ESPecter was discovered on a compromised machine along with a user-mode client component with keylogging and document-stealing functionalities, which is why ESET Research believes ESPecter is mainly used for espionage.

According to ESET findings, Ramsay has gone through several iterations based on the different instances of the framework found, denoting a linear progression on the number and complexity of its capabilities.