Malware and tool entries linked to techniques, groups, and campaigns.
Results are validated against normalized ATT&CK source records when available; sample records are used only in development or empty-data environments.
Circles reportedly takes advantage of Signaling System 7 (SS7) weaknesses, the protocol suite used to route phone calls, to both track the location of mobile devices and intercept voice calls and SMS messages. It can be connected to a telecommunications company’s infrastructure or purchased as a cloud service. Circles has reportedly been linked to the NSO Group.[1]
Clambling is a modular backdoor written in C++ that has been used by Threat Group-3390 since at least 2017.[1]
Clop is a ransomware family that was first observed in February 2019 and has been used against retail, transportation and logistics, education, manufacturing, engineering, automotive, energy, financial, aerospace, telecommunications, professional and legal services, healthcare, and high tech industries. Clop is a variant of the CryptoMix ransomware.[1][2][3]
Cobalt Strike is a commercial, full-featured, remote access tool that bills itself as “adversary simulation software designed to execute targeted attacks and emulate the post-exploitation actions of advanced threat actors”. Cobalt Strike’s interactive post-exploit capabilities cover the full range of ATT&CK tactics, all executed within a single, integrated system.[1]
In addition to its own capabilities, Cobalt Strike leverages the capabilities of other well-known tools such as Metasploit and Mimikatz.[1]
Cobian RAT is a backdoor, remote access tool that has been observed since 2016.[1]
CoinTicker is a malicious application that poses as a cryptocurrency price ticker and installs components of the open source backdoors EvilOSX and EggShell.[1]
Concipit1248 is iOS spyware that was discovered using the same name as the developer of the Android spyware Corona Updates. Further investigation revealed that the two pieces of software contained the same C2 URL and similar functionality.[1]
ConnectWise is a legitimate remote administration tool that has been used since at least 2016 by threat actors including MuddyWater and GOLD SOUTHFIELD to connect to and conduct lateral movement in target environments.[1][2]
Conti is a Ransomware-as-a-Service (RaaS) that was first observed in December 2019. Conti has been deployed via TrickBot and used against major corporations and government agencies, particularly those in North America. As with other ransomware families, actors using Conti steal sensitive files and information from compromised networks, and threaten to publish this data unless the ransom is paid.[1][2][3]
CookieMiner is mac-based malware that targets information associated with cryptocurrency exchanges as well as enabling cryptocurrency mining on the victim system itself. It was first discovered in the wild in 2019.[1]
CorKLOG is a keylogger known to be leveraged by Mustang Panda and was first observed utilized in 2024. CorKLOG is delivered through a RAR archive (e.g., src.rar), which contains two files: an executable (lcommute.exe) and the CorKLOG DLL (mscorsvc.dll). CorKLOG has established persistence on the system by creating services or with scheduled tasks.[1]
Corona Updates is Android spyware that took advantage of the Coronavirus pandemic. The campaign distributing this spyware is tracked as Project Spy. Multiple variants of this spyware have been discovered to have been hosted on the Google Play Store.[1]
CosmicDuke is malware that was used by APT29 from 2010 to 2015. [1]
CostaBricks is a loader that was used to deploy 32-bit backdoors in the CostaRicto campaign.[1]
Covenant is a multi-platform command and control framework written in .NET. While designed for penetration testing and security research, the tool has also been used by threat actors such as HAFNIUM during operations. Covenant functions through a central listener managing multiple deployed "Grunts" that communicate back to the controller.[1][2]
CrackMapExec, or CME, is a post-exploitation tool developed in Python and designed for penetration testing against networks. CrackMapExec collects Active Directory information to conduct lateral movement through targeted networks.[1]
CreepyDrive is a custom implant has been used by POLONIUM since at least early 2022 for C2 with and exfiltration to actor-controlled OneDrive accounts.[1]
POLONIUM has used a similar implant called CreepyBox that relies on actor-controlled DropBox accounts.[1]
CreepySnail is a custom PowerShell implant that has been used by POLONIUM since at least 2022.[1]
Crimson is a remote access Trojan that has been used by Transparent Tribe since at least 2016.[1][2]
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.
