
S0213: DOGCALL

DOGCALL is a backdoor used by APT37 that has been used to target South Korean government and military organizations in 2017. It is typically dropped using a Hangul Word Processor (HWP) exploit. [1]

Domain: Enterprise | ID: S0213 | Type: Malware | Object version: 1.3
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

DOGCALL is a Windows backdoor documented by MITRE as used by APT37 and historically associated with targeting South Korean government and military organizations in 2017, typically delivered through a Hangul Word Processor exploit. Its business significance lies less in the malware name than in the related behaviors: they show a post-compromise toolset concerned with collection (keystrokes, screenshots, microphone audio), command-and-control over legitimate cloud storage APIs, and bringing additional payloads into an environment.

Executive priority

Prioritize DOGCALL as a readiness test for high-value Windows environments where document-borne compromise, sensitive information collection, and covert external communications would create operational or diplomatic risk. Leaders should ask whether endpoint, network, identity, and incident response teams can prove visibility into keylogging, screen/audio capture, encrypted or encoded malware artifacts, external web-service-based C2, and tool transfer activity. Because MITRE provides no official detection text for this object, control assurance should be evidence-based rather than assumed from malware naming alone.

Technical view

For SOC and IR teams, validate coverage around the ATT&CK relationships rather than relying on a DOGCALL signature. The supplied relationships map DOGCALL to encrypted or encoded files, keylogging, bidirectional communication through legitimate external web services, ingress tool transfer, screen capture, and audio capture. On Windows endpoints, review whether telemetry can show suspicious document-originated process chains, files written by exploitation or malware activity, attempts to capture keystrokes or screen/audio content, and outbound web communications that may carry commands or results. Network teams should examine whether legitimate web services are monitored in a way that still preserves useful metadata for C2 investigation without assuming all such traffic is benign.

Likely telemetry

  • Windows endpoint process creation and parent-child process relationships, especially around document viewers or HWP-related activity where applicable
  • File creation and modification events for encoded, encrypted, or newly transferred payloads
  • Endpoint behavioral telemetry for keylogging-like input capture, screen capture, and audio or microphone access
  • Network proxy, DNS, firewall, and web gateway logs showing outbound connections to external web services
  • EDR or host logs showing downloaded tools or files arriving after initial compromise

Detection direction

  • Build detections around the related behaviors: encoded or encrypted artifacts, keylogging, screen/audio capture, ingress tool transfer, and bidirectional web-service communications.
  • Tune carefully for false positives because screen capture, audio access, file transfer, and web-service use can occur in legitimate collaboration, support, and productivity workflows.
  • Correlate endpoint and network evidence: a single outbound web request may be weak, but web-service traffic combined with new files, capture behavior, or suspicious document execution is more meaningful.
  • Validate visibility into document-borne exploitation paths relevant to the environment, including Hangul Word Processor exposure if present.
  • Because MITRE does not provide official detection guidance for DOGCALL, prefer behavior-based detection validation and retrospective hunts over malware-name-only alerting.
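The correlation the two bullets above describe (a single outbound web request is weak; web-service traffic plus new files, capture behavior, or a suspicious document-viewer child process is meaningful) can be expressed as a small detection routine. The following is an added example, not Glexia or MITRE code and not derived from DOGCALL samples. The event field names, host names, process image names (including "hwp.exe" as the assumed Hangul Word Processor image) and the cloud-storage API hostnames are assumptions chosen for illustration; map them onto your own EDR and proxy schema.

```python
"""Behavior-led correlation for the DOGCALL-related ATT&CK behaviors.

Added example, not Glexia or MITRE code and not derived from DOGCALL samples.
Event field names, host names, process names and the cloud-storage API hosts
are constructed assumptions; map them onto your own EDR and proxy schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: document viewers whose child processes deserve scrutiny.
# "hwp.exe" is the assumed Hangul Word Processor image name; confirm against inventory.
DOCUMENT_VIEWERS = {"hwp.exe", "winword.exe", "acrord32.exe"}

# Assumption: API hosts for the services named in the T1102.002 procedure text
# (Box, Dropbox, Yandex). Illustrative only; take the real list from your proxy logs.
CLOUD_STORAGE_HOSTS = {
    "api.box.com", "api.dropboxapi.com", "content.dropboxapi.com",
    "cloud-api.yandex.net", "webdav.yandex.ru",
}

# Assumption: EDR behavioral event types covering T1056.001, T1113 and T1123.
CAPTURE_EVENTS = {"keylog_hook", "screen_capture", "microphone_access"}

WINDOW = timedelta(minutes=30)


def correlate(events, window=WINDOW, min_signals=2):
    """Return one finding per document-viewer child-process chain that is followed,
    within `window`, by at least `min_signals` of: a new file written by the viewer
    or its child (T1105 / T1027.013 artifacts), capture behavior (T1056.001, T1113,
    T1123), or outbound traffic to a cloud-storage API host (T1102.002).

    A lone cloud-storage connection or a lone viewer child process never fires;
    that is the false-positive control the detection direction asks for.
    """
    by_host = defaultdict(list)
    for e in events:
        by_host[e["host"]].append(e)

    findings = []
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e["ts"])
        for anchor in evs:
            if anchor["type"] != "process_create":
                continue
            parent = anchor.get("parent", "").lower()
            if parent not in DOCUMENT_VIEWERS:
                continue
            child = anchor["image"].lower()
            t0 = datetime.fromisoformat(anchor["ts"])
            signals = set()
            for e in evs:
                t = datetime.fromisoformat(e["ts"])
                if not (t0 <= t <= t0 + window):
                    continue
                proc = e.get("process", "").lower()
                if e["type"] == "file_write" and proc in (parent, child):
                    signals.add("new_file")
                elif e["type"] in CAPTURE_EVENTS:
                    signals.add("capture")
                elif e["type"] == "net_connect" and e.get("dest_host", "").lower() in CLOUD_STORAGE_HOSTS:
                    signals.add("cloud_c2")
            if len(signals) >= min_signals:
                findings.append({
                    "host": host,
                    "parent": parent,
                    "child": child,
                    "first_seen": anchor["ts"],
                    "signals": sorted(signals),
                })
    return findings


# Constructed sample telemetry, not real incident data.
SAMPLE_EVENTS = [
    # WS-017: HWP spawns an oddly named child that drops a file, hooks the keyboard,
    # then talks to a cloud-storage API. This is the chain the page describes.
    {"host": "WS-017", "ts": "2024-03-04T09:12:03", "type": "process_create",
     "parent": "Hwp.exe", "image": "svchost32.exe"},
    {"host": "WS-017", "ts": "2024-03-04T09:12:05", "type": "file_write",
     "process": "svchost32.exe", "path": "C:\\Users\\Public\\winlog.dat"},
    {"host": "WS-017", "ts": "2024-03-04T09:13:40", "type": "keylog_hook",
     "process": "svchost32.exe"},
    {"host": "WS-017", "ts": "2024-03-04T09:15:10", "type": "net_connect",
     "process": "svchost32.exe", "dest_host": "api.dropboxapi.com", "dest_port": 443},
    # WS-022: a user syncing with the Dropbox client, no document-viewer chain. Benign.
    {"host": "WS-022", "ts": "2024-03-04T10:01:00", "type": "net_connect",
     "process": "Dropbox.exe", "dest_host": "api.dropboxapi.com", "dest_port": 443},
    # WS-031: Word opens a browser link and nothing else follows. Benign.
    {"host": "WS-031", "ts": "2024-03-04T11:20:00", "type": "process_create",
     "parent": "WINWORD.EXE", "image": "msedge.exe"},
]

if __name__ == "__main__":
    for f in correlate(SAMPLE_EVENTS):
        print(f)
```

Only WS-017 produces a finding; the Dropbox sync on WS-022 and the Word-to-browser chain on WS-031 are the legitimate patterns the tuning bullet warns about, and neither reaches the two-signal threshold on its own. In production the `min_signals` threshold and the 30-minute window are the knobs to tune against your baseline rather than fixed values.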

Mitigation priorities

  • Inventory and reduce exposure to document-processing software paths relevant to the organization, including HWP use where applicable.
  • Maintain timely patching and exploit mitigation for Windows endpoints and document applications used to handle untrusted files.
  • Restrict and monitor unnecessary microphone, screen capture, and input capture access on high-risk workstations where operationally feasible.
  • Control outbound web access with proxying, logging, and review processes that can identify suspicious use of legitimate web services for bidirectional communication.
  • Harden endpoint execution controls and least privilege so transferred tools or payloads have fewer opportunities to run.

Analyst notes and limits

The most useful defensive framing is behavior-led. DOGCALL is identified as a backdoor, and its ATT&CK relationships indicate collection, credential access, command-and-control, defense evasion (encoded payloads), and file transfer behaviors. This makes it relevant to executive questions about sensitive information exposure, compromised identities, and whether SOC teams can connect endpoint capture behavior with outbound communications.

The supplied ATT&CK object has no official detection text, no aliases, and no malware-specific tactics listed on the object itself. The description supports historical use by APT37 against South Korean government and military organizations in 2017 and typical delivery via an HWP exploit, but it does not support claims of current activity, customer exposure, guaranteed detection, or broader targeting. Local software inventory, telemetry availability, and incident evidence are required to assess actual risk.

Official MITRE ATT&CK definition

DOGCALL

DOGCALL is a backdoor used by APT37 that has been used to target South Korean government and military organizations in 2017. It is typically dropped using a Hangul Word Processor (HWP) exploit. [1]

View the same entry on attack.mitre.org (MITRE-hosted reference).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

6 rows

Domain | ID | Name | Type | Relationship / procedure
Enterprise | T1056.001 | Keylogging | Sub-technique | DOGCALL is capable of logging keystrokes. [FireEye APT37 Feb 2018] [Unit 42 Nokki Oct 2018]
Enterprise | T1113 | Screen Capture | Technique | DOGCALL is capable of capturing screenshots of the victim's machine. [FireEye APT37 Feb 2018] [Unit 42 Nokki Oct 2018]
Enterprise | T1105 | Ingress Tool Transfer | Technique | DOGCALL can download and execute additional payloads. [Unit 42 Nokki Oct 2018]
Enterprise | T1027.013 | Encrypted/Encoded File | Sub-technique | DOGCALL is encrypted using single-byte XOR. [Unit 42 Nokki Oct 2018]
Enterprise | T1102.002 | Bidirectional Communication | Sub-technique | DOGCALL is capable of leveraging cloud storage APIs such as Cloud, Box, Dropbox, and Yandex for C2. [FireEye APT37 Feb 2018] [Unit 42 Nokki Oct 2018]
Enterprise | T1123 | Audio Capture | Technique | DOGCALL can capture microphone data from the victim's machine. [Unit 42 Nokki Oct 2018]
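The T1027.013 row states only that DOGCALL is encrypted using single-byte XOR. For an analyst holding an encoded blob recovered from disk or memory, the practical step is to brute-force the key and let the Windows PE structure tell you which candidate is right. The following is an added example, not Glexia, MITRE, FireEye or Unit 42 code and not DOGCALL's own routine: it shows the generic recovery procedure for any single-byte XOR scheme. The sample blob is constructed inside the script (a minimal PE-shaped buffer, not a real executable); the key 0x5A and the scoring weights are arbitrary choices for the demo.

```python
"""Recover a single-byte-XOR-encoded PE payload (ATT&CK T1027.013).

Added example, not Glexia, MITRE, FireEye or Unit 42 code, and not DOGCALL's
own routine. The sample blob is constructed here; the only structural knowledge
the scorer relies on is the Windows PE file header layout.
"""

PE_MAGIC = b"MZ"
PE_SIGNATURE = b"PE\x00\x00"
DOS_STUB_TEXT = b"This program cannot be run in DOS mode"
E_LFANEW_OFFSET = 0x3C  # offset of the 4-byte pointer to the PE signature


def xor_bytes(data: bytes, key: int) -> bytes:
    """Apply a single-byte XOR; the same call encodes and decodes."""
    return bytes(b ^ key for b in data)


def score_pe(candidate: bytes) -> int:
    """Heuristic PE-likeness: 'MZ' at offset 0, the DOS stub string early in the
    file, and e_lfanew pointing at a 'PE\\0\\0' signature inside the buffer.
    Weights are arbitrary; a correct decode reaches 9, garbage stays near 0."""
    score = 0
    if candidate[:2] == PE_MAGIC:
        score += 2
    if DOS_STUB_TEXT in candidate[:0x100]:
        score += 3
    if len(candidate) >= E_LFANEW_OFFSET + 4:
        e_lfanew = int.from_bytes(candidate[E_LFANEW_OFFSET:E_LFANEW_OFFSET + 4], "little")
        if 0x40 <= e_lfanew < len(candidate) - 4 and candidate[e_lfanew:e_lfanew + 4] == PE_SIGNATURE:
            score += 4
    return score


def recover_single_byte_xor(blob: bytes):
    """Try every key 0x01..0xFF and return (key, decoded, score) for the most
    PE-like result. Key 0x00 is the identity and is skipped so an unencoded
    input does not trivially 'win'."""
    best = None
    for key in range(1, 256):
        decoded = xor_bytes(blob, key)
        s = score_pe(decoded)
        if best is None or s > best[2]:
            best = (key, decoded, s)
    return best


def build_fake_pe() -> bytes:
    """Constructed minimal PE-shaped buffer for the demo (not a runnable binary):
    MZ magic, e_lfanew -> 0x80, the DOS stub text, then a PE signature and a
    Machine field of 0x014c (i386)."""
    header = bytearray(0x80)
    header[0:2] = PE_MAGIC
    header[E_LFANEW_OFFSET:E_LFANEW_OFFSET + 4] = (0x80).to_bytes(4, "little")
    stub = DOS_STUB_TEXT + b".\r\n$"
    header[0x4E:0x4E + len(stub)] = stub
    return bytes(header) + PE_SIGNATURE + b"\x4c\x01" + b"\x00" * 18


SAMPLE_KEY = 0x5A  # arbitrary demo key
ENCODED_SAMPLE = xor_bytes(build_fake_pe(), SAMPLE_KEY)  # constructed "on-disk" artifact

if __name__ == "__main__":
    key, decoded, score = recover_single_byte_xor(ENCODED_SAMPLE)
    print(f"key=0x{key:02x} score={score} magic={decoded[:2]!r}")
```

The scorer deliberately needs more than the two 'MZ' bytes: any key maps some two-byte prefix to 'MZ', so the DOS stub string and the e_lfanew-to-signature check are what make the result trustworthy. If a real sample's loader strips or never includes the DOS stub, drop that weight and rely on the e_lfanew check; if the blob is not a PE at all, swap in a scorer for whatever structure you expect.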

Associated objects

Groups, software, and campaigns

Group Enterprise

G0067: APT37

APT37 is a North Korean state-sponsored cyber espionage group that has been active since at least 2012. The group has targeted victims primarily in South Korea, but also in Japan, Vietnam, Russia, Nepal, China, India, Romania, Kuwait, and other parts of the Middle East. APT37 has also been linked to the following campaigns between 2016-2018: Operation Daybreak, Operation Erebus, Golden Time, Evil New Year, Are you Happy?, FreeMilk, North Korean Human Rights, and Evil New Year 2018.[1][2][3]

North Korean group definitions are known to have significant overlap, and some security researchers report all North Korean state-sponsored cyber activity under the name Lazarus Group instead of tracking clusters or subgroups.


Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, the table compares the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.3
Raw hash: 87564e441d9938ef...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.3 | | Current bundle | 87564e441d99…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] FireEye APT37 Feb 2018
     FireEye. (2018, February 20). APT37 (Reaper): The Overlooked North Korean Actor. Retrieved November 17, 2024.
  2. [2] DOGCALL
     (Citation: FireEye APT37 Feb 2018)
  3. [3] mitre-attack S0213
     MITRE ATT&CK software entry S0213 on attack.mitre.org.

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.