T1125: T1125

Search IOCs, vulnerabilities, APT…

216.73.216.10

← Back to attack patterns

View on MITRE ATT&CK The MITRE Corporation · Published 16/12/2025 19:38 · Modified 27/03/2026 01:10

Essential information

MITRE technique ID: T1125
Confidence: 100/100
Revoked: No
Published: 16/12/2025 19:38
Modified: 27/03/2026 01:10
Author / Source: The MITRE Corporation

Aliases

Video Capture

Platforms

windows macos linux

Description

An adversary can leverage a computer's peripheral devices (e.g., integrated cameras or webcams) or applications (e.g., video call services) to capture video recordings for the purpose of gathering information. Images may also be captured from devices or applications, potentially in specified intervals, in lieu of video files. Malware or scripts may be used to interact with the devices through an available API provided by the operating system or an application to capture video or images. Video or image files may be written to disk and exfiltrated later. This technique differs from [Screen Capture](https://attack.mitre.org/techniques/T1113) due to use of specific devices or applications for video recording rather than capturing the victim's screen. In macOS, there are a few different malware samples that record the user's webcam such as FruitFly and Proton. (Citation: objective-see 2017 review)

Kill chain phases

Kill chain	Phase
mitre-attack	collection

Marking (TLP)

External references

objsee mac malware 2017
mitre-attack (T1125)

Related entities

Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.

Intrusion sets (APT) (19)

FIN7 uses GOLD NIAGARAITG14

The MITRE Corporation Confidence 100

[FIN7](https://attack.mitre.org/groups/G0046) is a financially-motivated threat group that has been active since 2013. [FIN7](https://attack.mitre.org/groups/G0046) has targeted the retail, restaurant, hospitality, software, consulting, financial services, medical equipment, cloud services, media,…

First seen 01/01/1970 · Last seen 16/11/5138 ·
APT37 uses InkySquidGroup123

The MITRE Corporation Confidence 100

[APT37](https://attack.mitre.org/groups/G0067) is a North Korean state-sponsored cyber espionage group that has been active since at least 2012. The group has targeted victims primarily in South Korea, but also…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Lazarus uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
TA2715 uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Transparent Tribe uses COPPER FIELDSTONEMythic Leopard

The MITRE Corporation Confidence 100

[Transparent Tribe](https://attack.mitre.org/groups/G0134) is a suspected Pakistan-based threat group that has been active since at least 2013, primarily targeting diplomatic, defense, and research organizations in India and Afghanistan.(Citation: Proofpoint…

First seen 01/01/1970 · Last seen 16/11/5138 ·
SideCopy, Transparent Tribe (APT36) uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Saint Bear uses UNC2589Bleeding Bear

The MITRE Corporation Confidence 100

[Saint Bear](https://attack.mitre.org/groups/G1031) is a Russian-nexus threat actor active since early 2021, primarily targeting entities in Ukraine and Georgia. The group is notable for a specific remote access tool,…

First seen 01/01/1970 · Last seen 16/11/5138 ·
PlushDaemon uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Sticky Werewolf uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
POLONIUM uses Plaid Rain

The MITRE Corporation Confidence 100

[POLONIUM](https://attack.mitre.org/groups/G1005) is a Lebanon-based group that has primarily targeted Israeli organizations, including critical manufacturing, information technology, and defense industry companies, since at least February 2022. Security researchers assess…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Sordeal Group uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
China-nexus APT uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·

← Previous

Page / 2

1–12 of 19

Bandook uses

Family
Agent Tesla - S0331 uses

Family
HelloXD uses
MagicRAT uses

Family
DarkKomet uses

Family
Oblique RAT uses
Remcos RAT uses

Family
Cobian RAT uses
NanoCore uses
PoetRAT uses
TigerRAT uses

Family
Reverse RAT uses

Family

← Previous

Page / 9

1–12 of 98

A Multi-Stage Steganographic Loader Campaign Deploying Diverse Payloads … related

AlienVault Confidence 100 18 MITREs 10 Malwares 1 IOC
TA4922: The Suspected Chinese Crime Group is Going … related

AlienVault Confidence 100 23 MITREs 8 Malwares 23 IOCs 23 Observables 1 APT
Threat landscape — Belgium related

Confidence 100 18 CVEs 200 MITREs 200 Malwares 20 APTs 26 Tools
Threat landscape — insurance related

Confidence 100 199 MITREs 11 APTs
An In-Depth Analysis of Novel KarstoRAT Malware related

AlienVault Confidence 100 25 MITREs 1 Malware 6 IOCs 6 Observables
Analyzing a Malicious Compiled HTML Help File Delivering … related

2 CVEs 16 MITREs 1 Malware 6 Observables
CrySome RAT : An Advanced Persistent .NET Remote … related

24 MITREs 1 Malware 2 Observables
CastleRAT attack first to abuse Deno JavaScript runtime … related

21 MITREs 1 Malware 3 Observables
Moonrise RAT: A New Low-Detection Threat with High-Cost … related

20 MITREs 7 Observables
Remcos Revisited: Inside the RAT's Evolving Command-and-Control Techniques related

8 MITREs 1 Malware 1 Observable
New year, new sector: Targeting India's startup ecosystem related

19 MITREs 1 Malware 2 Observables 1 APT
Illusory Wishes: China-nexus APT Targets the Tibetan Community related

17 MITREs 2 Malwares 26 Observables 1 APT

← Previous

Page / 2

1–12 of 19

Vulnerabilities (CVE) (24)

CVE-2016-1646 KEV targets

8.8 High

Google Chromium V8 Engine contains an out-of-bounds read vulnerability that allows a remote attacker to cause a denial of service or possibly …

Attack vector: NETWORK
Complexity: LOW
Published: 29/03/2016
Modified: 22/04/2026

CWE-125

CVE-2023-38831 KEV targets

7.8 High

RARLAB WinRAR contains an unspecified vulnerability that allows an attacker to execute code when a user attempts to view a benign file …

Attack vector: Local
Published: 24/08/2023
Modified: 27/05/2026

CVE-2018-17480 KEV targets

Google Chromium V8 Engine contains out-of-bounds write vulnerability that allows a remote attacker to execute code inside a sandbox via a crafted …

Published: 08/06/2022
Modified: 21/12/2025

CVE-2017-5030 KEV targets

8.8 High

Google Chromium V8 Engine contains a memory corruption vulnerability that allows a remote attacker to execute code via a crafted HTML page. …

Attack vector: NETWORK
Complexity: LOW
Published: 25/04/2017
Modified: 22/04/2026

CWE-125

CVE-2016-5198 KEV targets

8.8 High

Google Chromium V8 Engine contains an out-of-bounds memory access vulnerability that allows a remote attacker to perform read/write operations, leading to code …

Attack vector: NETWORK
Complexity: LOW
Published: 19/01/2017
Modified: 22/04/2026

CWE-125 CWE-787

CVE-2020-6418 KEV targets

Google Chromium V8 Engine contains a type confusion vulnerability allows a remote attacker to potentially exploit heap corruption via a crafted HTML …

Published: 03/11/2021
Modified: 21/12/2025

CVE-2018-6065 KEV targets

Google Chromium V8 Engine contains an integer overflow vulnerability that allows a remote attacker to potentially exploit heap corruption via a crafted …

Published: 08/06/2022
Modified: 21/12/2025

CVE-2021-33044 targets

CVE-2018-17463 KEV targets

Google Chromium V8 Engine contains an unspecified vulnerability that allows a remote attacker to execute code inside a sandbox via a crafted …

Published: 08/06/2022
Modified: 21/12/2025

CVE-2017-5070 KEV targets

8.8 High

Google Chromium V8 Engine contains a type confusion vulnerability that allows a remote attacker to execute code inside a sandbox via a …

Attack vector: NETWORK
Complexity: LOW
Published: 27/10/2017
Modified: 22/04/2026

CWE-843

CVE-2022-3236 KEV targets

9.8 Critical

A code injection vulnerability in the User Portal and Webadmin of Sophos Firewall allows for remote code execution.

Attack vector: Network
Published: 23/09/2022
Modified: 27/05/2026

CVE-2025-55182 KEV targets

10.0 Critical

A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, …

Attack vector: Network
Published: 05/12/2025
Modified: 29/05/2026

Analyzed

← Previous

Page / 2

13–24 of 24

Pupy uses

The MITRE Corporation Confidence 100

[Pupy](https://attack.mitre.org/software/S0192) is an open source, cross-platform (Windows, Linux, OSX, Android) remote administration and post-exploitation tool. (Citation: GitHub Pupy) It is written in Python and can be generated as…
AsyncRAT uses

The MITRE Corporation Confidence 100

[AsyncRAT](https://attack.mitre.org/software/S1087) is an open-source remote access tool originally available through the NYANxCAT Github repository that has been used in malicious campaigns.(Citation: Morphisec Snip3 May 2021)(Citation: Cisco Operation Layover…
PcShare uses

The MITRE Corporation Confidence 100

[PcShare](https://attack.mitre.org/software/S1050) is an open source remote access tool that has been modified and used by Chinese threat actors, most notably during the FunnyDream campaign since late 2018.(Citation: Bitdefender…
QuasarRAT uses

The MITRE Corporation Confidence 100

[QuasarRAT](https://attack.mitre.org/software/S0262) is an open-source, remote access tool that has been publicly available on GitHub since at least 2014. [QuasarRAT](https://attack.mitre.org/software/S0262) is developed in the C# language.(Citation: GitHub QuasarRAT)(Citation: Volexity…
Remcos uses

The MITRE Corporation Confidence 100

[Remcos](https://attack.mitre.org/software/S0332) is a closed-source tool that is marketed as a remote control and surveillance software by a company called Breaking Security. [Remcos](https://attack.mitre.org/software/S0332) has been observed being used in…
ConnectWise uses

The MITRE Corporation Confidence 100

[ConnectWise](https://attack.mitre.org/software/S0591) is a legitimate remote administration tool that has been used since at least 2016 by threat actors including [MuddyWater](https://attack.mitre.org/groups/G0069) and [GOLD SOUTHFIELD](https://attack.mitre.org/groups/G0115) to connect to and conduct…
Imminent Monitor uses

The MITRE Corporation Confidence 100

[Imminent Monitor](https://attack.mitre.org/software/S0434) was a commodity remote access tool (RAT) offered for sale from 2012 until 2019, when an operation was conducted to take down the Imminent Monitor infrastructure.…
Quick Assist uses

The MITRE Corporation Confidence 100

[Quick Assist](https://attack.mitre.org/software/S1209) is a remote assistance tool primarily for Microsoft Windows, although a macOS version also exists. [Quick Assist](https://attack.mitre.org/software/S1209) allows for remote screen sharing and, with end user…
Empire uses

The MITRE Corporation Confidence 100

[Empire](https://attack.mitre.org/software/S0363) is an open-source, cross-platform remote administration and post-exploitation framework that is publicly available on GitHub. While the tool itself is primarily written in Python, the post-exploitation agents…

Contact About Legal notice Privacy policy Terms of use

T1125: T1125

Essential information

Aliases

Platforms

Description

Kill chain phases

Marking (TLP)

External references

Related entities

Intrusion sets (APT) (19)

Malware (98)

Reports (19)

Vulnerabilities (CVE) (24)

Tool (9)