{ "id": "e6ec8ead-9508-45c3-827b-afc61fdcc1de", "created_at": "2026-04-06T00:22:16.669913Z", "updated_at": "2026-04-10T03:34:23.562586Z", "deleted_at": null, "sha1_hash": "365582f4dd90e8fdd94e7add55f10f01a04e2f79", "title": "PyVil RAT - Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 48963, "plain_text": "PyVil RAT - Threat Group Cards: A Threat Actor Encyclopedia\r\nArchived: 2026-04-02 12:15:14 UTC\r\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool PyVil RAT\r\n Tool: PyVil RAT\r\nNames\r\nPyVil RAT\r\nPyVil\r\nCategory Malware\r\nType\r\nReconnaissance, Backdoor, Info stealer, Credential stealer, Keylogger, Downloader,\r\nExfiltration\r\nDescription\r\n(Cybereason) PyVil RAT possesses different functionalities, and enables the attackers to\r\nexfiltrate data, perform keylogging and the taking of screenshots, and the deployment of\r\nmore tools such as LaZagne in order to steal credentials.\r\nThe PyVil RAT has several functionalities including:\r\n• Keylogger\r\n• Running cmd commands\r\n• Taking screenshots\r\n• Downloading more Python scripts for additional functionality\r\n• Dropping and uploading executables\r\n• Opening an SSH shell\r\n• Collecting information such as:\r\no Anti-virus products installed\r\no USB devices connected\r\no Chrome version\r\nInformation \u003chttps://www.cybereason.com/blog/no-rest-for-the-wicked-evilnum-unleashes-pyvil-rat\u003e\r\nMalpedia \u003chttps://malpedia.caad.fkie.fraunhofer.de/details/py.pyvil\u003e\r\nAlienVault OTX \u003chttps://otx.alienvault.com/browse/pulses?q=tag:PyVil%20RAT\u003e\r\nLast change to this tool card: 28 December 2022\r\nDownload this tool card in JSON format\r\nAll groups using tool PyVil RAT\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=d1f93996-93c1-43a8-9893-2d2735fa1023\r\nPage 1 of 2\n\nChanged Name Country Observed\r\nAPT groups\r\n  Evilnum [Unknown] 2018-2022  \r\n1 group listed (1 APT, 0 other, 0 unknown)\r\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=d1f93996-93c1-43a8-9893-2d2735fa1023\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=d1f93996-93c1-43a8-9893-2d2735fa1023\r\nPage 2 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=d1f93996-93c1-43a8-9893-2d2735fa1023" ], "report_names": [ "listgroups.cgi?u=d1f93996-93c1-43a8-9893-2d2735fa1023" ], "threat_actors": [ { "id": "059b16f8-d4e0-4399-9add-18101a2fd298", "created_at": "2022-10-25T15:50:23.29434Z", "updated_at": "2026-04-10T02:00:05.380938Z", "deleted_at": null, "main_name": "Evilnum", "aliases": [ "Evilnum" ], "source_name": "MITRE:Evilnum", "tools": [ "More_eggs", "EVILNUM", "LaZagne" ], "source_id": "MITRE", "reports": null }, { "id": "8ce861d7-7fbd-4d9c-a211-367c118bfdbd", "created_at": "2023-01-06T13:46:39.153487Z", "updated_at": "2026-04-10T02:00:03.232006Z", "deleted_at": null, "main_name": "Evilnum", "aliases": [ "EvilNum", "Jointworm", "KNOCKOUT SPIDER", "DeathStalker", "TA4563" ], "source_name": "MISPGALAXY:Evilnum", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "39ea99fb-1704-445d-b5cd-81e7c99d6012", "created_at": "2022-10-25T16:07:23.601894Z", "updated_at": "2026-04-10T02:00:04.684134Z", "deleted_at": null, "main_name": "Evilnum", "aliases": [ "G0120", "Jointworm", "Operation Phantom in the [Command] Shell", "TA4563" ], "source_name": "ETDA:Evilnum", "tools": [ "Bypass-UAC", "Cardinal RAT", "ChromeCookiesView", "EVILNUM", "Evilnum", "IronPython", "LaZagne", "MailPassView", "More_eggs", "ProduKey", "PyVil", "PyVil RAT", "SONE", "SpicyOmelette", "StealerOne", "Taurus Loader Stealer Module", "Taurus Loader TeamViewer Module", "Terra Loader", "TerraPreter", "TerraStealer", "TerraTV" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434936, "ts_updated_at": 1775792063, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/365582f4dd90e8fdd94e7add55f10f01a04e2f79.pdf", "text": "https://archive.orkl.eu/365582f4dd90e8fdd94e7add55f10f01a04e2f79.txt", "img": "https://archive.orkl.eu/365582f4dd90e8fdd94e7add55f10f01a04e2f79.jpg" } }