S0660: Clambling
Clambling is a modular backdoor written in C++ that has been used by Threat Group-3390 since at least 2017.[1]
Analyst context for executives and security teams
Clambling matters because ATT&CK describes it as a Windows modular C++ backdoor associated with broad post-compromise behavior: discovery, collection, command-and-control, registry activity, PowerShell/cmd execution, process injection/hollowing, and user-data capture such as keystrokes, screenshots, clipboard, and video. For leaders, the decision point is not a single malware name; it is whether Windows endpoint, identity, and network monitoring can prove visibility into a modular backdoor that may blend into normal admin and web traffic.
Executive priority
Prioritize Clambling as a coverage-validation use case for Windows resilience and incident readiness. The related techniques touch sensitive data collection, credential exposure through keylogging, C2 over web or other protocols, and persistence or defense impairment via registry modification. Security leaders should ask whether SOC runbooks can connect endpoint behavior, network egress, and user-risk evidence quickly enough to support containment decisions, regulatory evidence, and business continuity planning for sectors or environments where Threat Group-3390 tradecraft is relevant.
Technical view
ATT&CK provides no official detection text for Clambling, so defenders should validate coverage through the related behaviors rather than a malware-specific signature alone. On Windows, focus on correlated sequences: command shell or PowerShell execution; registry query or modification; system, user, process, network, file, directory, and share discovery; process injection or process hollowing indicators; local data access; clipboard, screen, video, or keystroke collection signals; and outbound C2 using web protocols, application-layer protocols, non-application-layer protocols, or bidirectional communication through external web services. Treat the relationship to Threat Group-3390 as context for threat-informed testing, not as proof of current activity in any environment.
Likely telemetry
- Windows endpoint process creation and command-line telemetry, including PowerShell and cmd activity
- Windows Registry query and modification events
- Endpoint memory or EDR telemetry relevant to process injection and process hollowing
- File system access, directory enumeration, and local data access events
- User, process, system information, system time, network configuration, and network share discovery telemetry
Detection direction
- Build behavior-based detections mapped to the related ATT&CK techniques rather than relying only on a Clambling name or hash.
- Correlate discovery commands, registry activity, and script or shell execution with later collection or outbound network activity to reduce false positives from normal administration.
- Tune PowerShell and Windows command shell analytics against known administrative baselines; these interpreters are legitimate tools and will generate noise without context.
- Validate whether EDR or host sensors can observe process injection and process hollowing behaviors, not just process starts.
- Review coverage for collection behaviors such as clipboard, screen, video, and keystroke capture; many environments do not collect these signals by default or restrict them for privacy reasons.
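The correlation idea in the detection bullets above, expressed as a runnable script. This is an added example written for this page, not code from the ATT&CK object, Trend Micro, or Glexia: the event records are constructed Sysmon-like dictionaries (not real sensor output), and the 30-minute window, the discovery token list, the scoring weights, the internal network ranges, and the `ADMIN_BASELINE` pair are all illustrative assumptions. The chain it looks for is the one the page names: shell or PowerShell discovery commands, then a registry set or an injection signal, then outbound connections to a non-internal address on the same host. A host with discovery and registry activity but no external egress does not alert, which is the noise reduction the correlation bullet describes; discovery that matches the known-admin baseline still alerts when the full chain completes, but with a lower score.

```python
"""Correlate Windows endpoint telemetry into a Clambling-style behaviour chain.

Added example for this page. Event shape, thresholds, token lists and the
admin baseline are assumptions, not fields or values from any real sensor.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

WINDOW = timedelta(minutes=30)  # assumption: chain must complete inside this window
SHELLS = ("cmd.exe", "powershell.exe", "pwsh.exe")
DISCOVERY_TOKENS = ("whoami", "systeminfo", "ipconfig", "net view", "net share",
                    "net user", "tasklist", "query user", "netstat")
# assumption: (user, parent image) pairs whose discovery is routine administration
ADMIN_BASELINE = {("corp\\helpdesk", "C:\\Program Files\\RMM\\agent.exe")}
# assumption: what counts as "internal" for the egress check
INTERNAL_NETS = [ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed sample events (not real logs). ws01 shows the full chain from an
# unknown parent; ws02 shows helpdesk discovery with only internal traffic.
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T09:00:01", "host": "ws01", "user": "corp\\alice", "type": "process",
     "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "cmd.exe /c whoami /all",
     "parent": "C:\\ProgramData\\update\\loader.exe"},
    {"ts": "2024-05-01T09:00:05", "host": "ws01", "user": "corp\\alice", "type": "process",
     "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "cmd.exe /c net view /all",
     "parent": "C:\\ProgramData\\update\\loader.exe"},
    {"ts": "2024-05-01T09:00:09", "host": "ws01", "user": "corp\\alice", "type": "process",
     "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "cmd.exe /c ipconfig /all",
     "parent": "C:\\ProgramData\\update\\loader.exe"},
    {"ts": "2024-05-01T09:00:30", "host": "ws01", "user": "corp\\alice", "type": "registry",
     "op": "set", "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\upd"},
    {"ts": "2024-05-01T09:01:10", "host": "ws01", "user": "corp\\alice", "type": "injection",
     "target": "C:\\Windows\\explorer.exe"},
    {"ts": "2024-05-01T09:02:00", "host": "ws01", "user": "corp\\alice", "type": "network",
     "dst": "203.0.113.10", "dport": 443},
    {"ts": "2024-05-01T09:10:00", "host": "ws02", "user": "corp\\helpdesk", "type": "process",
     "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "cmd.exe /c systeminfo",
     "parent": "C:\\Program Files\\RMM\\agent.exe"},
    {"ts": "2024-05-01T09:10:20", "host": "ws02", "user": "corp\\helpdesk", "type": "process",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell.exe -c ipconfig /all", "parent": "C:\\Program Files\\RMM\\agent.exe"},
    {"ts": "2024-05-01T09:11:00", "host": "ws02", "user": "corp\\helpdesk", "type": "registry",
     "op": "set", "key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU"},
    {"ts": "2024-05-01T09:12:00", "host": "ws02", "user": "corp\\helpdesk", "type": "network",
     "dst": "10.0.0.5", "dport": 445},
]


def is_shell(ev):
    return ev["type"] == "process" and ev["image"].lower().endswith(SHELLS)


def discovery_hits(ev):
    """Discovery tokens present in a shell command line."""
    cl = ev.get("cmdline", "").lower()
    return {t for t in DISCOVERY_TOKENS if t in cl}


def is_external(ip):
    a = ip_address(ip)
    return not any(a in n for n in INTERNAL_NETS)


def correlate(events):
    """One alert per host whose events form discovery -> registry/injection -> egress."""
    by_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_host[ev["host"]].append(ev)
    alerts = []
    for host, evs in by_host.items():
        for i, first in enumerate(evs):
            if not is_shell(first) or not discovery_hits(first):
                continue  # a chain starts only at a shell discovery command
            start = datetime.fromisoformat(first["ts"])
            discovery, registry, injection, egress, baseline = set(), 0, 0, set(), True
            for ev in evs[i:]:
                if datetime.fromisoformat(ev["ts"]) - start > WINDOW:
                    break
                if is_shell(ev):
                    discovery |= discovery_hits(ev)
                    if (ev["user"], ev.get("parent", "")) not in ADMIN_BASELINE:
                        baseline = False
                elif ev["type"] == "registry" and ev.get("op") == "set":
                    registry += 1
                elif ev["type"] == "injection":
                    injection += 1
                elif ev["type"] == "network" and is_external(ev["dst"]):
                    egress.add(ev["dst"])
            if len(discovery) >= 2 and (registry or injection) and egress:
                score = 50 + 10 * min(len(discovery), 4) + (20 if injection else 0)
                if baseline:
                    score -= 30  # expected admin context: keep, but rank lower
                alerts.append({"host": host, "user": first["user"], "start": first["ts"],
                               "score": score, "discovery": sorted(discovery),
                               "egress": sorted(egress)})
                break  # report the earliest completed chain per host
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

In production the same join would run over real Sysmon, EDR and proxy data keyed by host and, ideally, by process GUID rather than host alone; the host-level join here is deliberate so the example stays readable, and it is also where most false positives come from, which is why the egress leg and the admin baseline both matter.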
Mitigation priorities
- Start with Windows endpoint hardening and least-privilege controls that limit unnecessary registry modification, script execution, and high-risk administrative activity.
- Apply application control or execution policy controls where feasible for PowerShell, cmd-launched tooling, and unapproved binaries, while preserving legitimate administration paths.
- Ensure EDR or equivalent endpoint protection is configured to monitor process injection, process hollowing, registry changes, and suspicious collection behaviors.
- Constrain outbound network access with proxy, firewall, and egress filtering controls; monitor approved web protocols and external web services rather than assuming they are benign.
- Protect credentials and sensitive user activity by strengthening identity controls, privileged access management, and rapid credential reset procedures during suspected compromise.
Analyst notes and limits
The strongest defensive value comes from using Clambling as a scenario for validating telemetry joins across Windows endpoint, registry, scripting, collection, and network egress data. The ATT&CK relationship to Threat Group-3390 provides threat context, and the source reference is Trend Micro’s DRBControl reporting, but local evidence is required before making any attribution or exposure claim.
The supplied ATT&CK object has no official detection guidance, no aliases, no malware-specific indicators, and no explicit tactic list on the malware object. Several related techniques are cross-platform in ATT&CK, but the Clambling object itself is supplied with Windows as its platform, so this take limits platform-specific guidance to Windows. Environment-specific baselines, logging configuration, privacy rules, and sensor capabilities will determine practical coverage.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
Groups, software, and campaigns
G0027: Threat Group-3390
Threat Group-3390 is a Chinese threat group that has extensively used strategic Web compromises to target victims.[1] The group has been active since at least 2010 and has targeted organizations in the aerospace, government, defense, technology, energy, manufacturing and gambling/betting sectors.[2][3][4]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources (Updates).
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | c7c3830683a2… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Lunghi, D. et al. (2020, February). Uncovering DRBControl. Trend Micro. Retrieved November 12, 2021.
[2] MITRE ATT&CK. S0660: Clambling (mirrored source object).
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.