S0667: Chrommme
Analyst context for executives and security teams
Chrommme is a Windows backdoor described by ATT&CK as an MFC-based tool first reported in 2021, with reported infrastructure overlaps with Gelsemium malware. The practical risk is not just “a backdoor exists”; its ATT&CK relationships show a post-compromise pattern of discovery, local data collection, staging, archiving, and exfiltration over command-and-control. For leaders, this makes Chrommme a useful validation case for whether endpoint, network, and incident response processes can prove what data was accessed and whether it left the environment.
Executive priority
Treat this as a coverage and readiness question for Windows endpoints: can the organization detect and investigate a backdoor that profiles systems and users, collects local data including screenshots, stages or archives it, and transfers it through an existing C2 channel? Priority should be on evidence quality for breach scoping, audit defensibility, and data-loss decision-making, especially where sensitive files reside on workstations or servers.
Technical view
ATT&CK provides no official detection text for Chrommme, so defenders should validate behavior-based coverage against the related techniques: system, user, network, and storage discovery; local data access and staging; screen capture; archive or encoded/encrypted files; ingress tool transfer; native API execution; scheduled transfer; and exfiltration over C2. For SOC and IR teams, the key is correlating endpoint process/file activity with outbound network activity rather than relying on a malware name or static signature.
Likely telemetry
- Windows endpoint process execution and parent/child process context
- File creation, modification, archive creation, and unusual staging-directory activity
- Endpoint records of screen capture or suspicious graphics/API-related behavior where available
- Network egress metadata, including long-lived or recurring outbound connections
- Proxy, firewall, DNS, and C2-adjacent connection logs
Detection direction
- Build detections around behavior chains: discovery followed by file collection/staging, archive or encoded file creation, and outbound transfer.
- Tune for repeated or scheduled outbound activity that aligns with local staging or archive creation, while accounting for legitimate backup, sync, and software-update workflows.
- Validate visibility into Windows endpoints because the malware object’s supplied platform is Windows.
- Do not depend on official ATT&CK detection guidance for this object; none is provided.
- Use relationship-driven context to hunt for T1005, T1016, T1033, T1082, T1680, T1074.001, T1560, T1027.013, T1140, T1029, T1041, T1105, T1106, and T1113 patterns.
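As an added illustration of the behavior-chain idea above (not code from ATT&CK, ESET, or Glexia), the rule below walks constructed endpoint and network events per host and flags only hosts where discovery, staging under a user-writable directory, archive or encoded-file creation, and non-allowlisted egress occur in that order inside a time window; the event schema, paths, destinations and allowlist are all assumptions.

```python
# Behavior-chain detection for a Chrommme-like pattern: discovery -> local
# staging -> archive/encoded file -> outbound transfer on one host.
# Added example; event schema and sample events are constructed.
from datetime import datetime, timedelta

# Constructed sample telemetry: (timestamp, host, kind, detail).
SAMPLE_EVENTS = [
    ("2024-01-10T09:00:00", "WS01", "discovery", "GetComputerNameW"),
    ("2024-01-10T09:00:02", "WS01", "discovery", "GetUserNameW"),
    ("2024-01-10T09:03:10", "WS01", "file_write", r"C:\Users\a\AppData\Local\Temp\stg\scr.bmp"),
    ("2024-01-10T09:04:00", "WS01", "file_write", r"C:\Users\a\AppData\Local\Temp\stg\out.bin"),
    ("2024-01-10T09:05:30", "WS01", "net_out", "203.0.113.7:443"),
    ("2024-01-10T11:00:00", "WS02", "file_write", r"C:\Backups\daily.zip"),
    ("2024-01-10T11:01:00", "WS02", "net_out", "backup.example.internal:443"),
]
STAGES = ("discovery", "staging", "archive", "net_out")  # required order
STAGING_HINTS = ("\\temp\\", "\\appdata\\local\\")        # user-writable dirs
ARCHIVE_EXT = (".zip", ".rar", ".7z", ".bin", ".dat")
EGRESS_ALLOWLIST = {"backup.example.internal:443"}        # sanctioned backup/sync
WINDOW = timedelta(minutes=30)

def classify(kind, detail):
    """Map a raw event to a chain stage, or None if it is irrelevant."""
    if kind == "discovery":
        return "discovery"
    if kind == "file_write":
        low = detail.lower()
        in_staging = any(h in low for h in STAGING_HINTS)
        if in_staging and low.endswith(ARCHIVE_EXT):
            return "archive"
        return "staging" if in_staging else None
    if kind == "net_out" and detail not in EGRESS_ALLOWLIST:
        return "net_out"
    return None

def detect_chains(events, window=WINDOW):
    """Return hosts where all four stages occur in order within `window`."""
    progress = {}  # host -> (index of next expected stage, chain start time)
    hits = set()
    for ts, host, kind, detail in sorted(events):
        stage = classify(kind, detail)
        if stage is None:
            continue
        t = datetime.fromisoformat(ts)
        idx, start = progress.get(host, (0, t))
        if idx and t - start > window:   # partial chain went stale; restart
            idx, start = 0, t
        if stage == STAGES[idx]:          # the expected next stage was seen
            idx += 1
            if idx == len(STAGES):
                hits.add(host)
                idx, start = 0, t
        progress[host] = (idx, start)
    return sorted(hits)
```

WS02's backup archive and allowlisted egress never enter the chain, which is the tuning point the list above calls out for legitimate backup and sync workflows.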
Mitigation priorities
- Prioritize endpoint monitoring and retention sufficient to reconstruct discovery, collection, staging, and exfiltration behavior.
- Restrict unnecessary outbound connectivity and maintain reviewable proxy, DNS, firewall, and endpoint network logs.
- Apply least privilege and data-access controls so a compromised Windows host has limited access to sensitive local or shared data.
- Harden controls around unauthorized tool transfer and execution from user-writable locations.
- Ensure data-loss response procedures include file-access scoping, egress review, and preservation of endpoint artifacts.
Analyst notes and limits
The supplied ATT&CK record identifies Chrommme as a Windows backdoor written with the Microsoft Foundation Class framework and cites an ESET report. The relationship set is more useful for defensive planning than the short malware description because it maps the tool to discovery, collection, staging, obfuscation, transfer, and exfiltration behaviors. Infrastructure overlap with Gelsemium is noted in the official description, but this take does not infer attribution or current activity.
ATT&CK provides no official detection section, no aliases, and no explicit tactics on the malware object. The related technique descriptions are generic ATT&CK technique context, not full Chrommme procedure detail. Local environment baselines, logging configuration, and confirmed telemetry coverage are required before judging actual detection or response capability.
Chrommme
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1016 | System Network Configuration Discovery | Chrommme can enumerate the IP address of a compromised host. [1] |
| Enterprise | T1560 | Archive Collected Data | Chrommme can encrypt and store on disk collected data before exfiltration. [1] |
| Enterprise | T1105 | Ingress Tool Transfer | Chrommme can download its code from C2. [1] |
| Enterprise | T1680 | Local Storage Discovery | Chrommme has the ability to list drives. [1] |
| Enterprise | T1082 | System Information Discovery | Chrommme has the ability to obtain the computer name of a compromised host. [1] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | Chrommme can decrypt its encrypted internal code. [1] |
| Enterprise | T1074.001 | Local Data Staging (sub-technique) | Chrommme can store captured system information locally prior to exfiltration. [1] |
| Enterprise | T1027.013 | Encrypted/Encoded File (sub-technique) | Chrommme can encrypt sections of its code to evade detection. [1] |
| Enterprise | T1113 | Screen Capture | Chrommme has the ability to capture screenshots. [1] |
| Enterprise | T1041 | Exfiltration Over C2 Channel | Chrommme can exfiltrate collected data via C2. [1] |
| Enterprise | T1106 | Native API | Chrommme can use Windows API including `WinExec` for execution. [1] |
| Enterprise | T1029 | Scheduled Transfer | Chrommme can set itself to sleep before requesting a new command from C2. [1] |
| Enterprise | T1005 | Data from Local System | Chrommme can collect data from a local system. [1] |
| Enterprise | T1033 | System Owner/User Discovery | Chrommme can retrieve the username from a targeted system. [1] |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.1 | | Current bundle | c679a6c81c34… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] ESET Gelsemium June 2021: Dupuy, T. and Faou, M. (2021, June). Gelsemium. Retrieved November 30, 2021.
[2] mitre-attack S0667
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.