S0222: CCBkdr
Analyst context for executives and security teams
CCBkdr matters because it represents malware delivered through a trusted, signed software distribution path: a compromised CCleaner release from the vendor’s distribution website. For leaders, the practical lesson is that “trusted software” can still become an initial access path, so resilience depends on software supply chain governance, endpoint visibility, and the ability to investigate suspicious behavior after installation, not just on allowing signed applications.
Executive priority
Treat this as a supply chain risk and incident readiness example. Security leaders should ask whether the organization can identify affected software versions, prove where trusted installers came from, detect unexpected command-and-control behavior from legitimate application processes, and produce audit evidence for software inventory, update controls, and third-party software risk decisions. Budget priority should favor asset/software inventory, endpoint and network telemetry, and response playbooks for compromised trusted software rather than relying only on signature or publisher trust.
Technical view
The supplied ATT&CK relationships connect CCBkdr to T1195.002 Compromise Software Supply Chain for initial access and T1568.002 Domain Generation Algorithms for command and control. SOC and IR teams should validate coverage on Windows endpoints for software installation/update provenance, execution of the affected application, network activity that may indicate dynamically generated C2 domains, and the ability to scope exposure by installed software and version. Because MITRE provides no official detection text for this malware object, local detection logic should be built from endpoint behavior, network/DNS patterns, software inventory, and threat intelligence from the cited references rather than assuming a single canonical analytic.
Likely telemetry
- Windows endpoint process execution and parent/child process telemetry
- Software inventory, installed application version, and update history
- Installer/download provenance where available, including source URL or distribution channel records
- Code-signing and file metadata for installed binaries
- DNS query logs suitable for identifying unusual or algorithmic domain lookups
Detection direction
- Validate whether signed or trusted software is monitored for abnormal post-installation behavior, not automatically excluded from investigation.
- Correlate Windows software inventory with endpoint and network telemetry to determine whether suspicious activity follows installation or execution of the relevant software.
- Tune DNS and network analytics for DGA-like behavior, while accounting for false positives from legitimate software that uses high-volume or dynamic domain patterns.
- Ensure allowlisting, reputation, or certificate-based trust controls do not create blind spots for compromised signed software.
- Use the relationship to T1195.002 to test whether supply chain scenarios are covered in alert triage and incident response workflows, including rapid host scoping.
Mitigation priorities
- Maintain accurate software and asset inventory so potentially affected Windows systems can be identified quickly.
- Strengthen third-party software intake and update governance, including validation of source, version, and change history where feasible.
- Avoid blanket trust for signed software; pair trust decisions with runtime monitoring and exception review.
- Ensure DNS, proxy, firewall, and endpoint telemetry are retained long enough to investigate delayed discovery of supply chain compromise.
- Prepare an incident response playbook for compromised trusted software that includes exposure scoping, containment, eradication, and executive communications.
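The correlation asked for in the detection and mitigation lists above (software inventory joined to DNS telemetry, DGA-style scoring of lookups, scoping by affected version, and suppression of legitimate services that use dynamic labels) can be sketched in a few functions. The Python below is an added example and is not part of the mirrored ATT&CK record or of Glexia's analysis. The product name and the version 5.33 come from the page; every host name, timestamp, domain name and the allowlist entry are constructed for the example and are not real indicators. The heuristics (entropy on long labels, vowel ratio, digit ratio) are a common starting point, not a canonical analytic, and the registrable-domain split is naive (no public-suffix list).

```python
"""Added example: correlate software inventory with DNS telemetry and flag
DGA-like lookups. Only the product name and version '5.33' come from the
page; hosts, timestamps, domains and the allowlist entry are constructed
and are not real indicators."""
import math
from collections import Counter
from datetime import datetime

# Constructed software inventory records: (host, product, version, installed_at).
INVENTORY = [
    ("ws-01", "CCleaner", "5.33", "2017-09-01T10:00:00"),
    ("ws-02", "CCleaner", "5.34", "2017-09-20T09:00:00"),
    ("ws-03", "CCleaner", "5.33", "2017-09-02T11:30:00"),
]

# Constructed DNS query log, one "<timestamp> <host> <qname>" per line.
DNS_LOG = """\
2017-09-01T09:00:00 ws-01 update.example.com
2017-09-01T10:05:12 ws-01 ab6d54340c1a.com
2017-09-01T10:07:00 ws-01 d7a3f9e1c4b2.cdn-example.com
2017-09-02T11:00:00 ws-03 kjq8x2zpq7ml.com
2017-09-02T12:00:00 ws-03 cdn.example.net
2017-09-02T12:01:00 ws-03 7f3b9c2a1e5d.org
2017-09-20T09:05:00 ws-02 x1y2z3q9w8e7.com
"""

# Constructed allowlist: registrable domains of legitimate services known to
# use random-looking labels (a CDN here). They are suppressed, not scored.
KNOWN_DYNAMIC_DOMAINS = {"cdn-example.com"}


def shannon_entropy(text):
    """Bits of entropy per character of a string."""
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def registrable_domain(qname):
    """Last two labels of a name (naive: no public-suffix handling)."""
    parts = qname.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else parts[0]


def dga_score(label):
    """Count how many heuristics a label trips (0..3): high entropy on a
    long label, few vowels, many digits. A threshold of 2 keeps single
    odd-looking but legitimate labels from firing on their own."""
    n = len(label)
    if n == 0:
        return 0
    score = 0
    if n >= 10 and shannon_entropy(label) > 3.0:
        score += 1
    if sum(ch in "aeiou" for ch in label) / n < 0.2:
        score += 1
    if sum(ch.isdigit() for ch in label) / n > 0.2:
        score += 1
    return score


def affected_hosts(inventory, product, versions):
    """Map host -> install time for hosts running an affected version."""
    return {
        host: datetime.fromisoformat(installed)
        for host, prod, ver, installed in inventory
        if prod == product and ver in versions
    }


def parse_dns_log(text):
    """Parse the constructed log format into (timestamp, host, qname)."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, qname = line.split()
        records.append((datetime.fromisoformat(ts), host, qname.lower().rstrip(".")))
    return records


def correlate(inventory, dns_log, product="CCleaner", versions=("5.33",), threshold=2):
    """Return (host, qname, score, verdict) for each DGA-like lookup. The
    verdict records whether the host runs an affected version and whether
    the lookup followed the recorded install time."""
    affected = affected_hosts(inventory, product, versions)
    findings = []
    for ts, host, qname in parse_dns_log(dns_log):
        domain = registrable_domain(qname)
        if domain in KNOWN_DYNAMIC_DOMAINS:
            continue  # legitimate dynamic-label service, suppressed
        score = dga_score(domain.split(".")[0])
        if score < threshold:
            continue
        installed = affected.get(host)
        if installed is None:
            verdict = "unscoped-host"  # DGA-like, but no affected version on record
        elif ts >= installed:
            verdict = "post-install"   # follows install of the affected version
        else:
            verdict = "pre-install"    # predates it; likely unrelated
        findings.append((host, qname, score, verdict))
    return findings


if __name__ == "__main__":
    for finding in correlate(INVENTORY, DNS_LOG):
        print(*finding)
```

The "pre-install" and "unscoped-host" verdicts are the point of the join: a DGA-like lookup is only tied to the supply chain scenario when the host actually carries the affected version and the lookup follows installation; the other two buckets still deserve triage, but under a different hypothesis.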
Analyst notes and limits
This take is based on the official ATT&CK S0222 CCBkdr object, its description, external references, and the supplied relationships to T1195.002 and T1568.002. The key defensive value is not a malware-specific signature but validation that the organization can handle a trusted software distribution compromise and investigate DGA-style command-and-control indicators on Windows systems.
MITRE does not provide official detection text, aliases, labels, or object-level tactics for CCBkdr in the supplied fields. The malware platform is listed as Windows; broader platform references belong to related techniques and should not be treated as confirmed CCBkdr platforms. Local software inventory, telemetry availability, and environment-specific baselines are required before making exposure or coverage claims.
CCBkdr
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1195.002 | Compromise Software Supply Chain (sub-technique) | CCBkdr was added to a legitimate, signed version 5.33 of the CCleaner software and distributed on CCleaner's distribution site. (Citation: Talos CCleanup 2017; Intezer Aurora Sept 2017; Avast CCleaner3 2018) |
| Enterprise | T1568.002 | Domain Generation Algorithms (sub-technique) | CCBkdr can use a DGA for Fallback Channels if communications with the primary command and control server are lost. (Citation: Talos CCleanup 2017) |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.2 | | Current bundle | f952db51b163… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] Talos CCleanup 2017: Brumaghin, E. et al. (2017, September 18). CCleanup: A Vast Number of Machines at Risk. Retrieved March 9, 2018.
- [2] Intezer Aurora Sept 2017: Rosenberg, J. (2017, September 20). Evidence Aurora Operation Still Active: Supply Chain Attack Through CCleaner. Retrieved February 13, 2018.
- [3] mitre-attack S0222
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.