

BADCALL is a Trojan malware variant used by Lazarus Group. [1]

| Item | Value |
|---|---|
| ID | S0245 |
| Associated Names | |
| Version | 1.1 |
| Created | 17 October 2018 |
| Last Modified | 30 March 2020 |

Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1001 | Data Obfuscation | - |
| enterprise | T1001.003 | Protocol Impersonation | BADCALL uses a FakeTLS method during C2. [1] |
| enterprise | T1573 | Encrypted Channel | - |
| enterprise | T1573.001 | Symmetric Cryptography | BADCALL encrypts C2 traffic using an XOR/ADD cipher. [1] |
| enterprise | T1562 | Impair Defenses | - |
| enterprise | T1562.004 | Disable or Modify System Firewall | BADCALL disables the Windows firewall before binding to a port. [1] |
| enterprise | T1112 | Modify Registry | BADCALL modifies the firewall Registry key `SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List`. [1] |
| enterprise | T1571 | Non-Standard Port | BADCALL communicates on ports 443 and 8000 with a FakeTLS method. [1] |
| enterprise | T1090 | Proxy | BADCALL functions as a proxy server between the victim and C2 server. [1] |
| enterprise | T1082 | System Information Discovery | BADCALL collects the computer name and host name on the compromised system. [1] |
| enterprise | T1016 | System Network Configuration Discovery | BADCALL collects the network adapter information. [1] |

Groups That Use This Software

| ID | Name | References |
|---|---|---|
| G0032 | Lazarus Group | [1] |

