T1056 - Input Capture - MITRE ATT&CK

Threat entity extracted from intelligence sources

Frequency
156
occurrences
First Seen
November 12, 2025
Last Seen
July 15, 2026

T1056 - Input Capture is a mitre_attack tracked across 50 threat clusters and 156 intelligence report mentions on ThreatCluster. First observed November 12, 2025; most recent activity July 15, 2026.

Overview

T1056 - Input Capture covers techniques that capture user input, including keystrokes and clipboard data, to steal credentials or sensitive information. Recent reports show Android-based FvncBot capturing keystrokes and dropping payloads, and the Ferocious Kitten APT deploying MarkiRAT to perform keystroke and clipboard logging, underscoring the technique's cross-platform relevance. This remains a significant attack vector for credential theft and data exfiltration across actors and environments.

Related Threat Clusters

Recent Intelligence Reports

  • EtherHiding to ClickFix Analysis — www.derp.ca · July 15, 2026
  • Gamers Download Fake Cheats and Hand Attackers a Live Remote Control of Their Windows PCs — Cybersecuritynews · July 15, 2026
  • How an Infostealer Infection Led to a Sophisticated ClickFix Campaign at Artlist — Infostealers · July 14, 2026
  • RiskX interview video featuring Colin Mahony and Mastercard's Aditi Sawhney — Recordedfuture · July 10, 2026
  • New GoodPersonRAT malware distributed via fake LetsVPN installer — Feeds.Feedburner · July 9, 2026
  • Hackers bait users with popular VPNs, but fake installers lead to complete compromise — Cybernews · July 9, 2026
  • RedHook Abuses Accessibility Service to Enable Developer Options and Wireless Debugging — Gbhackers · July 9, 2026
  • Threat Landscape For Industrial Automation Systems Q1 2026 — ics-cert.kaspersky.com · July 9, 2026

CVSS v3.1 Breakdown