{
	"id": "dc0aadbe-69a3-49f0-b814-09d827729263",
	"created_at": "2026-04-06T00:19:13.770423Z",
	"updated_at": "2026-04-10T03:36:08.332955Z",
	"deleted_at": null,
	"sha1_hash": "e4b5b31040f55a65614e2ce4f97db7a56bf878b7",
	"title": "No Rest for the Wicked: Evilnum Unleashes PyVil RAT",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 5242688,
	"plain_text": "No Rest for the Wicked: Evilnum Unleashes PyVil RAT\r\nBy Cybereason Nocturnus\r\nArchived: 2026-04-05 15:48:51 UTC\r\nOver the course of the last few months, the Cybereason Nocturnus team has been investigating the activity of the Evilnum group. The group first emerged in 2018, and since then, Evilnum’s activity has been varied, with recent reports describing different components written in JavaScript and C# as well as tools bought from the Malware-as-a-Service provider Golden Chickens.\r\nThe group’s operations appear to be highly targeted, as opposed to a widespread phishing operation, with a focus on the FinTech market by way of abusing the Know Your Customer (KYC) regulations: documents with information provided by clients when business is undertaken. Since its first discovery, the group has mainly targeted different companies across the UK and EU.\r\nIn recent weeks, the Nocturnus team has observed new activity by the group, including several notable changes from tactics observed previously. These variations include a change in the chain of infection and persistence, new infrastructure that is expanding over time, and the use of a new Python-scripted Remote Access Trojan (RAT) Nocturnus dubbed PyVil RAT. 
\r\nPyVil RAT possesses different functionalities, and enables the attackers to exfiltrate data, perform keylogging, take screenshots, and deploy more tools such as LaZagne in order to steal credentials.\r\nIn this write-up, we dive into the recent activity of the Evilnum group and explore its new infection chain and tools.\r\nKey Findings\r\nEvilnum: The Cybereason Nocturnus team is tracking the operations of the Evilnum group, which has been active for the past two years, using a variety of tools.\r\nTargeting the Financial Sector: The group is known to target FinTech companies, and is abusing the Know Your Customer (KYC) procedure in order to start the infection.\r\nNew Tricks: In this research, we see a deviation from the infection chain, persistence, infrastructure, and tools observed previously, including:\r\n- Modified versions of legitimate executables employed in an attempt to remain undetected by security tools.\r\n- Infection chain shift from a JavaScript Trojan with backdoor capabilities to a multi-process delivery procedure of the payload.\r\n- A newly discovered Python-scripted RAT dubbed PyVil RAT that was compiled with py2exe, which has the capability to download new modules to expand functionality.\r\nTable of Contents\r\nhttps://www.cybereason.com/blog/no-rest-for-the-wicked-evilnum-unleashes-pyvil-rat\r\nPage 1 of 25\n\nKey Findings\r\nOverview of the Group\r\nNew Infection Chain\r\nTrojanized Program\r\nFunctionality\r\nfplayer.exe\r\nPyVil: A New Python RAT\r\nExpanding Infrastructure\r\nConclusion\r\nMitre Attack Breakdown\r\nIndicators of Compromise\r\nOverview of the Group\r\nThe Evilnum group has been reported to target financial technology companies, mostly located in the UK and other EU countries. 
The main goal of the group is to spy on its infected targets and steal information such as passwords, documents, browser cookies, email credentials and more.\r\nAside from the group’s own proprietary tools, Evilnum has been observed deploying Golden Chickens tools in some cases, as reported in the past. Golden Chickens is a Malware-as-a-Service (MaaS) provider that is known to have been used by groups such as FIN6 and Cobalt Group. Among the tools used by the Evilnum group are More_eggs, TerraPreter, TerraStealer, and TerraTV.\r\nThe Evilnum group’s activity was first identified in 2018, when they used the first version of their infamous JavaScript Trojan. The script extracts C2 addresses from sites like GitHub, DigitalPoint and Reddit by querying specific pages created for this purpose. This technique enables the attackers to change the C2 address of deployed agents easily while keeping the communications masked, as requests are made to legitimate, well-known sites.\r\nSince then, the group has been mentioned several times, in different attacks, each time upgrading its toolset with new capabilities as well as adding new tools to the group’s arsenal.\r\nThe initial infection vector of Evilnum typically begins with spear phishing emails, with the goal of delivering ZIP archives that contain LNK files masquerading as photos of different documents such as driving licenses, credit cards, and utility bills. These documents are likely to be stolen and belong to real individuals.\r\nOnce an LNK file is opened, it deploys the JavaScript Trojan, which in turn replaces the LNK file with a real image file, making this whole operation invisible to the user.\r\nUp to this date, as described in this publication, six different iterations of the JavaScript Trojan have been observed in the wild, each with small changes that don’t alter the core functionality. 
The JavaScript agent has functionalities such as uploading and downloading files, stealing cookies, collecting antivirus information, executing commands and more.\r\nIn addition to the JavaScript component, as described in previous research, the group has been observed deploying a C# Trojan that possesses similar functionality to the former JavaScript component.\r\n[Figure: Previous infection chain]\r\nNew Infection Chain\r\nIn the past, Evilnum’s infection chain started with spear phishing emails, delivering ZIP archives that contain LNK files masquerading as images. These LNK files drop a JavaScript Trojan with different backdoor capabilities, as described above.\r\nIn recent weeks, we observed a change in this infection procedure: first, instead of delivering four different LNK files in a ZIP archive, each of which is in turn replaced by a JPG file, only one file is archived. This LNK file masquerades as a PDF whose content includes several documents, such as utility bills, credit card photos, and driver’s license photos:\r\n[Figure: LNK file in ZIP]\r\nWhen the LNK file is executed, as in previous versions, a JavaScript file is written to disk and executed, replacing the LNK file with a PDF:\r\n[Figure: Example KYC documents from the PDF]\r\nUnlike previous versions that possessed an array of functionalities, this version of the JavaScript acts mainly as a dropper and lacks any C2 communication capabilities. 
This JavaScript is the first stage in this new infection chain, culminating with the delivery of the payload, a Python-written RAT compiled with py2exe that Nocturnus researchers dubbed PyVil RAT:\r\n[Figure: Initial infection process tree]\r\nIn Cybereason, we are able to view the process tree and the extraction of the JavaScript from the LNK file:\r\n[Figure: Initial infection process tree in Cybereason]\r\nThe JavaScript is extracted by outputting all lines that contain the string “END2” (commented out in the script) to a file named “0.js” in the temp folder, and the LNK is copied to the temp folder as “1.lnk”:\r\n[Figure: Extraction of the embedded JS script]\r\nThe JavaScript file uses a path similar to previous versions to drop binaries (\"%localappdata%\\\\Microsoft\\\\Credentials\\\\MediaPlayer\\\\”):\r\n[Figure: Snippet from JS file]\r\nAfter the script replaces the LNK file with the real PDF, the JS file is copied to “%localappdata%\\Microsoft\\Credentials\\MediaPlayer\\VideoManager\\media.js” and is executed again.\r\nIn this second execution of the script, an executable file named “ddpp.exe” that is embedded inside the LNK file is extracted and saved to \"%localappdata%\\Microsoft\\Credentials\\MediaPlayer\\ddpp.exe\".\r\nUnlike previous versions, where the malware used the Run registry key for persistence, in this new version a scheduled task named “Dolby Selector Task” for ddpp.exe is created instead:\r\n[Figure: ddpp.exe scheduled task]\r\nWith this scheduled task, the second stage of retrieving the payload begins:\r\n[Figure: Downloaders process tree]\r\nIn Cybereason, we see the attempted credential dump by the payload:\r\n[Figure: Downloaders process tree in Cybereason]\r\nddpp.exe: Trojanized Program\r\nThe ddpp.exe executable appears to be a version of “Java(™) Web Start Launcher” modified to execute malicious code:\r\n[Figure: ddpp.exe icon]\r\nWhen comparing the malware executable with the original Oracle executable, we can see the similar metadata between the files. The major difference at first sight is that the original Oracle executable is signed, while the malware is not:\r\n[Figure: ddpp.exe file properties]\r\n[Figure: Original javaws.exe file properties]\r\nAccording to the Intezer engine, there is a huge amount of shared code between the malware executable and the legitimate Oracle Corporation file:\r\n[Figure: ddpp.exe code reuse in Intezer]\r\nddpp.exe Functionality\r\nThe ddpp.exe executable functions as a downloader for the next stages of the infection.\r\nIt is executed by the scheduled task with three arguments:\r\n- The encoded UUID of the infected machine\r\n- An encoded list of installed anti-virus products\r\n- The number 0\r\n[Figure: ddpp.exe scheduled task arguments]\r\nWhen ddpp.exe is executed, it unpacks shellcode:\r\n[Figure: ddpp.exe passing execution to shellcode]\r\nThe shellcode connects to the C2 using a GET request, sending in the URI the three parameters described above. In turn, the malware receives back another encrypted executable, which is saved to disk as “fplayer.exe” and is executed using a new scheduled task:\r\n[Figure: ddpp.exe C2 communication over HTTP]\r\nfplayer.exe\r\nfplayer.exe functions as another downloader. The downloaded payload is then loaded by fplayer.exe into memory and serves as a fileless RAT. 
The file is saved in “%localappdata%\\microsoft\\media player\\player\\fplayer.exe” and is executed with a scheduled task named “Adobe Update Task”:\r\n[Figure: fplayer.exe scheduled task]\r\nfplayer.exe is executed with several arguments as well:\r\n- The encoded UUID of the infected machine\r\n- Three arguments that will be used by the PyVil RAT at a later stage:\r\n  “-m”: the name of the scheduled task\r\n  “-f”: tells the PyVil RAT to parse the rest of the arguments\r\n  “-t”: update the scheduled task\r\n[Figure: fplayer.exe scheduled task arguments]\r\nSimilarly to ddpp.exe, fplayer.exe appears to be a modified version of “Stereoscopic 3D driver Installer”:\r\n[Figure: fplayer.exe icon]\r\nHere as well, we can see the similar metadata between the files, with the difference being that the original Nvidia executable is signed, while the malware is not:\r\n[Figure: fplayer.exe file properties]\r\n[Figure: Original nvStinst.exe file properties]\r\nThis time as well, according to the Intezer engine, there is a high percentage of code similarity with Nvidia Corporation:\r\n[Figure: fplayer.exe code reuse in Intezer]\r\nWhen fplayer.exe is executed, it also unpacks shellcode:\r\n[Figure: fplayer.exe passing execution to shellcode]\r\nThe shellcode connects to the C2 using a GET request, this time sending in the URI only the encoded UUID. 
\r\nfplayer.exe was observed to receive another encrypted executable, which is saved as ‘%localappdata%\\Microsoft\\Media Player\\Player\\devAHJE.tmp’:\r\n[Figure: fplayer.exe C2 communication]\r\nThe process decrypts the received executable and maps it to memory, passing execution to it.\r\nThe decrypted file is a compiled py2exe executable. py2exe is a Python extension which converts Python scripts into Microsoft Windows executables.\r\nPyVil: A New Python RAT\r\nThe Python code inside the py2exe is obfuscated with extra layers, in order to prevent decompilation of the payload using existing tools. Using a memory dump, we were able to extract the first layer of Python code. The first piece of code decodes and decompresses the second layer of Python code:\r\n[Figure: The first layer of deobfuscation code]\r\nThe second layer of Python code decodes and loads to memory the main RAT and the imported libraries:\r\n[Figure: Snippet from the second layer of code: extraction of Python libraries]\r\nThe PyVil RAT has several functionalities including:\r\n- Keylogger\r\n- Running cmd commands\r\n- Taking screenshots\r\n- Downloading more Python scripts for additional functionality\r\n- Dropping and uploading executables\r\n- Opening an SSH shell\r\n- Collecting information such as:\r\n  Anti-virus products installed\r\n  USB devices connected\r\n  Chrome version\r\nPyVil RAT’s global variables give a clear understanding of the malware’s capabilities:\r\n[Figure: Global variables showing PyVil RAT's functionality]\r\nPyVil RAT has a configuration module that holds the malware’s version, C2 domains, and user agents to use when communicating with the C2:\r\n[Figure: Configuration module]\r\nPyVil RAT’s C2 communications are done via HTTP POST requests and are RC4 encrypted using a hardcoded key encoded with base64:\r\n[Figure: RC4 key]\r\n[Figure: Data exfiltration from the infected machine being sent to the C2]\r\nThis encrypted data contains a JSON of different data collected from the machine and configuration:\r\n[Figure: One of the decrypted JSONs sent to the C2]\r\nFields used in C2 communication (field: usage):\r\ntype: Not clear\r\nxmode: Not clear\r\nreq_type: Request type\r\nsvc_ver: Malware version in the configuration\r\next_ver: A version of an executable the malware may download (-2 means the executables folder does not exist)\r\next_exists: Checks for the existence of a particular executable\r\nsvc_name: Appears to be a name used to identify the malware by the C2\r\next_uuid: Encoded machine UUID\r\nsvc_uuid: Machine UUID\r\nhost: Hostname\r\nuname: User name\r\nia: Is user admin\r\nwv: Windows version\r\ndt: Current date and time\r\navs: List of installed anti-virus products\r\ngc: Dictionary of different configuration\r\nsc_secs_min: Minimum sleep time between sending screenshots\r\nsc_secs_max: Maximum sleep time between sending screenshots\r\nkl_secs_min: Minimum sleep time between sending keylogging data\r\nkl_secs_max: Maximum sleep time between sending keylogging data\r\nkl_run: Is keylogger activated\r\nklr: Is keylogger activated\r\ntc: Is USB connected\r\ncr: Is chrome.exe running\r\nct: Type of downloaded module to run: executable or Python module\r\ncn: Module name corresponding to “ct”\r\nimp: Execute the downloaded module (corresponds with “ct”)\r\npwds: Extracted passwords\r\ncooks: Cookies information\r\nDuring the analysis of PyVil RAT, on several occasions, the malware received from the C2 a new Python module to execute. This Python module is a custom version of the LaZagne Project, which the Evilnum group has used in the past. The script will try to dump passwords and collect cookie information to send to the C2:\r\n[Figure: Decrypted LaZagne output sent to the C2]\r\nExpanding Infrastructure\r\nIn previous campaigns of the group, Evilnum’s tools avoided using domains in communications with the C2, only using IP addresses. In recent weeks, we encountered an interesting trend with Evilnum’s growing infrastructure.\r\nBy tracking Evilnum’s new infrastructure that the group has built in the past few weeks, a trend of expansion can be seen. While the C2 IP address changes every few weeks, the list of domains associated with this IP address keeps growing. A few weeks ago, three domains associated with the malware resolved to the same IP address:\r\nResolved IP: 5.206.227[.]81\r\nDomains: crm-domain[.]net, telecomwl[.]com, leads-management[.]net\r\nShortly thereafter, the C2 IP address of all three domains changed. In addition, three new domains were registered with the same IP address and were used by the malware:\r\nResolved IP: 185.236.230[.]25\r\nDomains: crm-domain[.]net, telecomwl[.]com, leads-management[.]net, voipssupport[.]com, voipasst[.]com, voipreq12[.]com\r\nA few weeks later, this change occurred again. 
The resolution address of all domains changed in the span of a few days, with the addition of three new domains:\r\nResolved IP: 193.56.28[.]201\r\nDomains: crm-domain[.]net, telecomwl[.]com, leads-management[.]net, voipssupport[.]com, voipasst[.]com, voipreq12[.]com, telefx[.]net, fxmt4x[.]com, xlmfx[.]com\r\n[Figure: Evilnum’s Infrastructure]\r\nConclusion\r\nIn this write-up, we examined a new infection chain by the Evilnum group, threat actors who have started to make a name for themselves. Since the first reports in 2018 through today, the group’s TTPs have evolved with different tools while the group has continued to focus on FinTech targets.\r\nThe Evilnum group has employed different types of tools over its career, including JavaScript and C# Trojans, malware bought from the malware-as-a-service Golden Chickens, and other existing Python tools. With all these different changes, the primary method of gaining initial access to their FinTech targets stayed the same: using fake Know Your Customer (KYC) documents to trick employees of the finance industry into triggering the malware.\r\nIn recent weeks we observed a significant change in the infection procedure of the group, moving away from the JavaScript backdoor capabilities and instead utilizing it as a first-stage dropper for new tools down the line. During the infection stage, Evilnum utilized modified versions of legitimate executables in an attempt to stay stealthy and remain undetected by security tools.\r\nThe group deployed a new type of Python RAT that Nocturnus researchers dubbed PyVil RAT, which possesses abilities to gather information, take screenshots, keylog data, open an SSH shell and deploy new tools. 
These tools can be a Python module such as LaZagne or an executable, thus adding more functionality for the attack as required. This innovation in tactics and tools is what allowed the group to stay under the radar, and we expect to see more in the future as the Evilnum group’s arsenal continues to grow.\r\nMitre ATT\u0026CK Breakdown\r\nInitial Access: Spearphishing Link\r\nExecution: User Execution; Windows Command Shell; JavaScript/JScript\r\nPersistence: Scheduled Task\r\nPrivilege Escalation: Scheduled Task\r\nDefense Evasion: Deobfuscate/Decode Files or Information; Masquerading; Obfuscated Files or Information\r\nCredential Access: Credentials from Password Stores; Credentials from Web Browsers; OS Credential Dumping; Keylogging; Steal Web Session Cookie\r\nDiscovery: Process Discovery; Security Software Discovery; System Information Discovery\r\nCollection: Keylogging; Screen Capture\r\nCommand and Control: Data Encoding; Ingress Tool Transfer; Application Layer Protocol; Encrypted Channel\r\nExfiltration: Exfiltration Over C2 Channel\r\nIndicators of Compromise\r\nThe campaign's IOCs are available as a separate PDF download. A threat alert for PyVil RAT is also available.\r\nTom Fakterman\r\nTom Fakterman, Cyber Security Analyst with the Cybereason Nocturnus Research Team, specializes in protecting critical networks and incident response. 
Tom has experience in researching malware, computer forensics and developing scripts and tools for automated cyber investigations.\r\nAbout the Author\r\nCybereason Nocturnus\r\nThe Cybereason Nocturnus Team has brought the world’s brightest minds from the military, government intelligence, and enterprise security to uncover emerging threats across the globe. They specialize in analyzing new attack methodologies, reverse-engineering malware, and exposing unknown system vulnerabilities. The Cybereason Nocturnus Team was the first to release a vaccination for the 2017 NotPetya and Bad Rabbit cyberattacks.\r\nSource: https://www.cybereason.com/blog/no-rest-for-the-wicked-evilnum-unleashes-pyvil-rat",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://www.cybereason.com/blog/no-rest-for-the-wicked-evilnum-unleashes-pyvil-rat"
	],
	"report_names": [
		"no-rest-for-the-wicked-evilnum-unleashes-pyvil-rat"
	],
	"threat_actors": [
		{
			"id": "059b16f8-d4e0-4399-9add-18101a2fd298",
			"created_at": "2022-10-25T15:50:23.29434Z",
			"updated_at": "2026-04-10T02:00:05.380938Z",
			"deleted_at": null,
			"main_name": "Evilnum",
			"aliases": [
				"Evilnum"
			],
			"source_name": "MITRE:Evilnum",
			"tools": [
				"More_eggs",
				"EVILNUM",
				"LaZagne"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "12517c87-040a-4627-a3df-86ca95e5c13f",
			"created_at": "2022-10-25T16:07:23.61665Z",
			"updated_at": "2026-04-10T02:00:04.689Z",
			"deleted_at": null,
			"main_name": "FIN6",
			"aliases": [
				"ATK 88",
				"Camouflage Tempest",
				"FIN6",
				"G0037",
				"Gold Franklin",
				"ITG08",
				"Skeleton Spider",
				"Storm-0538",
				"TAAL",
				"TAG-CR2",
				"White Giant"
			],
			"source_name": "ETDA:FIN6",
			"tools": [
				"AbaddonPOS",
				"Agentemis",
				"AmmyyRAT",
				"Anchor_DNS",
				"BlackPOS",
				"CmdSQL",
				"Cobalt Strike",
				"CobaltStrike",
				"FlawedAmmyy",
				"FrameworkPOS",
				"Grateful POS",
				"JSPSPY",
				"Kaptoxa",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"LockerGoga",
				"MMon",
				"Magecart",
				"Meterpreter",
				"Mimikatz",
				"More_eggs",
				"NeverQuest",
				"POSWDS",
				"Reedum",
				"Ryuk",
				"SCRAPMINT",
				"SONE",
				"SpicyOmelette",
				"StealerOne",
				"Taurus Loader Stealer Module",
				"Terra Loader",
				"TerraStealer",
				"Vawtrak",
				"WCE",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"cobeacon",
				"grabnew"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f5c90ccc-0f18-4e07-a246-b62101ab2f6f",
			"created_at": "2023-01-06T13:46:38.854407Z",
			"updated_at": "2026-04-10T02:00:03.122844Z",
			"deleted_at": null,
			"main_name": "GC02",
			"aliases": [
				"Golden Chickens",
				"Golden Chickens02",
				"Golden Chickens 02"
			],
			"source_name": "MISPGALAXY:GC02",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ea7bfe06-7c23-481d-b8ba-eafa6cda3bc9",
			"created_at": "2022-10-25T15:50:23.317961Z",
			"updated_at": "2026-04-10T02:00:05.280403Z",
			"deleted_at": null,
			"main_name": "FIN6",
			"aliases": [
				"FIN6",
				"Magecart Group 6",
				"ITG08",
				"Skeleton Spider",
				"TAAL",
				"Camouflage Tempest"
			],
			"source_name": "MITRE:FIN6",
			"tools": [
				"FlawedAmmyy",
				"GrimAgent",
				"FrameworkPOS",
				"More_eggs",
				"Cobalt Strike",
				"Windows Credential Editor",
				"AdFind",
				"PsExec",
				"LockerGoga",
				"Ryuk",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b3acfb48-b04d-4d3d-88a8-836d7376fa2e",
			"created_at": "2024-06-19T02:03:08.052814Z",
			"updated_at": "2026-04-10T02:00:03.659971Z",
			"deleted_at": null,
			"main_name": "GOLD FRANKLIN",
			"aliases": [
				"FIN6 ",
				"ITG08 ",
				"MageCart Group 6 ",
				"Skeleton Spider ",
				"Storm-0538 ",
				"White Giant "
			],
			"source_name": "Secureworks:GOLD FRANKLIN",
			"tools": [
				"FrameWorkPOS",
				"Metasploit",
				"Meterpreter",
				"Mimikatz",
				"PowerSploit",
				"PowerUpSQL",
				"RemCom"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "88802a4b-5b3d-42ee-99e6-8a4f5fd231f6",
			"created_at": "2023-01-06T13:46:38.851345Z",
			"updated_at": "2026-04-10T02:00:03.121861Z",
			"deleted_at": null,
			"main_name": "GC01",
			"aliases": [
				"Golden Chickens",
				"Golden Chickens01",
				"Golden Chickens 01"
			],
			"source_name": "MISPGALAXY:GC01",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2dfaa730-7079-494c-b2f0-3ff8f3598a51",
			"created_at": "2022-10-25T16:07:23.474746Z",
			"updated_at": "2026-04-10T02:00:04.623746Z",
			"deleted_at": null,
			"main_name": "Cobalt Group",
			"aliases": [
				"ATK 67",
				"Cobalt Gang",
				"Cobalt Spider",
				"G0080",
				"Gold Kingswood",
				"Mule Libra",
				"TAG-CR3"
			],
			"source_name": "ETDA:Cobalt Group",
			"tools": [
				"ATMRipper",
				"ATMSpitter",
				"Agentemis",
				"AmmyyRAT",
				"AtNow",
				"COOLPANTS",
				"CobInt",
				"Cobalt Strike",
				"CobaltStrike",
				"Cyst Downloader",
				"Fareit",
				"FlawedAmmyy",
				"Formbook",
				"Little Pig",
				"Metasploit Stager",
				"Mimikatz",
				"More_eggs",
				"NSIS",
				"Nullsoft Scriptable Install System",
				"Pony Loader",
				"Ripper ATM",
				"SDelete",
				"Siplog",
				"SoftPerfect Network Scanner",
				"SpicyOmelette",
				"Taurus Builder",
				"Taurus Builder Kit",
				"Taurus Loader",
				"Terra Loader",
				"ThreatKit",
				"VenomKit",
				"cobeacon",
				"win.xloader"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "8ce861d7-7fbd-4d9c-a211-367c118bfdbd",
			"created_at": "2023-01-06T13:46:39.153487Z",
			"updated_at": "2026-04-10T02:00:03.232006Z",
			"deleted_at": null,
			"main_name": "Evilnum",
			"aliases": [
				"EvilNum",
				"Jointworm",
				"KNOCKOUT SPIDER",
				"DeathStalker",
				"TA4563"
			],
			"source_name": "MISPGALAXY:Evilnum",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ee3363a4-e807-4f95-97d8-b603c31b9de1",
			"created_at": "2023-01-06T13:46:38.485884Z",
			"updated_at": "2026-04-10T02:00:02.99385Z",
			"deleted_at": null,
			"main_name": "FIN6",
			"aliases": [
				"SKELETON SPIDER",
				"ITG08",
				"MageCart Group 6",
				"ATK88",
				"TA4557",
				"Storm-0538",
				"White Giant",
				"GOLD FRANKLIN",
				"G0037",
				"Camouflage Tempest"
			],
			"source_name": "MISPGALAXY:FIN6",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "39ea99fb-1704-445d-b5cd-81e7c99d6012",
			"created_at": "2022-10-25T16:07:23.601894Z",
			"updated_at": "2026-04-10T02:00:04.684134Z",
			"deleted_at": null,
			"main_name": "Evilnum",
			"aliases": [
				"G0120",
				"Jointworm",
				"Operation Phantom in the [Command] Shell",
				"TA4563"
			],
			"source_name": "ETDA:Evilnum",
			"tools": [
				"Bypass-UAC",
				"Cardinal RAT",
				"ChromeCookiesView",
				"EVILNUM",
				"Evilnum",
				"IronPython",
				"LaZagne",
				"MailPassView",
				"More_eggs",
				"ProduKey",
				"PyVil",
				"PyVil RAT",
				"SONE",
				"SpicyOmelette",
				"StealerOne",
				"Taurus Loader Stealer Module",
				"Taurus Loader TeamViewer Module",
				"Terra Loader",
				"TerraPreter",
				"TerraStealer",
				"TerraTV"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c11abba0-f5e8-4017-a4ee-acb1a7c8c242",
			"created_at": "2022-10-25T15:50:23.744036Z",
			"updated_at": "2026-04-10T02:00:05.294413Z",
			"deleted_at": null,
			"main_name": "Cobalt Group",
			"aliases": [
				"Cobalt Group",
				"GOLD KINGSWOOD",
				"Cobalt Gang",
				"Cobalt Spider"
			],
			"source_name": "MITRE:Cobalt Group",
			"tools": [
				"Mimikatz",
				"More_eggs",
				"SpicyOmelette",
				"SDelete",
				"Cobalt Strike",
				"PsExec"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "7a257844-df90-4bd4-b0f1-77d00ff82802",
			"created_at": "2022-10-25T16:07:24.376356Z",
			"updated_at": "2026-04-10T02:00:04.964565Z",
			"deleted_at": null,
			"main_name": "Venom Spider",
			"aliases": [
				"Golden Chickens",
				"TA4557",
				"Venom Spider"
			],
			"source_name": "ETDA:Venom Spider",
			"tools": [
				"More_eggs",
				"PureLocker",
				"SONE",
				"SpicyOmelette",
				"StealerOne",
				"Taurus Builder",
				"Taurus Builder Kit",
				"Taurus Loader",
				"Taurus Loader Reconnaissance Module",
				"Taurus Loader Stealer Module",
				"Taurus Loader TeamViewer Module",
				"Terra Loader",
				"TerraCrypt",
				"TerraLogger",
				"TerraPreter",
				"TerraRecon",
				"TerraStealer",
				"TerraTV",
				"TerraWiper",
				"ThreatKit",
				"VenomKit",
				"VenomLNK",
				"lite_more_eggs"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434753,
	"ts_updated_at": 1775792168,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e4b5b31040f55a65614e2ce4f97db7a56bf878b7.pdf",
		"text": "https://archive.orkl.eu/e4b5b31040f55a65614e2ce4f97db7a56bf878b7.txt",
		"img": "https://archive.orkl.eu/e4b5b31040f55a65614e2ce4f97db7a56bf878b7.jpg"
	}
}