{
	"id": "c4a9fff1-7475-4ae2-b00e-32c6688b01b7",
	"created_at": "2026-04-06T00:12:52.850226Z",
	"updated_at": "2026-04-10T13:11:26.26144Z",
	"deleted_at": null,
	"sha1_hash": "26ece7ef66cebd696bc7b333f2296d36d3dfb343",
	"title": "DeathStalker targets legal entities with new Janicab variant",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3690167,
	"plain_text": "DeathStalker targets legal entities with new Janicab variant\r\nBy GReAT\r\nPublished: 2022-12-08 · Archived: 2026-04-05 15:04:15 UTC\r\nJust to clarify, the above subheading isn’t a normal quote, but a message that Janicab malware attempted to decode\r\nin its newest use of YouTube dead-drop resolvers (DDRs).\r\nWhile hunting for less common Deathstalker intrusions that use the Janicab malware family, we identified a new\r\nJanicab variant used to target legal entities in the Middle East throughout 2020, possibly still active during 2021,\r\nand potentially extending an extensive campaign that has been traced back to early 2015 and targeted legal,\r\nfinancial, and travel agencies in the Middle East and Europe.\r\nJanicab was first introduced in 2013 as malware able to run on macOS and Windows operating systems. The\r\nWindows version has a VBScript-based implant as the final stage instead of the C#/PowerShell combination observed\r\npreviously in Powersing samples. The VBS-based implant samples we have identified to date carry a range of\r\nversion numbers, meaning the malware is still in development. Overall, Janicab offers the same functionality as its\r\ncounterpart malware families, but instead of downloading several tools later in the intrusion lifecycle, as was the\r\ncase with EVILNUM and Powersing intrusions, the analyzed samples have most of the tools embedded and\r\nobfuscated within the dropper.\r\nInterestingly, the threat actor continues to use YouTube, Google+, and WordPress web services as DDRs.\r\nHowever, some of the YouTube links observed are unlisted and date back to 2015, indicating possible\r\ninfrastructure reuse.\r\nLaw firms and financial institutions continue to be most affected by Deathstalker. 
However, in the intrusions\r\nanalyzed recently, we suspect that travel agencies are a new vertical that we haven’t previously seen being\r\ntargeted by this threat actor.\r\nMore information about Deathstalker is available to customers of Kaspersky Intelligence Reporting. Contact us:\r\nintelreports@kaspersky.com.\r\nWe determined that the initial infection method, a LNK-based dropper inside a ZIP archive, remained similar\r\nto previous campaigns using EVILNUM, Powersing, and PowerPepper, but each seems to focus on different\r\nphishing themes, as if each malware family is operated by a different team and/or intended for a different type of\r\nvictim. In a sample Janicab case, the decoy is an industrial corporate profile (hydraulics) matching the subject of\r\na decoy used in a previous PowerPepper intrusion. Based on our telemetry, the delivery mechanism remains spear-phishing.\r\nLNK dropper metadata\r\nMD5 F1B5675E1A60049C7CD823EBA93FE977\r\nFile name Corporate Profile Hydraulica.lnk\r\nFile size 7.1 MB\r\nSID S-1-5-21-2529457200-49751210-1696528657-1000\r\nMAC address 00:50:56:c0:00:08 / VMWare\r\nhttps://securelist.com/deathstalker-targets-legal-entities-with-new-janicab-variant/108131/\r\nPage 1 of 16\n\nDecoy document in LNK file\r\nThe LNK dropper’s metadata resembles many Powersing and Janicab implants we reported or publicly analyzed.\r\nNamely, the SID, font family, font size, screen buffer and window size, run window, and MAC address are similar.\r\nDespite Janicab and Powersing resembling each other a lot in terms of execution flow and the use of VBE and\r\nVBS, their LNKs are structured somewhat differently. 
In addition, newer Janicab variants have changed\r\nsignificantly in structure compared to older Janicab Windows variants from 2015. The new Janicab variants also\r\nembed a CAB archive containing several Python files and other artifacts used later in the intrusion lifecycle.\r\nBelow is a high-level comparison between Powersing and the new and old Janicab variants.\r\nLNK files structure comparison (Powersing, Janicab 1.2.9a, Janicab 1.1.2)\r\nThe execution flow\r\nOnce a victim is tricked into opening the malicious LNK file, a series of chained malware files are dropped. The\r\nLNK file has an embedded “Command Line Arguments” field that extracts and executes an encoded\r\nVBScript loader (1.VBE). The latter drops and executes another embedded and encoded VBScript (2.VBE) that\r\nextracts a CAB archive (cab.cab) containing additional resources and Python libraries/tools, and concludes the\r\ninfection by extracting the last stage – a VBScript-based implant known as Janicab. The final stage initiates\r\npersistence by deploying a new LNK file in the Startup directory and starts communicating with the DDR web\r\nservices to obtain the actual C2 IP address.\r\nJanicab (1.2.9a)\r\nMD5 3f1e0540793d9b9dbd26d6fadceacb71\r\nSHA1 aacd0752289f3b0c6be3fadba368a9a71e46a228\r\nSHA256 33f9780a2f0838e43457a8190616bec9e5489e1a112501e950fc40e0a3b2782e\r\nFile type Encoded VBE script\r\nFile size 593 KB\r\nFile name %userprofile%.VBE\r\nJanicab is a VBS-based malware implant that is mostly similar in functionality to its counterpart malware families,\r\nPowersing and EVILNUM. 
All have basic functionality such as command execution, importing registry files,\r\nand the ability to download additional tools, while maintaining persistence with extensive anti-VM and defense evasion checks.\r\nSince all three malware families share strong similarities, we will only discuss the interesting differences between\r\nJanicab versions in this section.\r\nJanicab can be considered a modular, interpreted-language malware, meaning the threat actor is able to\r\nadd or remove functions or embedded files; interpreted-language malware provides such flexibility with reasonably\r\nlow effort. For example, in older variants, SnapIT.exe, a known tool used to capture screenshots, was embedded,\r\ndropped and executed at intervals. This tool was replaced in later variants with other custom-built tools that do the\r\nsame job. We’ve also seen audio recording capabilities in older variants, but not in later variants.\r\nIn newer variants, we started seeing the threat actor embed a DLL-based keylogger or screen capture utility that is\r\ninvoked using the ‘run_dll_or_py’ function. Interestingly, according to our Kaspersky Threat Attribution Engine\r\n(KTAE), the keylogger is very similar to another keylogger used in previous Powersing intrusions we reported, which\r\ncame under the name ‘AdobeUpdater.dll’. In Powersing intrusions, the DLL was fetched later in the intrusion\r\ncycle from a secondary C2 server. However, in Janicab intrusions, it was mostly embedded as a HEX byte array,\r\nor inside CAB files as an extra resource. We’re aware of eight different Janicab versions: 1.0.8, 1.1.2, 1.1.4, 1.2.5,\r\n1.2.7, 1.2.8, 1.2.9a, 1.3.2.\r\nJanicab malware evolution\r\nA further comparison of the different Janicab versions shows that additional functions were added throughout the\r\nmalware development cycle, while specific functions were maintained. 
The table below shows interesting new\r\nfunctions that were introduced throughout the development of several variants according to the actor’s\r\nrequirements and/or to evade security controls:\r\nFunction name | Brief description\r\nFunction checkRunningProcess() | Checks for a list of processes indicating malware analysis or process debugging\r\nFunction delFFcookies(), Function delGCcookies(), Function delIEcookies() | Points to the respective browser location and deletes its cookies\r\nFunction downFile(args) | Used to download files from the C2 and save them to disk\r\nfunction GetKl(kl) | Gets keylogger data, base64 encodes it, then sends it to the C2\r\nFunction runCmd(cmd, cmdType) | Facilitates command execution using CMD.exe or PowerShell.exe\r\nFunction run_dll_or_py(arg1, arg2) | Used to execute Python or DLL files using two arguments; arg1 is the DLL path and arg2 is the DLL exported function name (MyDllEntryPoint)\r\nfunction add_to_startup_manager(server, installedAV), function add_to_startup_reg_import(startupFile, starterFile), function add_to_startup_shortcut(startupFile, starterFile) | Used to register the victim for the first time at the C2; perform persistence actions and install Microsoft Sync Services.lnk in the system startup folder and in the registry key HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\r\nFunction isMalwb() | Checks if MalwareBytes is installed. Similar functions were seen in other variants that check for other AV products\r\nFunction HandleCCleaner() | Checks if CCleaner is installed by inspecting the system registry, and deletes the registry entries accordingly\r\nFunction RunIeScript() | Runs the ie.vbe script using CScript.exe to ensure no residual Internet Explorer instances exist after C2 communication, which uses a hidden IE browser\r\nFunction getAV() | Gets a list of installed AV products\r\nStarting with version 1.0.8, Janicab VBS implants have had several files embedded in the form of byte arrays. These are\r\nusually registry, VBE, PE EXE, or DLL files. In recent samples, while we still see embedded byte arrays for such\r\nresources, most of the extra resources were placed inside a CAB archive file that is dropped during the Stage-1\r\nprocess.\r\nBelow are noteworthy dropped files and their descriptions:\r\nFilename | Description\r\nK.dll | Named Stormwind after a directory it creates, it is a DLL-based keylogger that enumerates the system locale and timezone info and sets a global hook to capture keystrokes. It writes keystrokes with timestamps to a log file named log.log under the \\AppData\\Roaming\\Stormwind directory. It watches for killKL.txt under \\AppData\\Local\\Temp\\ReplaceData\\ as the keylogger kill switch.\r\nPythonProxy.py | An IPv4/IPv6-capable Python-based proxy that is able to relay web traffic between the local target system and the remote C2 server. Supports the HTTP methods CONNECT, OPTIONS, GET, HEAD, POST, PUT, DELETE and TRACE.\r\nFtp.py | Local Python-based FTP server listening on port 2121 with the credentials test:test. Creates directory aliases to all existing drives except the floppy drive using Junction.exe (a Sysinternals tool), adds a registry key to accept the EULA (Sysinternals tools prompt for it on first run), then serves the “junctioned” local directories over FTP.\r\nRunner.py | A Python script that takes four arguments: remote SSH server, remote SSH port, remote bind port, and “ftp” or “proxy” as the application option. Depending on that option it runs ftp.py or pythonproxy.py. In both cases the script starts an SSH reverse tunnel to a remote server controlled by the threat actor and uses the tunnel as a SOCKS proxy or as a way to browse the local drives exposed earlier by the local FTP server. If the killrunner.txt file is found in %temp%\\ReplaceData\\, runner.py exits.\r\nJunction.exe | A Sysinternals tool (https://docs.microsoft.com/en-us/sysinternals/downloads/junction). It creates NTFS junction points (aliases); it creates the “\\\\Drives” directory, maps the local drives into it and the FTP server created with ftp.py serves its content.\r\nPlink.exe | Well-known Windows CLI SSH client used for pivoting and tunneling; referenced by Runner.py for reverse tunneling/file copying.\r\nInfrastructure\r\nOne of the distinctive features of Deathstalker is its use of DDRs/web services to host an encoded string that is\r\nlater deciphered by the malware implant. We consistently see YouTube being used as a DDR despite other web\r\nservice links existing in the malware settings and not being used, such as links to Google+, which was\r\ndiscontinued in April 2019.\r\nAn interesting aspect we have noticed recently is the use of unlisted old YouTube links in 2021\r\nintrusions. Historically, an analyst could use search engines and YouTube search features to look up the pattern used\r\nin the respective web services. However, since the threat actor uses unlisted old YouTube links, the likelihood of\r\nfinding the relevant links on YouTube is almost zero. 
This also effectively allows the threat actor to reuse C2\r\ninfrastructure.\r\nInterestingly, old and new Janicab variants still use identical function declarations for the web services (e.g.\r\nYouTubeLinks), and continue to use a constant divider when converting the decimal number retrieved from the DDR into\r\nthe backend C2 IP address. The most recent dividers we have seen in use are 1337 and 5362.\r\nAs for the actual C2 IP addresses, we found that two IP addresses (87.120.254[.]100, 87.120.37[.]68) were hosted\r\nin the same ASN as the C2s used in PowerPepper intrusions (e.g., PowerPepper C2 87.120.37[.]192) and are\r\nbased out of Bulgaria.\r\nThe protocol in use for C2 communication is HTTP with GET/POST methods, and the backend C2 software is\r\nPHP.\r\nIP | Janicab version | ASN\r\n176.223.165[.]196 | 1.3.2 | 47447 TTM – 23M GmbH\r\n87.120.254[.]100 | 1.2.9a | 34224 NETERRA-AS – Neterra Ltd.\r\n87.120.37[.]68 | 1.1.2 | 34224 NETERRA-AS – Neterra Ltd.\r\nJanicab 2021 listing of DDRs\r\nJanicab 2015 listing of DDRs\r\nSample unlisted YouTube DDR used in recent intrusions\r\nWhile assessing one of the C2 servers, we discovered that the threat actor was hosting and calling an ICMP shell\r\nexecutable from victim machines. The ICMP shell tool named icmpxa.exe is based on an old GitHub project. The\r\nthreat actor compiled icmpsh-s.c (MD5 5F1A9913AEC43A61F0B3AD7B529B397E) after changing some of\r\nits content. The uniqueness of this executable (hash and filename) allowed us to pivot and gather other previously\r\nunknown C2 servers used by the threat actor. 
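The DDR resolution step described in this section, as an added example that is not code from the article and not Janicab’s own VBS: the sentence patterns listed in the IoC section are matched against page text, the captured decimal is divided by each known divider (1337 and 5362 from the article) and the quotient is rendered as an IPv4 address. It goes one step beyond the text by treating the divider as a candidate to be verified (a value that does not divide evenly, or that yields a non-routable address, is rejected), which is the check an analyst wants when reversing a new sample. The final conversion from quotient to dotted quad is an assumption; the article names the divider but not that encoding. The sample video description is constructed.

```python
import ipaddress
import re

# Added example, not code from the Securelist article or from Janicab itself.
# It models the YouTube dead-drop-resolver (DDR) step: the implant fetches the
# video page, matches one of the sentence patterns from the IoC section,
# divides the captured decimal by a constant divider (the article names 1337
# and 5362) and uses the quotient as the C2 IPv4 address.
# ASSUMPTION: the quotient is the 32-bit integer form of the dotted quad; the
# article does not spell that last step out.

DDR_PATTERNS = [
    re.compile('Dosen’t matter how long you wait for the bus on a rainy day, '
               '([0-9]+) seconds was enough to get wet'),
    re.compile('This is the ([0-9]+)th time this has happened to me'),
    re.compile('our ([0-9]+)th psy anniversary'),
]
KNOWN_DIVIDERS = (1337, 5362)


def extract_ddr_number(page_text):
    # Return the decimal captured by the first matching DDR pattern, or None.
    for pattern in DDR_PATTERNS:
        match = pattern.search(page_text)
        if match:
            return int(match.group(1))
    return None


def number_to_ip(number, divider):
    # Reverse one divider candidate. A genuine DDR value divides evenly and
    # the quotient fits in 32 bits; anything else is rejected rather than
    # silently truncated, so a wrong divider guess shows up as None.
    if number <= 0 or number % divider != 0:
        return None
    try:
        return str(ipaddress.IPv4Address(number // divider))
    except ipaddress.AddressValueError:
        return None


def resolve_c2(page_text, dividers=KNOWN_DIVIDERS):
    # Try every known divider and keep only globally routable results.
    # Returns a list of (divider, ip) candidates; empty if nothing matched.
    number = extract_ddr_number(page_text)
    if number is None:
        return []
    candidates = []
    for divider in dividers:
        ip = number_to_ip(number, divider)
        if ip is not None and ipaddress.IPv4Address(ip).is_global:
            candidates.append((divider, ip))
    return candidates


def encode_for_ddr(ip, divider):
    # The operator side of the scheme: the value that would be planted in the
    # video description for a given C2 address and divider.
    return int(ipaddress.IPv4Address(ip)) * divider


# Constructed sample of a video description; the number encodes the article’s
# C2 87.120.254[.]100 with divider 1337 (1467547236 * 1337).
SAMPLE_PAGE = (
    'Vacation vlog #3. Dosen’t matter how long you wait for the bus on a '
    'rainy day, 1962110654532 seconds was enough to get wet? More soon.'
)

if __name__ == '__main__':
    print(resolve_c2(SAMPLE_PAGE))   # [(1337, '87.120.254.100')]
```

Run it against the text of a suspected DDR page; if every known divider returns None, the sample most likely carries a new divider constant, which is worth extracting from the VBS before assuming the page is benign.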
Interestingly, we also found that the same ICMP shell executable\r\nwas used previously in PowerPepper intrusions, indicating a potential infrastructure overlap between the two\r\nmalware families.\r\nSince Janicab is a VBS-based malware, C2 commands can be easily derived from the embedded functions. The\r\nmalware uses VBS functions to connect to the C2 server over HTTP GET/POST requests to specific\r\nPHP pages. Each PHP page provides certain functionality. Since the early versions of Janicab, the PHP pages’ file\r\nnames have remained largely the same and indicate the backend/intended function. However, starting from version\r\n1.1.x, the threat actor started shortening the PHP pages’ file names without changing much of the intended\r\nfunction. The table below summarizes the PHP pages, their old naming, and their potential use:\r\nPHP page | Old name | Description\r\nStatus2.php | Status.php | Checks server status\r\na.php | Alive.php | Receives beacon data from the victim\r\n/gid.php?action=add | GenerateID.php?action=add | If this is a new victim, generates a user ID and registers system profile info in the C2 backend, adding the victim to the database\r\nrit.php | ReportIT.php | Records whether a user machine belongs to an IT person after assessing whether the machine trips any of the anti-analysis checks. In old Janicab versions, a message is also sent as (“it guy”)\r\nc.php | GetCLI.php | Provides system commands for execution on the victim machine\r\nrs.php | ReceiveScreenshot.php | Receives screenshot data from the victim\r\nrk.php | ReceiveKl.php | Receives keylogger data from the victim\r\nsm.php | Startup.php?data= | Provides the implant with a suitable method to start its execution flow based on the available security controls\r\nd.php | N/A | Downloads saved files from the C2 to the victim\r\nThe affected entities fall within the traditional sphere of Deathstalker targeting; primarily legal and financial\r\ninvestment management (FSI) institutions. However, we have also recorded a potentially new affected industry –\r\ntravel agencies. The Middle East region and Europe were also seen as typical operating areas for Deathstalker, with\r\nvarying intensity between countries. Interestingly, this is the first time we have noted legal entities in Saudi\r\nArabia being targeted by this group.\r\nThe countries affected by the Janicab intrusions we analyzed are Egypt, Georgia, Saudi Arabia, United Arab\r\nEmirates, and the United Kingdom.\r\nAttribution\r\nWe assess with high confidence that the intrusions discussed in this report are associated with the Deathstalker\r\nthreat actor group. The attribution is based on the use of the new Janicab variant, unique TTPs, victimology, and\r\ninfrastructure used by the threat actor operators. 
Comparative intrusion analysis of Janicab and Powersing\r\nhighlights similarities in several phases of the cyber kill chain.\r\nIn summary:\r\n- Same SID and metadata for LNK droppers used in previous Deathstalker intrusions;\r\n- Similar persistence mechanism between Janicab and Powersing using an LNK in the startup folder;\r\n- Janicab has a similar infection execution flow and uses interpreted-language toolsets such as VBS, VBE, and Python;\r\n- Janicab macOS and Windows versions have Python file naming similar to EVILNUM malware (e.g., runner.py, serial.txt, etc.);\r\nEVILNUM runner.py for file transfer\r\nJanicab 2021 runner.py snippet for file transfer\r\nOld Janicab for macOS runner.py for starting a background service with file transfer capability\r\n- The use of a Python-based toolset and libraries is common across all Deathstalker intrusions using Janicab, Powersing, EVILNUM, and PowerPepper;\r\n- The use of YouTube, among other web services/DDRs, is common across Janicab and Powersing intrusions; the method of calling and parsing YouTube and the other DDRs for the C2 IP address is almost identical in Janicab, Powersing, and EVILNUM;\r\n- The identified C2 IPs fall within ASNs seen previously with PowerPepper intrusions;\r\n- Diverse victimology with a focus on legal and financial institutions, possibly also targeted by other hacker-for-hire threat groups;\r\n- Based on our KTAE similarities engine, the DLL (Stormwind) keylogger being used is over 90% similar to an older variant seen in previous Powersing intrusions;\r\n- Identical code blocks in old/new Janicab and Powersing: virtual machine detection through processes and virtual MAC addresses (the listing order of the MAC addresses is identical between both malware families, and even between the 2015 and 2021 Janicab versions), and almost identical anti-analysis process detection.\r\nJanicab 2021 virtual MAC address listing\r\nPowersing virtual MAC address listing\r\nConclusion\r\nJanicab is the oldest malware family being used by Deathstalker, dating back to 2013, and it is the least publicly\r\nknown, perhaps because the associated operators have higher OPSEC standards in their practices than their\r\ncounterparts operating EVILNUM and Powersing. Despite not much public information being available, the threat\r\nactor has kept developing and updating the malware code, updating the structure of the LNK droppers and\r\nswitching the toolset to maintain stealthiness over a long period of time.\r\nBased on our telemetry, the threat actor remains focused on the Middle East and Europe as its main areas of\r\noperation, and shows a lot of interest in compromising legal and financial institutions. Despite that focus, we have\r\nhistorically seen the threat actor targeting other industries in rare situations; travel agencies are an example of this.\r\nThis once again shows the threat actor is likely a hack-for-hire group with diverse motivations.\r\nSince the threat actor operators continue to use interpreted-language-based malware such as Python, VBE and\r\nVBS across their historical and recent intrusions, and largely within their malware families, defenders can turn this to\r\ntheir advantage: application whitelisting and OS hardening are effective techniques to block the threat\r\nactor’s intrusion attempts. Defenders should also look for Internet Explorer processes running without a GUI, since\r\nJanicab uses IE in hidden mode to communicate with the C2. On the network, the threat actor’s use of a C2 IP\r\naddress instead of domain names remains a prime method of bypassing DNS-based security controls. 
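The network hunt this conclusion recommends, as an added example that is not code from the article: it walks a proxy log, remembers each client’s most recent visit to a dead-drop-resolver host (the youtu.be links from the IoC list), and flags plain HTTP to a bare, globally routable IP address shortly afterwards, recording which of the Janicab PHP page names from the C2 table were requested. The log format (ISO timestamp, client, method, URL), the ten-minute window and the sample log lines are all constructed for this example; nothing here is a format the article describes.

```python
import ipaddress
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Added example, not code from the article. It implements the hunt suggested
# in the Conclusion: a visit to a dead-drop resolver followed shortly by HTTP
# to a bare IP address, with the Janicab PHP page names from the C2 table used
# as a confidence booster rather than a requirement.
# ASSUMPTIONS: the proxy log format below (ISO timestamp, client IP, method,
# URL) is constructed for this example, and the 10-minute window is a tuning
# choice, not something the article states.

DDR_HOSTS = {'youtu.be', 'www.youtube.com', 'youtube.com'}
JANICAB_PAGES = {'status2.php', 'a.php', 'gid.php', 'rit.php', 'c.php',
                 'rs.php', 'rk.php', 'sm.php', 'd.php'}
WINDOW = timedelta(minutes=10)


def parse_line(line):
    # One record per line: <timestamp> <client> <method> <url>
    ts, client, method, url = line.split(' ', 3)
    parts = urlsplit(url)
    return {
        'ts': datetime.fromisoformat(ts),
        'client': client,
        'method': method,
        'scheme': parts.scheme,
        'host': parts.hostname or '',
        'path': parts.path,
    }


def is_bare_public_ip(host):
    # True when the URL host is an IP literal outside private/reserved space,
    # i.e. a connection that never touched DNS.
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False
    return addr.is_global


def hunt_ddr_then_ip(log_text):
    # Returns one finding per (client, C2 IP) pair: the DDR URL that preceded
    # the bare-IP traffic and the Janicab page names that were requested.
    records = [parse_line(line) for line in log_text.splitlines() if line.strip()]
    records.sort(key=lambda r: r['ts'])
    last_ddr = {}      # client -> most recent DDR record
    findings = {}
    for rec in records:
        if rec['host'] in DDR_HOSTS:
            last_ddr[rec['client']] = rec
            continue
        ddr = last_ddr.get(rec['client'])
        if ddr is None or rec['ts'] - ddr['ts'] > WINDOW:
            continue
        if rec['scheme'] not in ('http', 'https'):
            continue
        if not is_bare_public_ip(rec['host']):
            continue
        key = (rec['client'], rec['host'])
        finding = findings.setdefault(key, {
            'client': rec['client'], 'c2': rec['host'],
            'ddr': ddr['host'] + ddr['path'], 'pages': set(),
        })
        page = rec['path'].rsplit('/', 1)[-1].lower()
        if page in JANICAB_PAGES:
            finding['pages'].add(page)
    return list(findings.values())


# Constructed proxy log. Host 10.0.0.15 shows the Janicab sequence with the
# article’s DDR and C2; 10.0.0.22 is benign browsing plus a local printer.
SAMPLE_LOG = '''
2021-03-02T09:14:05 10.0.0.15 GET https://youtu.be/AApRxqOjLs4
2021-03-02T09:14:09 10.0.0.15 GET http://87.120.254.100/status2.php
2021-03-02T09:14:10 10.0.0.15 POST http://87.120.254.100/gid.php?action=add
2021-03-02T09:15:40 10.0.0.15 POST http://87.120.254.100/a.php
2021-03-02T09:16:02 10.0.0.15 GET http://87.120.254.100/d/icmpxa.exe
2021-03-02T09:20:00 10.0.0.22 GET https://www.youtube.com/watch?v=abc123
2021-03-02T09:20:30 10.0.0.22 GET http://10.0.0.9/status
2021-03-02T09:21:00 10.0.0.22 GET https://example.com/
'''

if __name__ == '__main__':
    for f in hunt_ddr_then_ip(SAMPLE_LOG):
        print(f['client'], '->', f['c2'], 'via', f['ddr'], sorted(f['pages']))
```

A bare public IP after a YouTube visit is not malicious on its own (CDNs and update services do it too), so treat an empty pages set as low confidence and a hit on the Janicab page names as the trigger for pulling the host’s process list and looking for the hidden Internet Explorer instance the article mentions.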
Instead, the\r\nthreat actor is still using DDRs as the method to resolve the C2 IP address: an alternative to DNS\r\nresolution that uses authentic, mostly allowed, public web services so that C2 communication blends in with\r\nlegitimate traffic. This means network defenders can look for frequent visits to the DDR used, followed by HTTP\r\nsessions pointing to IP addresses instead of domain names.\r\nOutlook\r\nAs legal and financial institutions are a common target for this threat actor, we decided to provide a couple of\r\nhypotheses on the potential intent of the adversary (customer/operator). Perhaps it gives potential future\r\nvictims who fall within the affected industries a head start in proactively preparing for such intrusions and/or\r\nupdating their threat model.\r\nSummary of hypotheses for potential intent:\r\nH1: legal dispute that involves VIPs\r\nH2: legal dispute that involves financial assets\r\nH3: blackmailing VIPs\r\nH4: tracking financial assets of/for VIPs\r\nH5: competitive/business intelligence for medium/large companies\r\nH6: intelligence on medium/large mergers and acquisitions\r\nHow to protect your organization against this threat\r\nThe detection logic has been improved in all our solutions to ensure that our customers remain protected. We\r\ncontinue to investigate this attack using our Threat Intelligence and we will add additional detection logic once\r\nit is required.\r\nOur products protect against this threat and detect it with the following names:\r\nHEUR:Trojan.WinLNK.Agent.gen\r\nTrojan.Win32.Agentb.jygp\r\nnot-a-virus:HEUR:RiskTool.Win32.Screenshot.gen\r\nTrojan.Win32.Agent.xadvpb\r\nHEUR:Hacktool.Win32.ICMPShell.gen\r\nIndicators of Compromise\r\nNote: We provide an incomplete list of IoCs here that are valid at the time of publication. 
A full IoC list is\r\navailable in our private report.\r\nFile hashes\r\nJanicab\r\nPost exploitation\r\nDDR Patterns\r\n“Dosen’t (typo by threat actor) matter how long you wait for the bus on a rainy day, (.*) seconds was\r\nenough to get wet?”\r\n“This is the (.*)th time this has happened to me”\r\n“our (.*)th psy anniversary”\r\nDomains and IPs\r\n176.223.165[.]196\r\n87.120.254[.]100\r\n87.120.37[.]68\r\nURLs\r\nhxxp://\u003cC2_ip_address\u003e/d/icmpxa.exe | ICMPShell\r\nhxxp://\u003cC2_ip_address\u003e/d/unrar.exe | rar tool\r\nhxxp://\u003cC2_ip_address\u003e/d/procdump.exe | Sysinternals procdump\r\nhxxp://\u003cC2_ip_address\u003e/d/Rar.exe | rar tool\r\nhxxp://\u003cC2_ip_address\u003e:8080/api/icmp_kaspersky/icmpxa.exe | ICMPShell\r\nhxxp://\u003cC2_ip_address\u003e:8080/api/icmpxa.exe | ICMPShell\r\nDead-drop resolvers\r\nhxxps[://]youtu[.]be/AApRxqOjLs4\r\nhxxps[://]youtu[.]be/Tn7L5RyRAlM\r\nhxxps[://]youtu[.]be/aZRJQdwN4-g\r\nSource: https://securelist.com/deathstalker-targets-legal-entities-with-new-janicab-variant/108131/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://securelist.com/deathstalker-targets-legal-entities-with-new-janicab-variant/108131/"
	],
	"report_names": [
		"108131"
	],
	"threat_actors": [
		{
			"id": "059b16f8-d4e0-4399-9add-18101a2fd298",
			"created_at": "2022-10-25T15:50:23.29434Z",
			"updated_at": "2026-04-10T02:00:05.380938Z",
			"deleted_at": null,
			"main_name": "Evilnum",
			"aliases": [
				"Evilnum"
			],
			"source_name": "MITRE:Evilnum",
			"tools": [
				"More_eggs",
				"EVILNUM",
				"LaZagne"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f7aa6029-2b01-4eee-8fe6-287330e087c9",
			"created_at": "2022-10-25T16:07:23.536763Z",
			"updated_at": "2026-04-10T02:00:04.646542Z",
			"deleted_at": null,
			"main_name": "Deceptikons",
			"aliases": [
				"DeathStalker",
				"Deceptikons"
			],
			"source_name": "ETDA:Deceptikons",
			"tools": [
				"EVILNUM",
				"Evilnum",
				"Janicab",
				"PowerPepper",
				"Powersing",
				"VileRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "8ce861d7-7fbd-4d9c-a211-367c118bfdbd",
			"created_at": "2023-01-06T13:46:39.153487Z",
			"updated_at": "2026-04-10T02:00:03.232006Z",
			"deleted_at": null,
			"main_name": "Evilnum",
			"aliases": [
				"EvilNum",
				"Jointworm",
				"KNOCKOUT SPIDER",
				"DeathStalker",
				"TA4563"
			],
			"source_name": "MISPGALAXY:Evilnum",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "39ea99fb-1704-445d-b5cd-81e7c99d6012",
			"created_at": "2022-10-25T16:07:23.601894Z",
			"updated_at": "2026-04-10T02:00:04.684134Z",
			"deleted_at": null,
			"main_name": "Evilnum",
			"aliases": [
				"G0120",
				"Jointworm",
				"Operation Phantom in the [Command] Shell",
				"TA4563"
			],
			"source_name": "ETDA:Evilnum",
			"tools": [
				"Bypass-UAC",
				"Cardinal RAT",
				"ChromeCookiesView",
				"EVILNUM",
				"Evilnum",
				"IronPython",
				"LaZagne",
				"MailPassView",
				"More_eggs",
				"ProduKey",
				"PyVil",
				"PyVil RAT",
				"SONE",
				"SpicyOmelette",
				"StealerOne",
				"Taurus Loader Stealer Module",
				"Taurus Loader TeamViewer Module",
				"Terra Loader",
				"TerraPreter",
				"TerraStealer",
				"TerraTV"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434372,
	"ts_updated_at": 1775826686,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/26ece7ef66cebd696bc7b333f2296d36d3dfb343.pdf",
		"text": "https://archive.orkl.eu/26ece7ef66cebd696bc7b333f2296d36d3dfb343.txt",
		"img": "https://archive.orkl.eu/26ece7ef66cebd696bc7b333f2296d36d3dfb343.jpg"
	}
}