Attackers have added another tool to their arsenal allowing them to screenshot desktops of infected victims.

The Necurs botnet had recently undergone a revival, spreading millions of malicious emails spreading the Locky ransomware along with the Trickbot banking Trojan.

Necurs can take screenshots and send them back to a remote server while also sending back information when the downloader has issues with performing functions on the machine. Researchers suggest that the attackers are actively attempting to gather “operational” intelligence about the performance of their campaigns.

The reports are designed to aid the attackers with problems when distributing the malware. The attack begins with a phony voicemail. Once opened, a JavaScript download will then install the Locky or Trickbot payload. Once loaded in the system, the downloader also runs a PowerShell script that will take screenshots.

Researchers warn users to ensure that their devices are up to date with the latest software.