#T1056.003 Web Portal Capture

Technique

  • Tactics: Collection, Credential Access
  • Description:

    Adversaries may install code on externally facing portals, such as a VPN login page, to capture and transmit credentials of users who attempt to log into the service. For example, a compromised login page may log provided user credentials before logging the user in to the service.

    This variation on input capture may be conducted post-compromise using legitimate administrative access as a backup measure to maintain network access through [External Remote Services](https://attack.mitre.org/techniques/T1133) and [Valid Accounts](https://attack.mitre.org/techniques/T1078) or as part of the initial compromise by exploitation of the externally facing web service.(Citation: Volexity Virtual Private Keylogging)

  • First Seen: North Korean Kimsuky Actors Leverage Malicious QR Codes in Spearphishing Campaigns Targeting U.S. Entities • 2026-01-08
MITRE ATT&CK

Tagged Reports

#Kimsuky #Phishing #T1102.002 #T1059.005 #T1027 #T1583.006 #T1566.003 #T1567 #T1583.003 #T1204.004 #T1057 #T1082 #T1518.001 #T1568.001 #T1566.001 #T1547.001 #T1585.002 #T1140 #T1056.003 #T1204.001 #T1053.005 #T1539 #T1041 #T1113 #T1608.005 #T1608.001 #T1204.002 #T1598.003 #T1071.001 #T1590.005 #T1115 #T1083 #T1583.001 #T1059.001 #T1497 #T1056.001 #T1566.002 #T1036.005
2026-01-08
USFBI
#Kimsuky #Phishing #T1056.003 #T1589 #T1566 #T1550.004 #T1566.002 #T1098 #T1660 #T1598
« Back