Description
An adversary can leverage a computer's peripheral devices (e.g., integrated cameras or webcams) or applications (e.g., video call services) to capture video recordings for the purpose of gathering information. Images may also be captured from devices or applications, potentially in specified intervals, in lieu of video files.
Malware or scripts may be used to interact with the devices through an available API provided by the operating system or an application to capture video or images. Video or image files may be written to disk and exfiltrated later. This technique differs from Screen Capture due to use of specific devices or applications for video recording rather than capturing the victim's screen.
In macOS, there are a few different malware samples that record the user's webcam such as FruitFly and Proton. (Citation: objective-see 2017 review)
Platforms
Threat Groups (4)
| ID | Group | Context |
|---|---|---|
| G1003 | Ember Bear | [Ember Bear](https://attack.mitre.org/groups/G1003) has exfiltrated images from compromised IP cameras.(Citation: CISA GRU29155 2024) |
| G0091 | Silence | [Silence](https://attack.mitre.org/groups/G0091) has been observed making videos of victims to observe bank employees day to day activities.(Citation:... |
| G0046 | FIN7 | [FIN7](https://attack.mitre.org/groups/G0046) created a custom video recording capability that could be used to monitor operations in the victim's env... |
| G1055 | VOID MANTICORE | [VOID MANTICORE](https://attack.mitre.org/groups/G1055) has collected video from compromised victim devices.(Citation: FBI IC3 Flash VOID MANTICORE Ha... |
Associated Software (31)
| ID | Name | Type | Context |
|---|---|---|---|
| S0363 | Empire | Tool | [Empire](https://attack.mitre.org/software/S0363) can capture webcam data on Windows and macOS systems.(Citation: Github PowerShell Empire) |
| S0660 | Clambling | Malware | [Clambling](https://attack.mitre.org/software/S0660) can record screen content in AVI format.(Citation: Trend Micro DRBControl February 2020)(Citation... |
| S0115 | Crimson | Malware | [Crimson](https://attack.mitre.org/software/S0115) can capture webcam video on targeted systems.(Citation: Proofpoint Operation Transparent Tribe Marc... |
| S0467 | TajMahal | Malware | [TajMahal](https://attack.mitre.org/software/S0467) has the ability to capture webcam video.(Citation: Kaspersky TajMahal April 2019) |
| S0338 | Cobian RAT | Malware | [Cobian RAT](https://attack.mitre.org/software/S0338) has a feature to access the webcam on the victim’s machine.(Citation: Zscaler Cobian Aug 2017) |
| S0336 | NanoCore | Malware | [NanoCore](https://attack.mitre.org/software/S0336) can access the victim's webcam and capture data.(Citation: DigiTrust NanoCore Jan 2017)(Citation: ... |
| S0283 | jRAT | Malware | [jRAT](https://attack.mitre.org/software/S0283) has the capability to capture video from a webcam.(Citation: jRAT Symantec Aug 2018)(Citation: Kaspers... |
| S0409 | Machete | Malware | [Machete](https://attack.mitre.org/software/S0409) takes photos from the computer’s web camera.(Citation: Securelist Machete Aug 2014)(Citation: Cylan... |
| S0379 | Revenge RAT | Malware | [Revenge RAT](https://attack.mitre.org/software/S0379) has the ability to access the webcam.(Citation: Cylance Shaheen Nov 2018)(Citation: Cofense Rev... |
| S0334 | DarkComet | Malware | [DarkComet](https://attack.mitre.org/software/S0334) can access the victim’s webcam to take pictures.(Citation: TrendMicro DarkComet Sept 2014)(Citati... |
| S0385 | njRAT | Malware | [njRAT](https://attack.mitre.org/software/S0385) can access the victim's webcam.(Citation: Fidelis njRAT June 2013)(Citation: Citizen Lab Group5) |
| S0331 | Agent Tesla | Malware | [Agent Tesla](https://attack.mitre.org/software/S0331) can access the victim’s webcam and record video.(Citation: DigiTrust Agent Tesla Jan 2017)(Cita... |
| S0428 | PoetRAT | Malware | [PoetRAT](https://attack.mitre.org/software/S0428) has used a Python tool named Bewmac to record the webcam on compromised hosts.(Citation: Talos Poet... |
| S0434 | Imminent Monitor | Tool | [Imminent Monitor](https://attack.mitre.org/software/S0434) has a remote webcam monitoring capability.(Citation: Imminent Unit42 Dec2019)(Citation: Qi... |
| S0591 | ConnectWise | Tool | [ConnectWise](https://attack.mitre.org/software/S0591) can record video on remote hosts.(Citation: Anomali Static Kitten February 2021) |
| S0152 | EvilGrab | Malware | [EvilGrab](https://attack.mitre.org/software/S0152) has the capability to capture video from a victim machine.(Citation: PWC Cloud Hopper Technical An... |
| S0265 | Kazuar | Malware | [Kazuar](https://attack.mitre.org/software/S0265) captures images from the webcam.(Citation: Unit 42 Kazuar May 2017) |
| S1087 | AsyncRAT | Tool | [AsyncRAT](https://attack.mitre.org/software/S1087) can record screen content on targeted systems.(Citation: AsyncRAT GitHub) |
| S0461 | SDBbot | Malware | [SDBbot](https://attack.mitre.org/software/S0461) has the ability to record video on a compromised host.(Citation: Proofpoint TA505 October 2019)(Cita... |
| S1209 | Quick Assist | Tool | [Quick Assist](https://attack.mitre.org/software/S1209) allows for the remote administrator to view the interactive session of the running machine, in... |
References
Frequently Asked Questions
What is T1125 (Video Capture)?
T1125 is a MITRE ATT&CK technique named 'Video Capture'. It belongs to the Collection tactic(s). An adversary can leverage a computer's peripheral devices (e.g., integrated cameras or webcams) or applications (e.g., video call services) to capture video recordings for the purpose of gathering inf...
How can T1125 be detected?
Detection of T1125 (Video Capture) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
What mitigations exist for T1125?
Follow defense-in-depth principles including network segmentation, least privilege access, security monitoring, and regular patching to reduce the risk of this technique.
Which threat groups use T1125?
Known threat groups using T1125 include: Ember Bear, Silence, FIN7, VOID MANTICORE.