{
	"id": "989c4c7f-8215-4727-ba3a-83175c23de42",
	"created_at": "2026-04-06T00:09:07.019663Z",
	"updated_at": "2026-04-10T03:34:23.570656Z",
	"deleted_at": null,
	"sha1_hash": "611e8a04fc3fb54fb5b6f6a2da37885a6672dd5e",
	"title": "What did DeathStalker hide between two ferns?",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1580924,
	"plain_text": "What did DeathStalker hide between two ferns?\r\nBy Pierre Delcher\r\nPublished: 2020-12-03 · Archived: 2026-04-02 11:12:19 UTC\r\nDeathStalker is a threat actor that’s been active since at least 2012, and we exposed most of their past activities in\r\na previous article, as well as during a GREAT Ideas conference in August 2020. The actor drew our attention in\r\n2018 because of distinctive attack characteristics that didn’t fit in with the usual cybercrime or state-sponsored\r\nactivities, leading us to believe DeathStalker is a hack-for-hire group.\r\nDeathStalker has leveraged several malware strains and delivery chains over the years, from the Python- and\r\nVisualBasic-based Janicab to the PowerShell-based Powersing and the JavaScript-based Evilnum. The actor\r\nconsistently used what we call “dead-drop resolvers” (DDRs), which are obfuscated content hosted on major public\r\nweb services like YouTube, Twitter or Reddit; once decoded by malware this content reveals a command-and-control (C2) server address. DeathStalker also consistently leveraged anti-detection and antivirus evasion\r\ntechniques, as well as intricate delivery chains that drop lots of files to the target’s filesystems. To kick-start an\r\ninfection, DeathStalker usually relies on spear-phishing emails with attachments, or links to public file sharing\r\nservices, as well as script execution based on Windows shortcuts. We have identified how DeathStalker’s malware\r\ncompromises in clusters or targets various types of entities in all parts of the world, with a possible focus on law\r\nand consultancy offices, as well as FINTECH companies, but without a clearly identifiable or consistent interest.\r\nThe targeting does not seem to be politically or strategically defined and doesn’t appear to be the usual financially\r\nmotivated crime. Because of this, we conclude that DeathStalker is a cyber-mercenary organization.\r\nWhile tracking DeathStalker’s Powersing-based activities in May 2020, we detected a previously unknown\r\nimplant that leveraged DNS over HTTPS as a C2 channel, as well as parts of its delivery chain. We named this\r\nnew malware PowerPepper. We first spotted a variant of PowerPepper in the wild in mid-July 2020, dropped from\r\na Word document that had been submitted on a public multiscanner service. Since then, the PowerPepper implant\r\nand the associated delivery chain have been continuously operating and developing.\r\nMeet PowerPepper: the spicy implant that your bland scripts setup needed\r\nPowerPepper implant\r\nPowerPepper is a Windows in-memory PowerShell backdoor that can execute remotely sent shell commands. In\r\nstrict accordance with DeathStalker’s traditions, the implant will try to evade detection or sandbox execution\r\nwith various tricks such as detecting mouse movements, filtering the client’s MAC addresses, and adapting its\r\nexecution flow depending on detected antivirus products.\r\nhttps://securelist.com/what-did-deathstalker-hide-between-two-ferns/99616/\r\nPage 1 of 14\n\nThe implant’s C2 logic stands out, as it is based on communications via DNS over HTTPS (DoH), using\r\nCloudFlare responders. PowerPepper first tries to leverage Microsoft’s Excel as a Web client to send DoH requests\r\nto a C2 server, but will fall back to PowerShell’s standard web client, and ultimately to regular DNS\r\ncommunications, if messages cannot get through.\r\nC2 communications content between the implant and servers is encrypted. We noticed that PowerPepper and the\r\npreviously described Powersing use an almost identical PowerShell implementation of AES encryption, with only\r\nthe AES padding mode and a function input format being changed.\r\nPowerPepper DNS command and control\r\nPowerPepper regularly polls a C2 server for commands to execute. In order to do so, the implant sends TXT-type\r\nDNS requests (with DoH or plain DNS requests if the former fails) to the name servers (NS) that are associated\r\nwith a malicious C2 domain name. If the target which runs the implant is validated (we cover that later), the server\r\nreplies with a DNS response, embedding an encrypted command. Both requests and responses contain patterns\r\nthat can be easily detected with network intrusion detection systems, but the patterns have been changed across\r\nimplant variants.\r\nThe command execution results are sent back to the server through a batch of variable-length A-type DNS\r\nrequests, where queried hostnames contain an identifier, data length, and encrypted data.\r\n# Command result feedback initialization DNS request hostname:\r\n\u003cidentifier\u003e.be.0.0.1.0.0.0.0.\u003cdomain\u003e\r\n# Command result feedback data slices DNS requests hostnames:\r\n\u003cidentifier\u003e.ef.1.0.1.3.BDA2ADBE3C79C9EF6630.DDD4B8D4504FEC348C9C.2F53BFB60C1890585CF7.\u003cdomain\u003e\r\n\u003cidentifier\u003e.ef.2.0.1.3.72DE8DDB802C4829B2DE.40CB7163E83DE0B4A002.6B6C2E555A931721A525.\u003cdomain\u003e\r\n\u003cidentifier\u003e.ef.3.0.1.2.1699380DBABAB113D32B.7869501E5FEDD524304B.0.\u003cdomain\u003e\r\n# Command result feedback termination DNS request hostname:\r\n\u003cidentifier\u003e.ca.4.0.1.00.0.0.0.\u003cdomain\u003e\r\nDuring the course of our investigations, we noticed that the PowerPepper C2 name servers were actually open\r\nDNS resolvers that always resolved arbitrary hostnames with the same IP addresses: 128.49.4.4 (a US Navy-owned server), 91.214.6.100 and 91.214.6.101 (HSBC UK-owned servers). Using this fact and historical reverse\r\nDNS resolutions data, we have been able to preemptively identify the PowerPepper C2 domains.\r\nPowerPepper signaling and target validation\r\nOn top of the DNS C2 communication logic, PowerPepper also signals successful implant startup and execution\r\nflow errors to a Python backend, through HTTPS. Such signaling enables target validation and implant execution\r\nlogging, while preventing researchers from interacting further with the PowerPepper malicious C2 name servers.\r\nIt has also been used directly from some of the malicious documents that were involved in PowerPepper delivery,\r\nthrough the “Links to Files” feature in Office documents.\r\nThe signaling Python backends were hosted on a public and legitimate content hosting web service named\r\nPythonAnywhere that allows users to build websites. The discovered Python backend endpoints were shut down\r\nby PythonAnywhere in coordination with us. As a result, DeathStalker tried to adapt the signaling feature by\r\nremoving it from most PowerPepper delivery documents (but keeping it in the implant itself), and by adding a\r\nlegitimate but compromised WordPress website as a reverse-proxy between implants and backends.\r\nPowerPepper delivery chains: a surprising journey into mercenary tricks, from\r\nRussian dolls to plant-covered steganography\r\nThe macro-based delivery chain: when you are way too much into this whole Russian dolls idea\r\nThe first type of PowerPepper delivery (or infection) chain we encountered, back in July 2020, is based on a\r\nmalicious Word document. Although we couldn’t confirm how this document had been distributed to targets, the\r\ninfection trails and documents we analyzed showed that the item is either embedded as a spear-phishing email\r\nbody, or downloaded from a malicious link in a spear-phishing email. This infection chain varied slightly between\r\nJuly and November 2020: some dropped file names, integrated code or remote links changed, but the logic stayed\r\nthe same.\r\nWe won’t dive deep into the details of the delivery workflow, as the main tricks are addressed later. It should,\r\nhowever, be noted that the delivery chain is based on a monolithic document that embeds all required malicious\r\nitems. Notably, this document contains decoy content, and the malicious logic is handled by Visual Basic for\r\nApplication (VBA) macros, which ultimately run PowerPepper and set up its persistence.\r\nThe LNK-based delivery chain: your direct shortcut to spiciness\r\nThis infection chain is based on a Windows shortcut file, with a misleading .docx.lnk double extension, and\r\nconstitutes a more modular approach to PowerPepper delivery.\r\nThe delivery chain is very similar to the macro-based one, but implements two major changes:\r\n- the malicious macros logic is moved to malicious PowerShell scripts, and the first one is directly\r\nembedded in the shortcut file, so there are no more VBA macros;\r\n- the Word document from this chain is just a decoy and malicious files storage pack, and is downloaded\r\nfrom a remote location (a public file sharing service) instead of directly embedded somewhere.\r\nThe malicious LNK files were most likely distributed as ZIP attachments within spear-phishing emails and, of\r\ncourse, the files dropped from this delivery chain differ across variants as well.\r\nA quick look at the decoy contents\r\nSome malicious documents that we managed to retrieve contained a social engineering banner asking users to\r\nenable macros execution. This explains how the malicious logic from the macro-based delivery chain could\r\nactually be triggered when macros are disabled by default on most modern Office settings.\r\nThe decoy contents we retrieved varied: the first we found in the wild were about carbon emissions regulations,\r\nbut we also identified a fake travel booking form for a very specific event that’s planned next year in Turkey, and\r\nof course some are about the coronavirus.\r\nWe were able to link most of the decoy contents back to the original contents published on the internet by their\r\ninitial authors, meaning DeathStalker did not craft them, but instead picked out appropriate ready-made material\r\nthat was available on the internet. One of the decoy components impersonated a legitimate travel agent but\r\nincluded altered contact details.\r\nA compilation of PowerPepper tricks\r\nPowerPepper delivery chains leverage a lot of obfuscation, execution and masquerading tricks to hinder detection,\r\nor deceive targets that are curious about what is happening on their computers. So, we thought we should describe\r\nsome.\r\nTrick #1: hide things in Word embedded shape properties (and make macro comments fun again)\r\nDeathStalker hides strings in Word embedded shape and object (OLE packages) properties, like the “hyperlink”\r\nproperty, to obfuscate the malicious execution workflow, as well as reconstruct and execute commands or scripts.\r\nbell = \"JohnSnow123\"\r\n…\r\nDocuments.Open FileName:=best \u0026 FName, PasswordDocument:=CStr(bell), Visible:=False\r\nDocuments.Item(FName).Activate\r\nWith Application:\r\n            .Run \"boat\", belt\r\n…\r\n' this function is totally legit and if you are an av you should totally let us pass\r\nFunction boat(both)\r\n…\r\n' checks if the type is 7\r\nIf .Type = 7 Then\r\n…\r\nIf .OLEFormat.Application = \"Microsoft Word\" And .OLEFormat.ClassType = \"Package\" Then\r\n            band = Split(.Hyperlink.Address, \"ps://\")\r\n            …\r\n            ball = ball \u0026 band(1)\r\nNotably, these properties are leveraged as a second stage PowerShell script in the LNK-based delivery chain: the\r\nfirst stage PowerShell script, which is embedded in a malicious LNK file, will parse downloaded Word document\r\ncontents to extract and run a second PowerShell script. These property artifacts can also contain parts of URLs,\r\ndropped files paths, or commands that are directly leveraged by macros in the macro-based delivery chain.\r\nWe can also see from the code extract above that DeathStalker uses macros to open another subdocument that is\r\nembedded in the first malicious document from the macro-based delivery chain. Last but not least, the comments\r\nare very helpful.\r\nTrick #2: use Windows Compiled HTML Help (CHM) files as archives for malicious files\r\nIn the course of their PowerPepper delivery workflows, DeathStalker leverages CHM files as containers to better\r\nevade detection, and uses a Windows built-in tool called “hh” to unpack content, from VBA macros or an LNK-embedded PowerShell script.\r\nAll the files that are dropped on targeted computers from delivery chains and that are necessary to run\r\nPowerPepper are contained in these archives. The CHM files are embedded in the malicious Word (sub)document\r\nof the delivery chains.\r\nTrick #3: masquerade and obfuscate persistent files\r\nDeathStalker uses a Visual Basic Script (VBS) loader to start PowerPepper execution. The loader is launched\r\nimmediately after delivery, and then at each computer startup, thanks to a companion launcher shortcut which is\r\nplaced in a Windows startup folder.\r\n' Copyright (c) GlobalSign Corporation. All rights reserved.\r\n'\r\n' Abstract:\r\n' licenseverification.vbs - Verify the GlobalSign software\r\n'\r\n' Usage:\r\n' licenseverify [-software]\r\n…\r\nconst L_Help_Help_General05_Text   = \"-a     - add a port\"\r\nconst L_Help_Help_General06_Text   = \"-d     - delete the specified port\"\r\n…\r\nconst L_Help_Help_General34_Text   = \"417079070765161B1C0eeeeeef610520C0F69331…\r\n…\r\nCreateObject(DelPort(L_Text_Msg_Port01_Text)).Run …+DelPort(L_Help_Help_General34_Text \u0026\r\n\"7260D3…\r\nThis VBS loader masquerades as a GlobalSign verification tool with comments as well as deceptive variables or\r\nhelp strings. Furthermore, the script’s malicious content is obfuscated by a custom encryption function.\r\nTrick #4: hide your implant between two ferns…\r\nAnd here come our plants… The previously described VBS loader will basically do one thing: deobfuscate and\r\nrun a PowerShell script against a picture file that was dropped earlier from the delivery chain.\r\nBut the picture is actually a steganography image (of ferns…) that will be decoded by the VBS loader-embedded\r\nscript, and contains the PowerPepper implant. In the first delivery chains that were discovered, the steganography\r\nimage actually displayed peppers, hence the “PowerPepper” name.\r\nTrick #5: get lost in Windows shell command translation\r\nThe Windows shortcut (LNK) file from the LNK-based delivery chain actually starts a Windows shell with an\r\nobfuscated command argument. The command is a specific form of a “FOR” Windows shell loop that generates\r\nthe “PowerShell” string from an “assoc” shell built-in result.\r\nThe malicious LNK file will fire a PowerShell script as a result, which in turn will recompose a second stage\r\nscript from a downloaded Word document, as seen in Trick #1.\r\nTrick #6: kick start it all with a signed binary proxy execution\r\nWhether it’s at the end of macros execution (for the macro-based delivery chain) or as a last step of the shortcut-embedded scripts (for the LNK-based delivery chain), DeathStalker leveraged a signed binary proxy execution to\r\nstart up PowerPepper for the first time.\r\n$ttss=Join-Path -path $src -ChildPath ('Startup'+[char]92+'StartPrinter.url');\r\nstart-process -filepath 'rundll32.exe' -argumentlist\r\n('ieframe.dll,openurl '.replace('openurl',('o').toupper()+'pen'+('url').toupper())+$ttss)\r\nWhile the first (macro-based) delivery chain we retrieved fired the malicious VBS loader with “rundll32.exe\r\nieadvpack.dll, RegisterOCX wscript.exe \u003cscript file\u003e \u003cscript argument\u003e pexe”, more recent ones use a\r\n“rundll32.exe ieframe.dll, OpenURL \u003cInternet shortcut\u003e” alternative combo. The very latest rely on a dropped\r\ninternet shortcut file (.url), which simply opens an LNK launcher with a “file://” URL. The LNK launcher in turn\r\nruns the VBS loader (see Trick #3).\r\nGeography of PowerPepper’s targets\r\nWe of course cannot get a comprehensive view of all PowerPepper’s targets, but having tracked this implant since\r\nMay 2020, we managed to get a partial view of targeted countries before August 2020, as well as in November\r\n2020.\r\nDue to the very partial information we sometimes get for such research, and despite our efforts to filter as much as\r\nwe can, we cannot rule out that some identified targets could actually be fellow researchers investigating the\r\nthreat, or DeathStalker’s own testing infrastructure.\r\nWe could not precisely identify PowerPepper targets, but law and consultancy firms have been frequent targets of\r\nthe actor.\r\nPrevention and protection leads\r\nIn order to prevent successful PowerPepper execution or delivery, or to protect against related infection chains, we\r\ncould not but underline these standard defense measures:\r\n- Content hosts can regularly scan hosted files for malicious content, where regulations allow. They can\r\nprotect their hosting infrastructure with endpoint protection software and traffic monitoring. They can also\r\nstack protection on privileged and remote access, with client network address filtering, multi-factor\r\nauthentication (MFA), and auditing of authentication logs.\r\n- Website owners and editors need to frequently and responsively update their CMS backends as well as\r\nassociated plugins. They can also stack protection on privileged and remote access, with client network\r\naddress filtering, MFA and access logging on all backend endpoints.\r\n- Enterprise IT services need to restrict script engine (e.g., PowerShell) use on end-user computers with\r\nenforced execution policies. They need to set up endpoint protection software on end-user computers and\r\ncontent servers. They should allow DNS requests to corporate-managed resolvers and relays only, while\r\nfiltering HTTP and DNS traffic at the perimeter. Last but not least, they need to train employees not to\r\nopen attachments and links in emails from unknown senders.\r\n- Individuals should never open Windows shortcuts that were downloaded from a remote location or\r\nattached to an email, open attachments or click links in emails from unknown senders, or enable macros in\r\ndocuments from unverified sources.\r\nConclusion\r\nIt only seems fair to write that DeathStalker tried hard to develop evasive, creative and intricate tools with this\r\nPowerPepper implant and associated delivery chains. There is nothing particularly sophisticated about the\r\ntechniques and tricks that are leveraged, yet the whole toolset has proved to be effective, is pretty well put\r\ntogether, and shows determined efforts to compromise various targets around the world.\r\nThis is consistent with previous knowledge of the DeathStalker actor, which has demonstrated continuous\r\ncapabilities to compromise targets since 2012, and has been fast to develop new implants and toolchains. We\r\ndiscovered the PowerPepper implant in May 2020, and it has been improved or adapted regularly since then. At\r\nthe same time, we also uncovered another previously unknown malware strain that we strongly believe is from the\r\nsame actor, though we haven’t identified any Powersing-related activity since our previous article on DeathStalker\r\nin August 2020.\r\nThe DeathStalker threat is definitely a cause for concern, with the victimology for its various malware strains\r\nshowing that any corporation or individual in the world can be targeted by their malicious activities, provided\r\nsomeone has decided they are of interest and passed on the word to the threat actor. Luckily for defenders,\r\nDeathStalker has, until now, relied on a rather limited set of techniques to design its delivery chains, and\r\nimplementing counter-measures is an attainable goal for most organizations.\r\nIndicators of compromise\r\nFile hashes\r\nFile paths\r\nIOC Description\r\n%PROGRAMDATA%\\Support\\licenseverification.vbs Malicious VBS Loader\r\n%PROGRAMDATA%\\Support\\licenseverify.vbs Malicious VBS Loader\r\n%PROGRAMDATA%\\MyPrinter\\NewFile.vbs Malicious VBS Loader\r\n%PROGRAMDATA%\\Printers\\NewFile.vbs Malicious VBS Loader\r\n%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\System.lnk Malicious startup launcher LNK\r\n%PROGRAMDATA%\\MyPrinter\\Web.lnk Malicious startup launcher LNK\r\n%PROGRAMDATA%\\Printers\\Web.lnk Malicious startup launcher LNK\r\n%APPDATA%\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\StartPrinter.url Malicious startup launcher URL\r\nDomain and IPs\r\nIOC Description\r\nallmedicalpro[.]com PowerPepper C2 domain name\r\nmediqhealthcare[.]com PowerPepper C2 domain name\r\ngofinancesolutions[.]com PowerPepper C2 domain name\r\nmailsigning.pythonanywhere[.]com PowerPepper Signaling hostname (legitimate host and root domain)\r\nmailsignature.pythonanywhere[.]com PowerPepper Signaling hostname (legitimate host and root domain)\r\nmailservice.pythonanywhere[.]com PowerPepper Signaling hostname (legitimate host and root domain)\r\nmailservices.pythonanywhere[.]com PowerPepper Signaling hostname (legitimate host and root domain)\r\nfootersig.pythonanywhere[.]com PowerPepper Signaling hostname (legitimate host and root domain)\r\nglobalsignature.pythonanywhere[.]com PowerPepper Signaling hostname (legitimate host and root domain)\r\nURLs\r\nIOC Description\r\nhxxps://www.gsn-nettoyage[.]com/wp-snapshots/btoken.php\r\nPowerPepper Signaling hostname (legitimate but compromised website)\r\nhxxps://www.gsn-nettoyage[.]com/wp-snapshots/etoken.php\r\nhxxps://www.gsn-nettoyage[.]com/wp-snapshots/1.docx\r\nhxxps://www.gsn-nettoyage[.]com/wp-snapshots/Quote 16 db room.docx\r\nMalicious documents download location (legitimate but compromised website)\r\nhxxps://outlookusers.page[.]link/\r\nMalicious documents download location (legitimate host and root domain)\r\nhxxps://1drv[.]ws/w/s!AvXRHBXCKmvYdifkocKujNavvjY?e=hhuBV8\r\nMalicious document remote location (legitimate host and root domain)\r\nhxxps://1drv[.]ws/w/s!AvXRHBXCKmvYdcbz1YwTJRkOxP4?e=u5wtbX\r\nMalicious document remote location (legitimate host and root domain)\r\nhxxps://1drv[.]ws/w/s!AvXRHBXCKmvYd1921tVEMKWaCUs?e=MyoVNF\r\nMalicious document remote location (legitimate host and root domain)\r\nhxxps://1drv[.]ws/w/s!AvXRHBXCKmvYeFdjVtZN0Quljs4?e=dnA6GG\r\nMalicious document remote location (legitimate host and root domain)\r\nhxxps://1drv[.]ws/w/s!AvXRHBXCKmvYeePNerfsAWK0qVY?e=e4SsYM\r\nMalicious document remote location (legitimate host and root domain)\r\nhxxps://1drv[.]ws/w/s!AvXRHBXCKmvYejBpdekg1WUCM9M?e=UkhU10\r\nMalicious document remote location (legitimate host and root domain)\r\nhxxps://1drv[.]ws/w/s!AvXRHBXCKmvYe1ulhtazjNVvCqY?e=WptVTC\r\nMalicious document remote location (legitimate host and root domain)\r\nMail addresses\r\nIOC Description\r\na.christy_inbox@outlook[.]com Suspected malicious spear-phishing email sender (legitimate root domain)\r\nSource: https://securelist.com/what-did-deathstalker-hide-between-two-ferns/99616/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://securelist.com/what-did-deathstalker-hide-between-two-ferns/99616/"
	],
	"report_names": [
		"99616"
	],
	"threat_actors": [
		{
			"id": "059b16f8-d4e0-4399-9add-18101a2fd298",
			"created_at": "2022-10-25T15:50:23.29434Z",
			"updated_at": "2026-04-10T02:00:05.380938Z",
			"deleted_at": null,
			"main_name": "Evilnum",
			"aliases": [
				"Evilnum"
			],
			"source_name": "MITRE:Evilnum",
			"tools": [
				"More_eggs",
				"EVILNUM",
				"LaZagne"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f7aa6029-2b01-4eee-8fe6-287330e087c9",
			"created_at": "2022-10-25T16:07:23.536763Z",
			"updated_at": "2026-04-10T02:00:04.646542Z",
			"deleted_at": null,
			"main_name": "Deceptikons",
			"aliases": [
				"DeathStalker",
				"Deceptikons"
			],
			"source_name": "ETDA:Deceptikons",
			"tools": [
				"EVILNUM",
				"Evilnum",
				"Janicab",
				"PowerPepper",
				"Powersing",
				"VileRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "8ce861d7-7fbd-4d9c-a211-367c118bfdbd",
			"created_at": "2023-01-06T13:46:39.153487Z",
			"updated_at": "2026-04-10T02:00:03.232006Z",
			"deleted_at": null,
			"main_name": "Evilnum",
			"aliases": [
				"EvilNum",
				"Jointworm",
				"KNOCKOUT SPIDER",
				"DeathStalker",
				"TA4563"
			],
			"source_name": "MISPGALAXY:Evilnum",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "39ea99fb-1704-445d-b5cd-81e7c99d6012",
			"created_at": "2022-10-25T16:07:23.601894Z",
			"updated_at": "2026-04-10T02:00:04.684134Z",
			"deleted_at": null,
			"main_name": "Evilnum",
			"aliases": [
				"G0120",
				"Jointworm",
				"Operation Phantom in the [Command] Shell",
				"TA4563"
			],
			"source_name": "ETDA:Evilnum",
			"tools": [
				"Bypass-UAC",
				"Cardinal RAT",
				"ChromeCookiesView",
				"EVILNUM",
				"Evilnum",
				"IronPython",
				"LaZagne",
				"MailPassView",
				"More_eggs",
				"ProduKey",
				"PyVil",
				"PyVil RAT",
				"SONE",
				"SpicyOmelette",
				"StealerOne",
				"Taurus Loader Stealer Module",
				"Taurus Loader TeamViewer Module",
				"Terra Loader",
				"TerraPreter",
				"TerraStealer",
				"TerraTV"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434147,
	"ts_updated_at": 1775792063,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/611e8a04fc3fb54fb5b6f6a2da37885a6672dd5e.pdf",
		"text": "https://archive.orkl.eu/611e8a04fc3fb54fb5b6f6a2da37885a6672dd5e.txt",
		"img": "https://archive.orkl.eu/611e8a04fc3fb54fb5b6f6a2da37885a6672dd5e.jpg"
	}
}