{ "id": "d6926267-c083-4a4e-8abc-bf5ab23dabd5", "created_at": "2026-04-06T00:21:25.898312Z", "updated_at": "2026-04-10T13:12:54.808286Z", "deleted_at": null, "sha1_hash": "da2926873269b85062d782f1f777ad0c42e4f71d", "title": "Rewterz Threat Alert - Evilnum APT Group Targeting Financial Sector - Rewterz", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 36064, "plain_text": "Rewterz Threat Alert - Evilnum APT Group Targeting Financial\r\nSector - Rewterz\r\nPublished: 2020-12-23 · Archived: 2026-04-05 17:45:12 UTC\r\nSeverity\r\nHigh\r\nAnalysis Summary\r\nAPT group Evilnum aka Jointworm has been seen targeting financial sector with malicious emails. The group first\r\nseen in 2018 with the motivation of information theft and espionage has been active recently in attempt to rob\r\nusers off their credentials and gaining sensitive information for their gain. The group has primarily targeted fintech\r\norganizations based in Israel. These attacks have possible relationship between Cardinal RAT and another\r\nmalware family named EVILNUM. EVILNUM is a JavaScript-based malware family that is used in attacks\r\nagainst similar organizations.\r\nImpact\r\nInformation theft\r\nExposure of sensitive data \r\nIndicators of Compromise\r\nFilename\r\nAccount compliance[.] zip\r\nMD5\r\n178c15b02451a29f3bed0a068adc2049\r\nSHA-256\r\n3c7def980dfdebc0e03d8a3d3e2ee8367268ea676050e767e3c6ad77b8f9219e\r\nSHA1\r\n93f5b77065216f6d1eebed5ee3fe1b56937d9835\r\nURL\r\nhttps://www.rewterz.com/rewterz-news/rewterz-threat-alert-evilnum-apt-group-targeting-financial-sector\r\nPage 1 of 2\n\nhttp[:]//community-approch[.]com/\r\nRemediation\r\nBlock all threat indicators at your respective controls.\r\nAlways be suspicious about emails sent by unknown senders. \r\nNever click on links/attachments sent by unknown senders.\r\nSource: https://www.rewterz.com/rewterz-news/rewterz-threat-alert-evilnum-apt-group-targeting-financial-sector\r\nhttps://www.rewterz.com/rewterz-news/rewterz-threat-alert-evilnum-apt-group-targeting-financial-sector\r\nPage 2 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "MISPGALAXY", "Malpedia" ], "origins": [ "web" ], "references": [ "https://www.rewterz.com/rewterz-news/rewterz-threat-alert-evilnum-apt-group-targeting-financial-sector" ], "report_names": [ "rewterz-threat-alert-evilnum-apt-group-targeting-financial-sector" ], "threat_actors": [ { "id": "059b16f8-d4e0-4399-9add-18101a2fd298", "created_at": "2022-10-25T15:50:23.29434Z", "updated_at": "2026-04-10T02:00:05.380938Z", "deleted_at": null, "main_name": "Evilnum", "aliases": [ "Evilnum" ], "source_name": "MITRE:Evilnum", "tools": [ "More_eggs", "EVILNUM", "LaZagne" ], "source_id": "MITRE", "reports": null }, { "id": "8ce861d7-7fbd-4d9c-a211-367c118bfdbd", "created_at": "2023-01-06T13:46:39.153487Z", "updated_at": "2026-04-10T02:00:03.232006Z", "deleted_at": null, "main_name": "Evilnum", "aliases": [ "EvilNum", "Jointworm", "KNOCKOUT SPIDER", "DeathStalker", "TA4563" ], "source_name": "MISPGALAXY:Evilnum", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "39ea99fb-1704-445d-b5cd-81e7c99d6012", "created_at": "2022-10-25T16:07:23.601894Z", "updated_at": "2026-04-10T02:00:04.684134Z", "deleted_at": null, "main_name": "Evilnum", "aliases": [ "G0120", "Jointworm", "Operation Phantom in the [Command] Shell", "TA4563" ], "source_name": "ETDA:Evilnum", "tools": [ "Bypass-UAC", "Cardinal RAT", "ChromeCookiesView", "EVILNUM", "Evilnum", "IronPython", "LaZagne", "MailPassView", "More_eggs", "ProduKey", "PyVil", "PyVil RAT", "SONE", "SpicyOmelette", "StealerOne", "Taurus Loader Stealer Module", "Taurus Loader TeamViewer Module", "Terra Loader", "TerraPreter", "TerraStealer", "TerraTV" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434885, "ts_updated_at": 1775826774, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/da2926873269b85062d782f1f777ad0c42e4f71d.pdf", "text": "https://archive.orkl.eu/da2926873269b85062d782f1f777ad0c42e4f71d.txt", "img": "https://archive.orkl.eu/da2926873269b85062d782f1f777ad0c42e4f71d.jpg" } }