{
	"id": "d9768815-f3cb-4434-8fea-1c45c0a0a9bb",
	"created_at": "2026-04-06T00:11:55.644152Z",
	"updated_at": "2026-04-10T03:34:23.526819Z",
	"deleted_at": null,
	"sha1_hash": "5e1d21199db8a6bc3719592317723f165ecce9a1",
	"title": "Rewterz Threat Alert – Evilnum APT Group - Active IOCs - Rewterz",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 142829,
	"plain_text": "Rewterz Threat Alert – Evilnum APT Group - Active IOCs -\r\nRewterz\r\nPublished: 2022-06-30 · Archived: 2026-04-05 18:13:50 UTC\r\nSeverity\r\nHigh\r\nAnalysis Summary\r\nAPT group Evilnum aka Jointworm has been seen targeting the financial sector with malicious emails. The group,\r\nfirst seen in 2018 with the motivation of information theft and espionage, has been active recently in an attempt to\r\nrob users of their credentials and obtain sensitive information for their gain. The Evilnum APT group has mostly\r\ntargeted the FinTech (financial services) sector, particularly those in the UK and Europe that deal with trading and\r\ncompliance. However, in March 2022, the group targeted intergovernmental organizations that offer assistance\r\nrelated to international migration.\r\nEVILNUM is a JavaScript-based malware family. A heavily obfuscated JavaScript was used in recent campaigns\r\nfor dropping the payloads and decryption. Compared to previous versions used by EvilNum APT, this JavaScript\r\nhas significant improvements in the obfuscation technique. 
\r\nhttps://www.rewterz.com/rewterz-news/rewterz-threat-alert-evilnum-apt-group-active-iocs-7\r\nPage 1 of 3\n\nImpact\r\nExposure of Sensitive Data\r\nInformation Theft and Espionage\r\nIndicators of Compromise\r\nDomain Name\r\ntravinfor[.]com\r\nwebinfors[.]com\r\nkhnga[.]com\r\nnetwebsoc[.]com\r\ninfcloudnet[.]com\r\nbgamifieder[.]com\r\nbunflun[.]com\r\nrefinance-ltd[.]com\r\nbook-advp[.]com\r\nMD5\r\n0b4f0ead0482582f7a98362dbf18c219\r\n4406d7271b00328218723b0a89fb953b\r\n61776b209b01d62565e148585fda1954\r\n6d329140fb53a3078666e17c249ce112\r\ndb0866289dfded1174941880af94296f\r\nf0d3cff26b419aff4acfede637f6d3a2\r\n79157a3117b8d64571f60fe62c19bf17\r\nSHA-256\r\nf0e89639e3796a7b7d5ced50e84d770753e72885df7413cd5204a41b1fd6cfbe\r\n4ad43986f7130d8d1a40f0377e0c1ada1115fae3e972b339f728d0e794b4a20f\r\n531e1e4e076fc0e5a792b60bd138209105f22b2e7b9818aff5efc0ff9f616917\r\n78c6c33ebb8d5311c85c58817a1cce7bd126aa9457155962e7d5d2ffcc74c805\r\nc4cedf78bf239c28e49e43a21c723ec66ffaca48a7b2c4767f73437325c7cc0d\r\nbb975fed53a9fa18a4234b90ffbd489429ea03a91245dad030fe4053f465ec28\r\n29f5aba55197172be28be0fabe2bd9d89ccff73393dc10fd8f2f6bd74287af7e\r\nSHA-1\r\n75c0a948fc341177d0da16da19407bd41da183a5\r\n9172ef18ad1d0e5aa0e947321dbd2ed38bd7755d\r\n49b65b553ad506ce6fb20b84468a543208aa0691\r\nhttps://www.rewterz.com/rewterz-news/rewterz-threat-alert-evilnum-apt-group-active-iocs-7\r\nPage 2 of 3\n\n7ebcc05d39ff25ad7814ed2ad081b7e8ec5a5003\r\n9d692fc1ee6ea146d70d6bb307e3c0fed6c5bd24\r\naf6ee983a8e085fec67b19bfa3a0a042658a3740\r\n038dae3c3d738a5a2da3650cbf1dbfac8655f004\r\nRemediation\r\nSearch for IOCs in your environment.\r\nBlock all threat indications at their respective controls.\r\nSource: https://www.rewterz.com/rewterz-news/rewterz-threat-alert-evilnum-apt-group-active-iocs-7\r\nhttps://www.rewterz.com/rewterz-news/rewterz-threat-alert-evilnum-apt-group-active-iocs-7\r\nPage 3 of 3",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://www.rewterz.com/rewterz-news/rewterz-threat-alert-evilnum-apt-group-active-iocs-7"
	],
	"report_names": [
		"rewterz-threat-alert-evilnum-apt-group-active-iocs-7"
	],
	"threat_actors": [
		{
			"id": "059b16f8-d4e0-4399-9add-18101a2fd298",
			"created_at": "2022-10-25T15:50:23.29434Z",
			"updated_at": "2026-04-10T02:00:05.380938Z",
			"deleted_at": null,
			"main_name": "Evilnum",
			"aliases": [
				"Evilnum"
			],
			"source_name": "MITRE:Evilnum",
			"tools": [
				"More_eggs",
				"EVILNUM",
				"LaZagne"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "8ce861d7-7fbd-4d9c-a211-367c118bfdbd",
			"created_at": "2023-01-06T13:46:39.153487Z",
			"updated_at": "2026-04-10T02:00:03.232006Z",
			"deleted_at": null,
			"main_name": "Evilnum",
			"aliases": [
				"EvilNum",
				"Jointworm",
				"KNOCKOUT SPIDER",
				"DeathStalker",
				"TA4563"
			],
			"source_name": "MISPGALAXY:Evilnum",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "39ea99fb-1704-445d-b5cd-81e7c99d6012",
			"created_at": "2022-10-25T16:07:23.601894Z",
			"updated_at": "2026-04-10T02:00:04.684134Z",
			"deleted_at": null,
			"main_name": "Evilnum",
			"aliases": [
				"G0120",
				"Jointworm",
				"Operation Phantom in the [Command] Shell",
				"TA4563"
			],
			"source_name": "ETDA:Evilnum",
			"tools": [
				"Bypass-UAC",
				"Cardinal RAT",
				"ChromeCookiesView",
				"EVILNUM",
				"Evilnum",
				"IronPython",
				"LaZagne",
				"MailPassView",
				"More_eggs",
				"ProduKey",
				"PyVil",
				"PyVil RAT",
				"SONE",
				"SpicyOmelette",
				"StealerOne",
				"Taurus Loader Stealer Module",
				"Taurus Loader TeamViewer Module",
				"Terra Loader",
				"TerraPreter",
				"TerraStealer",
				"TerraTV"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434315,
	"ts_updated_at": 1775792063,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5e1d21199db8a6bc3719592317723f165ecce9a1.pdf",
		"text": "https://archive.orkl.eu/5e1d21199db8a6bc3719592317723f165ecce9a1.txt",
		"img": "https://archive.orkl.eu/5e1d21199db8a6bc3719592317723f165ecce9a1.jpg"
	}
}