S1043: ccf32

ccf32 is data collection malware that has been used since at least February 2019, most notably during the FunnyDream campaign; there is also a similar x64 version.[1]

Domain: Enterprise | ID: S1043 | Type: Malware | Object version: 1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

ccf32 is a Windows data-collection malware family documented by ATT&CK as used since at least February 2019 and notably associated with the FunnyDream campaign. Its business significance is the data-loss workflow it represents: finding files, staging and archiving them, using scheduled execution, and attempting exfiltration while removing or hiding traces. For leaders, this is less about one malware name and more about whether Windows endpoint, file, task-scheduler, and outbound network controls can prove they would catch or contain data collection before sensitive information leaves the environment.

Executive priority

Treat this as a validation case for data-theft readiness on Windows systems. Priority questions: Do we know where sensitive local data and shares are accessible from endpoints? Can the SOC see scheduled task abuse, command-shell-driven collection, archive creation, staging directories, deletion, and outbound unencrypted transfer attempts? Can incident responders reconstruct activity if files are hidden or deleted? This object supports investment in endpoint telemetry, egress visibility, least-privilege data access, and evidence retention for audit and incident response; it does not by itself prove current exposure or active exploitation.

Technical view

ATT&CK provides no dedicated detection text for ccf32, so coverage should be validated through its documented behavior relationships. On Windows, focus on sequences involving Scheduled Task execution, Windows Command Shell activity, file and directory discovery, automated/local or remote data staging, archive utility use, hidden files/directories, file deletion, system time discovery, and exfiltration over an unencrypted non-C2 protocol. Detection engineering should prioritize correlated behavior over single indicators because many individual actions, such as cmd.exe use, archiving, scheduled tasks, and file cleanup, can be legitimate in enterprise administration.

Likely telemetry

  • Windows endpoint process creation with command-line arguments, especially cmd.exe and archive utilities
  • Windows scheduled task creation, modification, and execution events
  • File-system telemetry for enumeration, bulk copy, staging directories, hidden attributes, archive creation, and deletion
  • Endpoint security or EDR alerts tied to suspicious collection, staging, or cleanup behavior
  • Network flow, proxy, DNS, and firewall logs showing outbound transfers over unencrypted non-C2 protocols

Detection direction

  • Build detections around behavior chains: scheduled task or shell execution followed by file discovery, collection, staging, archive creation, and outbound transfer.
  • Tune for high-risk data locations and unusual volume, timing, destination, or parent-child process relationships rather than alerting on all command-shell or archive utility use.
  • Validate visibility into hidden file creation and file deletion, since the related techniques include concealment and cleanup behaviors that can reduce forensic evidence.
  • Use outbound network monitoring to identify unencrypted protocol transfers that are unusual for the host, user, destination, or data volume.
  • Incorporate the FunnyDream relationship as threat-intelligence context, but do not treat it as proof of attribution or current activity without local evidence.
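
The behavior-chain approach in the bullets above, as an added example (not code from the page, Glexia, MITRE or Bitdefender): a Python correlator that classifies constructed, Sysmon-style endpoint events into the five ccf32 stages the relationship table documents (task-scheduled execution, a hidden date-named staging directory, archive utility use, FTP egress, archive deletion) and alerts only when several stages land on one host inside a time window. The event field names, the taskeng.exe/taskhostw.exe parent heuristic, the date-directory name formats, and every host, path, task name and IP address are assumptions made so the sample runs offline.

```python
"""Correlate Windows endpoint events into the ccf32-style collection chain.

Added example. Events are constructed Sysmon-like dicts; field names, the
Task Scheduler parent heuristic, date-directory formats, hosts, paths, task
names and IPs are all assumptions, not published ccf32 indicators.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# T1564.001 / T1124: staging directory named after the local date.
# Assumption: YYYYMMDD or YYYY-MM-DD style names; the real format is not given.
DATE_DIR_RE = re.compile(r"^(?:\d{8}|\d{4}[-_.]\d{2}[-_.]\d{2})$")
# T1560.001 / T1059.003: archive utilities plus the xcopy-of-a-.7z pattern ATT&CK records.
ARCHIVE_TOOL_RE = re.compile(r"\b(?:7z|7za|rar|winrar|xcopy)(?:\.exe)?\b", re.I)
ARCHIVE_EXT_RE = re.compile(r"\.(?:7z|rar|zip)\b", re.I)
# T1053.005: processes spawned by the Task Scheduler engine (assumed parent images).
TASK_SCHEDULER_PARENTS = {"taskeng.exe", "taskhostw.exe"}
# T1048.003: FTP control/data ports, an unencrypted non-C2 channel.
UNENCRYPTED_EXFIL_PORTS = {20, 21}
STAGE_ORDER = ["scheduled", "staging", "archive", "exfil", "cleanup"]


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(ev):
    """Return the chain stage an event belongs to, or None if it looks benign."""
    t = ev["type"]
    if t == "task_registered":
        return "scheduled"
    if t == "process_create":
        if _basename(ev.get("parent", "")) in TASK_SCHEDULER_PARENTS:
            return "scheduled"
        cmd = ev.get("cmdline", "")
        if ARCHIVE_TOOL_RE.search(cmd) and ARCHIVE_EXT_RE.search(cmd):
            return "archive"
    elif t == "file_create":  # hidden attribute is what separates staging from a backup folder
        if ev.get("is_dir") and ev.get("hidden") and DATE_DIR_RE.match(_basename(ev["path"])):
            return "staging"
    elif t == "network_connect":
        if ev.get("dst_port") in UNENCRYPTED_EXFIL_PORTS:
            return "exfil"
    elif t == "file_delete":
        if ARCHIVE_EXT_RE.search(ev["path"]):
            return "cleanup"
    return None


def correlate(events, window=timedelta(hours=24), min_stages=3):
    """Per host, alert when >= min_stages distinct stages fall inside one window and
    at least one is staging or exfil, so a scheduled task plus 7z alone stays quiet."""
    hits = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        stage = classify(ev)
        if stage:
            hits[ev["host"]].append((datetime.fromisoformat(ev["ts"]), stage))
    alerts = []
    for host, stage_hits in hits.items():
        recent, alert = [], None
        for ts, stage in stage_hits:
            recent = [h for h in recent if ts - h[0] <= window] + [(ts, stage)]
            stages = {s for _, s in recent}
            if len(stages) >= min_stages and stages & {"staging", "exfil"}:
                if alert is None:
                    alert = {"host": host, "start": recent[0][0].isoformat(), "stages": set()}
                alert["stages"] |= stages
                alert["end"] = ts.isoformat()
        if alert:
            alert["stages"] = [s for s in STAGE_ORDER if s in alert["stages"]]
            alerts.append(alert)
    return alerts


# Constructed sample telemetry (not real logs). WS01 runs the full chain, WS02 is an
# administrator's nightly backup, WS03 is a lone interactive FTP session.
SAMPLE_EVENTS = [
    {"ts": "2019-02-11T03:00:00", "host": "WS01", "type": "task_registered",
     "task": "\\Maintenance\\Sync", "command": "C:\\Users\\Public\\ccf32.exe"},
    {"ts": "2019-02-11T03:00:01", "host": "WS01", "type": "process_create", "image": "C:\\Users\\Public\\ccf32.exe",
     "parent": "C:\\Windows\\System32\\taskeng.exe", "cmdline": "C:\\Users\\Public\\ccf32.exe"},
    {"ts": "2019-02-11T03:00:02", "host": "WS01", "type": "file_create",
     "path": "C:\\Users\\Public\\20190211", "is_dir": True, "hidden": True},
    {"ts": "2019-02-11T03:00:10", "host": "WS01", "type": "process_create", "image": "C:\\Windows\\System32\\cmd.exe",
     "parent": "C:\\Users\\Public\\ccf32.exe",
     "cmdline": "cmd.exe /c 7z.exe a C:\\Users\\Public\\20190211.7z C:\\Users\\Public\\20190211\\*.docx"},
    {"ts": "2019-02-11T03:00:20", "host": "WS01", "type": "process_create", "image": "C:\\Windows\\System32\\cmd.exe",
     "parent": "C:\\Users\\Public\\ccf32.exe",
     "cmdline": "cmd.exe /c xcopy \\\\FS01\\c$\\users\\public\\20190211.7z c:\\users\\public\\bin\\20190211.7z /H /Y"},
    {"ts": "2019-02-11T03:01:00", "host": "WS01", "type": "network_connect",
     "image": "C:\\Users\\Public\\ccf32.exe", "dst_ip": "203.0.113.10", "dst_port": 21},
    {"ts": "2019-02-11T03:02:00", "host": "WS01", "type": "file_delete", "path": "C:\\Users\\Public\\bin\\20190211.7z"},
    {"ts": "2019-02-11T09:00:00", "host": "WS02", "type": "task_registered",
     "task": "\\Backup\\Nightly", "command": "C:\\Tools\\backup.cmd"},
    {"ts": "2019-02-11T09:00:05", "host": "WS02", "type": "process_create", "image": "C:\\Program Files\\7-Zip\\7z.exe",
     "parent": "C:\\Windows\\System32\\cmd.exe", "cmdline": "7z.exe a D:\\backup\\2019-02-11.zip D:\\data\\*"},
    {"ts": "2019-02-11T09:00:06", "host": "WS02", "type": "file_create",
     "path": "D:\\backup\\2019-02-11", "is_dir": True, "hidden": False},
    {"ts": "2019-02-11T10:00:00", "host": "WS03", "type": "network_connect",
     "image": "C:\\Program Files\\FileZilla\\filezilla.exe", "dst_ip": "203.0.113.20", "dst_port": 21},
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

Running the module prints one alert for WS01 covering all five stages and nothing for the backup job on WS02 (scheduled task plus archive, but no hidden staging directory and no FTP) or the single FTP session on WS03. The `window` and `min_stages` parameters are the tuning knobs the bullets above describe; shrinking the window to a few seconds splits the WS01 chain apart and the alert disappears, which is the trade-off to test against real task timings before deployment.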

Mitigation priorities

  • Harden and monitor Windows Task Scheduler usage, especially creation or modification by non-standard users, paths, or processes.
  • Limit endpoint and user access to sensitive local data and network shares through least privilege and need-to-know permissions.
  • Improve egress controls and monitoring for unencrypted outbound transfer paths that are not required for business operations.
  • Ensure endpoint logging captures process command lines, file activity, task events, and network connections with retention long enough for incident reconstruction.
  • Control or monitor archive utilities and scripted collection behavior on systems that handle sensitive data.

Analyst notes and limits

The strongest defensive value comes from mapping ccf32 to a practical data-collection and exfiltration test plan. The object is Windows malware, while several related ATT&CK techniques list broader platforms; local validation should therefore focus first on Windows coverage and only extend to cloud or non-Windows environments where the organization has comparable data-staging or exfiltration risks.

Official ATT&CK detection guidance is not provided. The malware object has no specified tactics, aliases, labels, or supplied indicators. Campaign context is historical and should not be used to infer current targeting, attribution, or exposure. Coverage decisions require local telemetry, asset criticality, data-location knowledge, and baseline behavior.

Official MITRE ATT&CK definition

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Twelve technique relationships, all in the Enterprise domain. Each row gives the technique ID, the technique name, and the mirrored ATT&CK relationship text; every row cites Bitdefender FunnyDream Campaign November 2020 [1].

T1005 Data from Local System: ccf32 can collect files from a compromised host. [1]

T1119 Automated Collection: ccf32 can be used to automatically collect files from a compromised host. [1]

T1048.003 Exfiltration Over Unencrypted Non-C2 Protocol (sub-technique): ccf32 can upload collected data and files to an FTP server. [1]

T1074.002 Remote Data Staging (sub-technique): ccf32 has copied files to a remote machine infected with Chinoxy or another backdoor. [1]

T1560.001 Archive via Utility (sub-technique): ccf32 has used `xcopy \\\c$\users\public\path.7z c:\users\public\bin\.7z /H /Y` to archive collected files. [1]

T1059.003 Windows Command Shell (sub-technique): ccf32 has used `cmd.exe` for archiving data and deleting files. [1]

T1124 System Time Discovery: ccf32 can determine the local time on targeted machines. [1]

T1070.004 File Deletion (sub-technique): ccf32 can delete files and folders from compromised machines. [1]

T1564.001 Hidden Files and Directories (sub-technique): ccf32 has created a hidden directory on targeted systems, naming it after the current local time (year, month, and day). [1]

T1074.001 Local Data Staging (sub-technique): ccf32 can temporarily store files in a hidden directory on the local host. [1]

T1053.005 Scheduled Task (sub-technique): ccf32 can run on a daily basis using a scheduled task. [1]

T1083 File and Directory Discovery: ccf32 can parse collected files to identify specific file extensions. [1]

Associated objects

Groups, software, and campaigns

Campaign Enterprise

C0007: FunnyDream

FunnyDream was a suspected Chinese cyber espionage campaign that targeted government and foreign organizations in Malaysia, the Philippines, Taiwan, Vietnam, and other parts of Southeast Asia. Security researchers linked the FunnyDream campaign to possible Chinese-speaking threat actors through the use of the Chinoxy backdoor and noted infrastructure overlap with the TAG-16 threat group.[1][2][3]

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.0
Created / Modified: not populated in this snapshot
Raw hash: 11d1152de4f14392...

Imported snapshots across ATT&CK releases (1):

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.0 | | Current bundle | 11d1152de4f1…

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

[1] Bitdefender FunnyDream Campaign November 2020. Vrabie, V. (2020, November). Dissecting a Chinese APT Targeting South Eastern Asian Government Institutions. Retrieved September 19, 2022.

[2] mitre-attack S1043. MITRE ATT&CK software entry S1043 (ccf32), attack.mitre.org.

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.