S0660: Clambling
Clambling is a modular backdoor written in C++ that has been used by Threat Group-3390 since at least 2017.[1]
Analyst context for executives and security teams
Clambling matters because ATT&CK describes it as a Windows modular C++ backdoor associated with broad post-compromise behavior: discovery, collection, command-and-control, registry activity, PowerShell/cmd execution, process injection/hollowing, and user-data capture such as keystrokes, screenshots, clipboard, and video. For leaders, the decision point is not a single malware name; it is whether Windows endpoint, identity, and network monitoring can prove visibility into a modular backdoor that may blend into normal admin and web traffic.
Executive priority
Prioritize Clambling as a coverage-validation use case for Windows resilience and incident readiness. The related techniques touch sensitive data collection, credential exposure through keylogging, C2 over web or other protocols, and persistence or defense impairment via registry modification. Security leaders should ask whether SOC runbooks can connect endpoint behavior, network egress, and user-risk evidence quickly enough to support containment decisions, regulatory evidence, and business continuity planning for sectors or environments where Threat Group-3390 tradecraft is relevant.
Technical view
ATT&CK provides no official detection text for Clambling, so defenders should validate coverage through the related behaviors rather than a malware-specific signature alone. On Windows, focus on correlated sequences: command shell or PowerShell execution; registry query or modification; system, user, process, network, file, directory, and share discovery; process injection or process hollowing indicators; local data access; clipboard, screen, video, or keystroke collection signals; and outbound C2 using web protocols, application-layer protocols, non-application-layer protocols, or bidirectional communication through external web services. Treat the relationship to Threat Group-3390 as context for threat-informed testing, not as proof of current activity in any environment.
Likely telemetry
- Windows endpoint process creation and command-line telemetry, including PowerShell and cmd activity
- Windows Registry query and modification events
- Endpoint memory or EDR telemetry relevant to process injection and process hollowing
- File system access, directory enumeration, and local data access events
- User, process, system information, system time, network configuration, and network share discovery telemetry
Detection direction
- Build behavior-based detections mapped to the related ATT&CK techniques rather than relying only on a Clambling name or hash.
- Correlate discovery commands, registry activity, and script or shell execution with later collection or outbound network activity to reduce false positives from normal administration.
- Tune PowerShell and Windows command shell analytics against known administrative baselines; these interpreters are legitimate tools and will generate noise without context.
- Validate whether EDR or host sensors can observe process injection and process hollowing behaviors, not just process starts.
- Review coverage for collection behaviors such as clipboard, screen, video, and keystroke capture; many environments do not collect these signals by default or restrict them for privacy reasons.
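As an added illustration of the correlation approach described in the detection direction above (this is example code written for this page, not Glexia's or MITRE's tooling, and not anything from the Trend Micro or Talent-Jump reporting), the script below chains three of the behaviors the page maps to Clambling on a single Windows host: shell-based discovery, a Run-key registry modification, and a later outbound connection to an address outside the organisation's own ranges. The telemetry is constructed sample data in a simplified pipe-separated form, the internal address ranges are assumed, and the 60-minute lookback is chosen so that the 30-minute pre-C2 delay noted in the techniques table still lands inside the window.

```python
import ipaddress
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Event:
    ts: datetime
    host: str
    kind: str     # "process", "registry" or "network"
    detail: str   # command line, registry value path or remote endpoint


@dataclass(frozen=True)
class Alert:
    host: str
    stages: Tuple[str, ...]
    first_ts: datetime
    last_ts: datetime


# Constructed sample telemetry, not captured from any real system.
# Format: ISO timestamp | hostname | event kind | detail
SAMPLE_LOG = """\
2024-05-01T10:00:05|WS-FIN-07|process|C:\\Windows\\System32\\cmd.exe /c whoami & hostname & ipconfig /all
2024-05-01T10:00:09|WS-FIN-07|process|C:\\Windows\\System32\\cmd.exe /c net view
2024-05-01T10:00:31|WS-FIN-07|registry|HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\updater
2024-05-01T10:31:02|WS-FIN-07|network|203.0.113.45:443
2024-05-01T10:05:00|WS-IT-02|process|C:\\Windows\\System32\\cmd.exe /c ipconfig /all
2024-05-01T10:06:00|WS-IT-02|network|10.0.0.12:445
2024-05-01T11:00:00|WS-HR-03|registry|HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive
"""

# Assumed organisation-internal ranges; anything outside them counts as external egress.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SHELLS = ("cmd.exe", "powershell.exe", "pwsh.exe")
DISCOVERY_TOKENS = ("whoami", "hostname", "ipconfig", "net view", "net share", "tasklist", "systeminfo")
RUN_KEY_MARKER = "\\currentversion\\run\\"
STAGE_ORDER = ("discovery", "persistence", "egress")


def parse_log(text: str) -> List[Event]:
    """Parse the simplified pipe-separated sample format into Event records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, kind, detail = line.split("|", 3)
        events.append(Event(datetime.fromisoformat(ts), host, kind, detail))
    return events


def is_external(endpoint: str) -> bool:
    """True when the remote address of 'ip:port' is outside the assumed internal ranges."""
    addr = ipaddress.ip_address(endpoint.rsplit(":", 1)[0])
    return not any(addr in net for net in INTERNAL_NETS)


def stage_of(ev: Event) -> Optional[str]:
    """Map one event to a kill-chain stage, or None if it is not interesting on its own."""
    d = ev.detail.lower()
    if ev.kind == "process":
        exe = d.split(" ", 1)[0].rsplit("\\", 1)[-1]
        if exe in SHELLS and any(tok in d for tok in DISCOVERY_TOKENS):
            return "discovery"
    elif ev.kind == "registry" and RUN_KEY_MARKER in d:
        return "persistence"
    elif ev.kind == "network" and is_external(ev.detail):
        return "egress"
    return None


def correlate(events: List[Event], window: timedelta = timedelta(minutes=60)) -> List[Alert]:
    """Alert only when external egress follows discovery or persistence on the same host within the window."""
    by_host: Dict[str, List[Tuple[Event, str]]] = {}
    for ev in sorted(events, key=lambda e: e.ts):
        stage = stage_of(ev)
        if stage:
            by_host.setdefault(ev.host, []).append((ev, stage))
    alerts: List[Alert] = []
    for host, staged in by_host.items():
        for i, (egress_ev, stage) in enumerate(staged):
            if stage != "egress":
                continue
            earlier = [(e, s) for e, s in staged[:i] if egress_ev.ts - e.ts <= window]
            seen = {s for _, s in earlier}
            if seen & {"discovery", "persistence"}:
                stages = tuple(s for s in STAGE_ORDER if s in seen or s == "egress")
                alerts.append(Alert(host, stages, min(e.ts for e, _ in earlier), egress_ev.ts))
    return alerts


if __name__ == "__main__":
    for alert in correlate(parse_log(SAMPLE_LOG)):
        print(f"{alert.host}: {' -> '.join(alert.stages)} ({alert.first_ts} to {alert.last_ts})")
```

Run as written, the sample yields one alert for WS-FIN-07; WS-IT-02 runs the same discovery command but only talks to an internal SMB host, and WS-HR-03 writes a Run key with no egress, so neither fires. That asymmetry is the point of the page's guidance: any one of these events is routine administration, and the detection earns its low false-positive rate from the join, not from the individual signals.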
Mitigation priorities
- Start with Windows endpoint hardening and least-privilege controls that limit unnecessary registry modification, script execution, and high-risk administrative activity.
- Apply application control or execution policy controls where feasible for PowerShell, cmd-launched tooling, and unapproved binaries, while preserving legitimate administration paths.
- Ensure EDR or equivalent endpoint protection is configured to monitor process injection, process hollowing, registry changes, and suspicious collection behaviors.
- Constrain outbound network access with proxy, firewall, and egress filtering controls; monitor approved web protocols and external web services rather than assuming they are benign.
- Protect credentials and sensitive user activity by strengthening identity controls, privileged access management, and rapid credential reset procedures during suspected compromise.
Analyst notes and limits
The strongest defensive value comes from using Clambling as a scenario for validating telemetry joins across Windows endpoint, registry, scripting, collection, and network egress data. The ATT&CK relationship to Threat Group-3390 provides threat context, and the source reference is Trend Micro’s DRBControl reporting, but local evidence is required before making any attribution or exposure claim.
The supplied ATT&CK object has no official detection guidance, no aliases, no malware-specific indicators, and no explicit tactic list on the malware object. Several related techniques are cross-platform in ATT&CK, but the Clambling object itself is supplied with Windows as its platform, so this take limits platform-specific guidance to Windows. Environment-specific baselines, logging configuration, privacy rules, and sensor capabilities will determine practical coverage.
Clambling
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1125 | Video Capture | Clambling can record screen content in AVI format. (Trend Micro DRBControl February 2020; Talent-Jump Clambling February 2020) |
| Enterprise | T1095 | Non-Application Layer Protocol | Clambling has the ability to use TCP and UDP for communication. (Trend Micro DRBControl February 2020) |
| Enterprise | T1564.001 | Hidden Files and Directories Sub-technique | Clambling has the ability to set its file attributes to hidden. (Trend Micro DRBControl February 2020) |
| Enterprise | T1102.002 | Bidirectional Communication Sub-technique | Clambling can use Dropbox to download malicious payloads, send commands, and receive information. (Trend Micro DRBControl February 2020; Talent-Jump Clambling February 2020) |
| Enterprise | T1113 | Screen Capture | Clambling has the ability to capture screenshots. (Trend Micro DRBControl February 2020) |
| Enterprise | T1497.003 | Time Based Checks Sub-technique | Clambling can wait 30 minutes before initiating contact with C2. (Trend Micro DRBControl February 2020) |
| Enterprise | T1012 | Query Registry | Clambling has the ability to enumerate Registry keys, including |
| Enterprise | T1083 | File and Directory Discovery | Clambling can browse directories on a compromised host. (Trend Micro DRBControl February 2020; Talent-Jump Clambling February 2020) |
| Enterprise | T1547.001 | Registry Run Keys / Startup Folder Sub-technique | Clambling can establish persistence by adding a Registry run key. (Trend Micro DRBControl February 2020; Talent-Jump Clambling February 2020) |
| Enterprise | T1204.002 | Malicious File Sub-technique | Clambling has gained execution through luring victims into opening malicious files. (Trend Micro DRBControl February 2020) |
| Enterprise | T1567.002 | Exfiltration to Cloud Storage Sub-technique | Clambling can send files from a victim's machine to Dropbox. (Trend Micro DRBControl February 2020; Talent-Jump Clambling February 2020) |
| Enterprise | T1027 | Obfuscated Files or Information | The Clambling executable has been obfuscated when dropped on a compromised host. (Trend Micro DRBControl February 2020) |
| Enterprise | T1569.002 | Service Execution Sub-technique | Clambling can create and start services on a compromised host. (Trend Micro DRBControl February 2020) |
| Enterprise | T1055 | Process Injection | Clambling can inject into the `svchost.exe` process for execution. (Trend Micro DRBControl February 2020) |
| Enterprise | T1566.001 | Spearphishing Attachment Sub-technique | Clambling has been delivered to victims' machines through malicious e-mail attachments. (Trend Micro DRBControl February 2020) |
| Enterprise | T1115 | Clipboard Data | Clambling has the ability to capture and store clipboard data. (Trend Micro DRBControl February 2020; Talent-Jump Clambling February 2020) |
| Enterprise | T1059.003 | Windows Command Shell Sub-technique | Clambling can use cmd.exe for command execution. (Trend Micro DRBControl February 2020) |
| Enterprise | T1082 | System Information Discovery | Clambling can discover the hostname, computer name, and Windows version of a targeted machine. (Trend Micro DRBControl February 2020; Talent-Jump Clambling February 2020) |
| Enterprise | T1135 | Network Share Discovery | Clambling has the ability to enumerate network shares. (Trend Micro DRBControl February 2020) |
| Enterprise | T1071 | Application Layer Protocol | Clambling has the ability to use Telnet for communication. (Trend Micro DRBControl February 2020) |
| Enterprise | T1056.001 | Keylogging Sub-technique | Clambling can capture keystrokes on a compromised host. (Trend Micro DRBControl February 2020; Talent-Jump Clambling February 2020) |
| Enterprise | T1055.012 | Process Hollowing Sub-technique | Clambling can execute binaries through process hollowing. (Trend Micro DRBControl February 2020) |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | Clambling can deobfuscate its payload prior to execution. (Trend Micro DRBControl February 2020; Talent-Jump Clambling February 2020) |
| Enterprise | T1057 | Process Discovery | Clambling can enumerate processes on a targeted system. (Trend Micro DRBControl February 2020) |
| Enterprise | T1124 | System Time Discovery | Clambling can determine the current time. (Trend Micro DRBControl February 2020) |
| Enterprise | T1112 | Modify Registry | Clambling can set and delete Registry keys. (Trend Micro DRBControl February 2020) |
| Enterprise | T1071.001 | Web Protocols Sub-technique | Clambling has the ability to communicate over HTTP. (Trend Micro DRBControl February 2020) |
| Enterprise | T1548.002 | Bypass User Account Control Sub-technique | Clambling has the ability to bypass UAC using a `passuac.dll` file. (Trend Micro DRBControl February 2020; Talent-Jump Clambling February 2020) |
| Enterprise | T1543.003 | Windows Service Sub-technique | Clambling can register itself as a system service to gain persistence. (Talent-Jump Clambling February 2020) |
| Enterprise | T1033 | System Owner/User Discovery | Clambling can identify the username on a compromised host. (Trend Micro DRBControl February 2020; Talent-Jump Clambling February 2020) |
| Enterprise | T1059.001 | PowerShell Sub-technique | The Clambling dropper can use PowerShell to download the malware. (Trend Micro DRBControl February 2020) |
| Enterprise | T1016 | System Network Configuration Discovery | Clambling can enumerate the IP address of a compromised machine. (Trend Micro DRBControl February 2020; Talent-Jump Clambling February 2020) |
| Enterprise | T1005 | Data from Local System | Clambling can collect information from a compromised host. (Trend Micro DRBControl February 2020) |
| Enterprise | T1574.001 | DLL Sub-technique | Clambling can store a file named `mpsvc.dll`, which opens a malicious `mpsvc.mui` file, in the same folder as the legitimate Microsoft executable `MsMpEng.exe` to gain execution. (Trend Micro DRBControl February 2020; Talent-Jump Clambling February 2020) |
Groups, software, and campaigns
G0027: Threat Group-3390
Threat Group-3390 is a Chinese threat group that has extensively used strategic Web compromises to target victims.[1] The group has been active since at least 2010 and has targeted organizations in the aerospace, government, defense, technology, energy, manufacturing and gambling/betting sectors.[2][3][4]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | c7c3830683a2… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Trend Micro DRBControl February 2020: Lunghi, D. et al. (2020, February). Uncovering DRBControl. Retrieved November 12, 2021.
[2] mitre-attack S0660 (mirrored MITRE ATT&CK source object).
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.