pcTattletale
pcTattletale is a spyware/stalkerware application and remote surveillance service created by Bryan Fleming. Reporting describes it as originally marketed as monitoring software for parents and employers, but it later operated as full-blown stalkerware and was advertised for employee monitoring as well as for monitoring spouses or domestic partners without their consent. The malware allowed an operator to remotely view screenshots and private data from infected Android and Windows devices, and reporting states it uploaded sensitive victim data including messages, photos, and location information. It was used to secretly monitor devices without the target’s consent, and Fleming admitted to making, selling, and advertising the spyware for unlawful uses, including knowingly assisting customers in spying on non-consenting adults.
The malware was linked to real-world intrusions affecting the hospitality sector. In one reported 2024 case, a hotel computer infected with pcTattletale captured the screen of a victim who was logged into a Booking.com administration portal, and broader reporting connected this to unauthorized access to Booking.com-related booking data and subsequent phishing activity.
pcTattletale also suffered major security failures. Reporting states a significant flaw exposed millions of screen captures to the open internet. In May 2024, the service suffered a breach in which its website was defaced and tens of gigabytes of data were posted publicly. Exposed data reportedly included membership records, names of infected PCs, captured messages, IP logs, device information, customer information, and some victims’ stolen data. Additional reporting states the company stored hundreds of millions of screenshots from compromised devices in Amazon S3, with analysis indicating more than 300 million screenshots had been stored and some were publicly accessible online. Have I Been Pwned reported that more than 138,000 customers had signed up to use the service.
Following the 2024 breach, pcTattletale shut down. Bryan Fleming later pleaded guilty in the United States to charges tied to making, selling, and advertising spyware for unlawful uses; reporting describes the case as the first successful U.S. Department of Justice prosecution of a spyware maker since 2014.
Techniques & procedures
7 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access: 1 technique
Persistence: 1 technique
Privilege Escalation: 1 technique
Stealth: 1 technique
Credential Access: 1 technique
Collection: 4 techniques
Spyware like pcTattletale, often termed "stalkerware," is used to secretly monitor devices without consent, uploading sensitive data such as messages, photos, and location.
“You put it on their Android phone, they won't be able to see it,” Fleming said in the video. “As they use their Android phone and click around, you see a movie of everything they've done.”
Exfiltration: 1 technique
Recent activity
7 sources tracked across advisories, community write-ups, and news.
Consumer-grade spyware/stalkerware used to infect hotel computers and capture screenshots, including of a victim logged into a Booking.com administration portal.
Commercial spyware/stalkerware used to secretly monitor devices without consent and upload sensitive data including messages, photos, location data, and screen captures.
Spyware service that collected infected PC names, captured messages, IP address logs, and device information from compromised systems.
Commercial spyware/surveillance software referenced in the context of legal action against its founder.