MITRE ATT&CK® Technique

T1123: Audio Capture

An adversary can leverage a computer's peripheral devices (e.g., microphones and webcams) or applications (e.g., voice and video call services) to capture audio recordings for the purpose of listening into sensitive conversations to gather information.[1]

Malware or scripts may be used to interact with the devices through an available API provided by the operating system or an application to capture audio. Audio files may be written to disk and exfiltrated later.

Domain: Enterprise | ID: T1123 | Type: Technique | Object version 1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

Audio Capture matters because a compromised workstation can become a listening device. For executives and security leaders, the risk is not only data theft from files or email; it is exposure of sensitive conversations, meetings, negotiations, investigations, and operational discussions. ATT&CK lists this as a collection technique across Windows, macOS, and Linux, with many related RATs and spyware families using it, so defenders should treat microphone and communication-app access as a privacy, espionage, and incident-response concern, not just an endpoint malware issue.

Executive priority

Prioritize this where sensitive conversations happen on general-purpose endpoints: executive devices, legal and HR workstations, finance teams, government or critical-infrastructure operators, incident-response war rooms, and users handling regulated or confidential information. Leadership should ask whether the organization can prove which applications and processes access microphones, whether endpoint controls restrict unauthorized capture, and whether SOC/IR teams can find newly created audio recordings before later exfiltration. Because MITRE provides no official detection text for T1123, coverage should be validated rather than assumed.

Technical view

T1123 is a collection technique for Linux, macOS, and Windows in which malware or scripts interact with microphones, webcams, operating-system APIs, or voice/video-call applications to capture audio. ATT&CK notes that recordings may be written to disk and exfiltrated later. SOC and detection teams should validate behavior-based detection around unusual process access to audio devices or audio APIs, unexpected creation of audio files, suspicious child processes or scripts associated with RAT activity, and follow-on staging or outbound transfer of recorded media. Relationship context is important: ATT&CK links this technique to multiple RATs and spyware tools, including Derusbi, T9000, Crimson, Flame, EvilGrab, Janicab, Pupy, PowerSploit, DOGCALL, Bandook, ROKRAT, VERMIN, InvisiMole, MacSpy, jRAT, Remcos, DarkComet, NanoCore, Cobian RAT, Micropsia, and Revenge RAT, plus group usage by APT37 and VOID MANTICORE. DET0221 is listed as a related behavioral detection strategy, but the supplied object does not include its detection logic.

Likely telemetry

  • Endpoint process execution and command/script activity on Windows, macOS, and Linux
  • Operating-system or application records of microphone, webcam, or audio-device access where available
  • File creation and modification events for newly generated audio recordings or media files
  • Process-to-device or process-to-API activity involving audio capture interfaces
  • Voice and video call application activity where those applications can be abused or monitored

Detection direction

  • Validate coverage with behavior, not only malware names: many related software objects are RATs or spyware, and tool-specific signatures will miss custom or repackaged capture logic.
  • Tune for unusual processes accessing microphones or audio APIs, especially office-document-spawned processes, scripting runtimes, remote administration tools, or unknown binaries.
  • Correlate microphone access with audio file creation and later file movement or outbound network activity; the ATT&CK description explicitly notes files may be written to disk and exfiltrated later.
  • Baseline legitimate collaboration, conferencing, recording, and accessibility software to reduce false positives while still alerting on unexpected parent processes, users, paths, or times.
  • Give higher investigative priority to executive, legal, finance, government, critical-infrastructure, and incident-response systems where recorded conversations have high business impact.
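As an added example that is not part of this page or of MITRE's object, the correlation the bullets above (and the Technical view) call for, written in Python over constructed telemetry: per process, microphone access followed by creation of an audio file followed by an outbound connection inside a time window, with a baseline of known conferencing parent/child pairs suppressing alerts. The event schema, image names, baseline pairs, file extensions and the one-hour window are all assumptions, not fields asserted by the page.

```python
# Added example, not page/MITRE code: correlate the T1123 chain per process:
# microphone access -> audio file created -> outbound transfer. All events are constructed.
from collections import defaultdict

EVENTS = [  # constructed sample telemetry, "t" is seconds
    {"t": 100, "pid": 41, "image": "teams.exe", "parent": "explorer.exe",
     "type": "device_access", "device": "microphone"},
    {"t": 160, "pid": 41, "image": "teams.exe", "parent": "explorer.exe",
     "type": "file_create", "path": "C:\\Users\\a\\Documents\\call.wav"},
    {"t": 200, "pid": 77, "image": "powershell.exe", "parent": "winword.exe",
     "type": "device_access", "device": "microphone"},
    {"t": 260, "pid": 77, "image": "powershell.exe", "parent": "winword.exe",
     "type": "file_create", "path": "C:\\Users\\a\\AppData\\Local\\Temp\\r1.wav"},
    {"t": 900, "pid": 77, "image": "powershell.exe", "parent": "winword.exe",
     "type": "net_connect", "dst": "203.0.113.10:443", "bytes_out": 4_800_000},
    {"t": 950, "pid": 88, "image": "svchost.exe", "parent": "services.exe",
     "type": "net_connect", "dst": "198.51.100.7:443", "bytes_out": 1200},
]

# Assumed baseline of legitimate (image, parent) pairs, e.g. conferencing software.
BASELINE = {("teams.exe", "explorer.exe")}
AUDIO_EXT = (".wav", ".mp3", ".m4a", ".ogg", ".flac", ".wma", ".opus")  # assumed
WINDOW = 3600  # max seconds from first microphone access to outbound transfer

def correlate(events, baseline=BASELINE, window=WINDOW):
    """Return one finding per process that touched the microphone."""
    chains = defaultdict(dict)
    for e in sorted(events, key=lambda ev: ev["t"]):
        c = chains[(e["pid"], e["image"], e["parent"])]
        if e["type"] == "device_access" and e.get("device") == "microphone":
            c.setdefault("mic_t", e["t"])          # first microphone access
        elif e["type"] == "file_create" and "mic_t" in c \
                and e["path"].lower().endswith(AUDIO_EXT):
            c.setdefault("audio_file", e["path"])  # recording written to disk
        elif e["type"] == "net_connect" and "audio_file" in c \
                and e["t"] - c["mic_t"] <= window:
            c.setdefault("transfer", e["dst"])     # possible exfiltration
    findings = []
    for (pid, image, parent), c in chains.items():
        if "mic_t" not in c:  # network-only process: no capture chain
            continue
        stages = [s for s in ("mic_t", "audio_file", "transfer") if s in c]
        if (image, parent) in baseline:
            severity = "info"  # baselined app: record for review, do not alert
        else:
            severity = {"transfer": "high", "audio_file": "medium"}.get(stages[-1], "low")
        findings.append({"pid": pid, "image": image, "parent": parent,
                         "stages": stages, "severity": severity})
    return findings
```

The unbaselined office-document-spawned PowerShell process completes all three stages and is rated high, while the baselined conferencing client with the same first two stages is only recorded.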

Mitigation priorities

  • Restrict microphone and camera access to approved applications using operating-system and endpoint management controls where available.
  • Harden endpoints against RAT and spyware execution through least privilege, application control, script governance, and endpoint protection appropriate to Windows, macOS, and Linux fleets.
  • Review privacy and device-permission configurations for high-risk users and systems, especially those involved in sensitive meetings or regulated work.
  • Ensure endpoint logging captures process activity, device access where available, file creation of media artifacts, and subsequent transfer activity.
  • Include audio-capture scenarios in incident-response playbooks so responders check for local recordings, staging directories, and exfiltration paths during collection-focused intrusions.

Analyst notes and limits

The main decision value of T1123 is that it extends collection risk from stored data to live conversations. The relationship set shows broad use across Windows-focused RATs and spyware, plus macOS, Linux, and cross-platform tools, which makes endpoint telemetry and device-permission governance important. The supplied ATT&CK object includes a related detection strategy, DET0221, but not its details; teams should review and test that strategy separately before claiming coverage.

This take uses only the supplied ATT&CK fields, references, and relationships. MITRE did not provide official detection text for this technique in the supplied object. Specific event IDs, API names, vendor detections, file extensions, and prevention settings are environment-dependent and are not asserted here. Related group and software usage establishes historical ATT&CK context, not current targeting or exposure of any organization.

Official MITRE ATT&CK definition


View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Associated objects

Groups, software, and campaigns

Group Enterprise

G1055: VOID MANTICORE

VOID MANTICORE is a threat group assessed to operate on behalf of Iran’s Ministry of Intelligence and Security (MOIS).[1] Active since at least mid-2022, VOID MANTICORE has targeted government entities, critical infrastructure, and private sector organizations across Albania, Israel, and the United States.[1][2] VOID MANTICORE conducts destructive cyber operations, combining wiper attacks with hack-and-leak campaigns. The group has operated under multiple public-facing personas, including HomeLand Justice in operations against Albania, Karma and Karma Below in campaigns targeting Israeli organizations, and Handala Hack, its current primary persona, which has claimed activity against Israeli and U.S. entities, including a March 2026 attack against Stryker Corporation.[1][3] VOID MANTICORE has been observed collaborating with Scarred Manticore, which has been linked to initial access operations preceding VOID MANTICORE’s activity.[4]

Group Enterprise

G0067: APT37

APT37 is a North Korean state-sponsored cyber espionage group that has been active since at least 2012. The group has targeted victims primarily in South Korea, but also in Japan, Vietnam, Russia, Nepal, China, India, Romania, Kuwait, and other parts of the Middle East. APT37 has also been linked to the following campaigns between 2016-2018: Operation Daybreak, Operation Erebus, Golden Time, Evil New Year, Are you Happy?, FreeMilk, North Korean Human Rights, and Evil New Year 2018.[1][2][3]

North Korean group definitions are known to have significant overlap, and some security researchers report all North Korean state-sponsored cyber activity under the name Lazarus Group instead of tracking clusters or subgroups.

Malware Enterprise

S0143: Flame

Flame is a sophisticated toolkit that has been used to collect information since at least 2010, largely targeting Middle East countries. [1]

Windows
Malware Enterprise

S0234: Bandook

Bandook is a commercially available RAT, written in Delphi and C++, that has been available since at least 2007. It has been used against government, financial, energy, healthcare, education, IT, and legal organizations in the US, South America, Europe, and Southeast Asia. Bandook has been used by Dark Caracal, as well as in a separate campaign referred to as "Operation Manul".[1][2][3]

Windows
Tool Enterprise

S0194: PowerSploit

PowerSploit is an open source, offensive security framework comprised of PowerShell modules and scripts that perform a wide range of tasks related to penetration testing such as code execution, persistence, bypassing anti-virus, recon, and exfiltration. [1] [2] [3]

Windows
Malware Enterprise

S0257: VERMIN

VERMIN is a remote access tool written in the Microsoft .NET framework. It is mostly composed of original code, but also has some open source code. [1]

Windows
Malware Enterprise

S0467: TajMahal

TajMahal is a multifunctional spying framework that has been in use since at least 2014. TajMahal is comprised of two separate packages, named Tokyo and Yokohama, and can deploy up to 80 plugins.[1]

Windows
Tool Enterprise

S0192: Pupy

Pupy is an open source, cross-platform (Windows, Linux, OSX, Android) remote administration and post-exploitation tool. [1] It is written in Python and can be generated as a payload in several different ways (Windows exe, Python file, PowerShell oneliner/file, Linux elf, APK, Rubber Ducky, etc.). [1] Pupy is publicly available on GitHub. [1]

Linux, Windows, macOS
Malware Enterprise

S0152: EvilGrab

EvilGrab is a malware family with common reconnaissance capabilities. It has been deployed by menuPass via malicious Microsoft Office documents as part of spearphishing campaigns. [1]

Windows
Malware Enterprise

S1185: LightSpy

First observed in 2018, LightSpy is a modular malware family that initially targeted iOS devices in Southern Asia before expanding to Android and macOS platforms. It consists of a downloader, a main executable that manages network communications, and functionality-specific modules, typically implemented as `.dylib` files (iOS, macOS) or `.apk` files (Android). LightSpy can collect VoIP call recordings, SMS messages, and credential stores, which are then exfiltrated to a command and control (C2) server.[1]

Android, Windows, iOS
Malware Enterprise

S0336: NanoCore

NanoCore is a modular remote access tool developed in .NET that can be used to spy on victims and steal information. It has been used by threat actors since 2013.[1][2][3][4]

Windows
Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release: 19.1
Object version: 1.0
Created: (not shown in the mirrored snapshot)
Modified: (not shown in the mirrored snapshot)
Raw hash: d29080dbeaf415c6...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | (not shown) | 1.0 | (not shown) | Current bundle | d29080dbeaf4…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. ESET Attor Oct 2019: Hromcova, Z. (2019, October). AT COMMANDS, TOR-BASED COMMUNICATIONS: MEET ATTOR, A FANTASY CREATURE AND ALSO A SPY PLATFORM. Retrieved May 6, 2020.
  2. mitre-attack T1123.

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.