pcTattletale
Malware⚠️ Overview
pcTattletale is a commercial stalkerware application first discovered in public threat reports around 2017. It is developed and operated by the Florida-based company PC Tattletale Inc., and belongs to the category of Remote Access Trojans (RAT) and spyware, marketed for parental monitoring and employee surveillance but frequently abused for intimate partner stalking.
🔧 Technical Capabilities
pcTattletale propagates via direct installation by users who have physical or remote access to the target device, often through deceptive setup files or as a bundled component. Its primary attack vector is social engineering where the installer gains trust to run the executable. Once installed, the malware uses a Windows service called PcTattletale.exe to achieve persistence and communicates with a command-and-control (C2) infrastructure hosted on Amazon Web Services (AWS) as reported by TechCrunch in 2024. It captures screenshots, logs keystrokes, records audio from the microphone, and exfiltrates data from cloud accounts including Google, Facebook, and Instagram by extracting stored credentials. Evasion techniques include naming its service to mimic legitimate processes and using an obfuscated configuration file that is encrypted but stored locally; it does not use anti-debug or rootkit features but relies on the fact that many antivirus programs whitelist it as legitimate software.
📜 History & Notable Incidents
First identified around 2017, pcTattletale gained notoriety in May 2024 when a massive data breach exposed over 300,000 user accounts and internal logs, as reported by Troy Hunt on Have I Been Pwned. The breach was linked to a publicly accessible AWS S3 bucket that leaked victim screenshots, C2 URLs, and customer email addresses. No formal CVEs have been assigned to the malware itself, but the breach revealed poor security postures. In June 2024, the company shut down its operations following the breach and negative media coverage, though remnants of the infrastructure remained online for months.
🔍 Detection Indicators
Known file artifacts include PcTattletale.exe in %ProgramFiles% or %AppData%, and a configuration file usually named "config.dat" or "settings.cfg" containing encrypted credentials. Behavioral signatures include high-frequency HTTP POST requests to AWS-hosted domains (e.g., *.amazonaws.com) with specific User-Agent strings like "PcTattletale/1.0" and persistent registry keys under HKEY_LOCAL_MACHINESoftwarePcTattletale. Network IOCs include known C2 IP ranges from the AWS us-east-1 region and outbound connections on port 443 to these endpoints.
☠️ Risk & Impact
The primary damage of pcTattletale is severe privacy violation and intimate partner surveillance. It exfiltrates sensitive personal data—including text messages, call logs, and cloud account credentials—often leading to identity theft. Affected sectors include individual consumer victims and small businesses that unwittingly allowed surveillance. Financial losses stem from unauthorized account access; one documented case involved a victim losing $5,000 through a cryptocurrency wallet hijack after the spyware captured seed phrases.
🛡️ Mitigation
Recommended defensive measures include installing reputable mobile security apps that detect stalkerware (e.g., Malwarebytes, Kaspersky), monitoring for unauthorized administrator accounts, and regularly reviewing running processes for suspicious services named PcTattletale. Victims should run a full factory reset of the device and change all online account passwords immediately. Security teams can block the known AWS IP ranges used by the C2 and add signatures for the User-Agent string in network detection rules.
Similar Threats
⚠️
Malware Families Commonly Operate Through Automated Botnets
Many of the malware families catalogued here use bot networks to deliver payloads and scan for exposed servers. Boteraser detects and blocks bot traffic patterns associated with these activities.
Check My Site for FreeFree to start · Cancel anytime
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.