{
	"id": "936e2dac-71e0-4d5d-b0bf-4a30a3e99855",
	"created_at": "2026-04-06T00:17:19.266744Z",
	"updated_at": "2026-04-10T03:21:09.244043Z",
	"deleted_at": null,
	"sha1_hash": "5ff2ae12b17e38eeda3bfd320839aec594010a5b",
	"title": "EvilExtractor – All-in-One Stealer | FortiGuard Labs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 4612474,
	"plain_text": "EvilExtractor – All-in-One Stealer | FortiGuard Labs\r\nBy Cara Lin\r\nPublished: 2023-04-20 · Archived: 2026-04-05 14:15:18 UTC\r\nAffected platforms: Windows\r\nImpacted parties: Any organization\r\nImpact: Controls victim’s device and collects sensitive information\r\nSeverity level: Critical\r\nEvilExtractor (sometimes spelled Evil Extractor) is an attack tool designed to target Windows operating systems and extract data and files from endpoint devices. It includes several modules that all work via an FTP service. It was developed by a company named Kodex, which claims it is an educational tool. However, research conducted by FortiGuard Labs shows cybercriminals are actively using it as an info stealer.\r\nBased on our traffic source data to the host, evilextractor[.]com, malicious activity increased significantly in March 2023. FortiGuard Labs observed this malware in a phishing email campaign on 30 March, which we traced back to the samples included in this blog. It usually pretends to be a legitimate file, such as an Adobe PDF or Dropbox file, but once loaded, it begins to run malicious PowerShell activity. It also contains environment checking and Anti-VM functions. Its primary purpose seems to be to steal browser data and information from compromised endpoints and then upload it to the attacker’s FTP server.\r\nWe recently reviewed a version of the malware that was injected into a victim’s system and, as part of that analysis, identified that most of its victims are located in Europe and America. The developer released its project in October 2022 (Figure 1) and has kept updating it to increase its stability and strengthen its modules.\r\nThis article will examine the initial attack method used to deliver EvilExtractor and its functions.\r\nhttps://www.fortinet.com/blog/threat-research/evil-extractor-all-in-one-stealer\r\nPage 1 of 13\n\nFigure 1. 
EvilExtractor for sale on the web\r\nInitial Access\r\nThe phishing email with the malicious attachment is shown in Figure 2. It is disguised as an account confirmation request. The attacker also tricks the victim by using an Adobe PDF icon for the decompressed file. The PE header is shown in Figure 3.\r\nFigure 2. The phishing email\r\nFigure 3. File header of \"Account_Info.exe\"\r\nThe execution file is a Python program packaged by PyInstaller. We extracted it with pyinstxtractor and found the “PYARMOR” string in its main code file “contain.pyc”, shown in Figure 4. PyArmor is an obfuscation tool for Python scripts that makes the malware harder to analyze and detect. We extracted the key and IV from _pytransform.dll and decrypted “contain.pyc” using AES-GCM.\r\nFigure 4. Code in \"contain.pyc\"\r\nIn addition to the Python program, we observed a .NET loader that can extract EvilExtractor. Figure 5 shows part of the code. It contains Base64-encoded data, which is a PowerShell script. This execution file is generated from the tool “PS2EXE-GUI”, which can convert PowerShell scripts to EXE files.\r\nFigure 5. .NET code for EvilExtractor\r\nEvilExtractor\r\nAfter decrypting the pyc file, we get the primary code of EvilExtractor. It is a PowerShell script that contains the following modules:\r\nDate time checking\r\nAnti-Sandbox\r\nAnti-VM\r\nAnti-Scanner\r\nFTP server setting\r\nSteal data\r\nUpload stolen data\r\nClear log\r\nIt first checks whether the system’s date is between 2022-11-09 and 2023-04-12. 
If not, it uses the following command to delete the data in PSReadline and terminate:\r\nDEL \\\"$env:APPDATA\\Microsoft\\Windows\\PowerShell\\PSReadline\\*\\\" -Force -Recurse\r\nIt then compares the product model to see if it matches any of the following: VirtualBox, VMWare, Hyper-V, Parallels, Oracle VM VirtualBox, Citrix Hypervisor, QEMU, KVM, Proxmox VE, or Docker, as shown in Figure 6. It also checks the victim’s hostname against a list of 187 hostnames belonging to VirusTotal machines or other scanner/virtual machines, as shown in Figure 7.\r\nFigure 6. EvilExtractor comparing product model for match\r\nFigure 7. Virtual environment and scanner/virtual machine checking\r\nAfter passing the environment check, EvilExtractor downloads three components from http://193[.]42[.]33[.]232 that are used for stealing data. These files are also Python programs that are obfuscated using PyArmor. The first is “KK2023.zip”, which is used for stealing browser data and saving it in the folder “IMP_Data”. It can extract cookies from Google Chrome, Microsoft Edge, Opera, and Firefox. It also collects browser history and passwords from the following browsers:\r\nThe second file is “Confirm.zip”. It is a key logger that saves data in the “KeyLogs” folder. The last file, “MnMs.zip”, is a webcam extractor. Its corresponding code is shown in Figure 8.\r\nFigure 8. Download components for the Keylogger and Webcam Snapshot functions\r\nEvilExtractor also collects system information by PowerShell script, shown in Figure 9. Figure 10 shows the concatenated data in a text file called “Credentials.txt”.\r\nFigure 9. 
PowerShell script for collecting system information\r\nFigure 10. Content of “Credentials.txt”\r\nEvilExtractor downloads files with specific extensions from the Desktop and Download folders, including jpg, png, jpeg, mp4, mpeg, mp3, avi, txt, rtf, xlsx, docx, pptx, pdf, rar, zip, 7z, csv, xml, and html. It also uses the command “CopyFromScreen” to capture a screenshot. The code is shown in Figure 11.\r\nFigure 11. Downloading files and getting a screenshot\r\nAfter EvilExtractor extracts all the data from the compromised endpoint, it uploads it to the attacker’s FTP server, shown in Figure 12. The developer of EvilExtractor also provides an FTP server for those who purchase its malware.\r\nFigure 12. Upload file to attacker’s FTP server\r\nKodex Ransomware\r\nEvilExtractor also has a ransomware function. It is called “Kodex Ransomware”, as shown in Figure 13. We extracted this PowerShell script from the .NET loader mentioned in the previous section, and the script for its ransomware is similar to the one for its stealer.\r\nFigure 13. Introduction from evilextractor[.]com\r\nIt downloads “zzyy.zip” from evilextractor[.]com. Details of the unzipped file, a 7-Zip standalone console, are shown in Figure 14. Figure 15 shows it leverages “7za.exe” to encrypt files with the parameter “-p”, which means zipping files with a password. It also generates a ransom-demanding message saved in “KodexRansom”, shown in Figure 16.\r\nFigure 14. 
File in \"zzyy.zip\"\r\nFigure 15. PowerShell script for Kodex Ransomware\r\nFigure 16. Kodex ransomware's note\r\nConclusion\r\nEvilExtractor is being used as a comprehensive info stealer with multiple malicious features, including ransomware. Its PowerShell script can elude detection when wrapped in a .NET loader or obfuscated with PyArmor. Within a very short time, its developer has updated several functions and increased its stability. This blog explains how threat actors launch an attack via phishing mail and what files are leveraged to extract the EvilExtractor PowerShell script. We also detailed what functions are included, what data can be collected by EvilExtractor, and how the Kodex Ransomware works. Users should be aware of this new info stealer and continue to be cautious about suspicious mail.\r\nFigure 17. Attack Chain\r\nFortinet Protections\r\nThe malware described in this report is detected and blocked by FortiGuard Antivirus as:\r\nW32/EvilExtractor.A!tr\r\nW32/Infostealer.A!tr\r\nW32/Keylogger.A!tr\r\nThe FortiGuard AntiVirus service is supported by FortiGate, FortiMail, FortiClient, and FortiEDR, and the Fortinet AntiVirus engine is a part of each of those solutions. 
Customers running current AntiVirus updates are protected.\r\nThe FortiGuard Web Filtering Service blocks the malicious URL and IP address.\r\nIf you think this or any other cybersecurity threat has impacted your organization, contact our Global FortiGuard Incident Response Team.\r\nIOCs\r\nIP Address:\r\n45[.]87[.]81[.]184\r\n193[.]42[.]33[.]232\r\nFiles:\r\nSource: https://www.fortinet.com/blog/threat-research/evil-extractor-all-in-one-stealer",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.fortinet.com/blog/threat-research/evil-extractor-all-in-one-stealer"
	],
	"report_names": [
		"evil-extractor-all-in-one-stealer"
	],
	"threat_actors": [],
	"ts_created_at": 1775434639,
	"ts_updated_at": 1775791269,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5ff2ae12b17e38eeda3bfd320839aec594010a5b.pdf",
		"text": "https://archive.orkl.eu/5ff2ae12b17e38eeda3bfd320839aec594010a5b.txt",
		"img": "https://archive.orkl.eu/5ff2ae12b17e38eeda3bfd320839aec594010a5b.jpg"
	}
}