Clambling has the ability to bypass UAC using apassuac.dll file.^[1][2]

Clambling has the ability to use Telnet for communication.^[1]

Clambling has the ability to communicate over HTTP.^[1]

Clambling can establish persistence by adding a Registry run key.^[1][2]

Clambling has the ability to capture and store clipboard data.^[1][2]

TheClambling dropper can use PowerShell to download the malware.^[1]

Clambling can use cmd.exe for command execution.^[1]

Clambling can register itself as a system service to gain persistence.^[2]

Clambling can collect information from a compromised host.^[1]

Clambling can deobfuscate its payload prior to execution.^[1][2]

Clambling can send files from a victim's machine to Dropbox.^[1][2]

Clambling can browse directories on a compromised host.^[1][2]

Clambling has the ability to set its file attributes to hidden.^[1]

Clambling can store a file namedmpsvc.dll, which opens a maliciousmpsvc.mui file, in the same folder as the legitimate Microsoft executableMsMpEng.exe to gain execution.^[1][2]

Clambling can capture keystrokes on a compromised host.^[1][2]

Clambling can set and delete Registry keys.^[1]

Clambling has the ability to enumerate network shares.^[1]

Clambling has the ability to use TCP and UDP for communication.^[1]

TheClambling executable has been obfuscated when dropped on a compromised host.^[1]

Clambling has been delivered to victim's machines through malicious e-mail attachments.^[1]

Clambling can enumerate processes on a targeted system.^[1]

Clambling can inject into thesvchost.exe process for execution.^[1]

Clambling can execute binaries through process hollowing.^[1]

Clambling has the ability to enumerate Registry keys, includingKEY_CURRENT_USER\Software\Bitcoin\Bitcoin-Qt\strDataDir to search for a bitcoin wallet.^[1][2]

Clambling has the ability to capture screenshots.^[1]

Clambling can discover the hostname, computer name, and Windows version of a targeted machine.^[1][2]

Clambling can enumerate the IP address of a compromised machine.^[1][2]

Clambling can identify the username on a compromised host.^[1][2]

Clambling can create and start services on a compromised host.^[1]

Clambling can determine the current time.^[1]

Clambling has gained execution through luring victims into opening malicious files.^[1]

Clambling can record screen content in AVI format.^[1][2]

Clambling can wait 30 minutes before initiating contact with C2.^[1]

Clambling can use Dropbox to download malicious payloads, send commands, and receive information.^[1][2]

^[1][3][4]