216.73.217.22

T1417: Input Capture

View on MITRE ATT&CK The MITRE Corporation · Published 17/12/2025 22:48 · Modified 27/03/2026 01:41

Essential information

MITRE technique ID
T1417
Confidence
100/100
Revoked
No
Published
17/12/2025 22:48
Modified
27/03/2026 01:41
Author / Source
The MITRE Corporation

Aliases

T1417

Platforms

android iOS

Description

Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal device usage, users often provide credentials to various locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. [Keylogging](https://attack.mitre.org/techniques/T1417/001)) or rely on deceiving the user into providing input into what they believe to be a genuine application prompt (e.g. [GUI Input Capture](https://attack.mitre.org/techniques/T1417/002)).

Kill chain phases

Kill chainPhase
mitre-mobile-attack collection
mitre-mobile-attack credential-access

Marking (TLP)

TLP:CLEAR Copyright 2015-2025, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation.

External references

Related entities

Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.

Intrusion sets (APT) (4)

  • K1R0 uses
    AlienVault Confidence 100
    First seen 01/01/1970 · Last seen 16/11/5138 Published 21/12/2025 17:58 · Modified 21/12/2025 17:58
  • PROMETHIUM uses StrongPity
    The MITRE Corporation Confidence 100

    [PROMETHIUM](https://attack.mitre.org/groups/G0056) is an activity group focused on espionage that has been active since at least 2012. The group has conducted operations globally with a heavy emphasis on Turkish …

    First seen 01/01/1970 · Last seen 16/11/5138 Published 16/12/2025 19:39 · Modified 27/03/2026 01:14
  • Patchwork uses Hangover GroupChinastrats
    The MITRE Corporation Confidence 100

    [Patchwork](https://attack.mitre.org/groups/G0040) is a cyber espionage group that was first observed in December 2015. While the group has not been definitively attributed, circumstantial evidence suggests the group may be …

    First seen 01/01/1970 · Last seen 16/11/5138 Published 16/12/2025 19:39 · Modified 27/03/2026 01:13
  • Windshift uses Bahamut
    The MITRE Corporation Confidence 100

    [Windshift](https://attack.mitre.org/groups/G0112) is a threat group that has been active since at least 2017, targeting specific individuals for surveillance in government departments and critical infrastructure across the Middle East.(Citation: …

    First seen 01/01/1970 · Last seen 16/11/5138 Published 16/12/2025 19:39 · Modified 27/03/2026 01:14

Malware (12)

  • Remcos - S0332 uses
    Family
    Published 31/01/2025 10:09 · Modified 31/01/2025 10:09
  • CherryBlos
  • Chameleon Banking
  • VajraSpy
  • SpyNote uses
    Family
    Published 27/08/2025 16:22 · Modified 27/08/2025 16:22
  • Phenakite
  • Godfather uses
    Family
    Published 11/05/2026 09:07 · Modified 11/05/2026 09:07
  • Army Knife
  • Bahamut Spyware
  • TikTalk
  • StrongPity
  • NGate uses
    Family
    Published 21/04/2026 16:32 · Modified 21/04/2026 16:32

Reports (4)

Attack patterns (MITRE) (2)

Course Of Action (3)

  • User Guidance mitigates
  • Enterprise Policy mitigates
  • Use Recent OS Version mitigates