Skip to content


BADFLICK is a backdoor used by Leviathan in spearphishing campaigns first reported in 2018 that targeted the U.S. engineering and maritime industries.12

Item Value
ID S0642
Associated Names
Version 1.0
Created 26 August 2021
Last Modified 15 October 2021
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1560 Archive Collected Data -
enterprise T1560.002 Archive via Library BADFLICK has compressed data using the aPLib compression library.2
enterprise T1005 Data from Local System BADFLICK has uploaded files from victims’ machines.2
enterprise T1140 Deobfuscate/Decode Files or Information BADFLICK can decode shellcode using a custom rotating XOR cipher.2
enterprise T1083 File and Directory Discovery BADFLICK has searched for files on the infected host.2
enterprise T1105 Ingress Tool Transfer BADFLICK has download files from its C2 server.2
enterprise T1566 Phishing -
enterprise T1566.001 Spearphishing Attachment BADFLICK has been distributed via spearphishing campaigns containing malicious Microsoft Word documents.2
enterprise T1082 System Information Discovery BADFLICK has captured victim computer name, memory space, and CPU details.2
enterprise T1016 System Network Configuration Discovery BADFLICK has captured victim IP address details.2
enterprise T1204 User Execution -
enterprise T1204.002 Malicious File BADFLICK has relied upon users clicking on a malicious attachment delivered through spearphishing.2
enterprise T1497 Virtualization/Sandbox Evasion -
enterprise T1497.003 Time Based Evasion BADFLICK has delayed communication to the actor-controlled IP address by 5 minutes.2

Groups That Use This Software

ID Name References
G0065 Leviathan 12