MITRE ATT&CK® Malware

S0245: BADCALL

BADCALL is a Trojan malware variant used by the group Lazarus Group. [1]

Enterprise | S0245 | Malware | Object v1.1
Glexia's Take

Analyst context for executives and security teams

Analyst confidence High

BADCALL is a Windows Trojan malware variant that ATT&CK links to Lazarus Group use. Its value for defenders is not a signature alone, but the cluster of behaviors around covert command-and-control, host discovery, Registry modification, and Windows firewall changes. For security leaders, this is a reminder to validate whether Windows endpoint and network controls can show when malware blends traffic into normal-looking protocols, uses unusual ports, or changes local host controls.

Executive priority

Prioritize BADCALL as a coverage-validation item for Windows incident readiness and command-and-control detection, especially where executive risk discussions include state-sponsored threat activity referenced by ATT&CK through Lazarus Group. Leaders should ask whether SOC teams can prove collection and alerting for suspicious outbound traffic, Windows Registry changes, and host firewall modifications, because those evidence sources often determine whether an investigation can scope and contain this kind of malware behavior.

Technical view

ATT&CK does not provide dedicated detection text for BADCALL, so defenders should build validation around the mapped behaviors: Protocol or Service Impersonation, Proxy, Non-Standard Port, Symmetric Cryptography for command-and-control; System Network Configuration Discovery and System Information Discovery for discovery; Modify Registry and Windows Host Firewall modification for persistence or defense impairment. Focus validation on Windows endpoints, outbound network activity, process-to-network correlations, Registry write events, and firewall configuration changes. Relationship context indicates use by Lazarus Group, but detections should remain behavior-based rather than relying only on group or malware naming.

Likely telemetry

  • Windows endpoint process execution and command-line telemetry
  • Windows Registry modification events
  • Windows host firewall configuration and rule-change logs
  • Outbound network connection metadata including destination, port, protocol, and process context
  • Proxy, firewall, DNS, and web gateway logs for egress analysis

Detection direction

  • Validate alerts for Windows Registry changes associated with persistence, defense impairment, or unusual network configuration changes.
  • Tune for protocol and port mismatches, such as traffic that appears to impersonate common services or uses non-standard protocol/port pairings.
  • Correlate outbound network connections with initiating processes to reduce false positives from legitimate proxy, update, or administrative tools.
  • Look for suspicious Windows firewall disablement, profile suppression, or rule additions, especially when paired with new outbound connectivity.
  • Monitor discovery activity that collects system or network configuration details, but tune carefully because many administrative tools can produce similar events.
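To make the correlation items above concrete, here is an added Python example (not Glexia's, MITRE's, or US-CERT's code) that runs the Registry-plus-outbound-connection logic over a handful of constructed, Sysmon-style event records. The FirewallPolicy key family is the one named in the ATT&CK procedure text; the EnableFirewall value name, the ports 443/8000 from the relationship table, the browser allow-list, and every path, PID and IP in the sample are assumptions for illustration.

```python
import re
from collections import defaultdict

# Registry key family that holds Windows firewall policy; the ATT&CK procedure text names
# ...\FirewallPolicy\StandardProfile\GloballyOpenPorts\List under it. Matched case-insensitively.
FIREWALL_POLICY_RE = re.compile(r"\\SharedAccess\\Parameters\\FirewallPolicy\\", re.IGNORECASE)
# Per-profile value that switches the firewall off when set to 0 (assumed value name for this sample).
DISABLE_VALUE = "enablefirewall"
# Ports the relationship table attributes to BADCALL C2. 443 is also ordinary HTTPS, hence the correlation.
C2_PORTS = {443, 8000}
# Constructed allow-list of images expected on 443; a real deployment keys on signer or hash, not path.
EXPECTED_ON_443 = {r"c:\program files\google\chrome\application\chrome.exe"}

# Constructed sample events, normalized from Sysmon EventID 13 (registry value set) and
# EventID 3 (network connection). Paths, PIDs and IPs are made up; 203.0.113.0/24 is a documentation range.
SAMPLE_EVENTS = [
    {"event_id": 13, "pid": 4120, "image": r"C:\Users\Public\svchost32.exe",
     "target": r"HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall",
     "details": "DWORD (0x00000000)"},
    {"event_id": 13, "pid": 4120, "image": r"C:\Users\Public\svchost32.exe",
     "target": r"HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\8000:TCP",
     "details": "8000:TCP:*:Enabled:svc"},
    {"event_id": 3, "pid": 4120, "image": r"C:\Users\Public\svchost32.exe",
     "dst_ip": "203.0.113.10", "dst_port": 443},
    {"event_id": 3, "pid": 2200, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "dst_ip": "203.0.113.20", "dst_port": 443},
    {"event_id": 13, "pid": 900, "image": r"C:\Windows\System32\svchost.exe",
     "target": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater",
     "details": "C:\\Windows\\System32\\wuauclt.exe"},
]


def classify(event):
    """Tag one event with why it matters to this behaviour cluster, or return None."""
    if event["event_id"] == 13:
        target = event["target"]
        if not FIREWALL_POLICY_RE.search(target):
            return None  # Registry write outside the firewall policy tree: not part of this cluster
        value_name = target.rsplit("\\", 1)[-1].lower()
        if value_name == DISABLE_VALUE and event["details"].endswith("(0x00000000)"):
            return "firewall_disabled"
        if "\\globallyopenports\\" in target.lower():
            return "firewall_port_opened"
        return "firewall_policy_write"
    if event["event_id"] == 3 and event["dst_port"] in C2_PORTS:
        if event["dst_port"] == 443 and event["image"].lower() in EXPECTED_ON_443:
            return None  # ordinary HTTPS from an expected client
        return "outbound_on_c2_port"
    return None


def correlate(events):
    """Group tags per (pid, image) in arrival order so sequence can be checked."""
    tags = defaultdict(list)
    for ev in events:
        tag = classify(ev)
        if tag:
            tags[(ev["pid"], ev["image"])].append(tag)
    return dict(tags)


def flag_badcall_like(events):
    """Return processes whose firewall policy change precedes an outbound connection on a listed port."""
    hits = []
    for (pid, image), tags in correlate(events).items():
        firewall_idx = [i for i, t in enumerate(tags) if t.startswith("firewall_")]
        net_idx = [i for i, t in enumerate(tags) if t == "outbound_on_c2_port"]
        if firewall_idx and net_idx and min(firewall_idx) < max(net_idx):
            hits.append({"pid": pid, "image": image, "evidence": tags})
    return hits


if __name__ == "__main__":
    for hit in flag_badcall_like(SAMPLE_EVENTS):
        print(f"PID {hit['pid']} {hit['image']}: {', '.join(hit['evidence'])}")
```

Only the unsigned binary in a user-writable path is flagged: it turned the firewall off, opened a port, and then connected out on 443. The browser's 443 connection and the unrelated Run-key write produce nothing, which is the false-positive reduction the list above asks for. In production the allow-list and the sequence window should come from local baselines rather than path strings.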

Mitigation priorities

  • Confirm Windows endpoint protection, logging, and response controls are enabled and centrally monitored.
  • Restrict and monitor unauthorized Registry and Windows firewall changes, with administrative change control where practical.
  • Enforce egress filtering and proxy controls so unusual outbound destinations, ports, and protocol mismatches are visible and reviewable.
  • Maintain network segmentation and least-privilege administration to limit the value of host and network discovery.
  • Use incident response playbooks that include containment of suspicious outbound command-and-control, preservation of endpoint evidence, and review of local firewall and Registry changes.

Analyst notes and limits

The ATT&CK object identifies BADCALL as a Trojan malware variant and provides a relationship showing Lazarus Group uses it. The most useful defensive interpretation comes from the linked techniques, which point to Windows host changes and command-and-control tradecraft. Treat this as a behavior coverage and readiness review item, not proof of current activity in any specific environment.

Official detection guidance is not provided for BADCALL in the supplied fields. The malware platform is listed as Windows, while some related techniques have broader platform applicability; this take limits platform-specific recommendations to Windows where tied to the object or Windows-specific relationships. Local baselines are required to distinguish malicious activity from legitimate administration, proxy use, software updates, and firewall management.

Official MITRE ATT&CK definition

BADCALL

BADCALL is a Trojan malware variant used by the group Lazarus Group. [1]


Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

8 rows

Domain | ID | Name | Relationship / procedure

Enterprise | T1686.003 | Windows Host Firewall (Sub-technique)
BADCALL disables the Windows firewall before binding to a port. (Citation: US-CERT BADCALL)

Enterprise | T1573.001 | Symmetric Cryptography (Sub-technique)
BADCALL encrypts C2 traffic using an XOR/ADD cipher. (Citation: US-CERT BADCALL)

Enterprise | T1001.003 | Protocol or Service Impersonation (Sub-technique)
BADCALL uses a FakeTLS method during C2. (Citation: Malware Analysis Report 10135536-G)

Enterprise | T1090 | Proxy
BADCALL functions as a proxy server between the victim and C2 server. (Citation: US-CERT BADCALL)

Enterprise | T1112 | Modify Registry
BADCALL modifies the firewall Registry key SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List. (Citation: US-CERT BADCALL)

Enterprise | T1082 | System Information Discovery
BADCALL collects the computer name and host name on the compromised system. (Citation: US-CERT BADCALL)

Enterprise | T1571 | Non-Standard Port
BADCALL communicates on ports 443 and 8000 with a FakeTLS method. (Citation: US-CERT BADCALL)

Enterprise | T1016 | System Network Configuration Discovery
BADCALL collects the network adapter information. (Citation: US-CERT BADCALL)
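The Protocol or Service Impersonation and Non-Standard Port rows are the ones a network analyst can test for directly. The page does not describe BADCALL's FakeTLS framing, so the added Python example below (not Glexia's, MITRE's, or US-CERT's code) applies a generic TLS record-layer sanity check that covers any "looks like TLS on 443 or 8000" case, not just this family: it parses records from the client side of a captured stream and flags framing that a real TLS client would never produce. The three byte strings are constructed for the example; the maximum record size and content-type values are from the TLS specification.

```python
import struct

# TLS record-layer content types (RFC 5246 / RFC 8446)
TLS_CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
# 2^14 bytes of plaintext plus the maximum expansion TLS 1.2 permits
MAX_RECORD_LEN = 16384 + 2048
HANDSHAKE_CLIENT_HELLO = 1


def parse_records(stream: bytes):
    """Split a client-to-server byte stream into (content_type, body) records.

    Raises ValueError as soon as the framing is something real TLS cannot emit."""
    records, off = [], 0
    while off < len(stream):
        if len(stream) - off < 5:
            raise ValueError(f"truncated record header at offset {off}")
        ctype, major, minor, length = struct.unpack("!BBBH", stream[off:off + 5])
        if ctype not in TLS_CONTENT_TYPES or major != 3 or minor > 4:
            raise ValueError(f"non-TLS record header at offset {off}")
        if length == 0 or length > MAX_RECORD_LEN or off + 5 + length > len(stream):
            raise ValueError(f"record length {length} at offset {off} does not fit stream")
        records.append((ctype, stream[off + 5:off + 5 + length]))
        off += 5 + length
    return records


def assess_client_stream(stream: bytes):
    """Return a list of anomaly strings; an empty list means the framing is consistent with TLS."""
    try:
        records = parse_records(stream)
    except ValueError as err:
        return [str(err)]
    anomalies = []
    first = records[0] if records else None
    if first is None or first[0] != 22 or not first[1] or first[1][0] != HANDSHAKE_CLIENT_HELLO:
        anomalies.append("stream does not open with a ClientHello")
    seen_handshake = False
    for ctype, _body in records:
        if ctype == 22:
            seen_handshake = True
        elif ctype == 23 and not seen_handshake:
            # Custom-encrypted payloads wrapped in application_data headers show up here.
            anomalies.append("application data before any handshake")
            break
    return anomalies


def tls_record(ctype: int, version: tuple, body: bytes) -> bytes:
    """Build one record with a 5-byte header; used only to construct the samples."""
    return struct.pack("!BBBH", ctype, version[0], version[1], len(body)) + body


# Constructed samples. The ClientHello body is a minimal handshake header plus a 34-byte stub;
# the fake stream wraps a repeating byte pattern in application_data with no handshake at all.
_HELLO_STUB = b"\x03\x03" + b"\x00" * 32
CLIENT_HELLO_BODY = bytes([HANDSHAKE_CLIENT_HELLO]) + len(_HELLO_STUB).to_bytes(3, "big") + _HELLO_STUB
GENUINE_LOOKING = (tls_record(22, (3, 1), CLIENT_HELLO_BODY)
                   + tls_record(20, (3, 3), b"\x01")
                   + tls_record(23, (3, 3), b"\xaa" * 40))
FAKE_TLS = tls_record(23, (3, 1), b"\x5b\x17\x9e" * 20)
NOT_TLS = b"\x8f\x00\x00\x01\x02\x03"


if __name__ == "__main__":
    for name, sample in (("genuine", GENUINE_LOOKING), ("fake_tls", FAKE_TLS), ("not_tls", NOT_TLS)):
        print(name, assess_client_stream(sample) or "ok")
```

The check is deliberately one-directional and stateless beyond "was a handshake ever seen", which keeps it cheap enough to run over every flow on 443 and 8000 from the process-to-network correlation. Real TLS 1.3 clients send application data only after the server has answered, so a stricter version would also consume the server side; the point here is that impersonated TLS tends to fail even the simplest record-layer expectations.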

Associated objects

Groups, software, and campaigns

Group Enterprise

G0032: Lazarus Group

Lazarus Group is a North Korean state-sponsored cyber threat group attributed to the Reconnaissance General Bureau (RGB). [1] [2] Lazarus Group has been active since at least 2009 and is reportedly responsible for the November 2014 destructive wiper attack on Sony Pictures Entertainment, identified by Novetta as part of Operation Blockbuster. Malware used by Lazarus Group correlates to other reported campaigns, including Operation Flame, Operation 1Mission, Operation Troy, DarkSeoul, and Ten Days of Rain.[3]

North Korea’s cyber operations have shown a consistent pattern of adaptation, forming and reorganizing units as national priorities shift. These units frequently share personnel, infrastructure, malware, and tradecraft, making it difficult to attribute specific operations with high confidence. Public reporting often uses “Lazarus Group” as an umbrella term for multiple North Korean cyber operators conducting espionage, destructive attacks, and financially motivated campaigns.[4][5][6]


Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.1
Raw hash: 052d1162385f5439...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.1 | | Current bundle | 052d1162385f…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] US-CERT BADCALL. US-CERT. (2018, February 06). Malware Analysis Report (MAR) - 10135536-G. Retrieved June 7, 2018.
  2. [2] BADCALL. (Citation: US-CERT BADCALL)
  3. [3] mitre-attack S0245.

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.