{
	"id": "d225efe6-5ff7-4207-9749-c23dc42d7d97",
	"created_at": "2026-04-06T00:07:37.662372Z",
	"updated_at": "2026-04-10T13:12:52.509126Z",
	"deleted_at": null,
	"sha1_hash": "e79f41e20c383c2a292e12ec9caf01a188c84029",
	"title": "Operation DarkCasino: In-Depth Analysis of Attacks by APT Group Evilnum (Part 1) - NSFOCUS, Inc., a global network and cyber security leader, protects enterprises and carriers from advanced cyber attacks.",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 485147,
	"plain_text": "Operation DarkCasino: In-Depth Analysis of Attacks by APT Group Evilnum (Part 1) - NSFOCUS, Inc., a global network and cyber security leader, protects enterprises and carriers from advanced cyber attacks.\r\nBy NSFOCUS\r\nPublished: 2022-09-19 · Archived: 2026-04-05 14:54:52 UTC\r\nOverview\r\nRecently, NSFOCUS Security Labs observed a series of phishing activities against European countries. Those activities mainly targeted online gambling platforms as well as active online trading behaviors, aiming to steal transaction credentials of service providers and customers for illegal profits.\r\nThe in-depth analysis revealed that it was a continuation of recent attacks staged by the APT group Evilnum.\r\nEvilnum attackers followed their typical attack methods in this operation. Compared with previous activities, this operation adopted more diversified attack flows and more complicated attack components and used two new trojans, DarkMe and PikoloRAT, demonstrating the group's strong tool development ability, flow design ability, and rich experience in offensive and defensive confrontation. It was also observed that Evilnum’s design methods and implementations varied significantly across the different attack flows, so the researchers believe that multiple attackers took part in this operation.\r\nNSFOCUS Security Labs named this operation DarkCasino based on its attack targets and trojan programs. This operation showed that the Evilnum group still took online trading platforms as their prime targets. The group could rapidly find cybercrime opportunities and then take action.\r\nAs of the release of this report, the DarkCasino operation is still in progress.\r\nAbout APT Group Evilnum\r\nFirst spotted in 2018, the Evilnum group has been active in the UK and Europe; its key targets are financial technology companies. The group is named after the Evilnum trojan, also called DeathStalker by Kaspersky Lab.\r\nhttps://nsfocusglobal.com/operation-darkcasino-in-depth-analysis-of-attacks-by-apt-group-evilnum-part-1/\r\nPage 1 of 6\n\nThe goal is to steal transaction credentials to gain control of company or individual accounts for theft of funds.\r\nEvilnum’s typical attack method is to disguise malware as a client identity file to trick fintech staff into running the program. The embedded spy trojans then steal high-value information from victim hosts.\r\nThe Evilnum group has strong development abilities and designs complicated attack flows and components. NSFOCUS Security Labs previously observed and disclosed that Evilnum’s attack flows were launched with a high completion rate and that a stub trojan, AgentVX, was used.\r\nAttacked Targets\r\nNSFOCUS’s analysis revealed that most victims of this operation were in European countries in the Mediterranean region. Attacks were also observed in Canada, Singapore, and the Philippines. Its direct targets include online gambling platforms, consumers in various countries using such media, and other personnel related to online transactions on the platform.\r\nThe identified attack flows showed that Evilnum used the following character strings as the decoy file name.\r\nScatters Casino mentioned above is an online casino operated by Gammix Limited, a Maltese company. Decoy files were disguised as online transaction credentials or promotion files to attack Scatters’s operations staff, and they were also disguised as Scatters’s promotion ads to attack customers. Evilnum attackers aimed to steal the transaction credentials and related information stored on target hosts.\r\nThe statistics on the source of the decoy files revealed that victims were widely distributed in European countries, such as Malta, Poland, Cyprus, Armenia, Spain, Switzerland, France, and Ireland, as well as in non-European countries such as Canada, Israel, Singapore, and the Philippines.\r\nDistribution of victims in Operation DarkCasino\r\nIn terms of geolocation, many victims were in Malta and a small number of victims were distributed in other countries where Scatters’s services are available.\r\nScatters Casino was launched to the market in 2019 and has expanded rapidly. Recently, Scatters announced that its online casino service had a prize pool of 230 million euros, which may be the leading cause of its being targeted by the Evilnum group.\r\nOther information indicated that DarkCasino may be only part of a more persistent, larger-scale attack campaign. Correlation of IoC clues demonstrated that part of Evilnum’s assets could be linked to cyberattack activities targeting cryptocurrency-related trading platforms, which started in the second half of 2021 and continued into early 2022. In that operation, large numbers of signed trojans, ParallaxRAT and NetWire, were delivered to steal information from target hosts mainly in Europe. Although the decoys and network resources used by the attackers were associated with DarkCasino, NSFOCUS Security Labs did not obtain direct evidence to prove that the Evilnum group staged that operation.\r\nAttack Flows\r\nEvilnum attackers constructed three different attack flows in this operation. All these flows started from sending decoy files. The next step was to access public resources or compromised websites to obtain steganographic images. DarkMe payloads were then extracted from these images and finally loaded and executed in one way or another.\r\nAttack Flow A\r\nAs the first attack flow used by Evilnum attackers, it featured the most complicated components. Its key components were first spotted on May 2.\r\nThe analysis of components revealed that this attack flow had two variations. Flow A1 was constructed on April 28 and required downloading content from specific network locations. Flow A2 was constructed on May 1 and did not require downloading content from the network. The two variations had a similar execution process.\r\nDarkCasino attack flow – 1\r\nAs shown in the figure above, attack flow A was very similar to that in Operation AgentVX observed and disclosed earlier by NSFOCUS Security Labs. It consisted of an installer generated by InstallShield, a side loader, an encrypted shellcode loader, steganographic images, and the DarkMe trojan.\r\nAfter the InstallShield installer disguised as a PIF file was started, it performed a general installation process, dropping built-in files in the %TEMP% system directory and running the legitimate program python.exe.\r\nAfter python.exe was started, python39.dll carrying malicious code was sideloaded, leading to execution of a piece of shellcode in python39.dll.\r\nThe malicious shellcode in python39.dll read the time.wav file in the same directory, decrypted and extracted the next-stage shellcode, then started the cmd.exe puppet process and injected the next-stage shellcode into it. During the injection, a URL string read from time.ini was written to cmd.exe as the startup parameter of the shellcode.\r\nThe shellcode in the cmd.exe puppet process would obtain a steganographic image from the preceding URL, extract the third-stage shellcode from the image through the built-in image processing module, and execute it.\r\nThe third-stage shellcode would try to inject the built-in trojan DarkMe into another puppet process cmd.exe and run it. The C\u0026C communication server with which DarkMe communicated was cspapop110.com.\r\nAttack Flow B\r\nThis attack flow was first observed on May 9, and related documents showed that the flow was constructed on May 3.\r\nDarkCasino attack flow B\r\nAs shown in the figure above, attackers also followed the Evilnum group’s common practice in attack flow B. They delivered shortcut decoy files with a malicious mshta command, accessed the controlled WordPress website to obtain the subsequent instruction code, and then ran it.\r\nThe key to this flow was to obtain three files, P.exe, PI.txt and IMG.jpg, by visiting the second-stage site. After being loaded by P.exe, the main loader trojan PI.txt would extract the hidden executable file ShellRunDllVb.dll from IMG.jpg and register the DLL file as a system component {A762B0C7-5244-4B3E-ADED-D549E9CEA39E} by creating a registry file Register.reg. Then PI.txt ran the rundll32 /sta command to execute the component.\r\nFinally, the spy trojan DarkMe was executed and communicated with the C\u0026C server cspapop110.com.\r\nAttack Flow C\r\nThe Evilnum attackers added a more streamlined flow on May 19.\r\nDarkCasino attack flow C\r\nAs shown in the figure above, attack flow C was initiated by a loader trojan disguised as an SCR file. The trojan obtained a steganographic image by directly accessing the built-in URL link, extracted the file ShellRunDllVb.dll from the image, and then loaded and executed it. ShellRunDllVb.dll was also a DarkMe trojan, and kalpoipolpmi.net was used as the C\u0026C communication server.\r\n(To be continued…)\r\nSource: https://nsfocusglobal.com/operation-darkcasino-in-depth-analysis-of-attacks-by-apt-group-evilnum-part-1/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://nsfocusglobal.com/operation-darkcasino-in-depth-analysis-of-attacks-by-apt-group-evilnum-part-1/"
	],
	"report_names": [
		"operation-darkcasino-in-depth-analysis-of-attacks-by-apt-group-evilnum-part-1"
	],
	"threat_actors": [
		{
			"id": "059b16f8-d4e0-4399-9add-18101a2fd298",
			"created_at": "2022-10-25T15:50:23.29434Z",
			"updated_at": "2026-04-10T02:00:05.380938Z",
			"deleted_at": null,
			"main_name": "Evilnum",
			"aliases": [
				"Evilnum"
			],
			"source_name": "MITRE:Evilnum",
			"tools": [
				"More_eggs",
				"EVILNUM",
				"LaZagne"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "0bc63952-5795-4fc7-85c1-50a7f207f2f0",
			"created_at": "2023-11-14T02:00:07.095723Z",
			"updated_at": "2026-04-10T02:00:03.450401Z",
			"deleted_at": null,
			"main_name": "DarkCasino",
			"aliases": [],
			"source_name": "MISPGALAXY:DarkCasino",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f7aa6029-2b01-4eee-8fe6-287330e087c9",
			"created_at": "2022-10-25T16:07:23.536763Z",
			"updated_at": "2026-04-10T02:00:04.646542Z",
			"deleted_at": null,
			"main_name": "Deceptikons",
			"aliases": [
				"DeathStalker",
				"Deceptikons"
			],
			"source_name": "ETDA:Deceptikons",
			"tools": [
				"EVILNUM",
				"Evilnum",
				"Janicab",
				"PowerPepper",
				"Powersing",
				"VileRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a5bd315b-6220-441f-8ed1-39e194dcd0e3",
			"created_at": "2023-12-01T02:02:33.667762Z",
			"updated_at": "2026-04-10T02:00:04.641333Z",
			"deleted_at": null,
			"main_name": "DarkCasino",
			"aliases": [
				"Water Hydra"
			],
			"source_name": "ETDA:DarkCasino",
			"tools": [
				"CloudEyE",
				"DarkMe",
				"GuLoader",
				"PikoloRAT",
				"vbdropper"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "8ce861d7-7fbd-4d9c-a211-367c118bfdbd",
			"created_at": "2023-01-06T13:46:39.153487Z",
			"updated_at": "2026-04-10T02:00:03.232006Z",
			"deleted_at": null,
			"main_name": "Evilnum",
			"aliases": [
				"EvilNum",
				"Jointworm",
				"KNOCKOUT SPIDER",
				"DeathStalker",
				"TA4563"
			],
			"source_name": "MISPGALAXY:Evilnum",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "39ea99fb-1704-445d-b5cd-81e7c99d6012",
			"created_at": "2022-10-25T16:07:23.601894Z",
			"updated_at": "2026-04-10T02:00:04.684134Z",
			"deleted_at": null,
			"main_name": "Evilnum",
			"aliases": [
				"G0120",
				"Jointworm",
				"Operation Phantom in the [Command] Shell",
				"TA4563"
			],
			"source_name": "ETDA:Evilnum",
			"tools": [
				"Bypass-UAC",
				"Cardinal RAT",
				"ChromeCookiesView",
				"EVILNUM",
				"Evilnum",
				"IronPython",
				"LaZagne",
				"MailPassView",
				"More_eggs",
				"ProduKey",
				"PyVil",
				"PyVil RAT",
				"SONE",
				"SpicyOmelette",
				"StealerOne",
				"Taurus Loader Stealer Module",
				"Taurus Loader TeamViewer Module",
				"Terra Loader",
				"TerraPreter",
				"TerraStealer",
				"TerraTV"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434057,
	"ts_updated_at": 1775826772,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e79f41e20c383c2a292e12ec9caf01a188c84029.pdf",
		"text": "https://archive.orkl.eu/e79f41e20c383c2a292e12ec9caf01a188c84029.txt",
		"img": "https://archive.orkl.eu/e79f41e20c383c2a292e12ec9caf01a188c84029.jpg"
	}
}