S0642: BADFLICK
Analyst context for executives and security teams
BADFLICK is a Windows backdoor that ATT&CK reports was used by Leviathan in spearphishing campaigns against U.S. engineering and maritime industries. Its practical significance is not just the malware name: the related behaviors span phishing attachment execution, host and network discovery, local data collection, archiving, tool transfer, deobfuscation, and time-based anti-analysis checks. For leaders, this makes BADFLICK a useful planning case for whether phishing defenses, endpoint visibility, SOC triage, and incident response can connect the initial email event to post-compromise discovery and data staging activity.
Executive priority
Prioritize this as an espionage-style intrusion readiness issue where intellectual property, engineering data, maritime operations, regulated information, and partner trust may be at stake. Executives should ask whether the organization can prove coverage across the chain: targeted email delivery, user execution of malicious files, Windows endpoint behavior, command-and-control file transfer, discovery commands, local data access, and archive creation. The decision value is in validating resilience and audit evidence before an incident, not assuming a specific current threat to the organization.
Technical view
For SOC, detection engineering, and IR teams, use the ATT&CK relationships as the validation map. BADFLICK is associated with Windows and uses behaviors mapped to Spearphishing Attachment, Malicious File execution, System Information Discovery, System Network Configuration Discovery, File and Directory Discovery, Data from Local System, Ingress Tool Transfer, Deobfuscate/Decode Files or Information, Time Based Checks, and Archive via Library. Because ATT&CK provides no official detection text for this malware object, teams should not rely on a BADFLICK-specific signature alone. Validate whether telemetry can correlate suspicious attachment execution with subsequent discovery, file enumeration, local data access, archive creation, decoding/deobfuscation activity, and inbound tool transfer on the same host or user session.
Likely telemetry
- Email security logs for spearphishing attachments, attachment metadata, sender context, and delivery/disposition outcomes
- Endpoint process creation and command-line telemetry on Windows hosts
- File system telemetry for suspicious enumeration, access to sensitive local paths, and archive creation
- Network telemetry for command-and-control-like file transfer or external ingress of tools
- Endpoint events showing decoding, deobfuscation, or execution of newly introduced files
Detection direction
- Build correlation from malicious or suspicious attachment execution to near-term host discovery, network configuration discovery, and file/directory discovery events.
- Tune for sequences of local data access followed by archive creation, especially when tied to a user process spawned from an email-delivered file.
- Validate visibility for ingress tool transfer rather than only outbound exfiltration; the relationship to T1105 means post-compromise tool delivery is part of the behavior set.
- Account for false positives from legitimate administration, software deployment, compression utilities, and help desk troubleshooting by requiring unusual parent-child process chains, user context, destination reputation, or timing after attachment execution.
- Because no official ATT&CK detection guidance is supplied for BADFLICK, treat detections as behavior-based hypotheses that require local baselining and testing.
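To make the correlation hypothesis above concrete, here is an added example (not code from ATT&CK, MITRE or the cited reports) that walks constructed Windows process-creation and file-creation events and alerts only when an Office-spawned process chain shows two or more of the discovery techniques on this page and then writes an archive within a fixed window. The event schema, the Office parent set and the keyword-to-technique mapping are assumptions for the example; the keyword match is a coarse stand-in for an EDR's own discovery detections.

```python
# Added example, not code from ATT&CK or the Accenture report: correlate an Office-spawned
# process chain with follow-on discovery commands and archive creation on the same host.
from collections import defaultdict
from datetime import datetime, timedelta

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}  # assumed set of document parents
DISCOVERY = {"systeminfo": "T1082", "ipconfig": "T1016", "dir ": "T1083"}  # keyword -> technique
ARCHIVE_EXT = (".zip", ".rar", ".7z")
WINDOW = timedelta(minutes=30)

def proc(time, host, pid, ppid, parent, cmd):  # assumed process-creation event schema
    return {"type": "process", "time": time, "host": host, "pid": pid,
            "ppid": ppid, "parent_image": parent, "cmdline": cmd}
def fcreate(time, host, pid, path):  # assumed file-creation event schema
    return {"type": "file_create", "time": time, "host": host, "pid": pid, "path": path}
def _t(e): return datetime.strptime(e["time"], "%Y-%m-%d %H:%M:%S")

def correlate(events):
    # One alert per Office-spawned root whose descendants (parent->child pid links on one
    # host, inside WINDOW) show >=2 discovery techniques and write an archive file.
    procs = [e for e in events if e["type"] == "process"]
    kids = defaultdict(list)
    for p in procs: kids[(p["host"], p["ppid"])].append(p)
    alerts = []
    for root in procs:
        if root["parent_image"].lower() not in OFFICE_PARENTS:
            continue
        t0, tree, stack = _t(root), [], [root]
        while stack:  # depth-first walk of the descendant tree, bounded by WINDOW
            p = stack.pop()
            if timedelta(0) <= _t(p) - t0 <= WINDOW:
                tree.append(p)
                stack.extend(kids[(p["host"], p["pid"])])
        pids = {p["pid"] for p in tree}
        techs = {tid for p in tree for kw, tid in DISCOVERY.items() if kw in p["cmdline"].lower()}
        archives = [f["path"] for f in events if f["type"] == "file_create"
                    and f["host"] == root["host"] and f["pid"] in pids
                    and f["path"].lower().endswith(ARCHIVE_EXT) and timedelta(0) <= _t(f) - t0 <= WINDOW]
        if len(techs) >= 2 and archives:  # a single discovery hit stays a hunt lead, not an alert
            alerts.append({"host": root["host"], "root_pid": root["pid"],
                           "techniques": sorted(techs), "archives": archives})
    return alerts

SAMPLE_EVENTS = [  # constructed telemetry: WS01 shows the chain, WS02 is routine help desk use
    proc("2024-05-01 09:00:00", "WS01", 4100, 3900, "WINWORD.EXE", "update.exe"),
    proc("2024-05-01 09:00:05", "WS01", 4120, 4100, "update.exe", "cmd.exe /c systeminfo"),
    proc("2024-05-01 09:00:09", "WS01", 4130, 4100, "update.exe", "cmd.exe /c ipconfig /all"),
    fcreate("2024-05-01 09:06:00", "WS01", 4100, r"C:\Users\jdoe\AppData\Local\Temp\out.zip"),
    proc("2024-05-01 09:01:00", "WS02", 5000, 4990, "explorer.exe", "cmd.exe /c ipconfig /all"),
]
```

Running `correlate(SAMPLE_EVENTS)` yields one alert for WS01 (T1016 and T1082 followed by the archive write) and nothing for the help desk host, which is the false-positive shape the list above asks detections to tolerate.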
Mitigation priorities
- Reduce spearphishing attachment risk with attachment inspection, safe handling controls, and user reporting workflows aligned to targeted phishing scenarios.
- Harden Windows endpoints to restrict unnecessary execution from user-writable and email download locations where feasible.
- Ensure endpoint detection and response collects process, file, and network evidence needed to reconstruct discovery, staging, and tool transfer behaviors.
- Limit user access to sensitive local engineering, maritime, or business data so local collection activity has less reach if a workstation is compromised.
- Prepare IR playbooks that connect email investigation, endpoint containment, malware triage, and data access review for backdoor incidents.
Analyst notes and limits
The ATT&CK object identifies BADFLICK as a backdoor used by Leviathan in spearphishing campaigns first reported in 2018 and targeting U.S. engineering and maritime industries. The most useful defensive interpretation is relationship-driven: the malware’s mapped techniques indicate a path from phishing attachment execution to discovery, data collection, archive preparation, deobfuscation, anti-analysis timing checks, and tool transfer. Organizations in adjacent sectors should use this as a control validation scenario, while avoiding unsupported assumptions about current exposure or activity.
ATT&CK provides no official detection field for BADFLICK and the supplied object lists only Windows as the malware platform. The technique relationships provide behavioral context but do not include full procedure-level detail, indicators, hashes, infrastructure, or guaranteed detection logic. Local telemetry, asset criticality, email flow, endpoint configuration, and normal administrative behavior are required to turn this into reliable detections or risk conclusions.
BADFLICK
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1082 | System Information Discovery | BADFLICK has captured victim computer name, memory space, and CPU details. [2] |
| Enterprise | T1560.002 | Archive via Library (sub-technique) | BADFLICK has compressed data using the aPLib compression library. [2] |
| Enterprise | T1083 | File and Directory Discovery | BADFLICK has searched for files on the infected host. [2] |
| Enterprise | T1204.002 | Malicious File (sub-technique) | BADFLICK has relied upon users clicking on a malicious attachment delivered through spearphishing. [2] |
| Enterprise | T1005 | Data from Local System | BADFLICK has uploaded files from victims' machines. [2] |
| Enterprise | T1566.001 | Spearphishing Attachment (sub-technique) | BADFLICK has been distributed via spearphishing campaigns containing malicious Microsoft Word documents. [2] |
| Enterprise | T1497.003 | Time Based Checks (sub-technique) | BADFLICK has delayed communication to the actor-controlled IP address by 5 minutes. [2] |
| Enterprise | T1016 | System Network Configuration Discovery | BADFLICK has captured victim IP address details. [2] |
| Enterprise | T1105 | Ingress Tool Transfer | BADFLICK has downloaded files from its C2 server. [2] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | BADFLICK can decode shellcode using a custom rotating XOR cipher. [2] |
Groups, software, and campaigns
G0065: Leviathan
Leviathan is a Chinese state-sponsored cyber espionage group that has been attributed to the Ministry of State Security's (MSS) Hainan State Security Department and an affiliated front company.[1] Active since at least 2009, Leviathan has targeted the following sectors: academia, aerospace/aviation, biomedical, defense industrial base, government, healthcare, manufacturing, maritime, and transportation across the US, Canada, Australia, Europe, the Middle East, and Southeast Asia.[1][2][3][4]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | b7a5f4d02acd… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] FireEye Periscope March 2018: FireEye. (2018, March 16). Suspected Chinese Cyber Espionage Group (TEMP.Periscope) Targeting U.S. Engineering and Maritime Industries. Retrieved April 11, 2018.
- [2] Accenture MUDCARP March 2019: Accenture iDefense Unit. (2019, March 5). Mudcarp's Focus on Submarine Technologies. Retrieved August 24, 2021.
- [3] mitre-attack S0642
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.