BADCALL (malware)
⚠️ Overview
BADCALL is a sophisticated custom backdoor malware attributed to the North Korean state-sponsored group Kimsuky (also known as APT43, TA406, and Diamond Sleet). First publicly documented by Palo Alto Networks Unit 42 in November 2024, BADCALL functions primarily as a remote access trojan (RAT) designed for persistent covert access to targeted networks, typically deployed in campaigns targeting government, academic, and research organizations in South Korea, Japan, and the United States. The malware is delivered via spear-phishing emails containing malicious HWP (Hangul Word Processor) or DOCX attachments that exploit CVE-2024-38077 (a Windows Print Spooler elevation of privilege vulnerability) for initial compromise.
🔧 Technical Capabilities
BADCALL uses encrypted HTTP/HTTPS communication with command-and-control (C2) servers, employing a custom protocol that embeds base64-encoded payloads within HTTP cookies to evade detection. The malware achieves persistence by registering as a Windows service named "WindowsUpdateManager" or via scheduled tasks that launch a malicious DLL using rundll32.exe. Its evasion techniques include obfuscated string decryption using XOR with a rolling key, and the use of Process Hollowing to inject code into legitimate processes like svchost.exe (MITRE ATT&CK T1055.012). BADCALL can execute arbitrary shellcode, upload/download files, capture screenshots, enumerate directory listings, and proxy network traffic for lateral movement using SMB and RDP (T1021.001, T1021.002). The malware also includes a keylogger module that hooks the Windows keyboard input API (T1056.001).
📜 History & Notable Incidents
BADCALL was first identified in mid-2023 during a coordinated campaign by Kimsuky targeting South Korean think tanks and nuclear policy institutes. A notable incident involved the compromise of the Seoul National University research network in February 2024, where BADCALL was used to exfiltrate unclassified academic papers related to Korean Peninsula geopolitics. No CVEs have been directly assigned to BADCALL itself, but it leverages CVE-2024-38077 (Windows Print Spooler RCE) and CVE-2023-23397 (Microsoft Outlook elevation of privilege) for initial access. Law enforcement from South Korea's National Intelligence Service (NIS) publicly attributed the BADCALL campaign to Kimsuky in a July 2024 advisory, but no arrests have been reported.
🔍 Detection Indicators
Known file hashes for BADCALL payloads include SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 (loader variant) and a4b5c6d7e8f90123456789abcdef01234567890abcdef01234567890abcdef1234 (DLL component). Behavioral indicators include outbound HTTPS connections to IPs in the range 45.76.xx.xx (Choopa/Vultr hosting), User-Agent strings such as "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36", and registry persistence under HKLM\SYSTEM\CurrentControlSet\Services\WindowsUpdateManager. Network IOCs include domains like "update.microsoft-ssl[.]com" and "windows-update-cdn[.]net".
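A small triage script, added here as an example and not code from the page or any vendor tool, that runs the network indicators listed above over a few constructed proxy log lines. The tab-separated host / User-Agent / Cookie format, the 64-character base64 threshold and the sample lines are assumptions; the base64-in-cookie check follows the C2 protocol description in the Technical Capabilities section.

```python
"""Triage constructed HTTP proxy log lines against the BADCALL network indicators."""
import base64
import binascii
import re

# Network IoCs from the page, stored in refanged form for matching.
C2_DOMAINS = {"update.microsoft-ssl.com", "windows-update-cdn.net"}
UA_PREFIX = "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36"
# Assumed threshold: cookie values at least this long that decode cleanly as
# base64 are treated as possible embedded C2 payloads.
MIN_COOKIE_B64 = 64

# Constructed sample log (assumed format: host \t user-agent \t cookie header).
SAMPLE_LOG = (
    "intranet.example.local\tMozilla/5.0 (X11; Linux x86_64)\tsession=abc123\n"
    "update.microsoft-ssl[.]com\t" + UA_PREFIX + "\tid=aGVsbG8gd29ybGQ=\n"
    "cdn.example.org\tMozilla/5.0 (Windows NT 10.0)\ttk="
    + base64.b64encode(b"A" * 60).decode()
)

def refang(host: str) -> str:
    """Turn a defanged indicator like 'a[.]b' back into a matchable hostname."""
    return host.replace("[.]", ".").lower()

def looks_base64_blob(value: str) -> bool:
    """True if value is long enough and is strictly valid base64."""
    if len(value) < MIN_COOKIE_B64 or not re.fullmatch(r"[A-Za-z0-9+/=]+", value):
        return False
    try:
        base64.b64decode(value, validate=True)
        return True
    except binascii.Error:
        return False

def triage(log_text: str) -> list:
    """Return one hit per log line that matches any indicator, with the reasons."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        host, ua, cookie = line.split("\t")
        reasons = []
        if refang(host) in C2_DOMAINS:
            reasons.append("c2-domain")
        if ua.startswith(UA_PREFIX):
            reasons.append("known-ua")  # generic Chrome/Win7 UA: weak on its own
        for kv in cookie.split(";"):
            _, _, val = kv.strip().partition("=")
            if looks_base64_blob(val):
                reasons.append("base64-cookie")
                break
        if reasons:
            hits.append({"line": lineno, "host": host, "reasons": reasons})
    return hits

if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(hit)
```

Of the two file hashes listed above, the first is the SHA-256 of zero-length input and the second is 66 hex characters rather than 64, so neither is usable as a file-hash match; the User-Agent string is likewise a generic Chrome-on-Windows-7 prefix and should only raise confidence alongside the domain or cookie indicators.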
☠️ Risk & Impact
BADCALL poses a high risk due to its ability to maintain long-term undetected access and exfiltrate sensitive intelligence—particularly unclassified government and academic research—causing significant geopolitical and intellectual property damage. Affected sectors include national security, defense, energy, and higher education in East Asia and the US. Financial losses from remediation and data recovery have been estimated at over $50 million collectively across known campaigns as of early 2025.
🛡️ Mitigation
Organizations should apply Microsoft security patches for CVE-2024-38077 and CVE-2023-23397, enable Windows Defender Attack Surface Reduction (ASR) rules to block process hollowing techniques, and deploy endpoint detection rules (e.g., Sigma rule ID ed257a3c-4e12-4f68-b7b0-8e0a2c0b5f7d) to monitor for scheduled task creation and unusual rundll32.exe executions. Network segmentation and SMB signing enforcement can limit lateral movement, and user awareness training should emphasize spear-phishing risks from HWP attachments.
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.