Skip to content

T1123 Audio Capture

An adversary can leverage a computer’s peripheral devices (e.g., microphones and webcams) or applications (e.g., voice and video call services) to capture audio recordings for the purpose of listening into sensitive conversations to gather information.1

Malware or scripts may be used to interact with the devices through an available API provided by the operating system or an application to capture audio. Audio files may be written to disk and exfiltrated later.

Item Value
ID T1123
Sub-techniques
Tactics TA0009
Platforms Linux, Windows, macOS
Version 1.0
Created 31 May 2017
Last Modified 24 October 2025

Procedure Examples

ID Name Description
G0067 APT37 APT37 has used an audio capturing utility known as SOUNDWAVE that captures microphone input.42
S0438 Attor Attor’s has a plugin that is capable of recording audio using available input sound devices.1
S0234 Bandook Bandook has modules that are capable of capturing audio.11
S0454 Cadelspy Cadelspy has the ability to record audio from the compromised host.16
S0338 Cobian RAT Cobian RAT has a feature to perform voice recording on the victim’s machine.27
S0115 Crimson Crimson can perform audio surveillance using microphones.19
S0334 DarkComet DarkComet can listen in to victims’ conversations through the system’s microphone.3334
S0021 Derusbi Derusbi is capable of performing audio captures.32
S0213 DOGCALL DOGCALL can capture microphone data from the victim’s machine.36
S0152 EvilGrab EvilGrab has the capability to capture audio from a victim machine.14
S0143 Flame Flame can record audio using any existing hardware recording devices.89
S0434 Imminent Monitor Imminent Monitor has a remote microphone monitoring capability.56
S0260 InvisiMole InvisiMole can record sound using input audio devices.2829
S0163 Janicab Janicab captured audio and sent it out to a C2 server.2526
S0283 jRAT jRAT can capture microphone recordings.37
S1185 LightSpy LightSpy uses Apple’s built-in AVFoundation Framework library to capture and manage audio recordings then transform them to JSON blobs for exfiltration.15
S0409 Machete Machete captures audio from the computer’s microphone.222324
S1016 MacMa MacMa has the ability to record audio.20
S0282 MacSpy MacSpy can record the sounds from microphones on a computer.35
S1146 MgBot MgBot can capture input and output audio streams from infected devices.4041
S0339 Micropsia Micropsia can perform microphone recording.38
S0336 NanoCore NanoCore can capture audio feeds from the system.1718
S1090 NightClub NightClub can load a module to leverage the LAME encoder and mciSendStringW to control and capture audio.39
S0194 PowerSploit PowerSploit’s Get-MicrophoneAudio Exfiltration module can record system microphone audio.23
S0192 Pupy Pupy can record sound with the microphone.4
S0332 Remcos Remcos can capture data from the system’s microphone.7
S0379 Revenge RAT Revenge RAT has a plugin for microphone interception.3130
S0240 ROKRAT ROKRAT has an audio capture and eavesdropping module.10
S0098 T9000 T9000 uses the Skype API to record audio and video calls. It writes encrypted data to %APPDATA%\Intel\Skype.21
S0467 TajMahal TajMahal has the ability to capture VoiceIP application audio on an infected host.13
S0257 VERMIN VERMIN can perform audio capture.12

References

  1. Hromcova, Z. (2019, October). AT COMMANDS, TOR-BASED COMMUNICATIONS: MEET ATTOR, A FANTASY CREATURE AND ALSO A SPY PLATFORM. Retrieved May 6, 2020. 

  2. PowerShellMafia. (2012, May 26). PowerSploit - A PowerShell Post-Exploitation Framework. Retrieved February 6, 2018. 

  3. PowerSploit. (n.d.). PowerSploit. Retrieved February 6, 2018. 

  4. Nicolas Verdier. (n.d.). Retrieved January 29, 2018. 

  5. Unit 42. (2019, December 2). Imminent Monitor – a RAT Down Under. Retrieved May 5, 2020. 

  6. QiAnXin Threat Intelligence Center. (2019, February 18). APT-C-36: Continuous Attacks Targeting Colombian Government Institutions and Corporations. Retrieved May 5, 2020. 

  7. Bacurio, F., Salvio, J. (2017, February 14). REMCOS: A New RAT In The Wild. Retrieved November 6, 2018. 

  8. Gostev, A. (2012, May 28). The Flame: Questions and Answers. Retrieved March 1, 2017. 

  9. Gostev, A. (2012, May 30). Flame: Bunny, Frog, Munch and BeetleJuice…. Retrieved March 1, 2017. 

  10. GReAT. (2019, May 13). ScarCruft continues to evolve, introduces Bluetooth harvester. Retrieved June 4, 2019. 

  11. Galperin, E., Et al.. (2016, August). I Got a Letter From the Government the Other Day.... Retrieved April 25, 2018. 

  12. Lancaster, T., Cortes, J. (2018, January 29). VERMIN: Quasar RAT and Custom Malware Used In Ukraine. Retrieved July 5, 2018. 

  13. GReAT. (2019, April 10). Project TajMahal – a sophisticated new APT framework. Retrieved October 14, 2019. 

  14. PwC and BAE Systems. (2017, April). Operation Cloud Hopper: Technical Annex. Retrieved April 13, 2017. 

  15. Stuart Ashenbrenner, Alden Schmidt. (2024, April 25). LightSpy Malware Variant Targeting macOS. Retrieved January 3, 2025. 

  16. Symantec Security Response. (2015, December 7). Iran-based attackers use back door threats to spy on Middle Eastern targets. Retrieved April 17, 2019. 

  17. The DigiTrust Group. (2017, January 01). NanoCore Is Not Your Average RAT. Retrieved November 9, 2018. 

  18. Kasza, A., Halfpop, T. (2016, February 09). NanoCoreRAT Behind an Increase in Tax-Themed Phishing E-mails. Retrieved November 9, 2018. 

  19. Dedola, G. (2020, August 20). Transparent Tribe: Evolution analysis, part 1. Retrieved September 2, 2021. 

  20. Wardle, P. (2021, November 11). OSX.CDDS (OSX.MacMa). Retrieved June 30, 2022. 

  21. Grunzweig, J. and Miller-Osborn, J.. (2016, February 4). T9000: Advanced Modular Backdoor Uses Complex Anti-Analysis Techniques. Retrieved April 15, 2016. 

  22. Kaspersky Global Research and Analysis Team. (2014, August 20). El Machete. Retrieved September 13, 2019. 

  23. The Cylance Threat Research Team. (2017, March 22). El Machete’s Malware Attacks Cut Through LATAM. Retrieved September 13, 2019. 

  24. kate. (2020, September 25). APT-C-43 steals Venezuelan military secrets to provide intelligence support for the reactionaries — HpReact campaign. Retrieved November 20, 2020. 

  25. Brod. (2013, July 15). Signed Mac Malware Using Right-to-Left Override Trick. Retrieved July 17, 2017. 

  26. Thomas. (2013, July 15). New signed malware called Janicab. Retrieved July 17, 2017. 

  27. Yadav, A., et al. (2017, August 31). Cobian RAT – A backdoored RAT. Retrieved November 13, 2018. 

  28. Hromcová, Z. (2018, June 07). InvisiMole: Surprisingly equipped spyware, undercover since 2013. Retrieved July 10, 2018. 

  29. Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE HIDDEN PART OF THE STORY. Retrieved July 16, 2020. 

  30. Gannon, M. (2019, February 11). With Upgrades in Delivery and Support Infrastructure, Revenge RAT Malware is a Bigger Threat. Retrieved November 17, 2024. 

  31. Livelli, K, et al. (2018, November 12). Operation Shaheen. Retrieved May 1, 2019. 

  32. FireEye. (2018, March 16). Suspected Chinese Cyber Espionage Group (TEMP.Periscope) Targeting U.S. Engineering and Maritime Industries. Retrieved April 11, 2018. 

  33. TrendMicro. (2014, September 03). DARKCOMET. Retrieved November 6, 2018. 

  34. Kujawa, A. (2018, March 27). You dirty RAT! Part 1: DarkComet. Retrieved November 6, 2018. 

  35. Patrick Wardle. (n.d.). Mac Malware of 2017. Retrieved September 21, 2018. 

  36. Grunzweig, J. (2018, October 01). NOKKI Almost Ties the Knot with DOGCALL: Reaper Group Uses New Malware to Deploy RAT. Retrieved November 5, 2018. 

  37. Kamluk, V. & Gostev, A. (2016, February). Adwind - A Cross-Platform RAT. Retrieved April 23, 2019. 

  38. Tsarfaty, Y. (2018, July 25). Micropsia Malware. Retrieved November 13, 2018. 

  39. Faou, M. (2023, August 10). MoustachedBouncer: Espionage against foreign diplomats in Belarus. Retrieved September 25, 2023. 

  40. Facundo Muñoz. (2023, April 26). Evasive Panda APT group delivers malware via updates for popular Chinese software. Retrieved July 25, 2024. 

  41. Threat Hunter Team. (2023, April 20). Daggerfly: APT Actor Targets Telecoms Company in Africa. Retrieved July 25, 2024. 

  42. FireEye. (2018, February 20). APT37 (Reaper): The Overlooked North Korean Actor. Retrieved November 17, 2024.