{
	"id": "5099e821-a85e-4ee7-8014-9ac0a930c018",
	"created_at": "2026-04-06T00:10:10.659098Z",
	"updated_at": "2026-04-10T13:11:52.694948Z",
	"deleted_at": null,
	"sha1_hash": "b7c844373188c350dea9bd8bb436edfeb884b21a",
	"title": "Operation DarkCasino: In-Depth Analysis of Attacks by APT Group Evilnum (Part 2) - NSFOCUS, Inc., a global network and cyber security leader, protects enterprises and carriers from advanced cyber attacks.",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 716326,
	"plain_text": "Operation DarkCasino: In-Depth Analysis of Attacks by APT Group\r\nEvilnum (Part 2) - NSFOCUS, Inc., a global network and cyber security\r\nleader, protects enterprises and carriers from advanced cyber attacks.\r\nBy NSFOCUS\r\nPublished: 2022-09-20 · Archived: 2026-04-05 16:29:06 UTC\r\nOperation DarkCasino: In-Depth Analysis of Attacks by APT Group Evilnum (Part 1)\r\nComponents\r\nEvilnum mainly used a new customized trojan in this operation. NSFOCUS Security Labs named it DarkMe after a distinctive string in the trojan program.\r\nNSFOCUS Security Labs also discovered another new trojan closely connected to this operation and named it PikoloRAT, again after a distinctive string in the program.\r\n1. DarkMe\r\nDarkMe is a Visual Basic spy trojan developed by the Evilnum attackers and used in several of the attack flows. The first version of DarkMe appeared on September 25, 2021, and five iterations have been released so far.\r\nDarkMe's network communication is implemented with the public WinSock32 module (http://leandroascierto.com/blog/winsock32/). This module creates a window named SOCKET_WINDOW and performs socket communication with the server through it.\r\nOn top of this module, a large amount of functional code was added over time, turning DarkMe from a downloader into a stub spy trojan.\r\nFunctions\r\nDifferent versions of DarkMe carry different functional code. Here we describe version 5, ShellRunDllVb.dll, the build that appeared in this operation.\r\nOnce ShellRunDllVb.dll is executed, it collects host information and sends it to the C\u0026C server. DarkMe collects the geolocation abbreviation, country name, computer name, user name, list of installed antivirus software, trojan mark, and the title of the foreground window. 
These items are joined with the fixed separator byte 0x3F (the ASCII question mark) and prefixed with the fixed string “92”. The resulting registration record is then sent to the C\u0026C server.\r\nhttps://nsfocusglobal.com/operation-darkcasino-in-depth-analysis-of-attacks-by-apt-group-evilnum-part-2/\r\nPage 1 of 11\n\nRegister traffic of DarkMe\r\nDarkMe has several modules supporting different espionage functions. clsfile is the main module implementing file operations under C\u0026C control. The C\u0026C instruction is carried in the first six bytes of the communication content, so matching on that fixed-width prefix is enough to identify the command. The function of each instruction is described below:\r\nDescription of DarkMe instructions\r\nDarkMe also integrates a piece of publicly available code to implement its screenshot function.\r\nScreenshot function implemented by DarkMe (right) and public code (left)\r\nDarkMe also provides persistence and self-update functions, and some versions include keylogging.\r\nVersions\r\nLooking more closely at samples in the wild, NSFOCUS Security Labs found that DarkMe had existed for more than half a year and was already available in multiple versions. The version timeline of DarkMe is as follows:\r\nVersion iteration of DarkMe\r\nOver its lifecycle, DarkMe evolved from a loader trojan to a spy trojan, and then to a stub payload integrated into more complex attack flows. DarkMe versions 4 and 5 both have a complete feature set and can serve either as the primary stealing tool or as a loader for other tools, so they were widely adopted by the Evilnum attackers in recent attacks.\r\n2. PikoloRAT\r\nNSFOCUS discovered another new remote control trojan, PikoloRAT, during in-depth analysis of information related to this operation. 
PikoloRAT has the typical remote control functions and can use built-in components to carry out more complex control operations.\r\nBecause the built-in C\u0026C addresses of PikoloRAT coincide with addresses used in this operation, and PikoloRAT complements the DarkMe functionality described above, NSFOCUS Security Labs assessed that the Evilnum attackers used PikoloRAT as an extension component in the later stage of the operation.\r\nIn the cases observed, PikoloRAT was delivered either by a downloader trojan or packaged inside a compressed archive.\r\nFunctions\r\nPikoloRAT is a typical RAT written in C#.\r\nMain frame of PikoloRAT\r\nWhen PikoloRAT runs, it first collects and uploads host information: the trojan mark, user name, computer name, geolocation, operating system version, trojan running time, trojan version, and antivirus software information. PikoloRAT separates these items with “|”, prefixes them with the fixed string “654321”, and sends the result to the C\u0026C server.\r\nOnline traffic of PikoloRAT\r\nThe content and format of PikoloRAT's registration traffic closely resemble those of DarkMe described above: a fixed numeric prefix followed by host fields joined with a single-character separator. Either prefix-and-separator pair is a usable traffic signature as long as the channel is in the clear.\r\nPikoloRAT then enters its controlled state, fetching instructions from the C\u0026C server and acting on the host accordingly. 
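The two registration records described above share one shape: a fixed numeric prefix followed by host fields joined with a single-character separator, which makes them straightforward to recognize in captured traffic. The following Python is an added example written for this page, not NSFOCUS code and not taken from either trojan; it assumes the field order is the order in which the report lists the items, tolerates a separator immediately after the prefix, and runs on constructed sample messages rather than captured traffic:

```python
# Added example (not NSFOCUS code): classify DarkMe and PikoloRAT registration
# beacons by the wire formats the report describes. Assumptions: field order is
# the order the report lists the items in, a separator may directly follow the
# prefix, and all sample traffic below is constructed, not captured.
from dataclasses import dataclass
from typing import Optional

DARKME_PREFIX = b'92'
DARKME_SEP = bytes([0x3F])          # the fixed 0x3F separator (ASCII '?')
DARKME_FIELDS = ('geo_abbrev', 'country', 'computer', 'user',
                 'antivirus', 'mark', 'foreground_window')

PIKOLO_PREFIX = b'654321'
PIKOLO_SEP = b'|'
PIKOLO_FIELDS = ('mark', 'user', 'computer', 'geo', 'os_version',
                 'uptime', 'version', 'antivirus')


@dataclass
class Beacon:
    family: str
    fields: dict


def _parse(payload: bytes, prefix: bytes, sep: bytes, names: tuple) -> Optional[dict]:
    # Generic prefix + separated-fields parser shared by both families.
    if not payload.startswith(prefix):
        return None
    body = payload[len(prefix):]
    if body.startswith(sep):          # tolerate a separator right after the prefix (assumption)
        body = body[len(sep):]
    parts = body.split(sep)
    if len(parts) < len(names):       # too few fields for a registration record
        return None
    values = [p.decode('utf-8', 'replace') for p in parts]
    # A separator inside the last item (e.g. a '?' in a window title) produces
    # surplus parts; fold them back into the last named field.
    head = values[:len(names) - 1]
    tail = sep.decode('ascii').join(values[len(names) - 1:])
    return dict(zip(names, head + [tail]))


def classify(payload: bytes) -> Optional[Beacon]:
    # Returns the matching family and parsed fields, or None for unrelated traffic.
    fields = _parse(payload, PIKOLO_PREFIX, PIKOLO_SEP, PIKOLO_FIELDS)
    if fields is not None:
        return Beacon('PikoloRAT', fields)
    fields = _parse(payload, DARKME_PREFIX, DARKME_SEP, DARKME_FIELDS)
    if fields is not None:
        return Beacon('DarkMe', fields)
    return None


def darkme_command(response: bytes) -> str:
    # The report states the C2 instruction sits in the first six bytes of the
    # server message; that fixed-width prefix is what to match against the
    # instruction table.
    return response[:6].decode('ascii', 'replace')


# Constructed sample traffic in the two formats (not real captures).
SAMPLES = [
    b'92?US?United States?DESKTOP-1?alice?Windows Defender?mark1?Trading - Chrome',
    b'654321|mark1|alice|DESKTOP-1|US|Windows 10|00:12:05|1.0|Windows Defender',
    b'92 is ordinary text that merely starts with the same digits',
    b'GET / HTTP/1.1',
]


def classify_all(samples=SAMPLES):
    return [(raw, classify(raw)) for raw in samples]


if __name__ == '__main__':
    for raw, beacon in classify_all():
        print(raw[:32], '->', beacon.family if beacon else 'no match')
```

classify() refuses anything with fewer fields than a registration record, so ordinary text that happens to start with 92 is not flagged; surplus separators inside the final item (a question mark in a window title) are folded back into that field rather than shifting the others.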
The supported remote control instructions are as follows:\r\nDescription of PikoloRAT instructions\r\nBeyond basic remote control, PikoloRAT can perform more sophisticated control by dropping its built-in PEGASUS HVNC module, a recently leaked hidden-VNC (hVNC) tool.\r\nTechniques and Tactics\r\nOverwriting Files While Sideloading\r\nIn attack flow A, the Evilnum attackers delivered a malicious python39.dll and sideloaded it through the legitimate python.exe. Unlike the usual way of building a sideloading DLL, this python39.dll was produced by directly overwriting the original python39.dll: the attackers wrote a piece of shellcode over the body of the exported function PyImport_AddModuleObject, so the shellcode runs as soon as python.exe loads python39.dll and calls that function.\r\nThe benefits of this design are:\r\nEasy to operate. No separate DLL has to be compiled to provide the exports python.exe expects.\r\nWide applicability. In theory any legitimate DLL can be patched the same way to build a sideloading shellcode chain.\r\nStrong concealment. The patched DLL differs from the original only where the shellcode was written, so it is hard to locate by inspection. It does, however, no longer match the hash of the vendor's python39.dll, so comparing the file against a known-good copy (or verifying its digital signature) exposes the modification.\r\nOverwritten PyImport_AddModuleObject function in python39.dll\r\nShellcode Framework\r\nIn attack flow A, the Evilnum attackers used different shellcode at different stages. Because these shellcodes share the same implementation logic, NSFOCUS Security Labs assessed that they came from a single shellcode development framework. Compared with earlier Evilnum activity, both the overall structure and the code complexity had improved.\r\nntdll Mapping\r\nIn the shellcode used in this operation, the Evilnum attackers again relied on two modules, kernel32 and ntdll, to build the main attack flow. 
To keep these behaviors away from API monitoring, the attackers mapped a fresh copy of the ntdll file and called the APIs in that copy instead of the loaded module.\r\nMapping logic of the ntdll module in the shellcode\r\nIn the implementation, the shellcode reloads ntdll through a file mapping, then locates each API in the mapping by taking the API's offset from the base of the already-loaded ntdll and adding it to the base of the mapped copy (the same file at a different base, so the relative virtual address is unchanged). The shellcode then calls the mapped API for the corresponding behavior, so the call never passes through the original, possibly hooked, ntdll and the key parameters are not observed or logged by user-mode hooks. Kernel-side telemetry is unaffected: the system call itself still takes place.\r\nX64call\r\nIn attack flow A, the Evilnum attackers used X64call to invoke key APIs while injecting cmd.exe.\r\nThe injected shellcode first checked the process environment and the host CPU model. When the requirements were met, it invoked the 64-bit implementations of the key injection APIs, such as NtAllocateVirtualMemory and NtWriteVirtualMemory, through X64call, a helper in the style of Heaven's Gate that switches a 32-bit process running under WoW64 into 64-bit code and calls the native 64-bit ntdll directly.\r\nX64call calling logic in the shellcode injection code\r\nX64call calling code\r\nThis technique likewise bypasses API detection: user-mode hooks placed in the 32-bit ntdll that a WoW64 process normally calls are never reached.\r\nImage Steganography\r\nThe Evilnum attackers used two kinds of steganographic image in this operation.\r\nIn attack flow B, the image IMG.jpg used trailing-data steganography: the malicious code was appended after the image data, with the fixed string $HEH$E as the separator. Image viewers ignore bytes after the JPEG end-of-image marker, so the picture still displays normally, and extracting the payload is just a matter of splitting the file on that string.\r\nSteganographic information in IMG.jpg\r\nIn attack flow A, the payload-carrying image used an RGB pixel scheme that stored the malicious code in the red channel of the pixels.\r\nRGB values in the steganographic image sKr93I.png (right) and extracted compressed data content (left)\r\nThis construction leaves visible artifacts: overwriting the red channel of a white pixel with a payload byte lowers its red component, so blue-green dots appear in white areas, while raising the red component of a black pixel produces red dots in black areas of the steganographic image.\r\nAppearance of the steganographic image sKr93I.png\r\nAppearance of the steganographic image Fruit.png\r\nSocket Window\r\nIn this operation, the DarkMe trojan used SOCKET_WINDOW communication, an old Visual Basic socket programming technique: a window named SOCKET_WINDOW is created, WSAAsyncSelect is used to have Winsock post network events to it as window messages, and the window procedure handles those messages. The original framework is the WinSock32 module linked above.\r\nCOM Component Execution\r\nSome DarkMe builds were delivered as COM components in this operation. The Evilnum attackers placed the registry operation logic in the preloaded trojan payload, which generates and executes a file named Register.reg with the following contents.\r\nContents of Register.reg\r\nThe preloaded payload then started DarkMe with a cmd command of the form rundll /sta [CLSID] ‘Hello’, that is, rundll32's undocumented /sta switch, which instantiates the COM class just registered by its CLSID. This avoids invoking the DarkMe file directly and reduces its exposure to some extent. The registration itself is a useful detection point: a newly written CLSID registration pointing at a recently dropped DLL, followed by rundll32 launched with /sta, is characteristic of this chain.\r\nConclusion\r\nOperation DarkCasino is a series of ongoing APT attacks targeting cash flows in online trading. The Evilnum group adopted a variety of steadily improving attack techniques and tools, showing a strong awareness of defensive countermeasures.\r\nThe analysis showed that the scope of Operation DarkCasino was not limited to Europe. 
Under the direction of the Evilnum attackers, the campaign was extended to several Asian countries, where it may cause unexpected damage.\r\nTo defend against this operation, users of online financial platforms should pay particular attention to LNK, PIF, SCR, and COM files received through any channel, and be especially wary of files whose names contain keywords such as offer, visa, and casino; a successful Evilnum attack can cause direct financial losses.\r\nIndicators of Compromise (IoCs)\r\nDecoy files of attack flow A\r\n43eda4ff53eef4513716a5b773e6798653ee29544b44a9ae16aa7af160a996f2 offer deal visa 2022.lnk\r\nDecoy files of attack flow B\r\n5fb252474237a4ca96cc0433451c7d7a847732305d95ceeaeb10693ecef2eeee Scatters Casino offers Daily Promotions.pif\r\n8e4a4c5e04ff7ebacb5fe8ff6b27129c13e91a1acc829dbb3001110c84dc8633 new casino crypto.com\r\nd0899cb4b94e66cb8623e823887d87aa7561db0e9cf4028ae3f46a7b599692b9 Promo CPL CPA Traffic.com\r\nDecoy files of attack flow C\r\n4ffa29dead7f6f7752f2f3b0a83f936f270826d2711a599233dc97e442dee85f 333TER.exe\r\n9cf7f8a93c409dd61d019ca92d8bc43cc9949e244c9080feba5bfc7aac673ac3 d33v3TER.exe\r\n259cebed2cd89da395df2a3588fadde82cd6542bc9ff456890f7ee2087dc43c9 d333TER.exe\r\n0cdf27bb8c0c90fc1d60fb07bd30b7e97b16d15e3f58fb985350091ecad51ba6 ed333TER.exe\r\n5ba84191a873d823ccf336adfa219cc191a004e22b56b99c6d0e1642144129b8 wed333TER.exe\r\n15a076c7bb6a38425d96aa08b8a15e9a838c9697d57c835aaca92fd01607b07a PayRedeemUpdateIntegration19052022.scr\r\n3329f5e3a67d13bd602dca5bbe8e2d0b5d3b5cb7cb308965fb2599a66668c207 offer crypto casino.scr\r\n8a49a7f6c95fade72ef86455794cdedfca9129aa0f5281e09929dfebfb3417c4 DOCUMENTATION AGREEMENTS S CONSULTING INTEGRATION.pif\r\nDownloader Trojan\r\n864dccbeda7d88cad91336b5ae9efd50972508d1d8044226e798d039a0bc1da2 AONNRJP.exe\r\nPikoloRAT Trojan\r\neb5e42c726c7b125564455d56a02b9d42672ca061575ff911672b9165e8e309d stub1.exe\r\nbe544a1f9f642bb35a9bd0942ae16a7a6e58a323d298a408a00fa4c948e8ea17 Stub1.exe\r\nDarkMe Trojan\r\na826570f878def28b027f6e6b2fcd8be1727e82666f8b65175d917144f5d0569 Project1.exe\r\n7b478cd8b854c9046f45f32616e1b0cbdc9436fa078ceddb13ce9891b24b30a5 Project1.exe\r\ne72337c08d6b884b64fd9945c5a01557ccf40db93af866c00c48d36b6605f3a0 Project1.exe\r\n414a11e8eabb64add97a866502edcd7e54108bd247f4ae12fe07feeae4e549f6 Projec3.exe\r\n7913cdf40cc17a28487a71ab0d7724b8bf3646a2a53e3905798ce23a657061b8 Project1.exe\r\n3a6694567e9d722357b8e92153d9c878bbcab55a2f65cd0f9a2e6579fbeb935a Projec3.exe\r\na6a70c85b8c40932678c413fde202a55fcfc9d9cae23822708be5f28f9d5b6d2 Projec3.exe\r\nc50ebe13972e6e378248d80d53478d8e01e754c5d87113d9b6f93bf3b84380b4 Project1.exe\r\n1ac7715b1762788b5dc1f5f2fc35243a072fe77053df46101ce05413cca62666 Projec3.exe\r\n4ecc2925cfb073323314611a3892d476a58ff2f6b510b434996686e2f0ac3af7 Projec3.exe\r\n541b3011953a3ce1a3a4a22c8c4f58c6a01df786a7cc10858649f8f70ee0a2f3 Projec3.exe\r\nf25cbc53d0cc14b715ee83e51946d5793e4e86e71e96f68e9b6c839b514e8cb8 Projec3.exe\r\n4244f274a12f4672f2dda1190559d96c5a9631c9ee573b853c89e30701819b63 Projec24.pif\r\n1f0d908c677fb3ec5b9422eb5f7d2a2b3ffa01659521afc07cc4dfaea27aa532 Nuovo.pif\r\n028057e54a2e813787a14b7d33e6a2caa91485ed879ef1bbcb94df0e1cf91356 bvo.exe\r\n0a9c183f0b5a225228da5e8589fac8b3affe2e51c790a08148ef72481de610c4 bvo.exe\r\n3eb84676249cb26dd3d1962cfca2a9fde442d0feaa1b0351f6331313f3ac1138 bvo.exe\r\n46fbfc263959084d03bd72c5b6ee643711f79f7d76b391d4a81f95b2d111b44e bvofinal.pif\r\n5e04dd49b82320eca63b483e87453d2a68a9f4873f47d37e5080d537bc811d0e pppppesst.exe\r\ndc8190279dcea4f9a36208ba48b14e6c8313ef061252027ef8110b2d0bd84640 pppppesst.exe\r\n4959cdba7edee68b5116cc1b8ef5016978d3dff2016f027a4f76b080b7c3849a faster.exe\r\n24ace8fd73b2a5a13f3e5b459f0764dd4b5bda2cea2b0e13bbf88a88afe0cdac fastest.exe\r\nc66e6ee55e9799a8a32b7a2c836c26bb7ebea98d09c1535ad9ae59e9628835fb fastest.exe\r\n32ce8d0dcbfcc2517480d0e08f8896ab4f6ea13ccb0eefe7205cd352c7b359c3 h5a.exe\r\nc192684d296ea587e93457d060cbef900143cf1a11301e6c2e34e264e3e55ef6 h5a.exe\r\n1d01b143a56eba431387b9b973790d174deb48c2e3445d96b131a7d8e0a9d4ef vvt1.exe\r\nb8ba2c0478649dc099d0a869755a7e205173a9b0d15fad920317a89d07eaa930 vvt1.exe\r\nd95853e6e16d90c00fd72aaeaca9885b953dae14d7d6aa7fedcc6150fb788667 656.exe\r\n7add6700c6e1aa1ac8782fdd26a11283d513302c672e3d62f787572d8ad97a21 ShellRunDllVb.dll\r\n17fe047b9a3695d4fd8ad9d2f7f37486c0bc85db0f9770471442d31410ff26a1 ShellRunDllVb.dll\r\n2665a09ec5b4ca913f9f3185df62495f13611831dba9073779a36df088db143b ShellRunDllVb.dll\r\n7c06a03d712be8c0df410bea5d1c2004c6247bcde5a46ce51746f18de9621ac1 ShellRunDllVb.dll\r\nURL\r\nhttps[:]//puccino.altervista.org/wp-content/uploads/2022/05/6h.txt\r\nhttps[:]//storangefilecloud.vip/IMG.jpg\r\nhttps[:]//storangefilecloud.vip/PI.txt\r\nhttps[:]//storangefilecloud.vip/PRGx.jpg\r\nhttps[:]//bukjut11.com/FRIGO.JPG\r\nhttps[:]//bukjut11.com:443/AEVC.JPG\r\nhttps[:]//imagizer.imageshack.com/img922/1527/sKr93I.png\r\nhttps[:]//imagizer.imageshack.com/img923/7651/jMwIGI.png\r\nhttps[:]//i.imgur.com/fkNiY9Z.png\r\nhttps[:]//laurentprotector.com/LRGBPFV.bin\r\nhttps[:]//laurentprotector.com/NnQFqsOEUtkezvIEcLpfa.bin\r\nDarkMe C\u0026C\r\naka7newmalp23.com\r\ncsmmmsp099q.com\r\nmuasaashishaj.com\r\ncspapop110.com\r\n938jss.com\r\n8as1s2.com\r\nkalpoipolpmi.net\r\npallomnareraebrazo.com\r\n185.236.231.74\r\nPikoloRAT C\u0026C\r\n51.195.57.232\r\nSource: 
https://nsfocusglobal.com/operation-darkcasino-in-depth-analysis-of-attacks-by-apt-group-evilnum-part-2/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://nsfocusglobal.com/operation-darkcasino-in-depth-analysis-of-attacks-by-apt-group-evilnum-part-2/"
	],
	"report_names": [
		"operation-darkcasino-in-depth-analysis-of-attacks-by-apt-group-evilnum-part-2"
	],
	"threat_actors": [
		{
			"id": "059b16f8-d4e0-4399-9add-18101a2fd298",
			"created_at": "2022-10-25T15:50:23.29434Z",
			"updated_at": "2026-04-10T02:00:05.380938Z",
			"deleted_at": null,
			"main_name": "Evilnum",
			"aliases": [
				"Evilnum"
			],
			"source_name": "MITRE:Evilnum",
			"tools": [
				"More_eggs",
				"EVILNUM",
				"LaZagne"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "0bc63952-5795-4fc7-85c1-50a7f207f2f0",
			"created_at": "2023-11-14T02:00:07.095723Z",
			"updated_at": "2026-04-10T02:00:03.450401Z",
			"deleted_at": null,
			"main_name": "DarkCasino",
			"aliases": [],
			"source_name": "MISPGALAXY:DarkCasino",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a5bd315b-6220-441f-8ed1-39e194dcd0e3",
			"created_at": "2023-12-01T02:02:33.667762Z",
			"updated_at": "2026-04-10T02:00:04.641333Z",
			"deleted_at": null,
			"main_name": "DarkCasino",
			"aliases": [
				"Water Hydra"
			],
			"source_name": "ETDA:DarkCasino",
			"tools": [
				"CloudEyE",
				"DarkMe",
				"GuLoader",
				"PikoloRAT",
				"vbdropper"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "8ce861d7-7fbd-4d9c-a211-367c118bfdbd",
			"created_at": "2023-01-06T13:46:39.153487Z",
			"updated_at": "2026-04-10T02:00:03.232006Z",
			"deleted_at": null,
			"main_name": "Evilnum",
			"aliases": [
				"EvilNum",
				"Jointworm",
				"KNOCKOUT SPIDER",
				"DeathStalker",
				"TA4563"
			],
			"source_name": "MISPGALAXY:Evilnum",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "39ea99fb-1704-445d-b5cd-81e7c99d6012",
			"created_at": "2022-10-25T16:07:23.601894Z",
			"updated_at": "2026-04-10T02:00:04.684134Z",
			"deleted_at": null,
			"main_name": "Evilnum",
			"aliases": [
				"G0120",
				"Jointworm",
				"Operation Phantom in the [Command] Shell",
				"TA4563"
			],
			"source_name": "ETDA:Evilnum",
			"tools": [
				"Bypass-UAC",
				"Cardinal RAT",
				"ChromeCookiesView",
				"EVILNUM",
				"Evilnum",
				"IronPython",
				"LaZagne",
				"MailPassView",
				"More_eggs",
				"ProduKey",
				"PyVil",
				"PyVil RAT",
				"SONE",
				"SpicyOmelette",
				"StealerOne",
				"Taurus Loader Stealer Module",
				"Taurus Loader TeamViewer Module",
				"Terra Loader",
				"TerraPreter",
				"TerraStealer",
				"TerraTV"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434210,
	"ts_updated_at": 1775826712,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b7c844373188c350dea9bd8bb436edfeb884b21a.pdf",
		"text": "https://archive.orkl.eu/b7c844373188c350dea9bd8bb436edfeb884b21a.txt",
		"img": "https://archive.orkl.eu/b7c844373188c350dea9bd8bb436edfeb884b21a.jpg"
	}
}