{ "id": "06b5ae3d-0b8d-4b8c-a506-f0c703262808", "created_at": "2026-04-06T00:13:51.309421Z", "updated_at": "2026-04-10T13:13:05.451379Z", "deleted_at": null, "sha1_hash": "a0cbaea548af7039abc38722ebb5f333a59f5e08", "title": "EVILNUM (Malware Family)", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 66435, "plain_text": "EVILNUM (Malware Family)\r\nBy Fraunhofer FKIE\r\nArchived: 2026-04-05 12:54:57 UTC\r\njs.evilnum (Back to overview)\r\nEVILNUM\r\nAccording proofpoint, EvilNum is a backdoor that can be used for data theft or to load additional payloads. The\r\nmalware includes multiple interesting components to evade detection and modify infection paths based on\r\nidentified antivirus software.\r\nReferences\r\n2022-06-27 ⋅ Zscaler ⋅ Sahil Antil, Sudeep Singh\r\nReturn of the Evilnum APT with updated TTPs and new targets\r\nEVILNUM EVILNUM\r\n2021-01-04 ⋅ ⋅ NSFOCUS ⋅ NSFOCUS\r\nSteganography, Little Fire Dragon and AGENTVX: A Detailed Analysis of APT Organization EVILNUM's\r\nNew Attack Activities\r\nEVILNUM\r\n2020-11-03 ⋅ Kaspersky Labs ⋅ GReAT\r\nAPT trends report Q3 2020\r\nWellMail EVILNUM Janicab Poet RAT AsyncRAT Ave Maria Cobalt Strike Crimson RAT CROSSWALK\r\nDtrack LODEINFO MoriAgent Okrum PlugX POISONPLUG Rover ShadowPad SoreFang Winnti\r\n2020-08-24 ⋅ Kaspersky Labs ⋅ Ivan Kwiatkowski, Maher Yamout, Pierre Delcher\r\nLifting the veil on DeathStalker, a mercenary triumvirate\r\nEVILNUM Janicab Evilnum\r\n2020-07-10 ⋅ Github (eset) ⋅ Matías Porolli\r\nEvilnum — Indicators of Compromise\r\nEVILNUM More_eggs EVILNUM TerraStealer\r\n2020-07-09 ⋅ ESET Research ⋅ Matías Porolli\r\nMore evil: A deep look at Evilnum and its toolset\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/js.evilnum\r\nPage 1 of 2\n\nEVILNUM More_eggs EVILNUM TerraPreter TerraStealer TerraTV Evilnum\r\n2020-06-04 ⋅ ⋅ Chianxin Virus Response Center\r\n脚本系贼寇之风兴起,买卖体系堪比勒索软件\r\nEVILNUM More_eggs\r\n2020-05-06 ⋅ Prevailion ⋅ Danny Adamitis\r\nPhantom in the Command Shell\r\nEVILNUM\r\n2019-08-01 ⋅ ClearSky ⋅ ClearSky Cyber Security\r\n2019 H1 Cyber Events Summary Report\r\nEVILNUM Cardinal RAT SappyCache\r\n2019-03-19 ⋅ Palo Alto Networks Unit 42 ⋅ Josh Grunzweig, Tom Lancaster\r\nCardinal RAT Sins Again, Targets Israeli Fin-Tech Firms\r\nEVILNUM Cardinal RAT EVILNUM\r\n2018-05-24 ⋅ pwncode.io blog ⋅ c0d3inj3cT\r\nJavaScript based Bot using Github C\u0026C\r\nEVILNUM\r\nThere is no Yara-Signature yet.\r\nSource: https://malpedia.caad.fkie.fraunhofer.de/details/js.evilnum\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/js.evilnum\r\nPage 2 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "origins": [ "web" ], "references": [ "https://malpedia.caad.fkie.fraunhofer.de/details/js.evilnum" ], "report_names": [ "js.evilnum" ], "threat_actors": [ { "id": "059b16f8-d4e0-4399-9add-18101a2fd298", "created_at": "2022-10-25T15:50:23.29434Z", "updated_at": "2026-04-10T02:00:05.380938Z", "deleted_at": null, "main_name": "Evilnum", "aliases": [ "Evilnum" ], "source_name": "MITRE:Evilnum", "tools": [ "More_eggs", "EVILNUM", "LaZagne" ], "source_id": "MITRE", "reports": null }, { "id": "f7aa6029-2b01-4eee-8fe6-287330e087c9", "created_at": "2022-10-25T16:07:23.536763Z", "updated_at": "2026-04-10T02:00:04.646542Z", "deleted_at": null, "main_name": "Deceptikons", "aliases": [ "DeathStalker", "Deceptikons" ], "source_name": "ETDA:Deceptikons", "tools": [ "EVILNUM", "Evilnum", "Janicab", "PowerPepper", "Powersing", "VileRAT" ], "source_id": "ETDA", "reports": null }, { "id": "610a7295-3139-4f34-8cec-b3da40add480", "created_at": "2023-01-06T13:46:38.608142Z", "updated_at": "2026-04-10T02:00:03.03764Z", "deleted_at": null, "main_name": "Cobalt", "aliases": [ "Cobalt Group", "Cobalt Gang", "GOLD KINGSWOOD", "COBALT SPIDER", "G0080", "Mule Libra" ], "source_name": "MISPGALAXY:Cobalt", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "4d5f939b-aea9-4a0e-8bff-003079a261ea", "created_at": "2023-01-06T13:46:39.04841Z", "updated_at": "2026-04-10T02:00:03.196806Z", "deleted_at": null, "main_name": "APT41", "aliases": [ "WICKED PANDA", "BRONZE EXPORT", "Brass Typhoon", "TG-2633", "Leopard Typhoon", "G0096", "Grayfly", "BARIUM", "BRONZE ATLAS", "Red Kelpie", "G0044", "Earth Baku", "TA415", "WICKED SPIDER", "HOODOO", "Winnti", "Double Dragon" ], "source_name": "MISPGALAXY:APT41", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "2a24d664-6a72-4b4c-9f54-1553b64c453c", "created_at": "2025-08-07T02:03:24.553048Z", "updated_at": "2026-04-10T02:00:03.787296Z", "deleted_at": null, "main_name": "BRONZE ATLAS", "aliases": [ "APT41 ", "BARIUM ", "Blackfly ", "Brass Typhoon", "CTG-2633", "Earth Baku ", "GREF", "Group 72 ", "Red Kelpie ", "TA415 ", "TG-2633 ", "Wicked Panda ", "Winnti" ], "source_name": "Secureworks:BRONZE ATLAS", "tools": [ "Acehash", "CCleaner v5.33 backdoor", "ChinaChopper", "Cobalt Strike", "DUSTPAN", "Dicey MSDN", "Dodgebox", "ForkPlayground", "HUC Proxy Malware (Htran)" ], "source_id": "Secureworks", "reports": null }, { "id": "8ce861d7-7fbd-4d9c-a211-367c118bfdbd", "created_at": "2023-01-06T13:46:39.153487Z", "updated_at": "2026-04-10T02:00:03.232006Z", "deleted_at": null, "main_name": "Evilnum", "aliases": [ "EvilNum", "Jointworm", "KNOCKOUT SPIDER", "DeathStalker", "TA4563" ], "source_name": "MISPGALAXY:Evilnum", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "39ea99fb-1704-445d-b5cd-81e7c99d6012", "created_at": "2022-10-25T16:07:23.601894Z", "updated_at": "2026-04-10T02:00:04.684134Z", "deleted_at": null, "main_name": "Evilnum", "aliases": [ "G0120", "Jointworm", "Operation Phantom in the [Command] Shell", "TA4563" ], "source_name": "ETDA:Evilnum", "tools": [ "Bypass-UAC", "Cardinal RAT", "ChromeCookiesView", "EVILNUM", "Evilnum", "IronPython", "LaZagne", "MailPassView", "More_eggs", "ProduKey", "PyVil", "PyVil RAT", "SONE", "SpicyOmelette", "StealerOne", "Taurus Loader Stealer Module", "Taurus Loader TeamViewer Module", "Terra Loader", "TerraPreter", "TerraStealer", "TerraTV" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434431, "ts_updated_at": 1775826785, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/a0cbaea548af7039abc38722ebb5f333a59f5e08.pdf", "text": "https://archive.orkl.eu/a0cbaea548af7039abc38722ebb5f333a59f5e08.txt", "img": "https://archive.orkl.eu/a0cbaea548af7039abc38722ebb5f333a59f5e08.jpg" } }