BADCALL
BADCALL is a malware family attributed to North Korean government activity, tracked by the U.S. Government as HIDDEN COBRA and linked in later reporting to Lazarus Group operations. It is described primarily as a proxy/backdoor family: it turns a compromised system into a proxy server sitting between the victim and command-and-control (C2) infrastructure.

Reported Windows variants are 32-bit executables and DLLs. They use a FakeTLS method for C2, communicate on ports including 443 and 8000, and encrypt C2 traffic with an XOR/ADD cipher. Before binding to a port the malware disables the Windows firewall and modifies the Registry key SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List to allow inbound access. Because the listener is not reachable until that key has been written, writes to it are a useful hunting pivot on their own.

For host discovery BADCALL collects the computer name, host name and network adapter information; a documented Windows DLL variant calls GetComputerNameW, gethostbyname and GetAdaptersInfo.

DHS/FBI/DoD reporting described hard-coded authentication and proxy-control strings in the analyzed samples, including the authentication values "1qazXSDC23we" and "qwertyuiop". The same reporting noted embedded public SSL certificates taken from legitimate domains, used to mimic a TLS handshake without real TLS end-to-end (the FakeTLS method above). A loader sample decrypted an embedded ZIP with RC4 to deploy an additional proxy DLL, and one sample attempted to read its configuration from SOFTWARE\Microsoft\windows\CurrentVersion\NetConfigs.

The family also has Linux coverage: reporting stated that sysnetd is a Linux variant of the group's Windows backdoor BADCALL, and later research identified a new Linux BADCALL variant, previously seen in the 3CX supply-chain attack, with enhanced logging that writes timestamped numeric operation codes to /tmp/sslvpn.log.
Additional reporting notes that BADCALL has been used in Lazarus Operation DreamJob activity, and that the family also includes an Android RAT variant analyzed in U.S. government reporting. That variant listened on port 60000 and supported call recording, screenshot and camera capture, contact access, file upload and download, command execution, and Wi-Fi scanning.
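The Windows host artifacts described above (the GloballyOpenPorts\List firewall entries, the NetConfigs configuration key and the hard-coded authentication strings) can be hunted offline in an exported registry hive and in sample or memory blobs. The following Python is an added example for this page, not code from the cited government or vendor reports. It assumes the export is a .reg-style text dump and that firewall entries use the legacy SharedAccess value format port:protocol:scope:state:description; the sample export, the "svchost" descriptions and the placeholder NetConfigs value are constructed for the example, while the port list (443, 8000) and the two authentication strings come from the reporting above.

```python
"""Hunt for BADCALL-style Windows host artifacts in a registry export.

Added example for this page, not code from the cited reports.
Assumptions: .reg-style text export; legacy SharedAccess firewall
value format "port:protocol:scope:state:description"; the sample
export below and its "svchost" descriptions are constructed.
"""
from dataclasses import dataclass

FIREWALL_LIST_KEY = (
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess"
    r"\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List"
)
NETCONFIGS_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\windows\CurrentVersion\NetConfigs"

# Ports the reporting on this page says BADCALL communicates on.
SUSPECT_PORTS = {443, 8000}
# Hard-coded authentication values cited in the DHS/FBI/DoD reporting.
AUTH_STRINGS = (b"1qazXSDC23we", b"qwertyuiop")

# Constructed sample export: one benign legacy NetBIOS entry, two entries of
# the kind a BADCALL-style firewall modification leaves behind, and the
# NetConfigs key one sample was observed reading (placeholder value data).
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"139:TCP"="139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004"
"443:TCP"="443:TCP:*:Enabled:svchost"
"8000:TCP"="8000:TCP:*:Enabled:svchost"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\windows\CurrentVersion\NetConfigs]
"Config"=hex:00
"""


@dataclass
class Finding:
    key: str
    entry: str
    reason: str


def parse_reg_export(text):
    """Return {key_path_lowercased: {value_name: data}} from a .reg export."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()   # registry paths are case-insensitive
            keys[current] = {}
        elif current is not None and line.startswith('"') and "=" in line:
            name, _, data = line.partition("=")
            keys[current][name.strip('"')] = data.strip().strip('"')
    return keys


def check_open_ports(entries):
    """Flag GloballyOpenPorts\\List entries that globally open a reported port."""
    findings = []
    for name, data in entries.items():
        parts = data.split(":")
        if len(parts) < 4 or not parts[0].isdigit():
            findings.append(Finding(FIREWALL_LIST_KEY, f"{name}={data}",
                                    "malformed entry, review manually"))
            continue
        port, state = int(parts[0]), parts[3].lower()
        if port in SUSPECT_PORTS and state == "enabled":
            findings.append(Finding(
                FIREWALL_LIST_KEY, f"{name}={data}",
                f"inbound port {port} globally opened; matches reported BADCALL port"))
    return findings


def hunt_registry(export_text):
    """Run both registry checks over an export and return all findings."""
    keys = parse_reg_export(export_text)
    findings = check_open_ports(keys.get(FIREWALL_LIST_KEY.lower(), {}))
    netconfigs = keys.get(NETCONFIGS_KEY.lower())
    if netconfigs is not None:
        findings.append(Finding(
            NETCONFIGS_KEY, ",".join(netconfigs) or "(no values)",
            "NetConfigs key present; reported as a BADCALL configuration location"))
    return findings


def find_auth_strings(blob):
    """Return the reported hard-coded auth strings present in a file/memory blob."""
    return [s.decode() for s in AUTH_STRINGS if s in blob]


if __name__ == "__main__":
    for f in hunt_registry(SAMPLE_EXPORT):
        print(f"[{f.reason}] {f.key}\n    {f.entry}")
    # Constructed blob standing in for a dumped sample or process memory.
    print(find_auth_strings(b"\x00PROXY\x001qazXSDC23we\x00"))
```

The export parser is deliberately minimal (no handling of multi-line hex values or escaped quotes), which is enough for these two keys; for a full hive, feed it the output of `reg export` for just the SharedAccess and NetConfigs paths. The auth-string match is a static pivot: later builds can change the strings, so treat a miss as inconclusive and a hit as strong.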
Techniques & procedures
9 distinct techniques documented for this family, organized by ATT&CK tactic.
Persistence (1 technique)

Defense Evasion (1 technique)
BADCALL disables the Windows firewall and adds an entry under SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List before opening its listening port (Impair Defenses: Disable or Modify System Firewall).

Discovery (2 techniques)
System Network Configuration Discovery. Reporting across families describes malware and operators using commands and APIs such as ipconfig /all, ifconfig, arp -a, route print, nbtstat, netsh, GetAdaptersInfo and GetIpNetTable to gather IP and MAC addresses, DNS and DHCP settings, gateways, routing tables, the ARP cache, proxy settings, domains and network adapter details. For BADCALL the documented call is GetAdaptersInfo.
System Information Discovery. Reporting describes collection of host details such as OS version, hostname, architecture, CPU, memory, BIOS, domain, language and other configuration data; e.g., "APT41 uses multiple built-in commands such as systeminfo and net config Workstation to enumerate victim system basic configuration information." The documented BADCALL DLL variant uses GetComputerNameW and gethostbyname.

Command and Control (5 techniques)
Proxy. "APT41 used a tool called CLASSFON to covertly proxy network communications." / "BADCALL functions as a proxy server between the victim and C2 server." / "Sandworm Team's BCS-server tool can create an internal proxy server to redirect traffic..."
Encrypted Channel. "3PARA RAT command and control commands are encrypted within the HTTP C2 channel using the DES algorithm in CBC mode..."; "APT33 has used AES for encryption of command and control traffic."; "Carbanak encrypts the message body of HTTP traffic with RC2 (in CBC mode)."; "Duqu ... data stream can be encrypted with AES-CBC."; "PoisonIvy uses the Camellia cipher to encrypt communications." BADCALL's own channel, per the reporting above, is an XOR/ADD cipher beneath a FakeTLS wrapper.
Recent activity
19 sources tracked across advisories, community write-ups, and news.
Badcall is a backdoor malware family used by North Korean threat actors, notably Lazarus, for persistent access and control of compromised systems. The new Linux variant features enhanced logging for operational monitoring and has been linked to infrastructure used in global campaigns.
BADCALL is a malware used by Lazarus Group, notable for having both Windows and Linux versions, and is used in targeted attacks for data exfiltration and espionage.
Backdoor that disables Windows Firewall prior to opening a listening port.
Lazarus backdoor family referenced across Windows and Linux. The Linux sample sysnetd is assessed as a Linux variant of the Windows backdoor on the basis of code and configuration similarities, including fake TLS front domains and shared cryptographic artifacts (an A5/1 implementation and keys referenced in the report).