{
	"id": "2f58aca8-0a9a-40c5-bcae-56dd126ba068",
	"created_at": "2026-04-06T00:07:10.294084Z",
	"updated_at": "2026-04-10T13:12:40.582922Z",
	"deleted_at": null,
	"sha1_hash": "bc6be50bde10e6b89fb56f2c9cb6aa76dd03ab85",
	"title": "Buy, Sell, Steal, EvilNum Targets Cryptocurrency, Forex, Commodities | Proofpoint US",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 898911,
	"plain_text": "Buy, Sell, Steal, EvilNum Targets Cryptocurrency, Forex, Commodities | Proofpoint US\r\nBy Bryan Campbell, Pim Trouerbach, Selena Larson and the Proofpoint Threat Research Team\r\nPublished: 2022-07-20 · Archived: 2026-04-05 13:18:48 UTC\r\nKey Findings\r\nTA4563 is a threat actor leveraging EvilNum malware to target European financial and investment entities, especially those with operations supporting foreign exchanges, cryptocurrency, and decentralized finance (DeFi).\r\nEvilNum is a backdoor that can be used for data theft or to load additional payloads.\r\nThe malware includes multiple interesting components to evade detection and modify infection paths based on identified antivirus software.\r\nOverview\r\nSince late 2021 through the present, Proofpoint Threat Research observed the group Proofpoint calls TA4563 targeting various European financial and investment entities with the malware known as EvilNum. The actor exclusively targeted entities in the Decentralized Finance (DeFi) industry in recently observed campaigns. The activity Proofpoint associates with TA4563 has some overlap with activity publicly associated with a group referred to as DeathStalker and EvilNum. The activity described in this report has some overlap with EvilNum activity publicly reported by Zscaler in June 2022.\r\nThe identified campaigns delivered an updated version of the EvilNum backdoor using a varied mix of ISO, Microsoft Word and Shortcut (LNK) files in late 2021 and early 2022, presumably as a method of testing the efficacy of the delivery methods. This malware can be used for reconnaissance, data theft, and to deploy additional payloads.\r\nCampaign Details\r\n2021\r\nProofpoint observed the first campaign in December 2021. The messages purported to be related to financial trading platform registration or related documents. The initial campaign included the attempted delivery of Microsoft Word documents responsible for installing the updated version of the EvilNum backdoor.\r\nThese messages used a remote template document that analysts observed attempting to communicate with domains to install several LNK loader components, leveraging wscript to load the EvilNum payload, and a JavaScript payload that was ultimately installed on the user's host. These lures contained a financial theme, suggesting on one occasion that the intended victim needed to submit \"proof of ownership of missing documents\".\r\nhttps://www.proofpoint.com/us/blog/threat-insight/buy-sell-steal-evilnum-targets-cryptocurrency-forex-commodities\r\nPage 1 of 9\r\nProofpoint identified the following post-infection related domains:\r\nmailgunltd[.]com\r\nazuredllservices[.]com\r\nofficelivecloud[.]com\r\nEarly 2022\r\nThe group continued to target financial entities with a variation on the original email campaign, attempting to deliver multiple OneDrive URLs that contained either an ISO or .LNK attachment. In identified campaigns, the actor used financial lures to get the recipient to launch the EvilNum payload. Messages purported to be, for example:\r\nFrom: \"Viktoria Helle\" \u003cviktoria.helle79@zingamail[.]uk\u003e\r\nSubject: Re: Reminder to submit your proof of identity and address\r\nCampaigns continued to target specific European financial and investment entities.\r\nSubsequent campaigns included the delivery of a compressed .LNK file directly as an additional attempt to install EvilNum.\r\nMid 2022\r\nAs the threat actor maintained consistent targeting and victimology, the methodology again changed. In mid-2022 campaigns, TA4563 delivered Microsoft Word documents that attempted to download a remote template. Messages purported to be, for example:\r\nFrom: \"19steeven\" \u003carfeuille19@gmail[.]com\u003e\r\nSubject: Fwd: KOT4X - Proof of ownership (urgent missing document)\r\nAttachment: steve kot4x.docx\r\nThe attached document was responsible for generating traffic to http://outlookfnd[.]com, a likely actor-controlled domain responsible for serving the EvilNum payload.\r\nFigure 1: Attached Word document delivering EvilNum.\r\nEvilNum Details\r\nPrevious versions of EvilNum publicly reported by security organizations include both a JavaScript component and a C# component of the backdoor. Proofpoint did not observe a JavaScript component in recent campaigns and analyzed the C# component observed in multiple recent campaigns.\r\nEach campaign is highly fenced; the malware only allows one download per IP address to ensure only the target host can retrieve the final payload. The initial-stage LNK loader is responsible for executing PowerShell via cmd.exe, which then downloads two different payloads from the initial host (e.g. infntio[.]com).\r\nThe first payload is responsible for executing two PowerShell scripts.\r\nFigure 2: PowerShell script examples.\r\nThe first is used to decrypt a PNG and follows logic to restart the infection chain. The second, larger PowerShell script loads C# code dynamically and sends screenshots to a command-and-control (C2) server. This C# application then executes another PowerShell command:\r\n/c start /min \\\"\\\" powershell -inputformat none -outputformat none -windowstyle hidden -c \\\"\u0026hpfde.exe\" -v=[Random]\r\nSeveral applications are executed depending on which antivirus software (Avast, AVG, or Windows Defender) is found on the host. The malware will try to call multiple executables likely already on the host machine (e.g. TechToolkit.exe and nvapiu.exe). The malware execution chain will change to best evade detection by the identified antivirus engine.\r\nFigure 3: Executables called depending on the antivirus engine identified.\r\nThe second payload contains two encrypted blobs. The first is decrypted to an executable (e.g. hpfde.exe) and the second to a TMP file (e.g. devXYXY5.tmp). The initial executable reads and decrypts the TMP file to load a 53KB shellcode file, resulting in a final decrypted and decompressed PE file.\r\nThe EvilNum backdoor can be used for reconnaissance and data theft activity and to load follow-on payloads.\r\nConclusion\r\nEvilNum malware and the TA4563 group pose a risk to financial organizations. Based on Proofpoint analysis, TA4563's malware is under active development. Although Proofpoint did not observe follow-on payloads deployed in identified campaigns, third-party reporting indicates EvilNum malware may be leveraged to distribute additional malware, including tools available via the Golden Chickens malware-as-a-service. TA4563 has adjusted its attempts to compromise victims using various methods of delivery. While Proofpoint observed this activity and provided detection updates to thwart it, it should be noted that a persistent adversary will continue to adjust its posture in its compromise attempts.\r\nIndicators Of Compromise\r\nSource: https://www.proofpoint.com/us/blog/threat-insight/buy-sell-steal-evilnum-targets-cryptocurrency-forex-commodities",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MISPGALAXY",
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.proofpoint.com/us/blog/threat-insight/buy-sell-steal-evilnum-targets-cryptocurrency-forex-commodities"
	],
	"report_names": [
		"buy-sell-steal-evilnum-targets-cryptocurrency-forex-commodities"
	],
	"threat_actors": [
		{
			"id": "059b16f8-d4e0-4399-9add-18101a2fd298",
			"created_at": "2022-10-25T15:50:23.29434Z",
			"updated_at": "2026-04-10T02:00:05.380938Z",
			"deleted_at": null,
			"main_name": "Evilnum",
			"aliases": [
				"Evilnum"
			],
			"source_name": "MITRE:Evilnum",
			"tools": [
				"More_eggs",
				"EVILNUM",
				"LaZagne"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f5c90ccc-0f18-4e07-a246-b62101ab2f6f",
			"created_at": "2023-01-06T13:46:38.854407Z",
			"updated_at": "2026-04-10T02:00:03.122844Z",
			"deleted_at": null,
			"main_name": "GC02",
			"aliases": [
				"Golden Chickens",
				"Golden Chickens02",
				"Golden Chickens 02"
			],
			"source_name": "MISPGALAXY:GC02",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "88802a4b-5b3d-42ee-99e6-8a4f5fd231f6",
			"created_at": "2023-01-06T13:46:38.851345Z",
			"updated_at": "2026-04-10T02:00:03.121861Z",
			"deleted_at": null,
			"main_name": "GC01",
			"aliases": [
				"Golden Chickens",
				"Golden Chickens01",
				"Golden Chickens 01"
			],
			"source_name": "MISPGALAXY:GC01",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "8ce861d7-7fbd-4d9c-a211-367c118bfdbd",
			"created_at": "2023-01-06T13:46:39.153487Z",
			"updated_at": "2026-04-10T02:00:03.232006Z",
			"deleted_at": null,
			"main_name": "Evilnum",
			"aliases": [
				"EvilNum",
				"Jointworm",
				"KNOCKOUT SPIDER",
				"DeathStalker",
				"TA4563"
			],
			"source_name": "MISPGALAXY:Evilnum",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "39ea99fb-1704-445d-b5cd-81e7c99d6012",
			"created_at": "2022-10-25T16:07:23.601894Z",
			"updated_at": "2026-04-10T02:00:04.684134Z",
			"deleted_at": null,
			"main_name": "Evilnum",
			"aliases": [
				"G0120",
				"Jointworm",
				"Operation Phantom in the [Command] Shell",
				"TA4563"
			],
			"source_name": "ETDA:Evilnum",
			"tools": [
				"Bypass-UAC",
				"Cardinal RAT",
				"ChromeCookiesView",
				"EVILNUM",
				"Evilnum",
				"IronPython",
				"LaZagne",
				"MailPassView",
				"More_eggs",
				"ProduKey",
				"PyVil",
				"PyVil RAT",
				"SONE",
				"SpicyOmelette",
				"StealerOne",
				"Taurus Loader Stealer Module",
				"Taurus Loader TeamViewer Module",
				"Terra Loader",
				"TerraPreter",
				"TerraStealer",
				"TerraTV"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "7a257844-df90-4bd4-b0f1-77d00ff82802",
			"created_at": "2022-10-25T16:07:24.376356Z",
			"updated_at": "2026-04-10T02:00:04.964565Z",
			"deleted_at": null,
			"main_name": "Venom Spider",
			"aliases": [
				"Golden Chickens",
				"TA4557",
				"Venom Spider"
			],
			"source_name": "ETDA:Venom Spider",
			"tools": [
				"More_eggs",
				"PureLocker",
				"SONE",
				"SpicyOmelette",
				"StealerOne",
				"Taurus Builder",
				"Taurus Builder Kit",
				"Taurus Loader",
				"Taurus Loader Reconnaissance Module",
				"Taurus Loader Stealer Module",
				"Taurus Loader TeamViewer Module",
				"Terra Loader",
				"TerraCrypt",
				"TerraLogger",
				"TerraPreter",
				"TerraRecon",
				"TerraStealer",
				"TerraTV",
				"TerraWiper",
				"ThreatKit",
				"VenomKit",
				"VenomLNK",
				"lite_more_eggs"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434030,
	"ts_updated_at": 1775826760,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/bc6be50bde10e6b89fb56f2c9cb6aa76dd03ab85.pdf",
		"text": "https://archive.orkl.eu/bc6be50bde10e6b89fb56f2c9cb6aa76dd03ab85.txt",
		"img": "https://archive.orkl.eu/bc6be50bde10e6b89fb56f2c9cb6aa76dd03ab85.jpg"
	}
}