the SetupCompleted class that allows authentication bypass and code execution in the context …

Attack vector: Network
Published: 21/04/2023
Modified: 21/12/2025

CVE-2021-21166 KEV targets

Google Chromium contains a race condition vulnerability that allows a remote attacker to potentially exploit heap corruption via a crafted HTML page. …

Published: 03/11/2021
Modified: 21/12/2025

CVE-2025-29824 KEV targets

7.8 High

Microsoft Windows Common Log File System (CLFS) Driver contains a use-after-free vulnerability that allows an authorized attacker to elevate privileges locally.

Attack vector: Local
Published: 08/04/2025
Modified: 21/12/2025

Undergoing Analysis

← Previous

Page / 2

1–12 of 15

Remcos uses

The MITRE Corporation Confidence 100

[Remcos](https://attack.mitre.org/software/S0332) is a closed-source tool that is marketed as a remote control and surveillance software by a company called Breaking Security. [Remcos](https://attack.mitre.org/software/S0332) has been observed being used in…
Koadic uses

The MITRE Corporation Confidence 100

[Koadic](https://attack.mitre.org/software/S0250) is a Windows post-exploitation framework and penetration testing tool that is publicly available on GitHub. [Koadic](https://attack.mitre.org/software/S0250) has several options for staging payloads and creating implants, and performs…
Empire uses

The MITRE Corporation Confidence 100

[Empire](https://attack.mitre.org/software/S0363) is an open-source, cross-platform remote administration and post-exploitation framework that is publicly available on GitHub. While the tool itself is primarily written in Python, the post-exploitation agents…

Contact About Legal notice Privacy policy Terms of use

T1115: T1115

Essential information

Aliases

Platforms

Description

Kill chain phases

Marking (TLP)

External references

Related entities

Intrusion sets (APT) (50)

Malware (154)

Reports (50)

Vulnerabilities (CVE) (15)

Tool (3)