{
	"id": "27c67bbe-e4b6-440f-89b2-876491df707a",
	"created_at": "2026-04-06T00:08:21.063027Z",
	"updated_at": "2026-04-10T03:34:23.588624Z",
	"deleted_at": null,
	"sha1_hash": "ecf85f00941e85215bdd9456e6167f6f8db39e9e",
	"title": "Technical analysis: The silent torrent of VileRAT - Stairwell",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 866506,
	"plain_text": "Technical analysis: The silent torrent of VileRAT - Stairwell\r\nBy Threat Research\r\nArchived: 2026-04-05 18:28:13 UTC\r\nAuthors: Silas Cutler, Evelyne Diaz Araque, Vincent Zell, Alex Hegyi, Matt Richard, and Chris St. Myers\r\nOn 26 January 2024, Stairwell’s Threat Research team identified a new variant of VileRAT that has been in use since at least August 2023. Based on public reports and observed filenames, we believe that this variant is being distributed through fake software piracy sites in order to broadly infect systems.\r\nThe following report will provide background information on the activities of the group thought to be behind VileRAT, a technical overview of this recently observed activity (including details of two modified installers of the Nulloy media player that have been used to execute the malware), as well as indicators of compromise and a Python decoder script.\r\nWho is behind VileRAT?\r\nVileRAT is a Python-based malware family believed to be unique to the Evilnum threat group (also tracked as DeathStalker). This malware is consistently seen being deployed by an accompanying loader known as VileLoader, which is used to run VileRAT in memory, limiting on-disk artifacts. The functionality of VileRAT is consistent with traditional remote access tools, providing attackers with the ability to remotely capture keystrokes, execute commands, and harvest information. VileRAT is modular and extensible, allowing actors to deploy additional functionality through the framework.\r\nPublic reporting has assessed that Evilnum operates as a mercenary, hack-for-hire service with a history of targeting governments, law firms, financial firms, and cryptocurrency-related entities in the Americas, UK, EU, and the Middle East. 
Kaspersky researchers have linked the group to the Powersing, Janicab, and PowerPepper campaigns – Powersing being the first, detected in 2018.\r\nEvilnum’s past tactics, techniques, and procedures (TTPs) have included sending emails designed to deliver malicious LNK attachments, Word documents, and links to executable files, as well as utilizing companies’ public chatbots. The group is known to avoid direct financial gain and focus instead on the collection of sensitive business information (investment and trading info, software licenses and platform credentials, credit cards, proof of identity documents, VPN configuration, and more) to potentially function as an “information broker” in financial forums.\r\nVileRAT technical analysis\r\nStairwell has observed new activity and has identified new variants of VileRAT being deployed by modified versions of legitimate installers that contain VileLoader. This appears to be a new TTP in contrast with their past use of malicious documents and LNK files.\r\nhttps://stairwell.com/resources/technical-analysis-the-silent-torrent-of-vilerat/\r\nPage 1 of 7\r\nThe diagram from the 2022 Kaspersky report and a version showing recent activity by Stairwell are shown below:\r\nFigure 1: Comparison of VileRAT deployment in 2023 and 2022\r\nAnalysis in this report is based on a malicious installer for the Nulloy media player used to deploy VileLoader, named install.exe (SHA256 hash: 21ae1d88e675c9a2d51a2f68beadf24a21c1b16f58fc042ff97ad8e52501300d). This NSIS installer was signed on 13 August 2023 13:21:00 UTC by GLOSUB LLC.\r\nVileLoader is packaged inside the Nulloy installer under the name Plugins/platforms/NvStTest.exe (SHA256 hash: 552f9c111bdf18479b2195933649b8dbf80d65113b6d8743ecc9562a4e065a77) and is started by the NSIS install script when the installer is run. 
The relevant section of the NSIS install script is shown below:\r\n SetOutPath $_OUTDIR\r\n StrCpy $0 $INSTDIR\\Plugins\\platforms\\NvStTest.exe\r\n Exec \"$\\\"$0$\\\" Ri28\"\r\n Pop $0\r\nThis copy of VileLoader (NvStTest.exe) is a modified version of a legitimate NVIDIA 3D Vision Test Application (SHA256 hash: d799c32ddea3e0fa8219563d0b662cfe759231cfb90b23e60bf75a53f1391cd1). When executed, it validates the passed command line argument (Ri28 is passed by default from the installer) before dynamically resolving imports related to file loading and process execution. This tradecraft is consistent with VileLoader samples dating back to 2020.\r\nThe VileRAT payload is contained in a second file written by the NSIS installer to Plugins/platforms/wctSBWZ.tmp (SHA256 hash: 76f93a5d5a1b6bacb6ce474e8388819a3fdb50be51b0ee59bafdfabf5cc6cbb6). This payload and its filename are both obfuscated using XOR-based encoding methods, denoted in previous public reporting by Kaspersky as the Type B XOR algorithm. An example Python function to decode the payload filename within NvStTest is included in the Appendix.\r\nVileRAT’s core component is stored in a compressed, XORed, and base64-encoded buffer within the payload unpacked from VileLoader. 
Within the decoded output is a JSON configuration for the implant that contains the time VileRAT was started, its control servers, and the encryption key for C2 communication.\r\n{\r\n \"aidm\": 1706308776,\r\n \"u\": \"259364724529279232\",\r\n \"did\": \"bHNjb3deRlpcQVhEUVtCXkpRWE5eQFETTlpHWl1HEEJUX0FfQ1tYT1wPEBoVBRc=\",\r\n \"is\": 1706308780,\r\n \"mas\": \"GtFm\",\r\n \"lfs\": 0,\r\n \"dl\": [\r\n \"eriegentsfsepara.com\",\r\n \"licncesispervicear.com\",\r\n \"naightdecipientc.com\",\r\n \"nscormationw.com\",\r\n \"yclearneriegen.com\"\r\n ]\r\n}\r\nAssessment\r\nPrior activity from Evilnum has reportedly leveraged spear phishing as the primary method for gaining access to targets and focused on collecting sensitive financial information.\r\nBased on the number of submissions to public malware repositories for the installers, reports of pirated games opening Nulloy, and feedback from our industry peers, Stairwell assesses that the total number of systems infected by this variant of VileRAT is between 1k and 10k.\r\nDespite the increased exposure risk, the piracy ecosystem is highly transient; file-sharing sites are regularly shut down due to copyright violations or removed from search engine results. This regularly changing landscape presents a challenge for tracking actor activity. 
While sophisticated threat actors such as OnionDuke and APT37 have previously leveraged software piracy for broad exploitation campaigns, the activity observed from Evilnum is a distinctive shift in tactics from their publicly documented history.\r\nAppendix\r\nFile indicators\r\nNetwork indicators\r\nPython string decoder\r\nA copy of this script is available on the Stairwell Threat Research GitHub page.\r\n#!/usr/bin/env python3\r\n# Author: Silas Cutler (Silas@Stairwell.com)\r\nimport base64\r\n\r\ndef type_b_decode(indata):\r\n    # Type B layout: byte 0 gives the key size, the XOR key follows it, and the\r\n    # encoded data starts at indata[0] + 5. Decoding stops at the first 0x00 byte.\r\n    res = \"\"\r\n    data_offset = indata[0] + 5\r\n    key = indata[1:data_offset-2]\r\n    for index, data in enumerate(indata[data_offset:]):\r\n        if data == 0:\r\n            break\r\n        r = (data ^ key[index % len(key)]) \u0026 0xFF\r\n        res += chr(r)\r\n    return res\r\n\r\nif __name__ == \"__main__\":\r\n    # Encoded string taken from NvStTest.exe; it decodes to the payload\r\n    # filename wctSBWZ.tmp stored as a UTF-16LE (wide) string.\r\n    indata = base64.b64decode('GdMhue0p3M7PzXkPvSwB9cIHTEWiCOZvNMYYAAAApCHa7V3cnc+PeVi9dgHbwnNMKKJ45m80AAAA')\r\n    # Drop the interleaved NUL bytes of the wide string for display only\r\n    print(type_b_decode(indata).replace(\"\\x00\", \"\"))\r\nYARA rules\r\nrule VileLoader\r\n{\r\n meta:\r\n  author = \"Silas Cutler (Silas@Stairwell.com)\"\r\n  description = \"Detection for VileLoader observed in 2023-2014\"\r\n  hash = \"552f9c111bdf18479b2195933649b8dbf80d65113b6d8743ecc9562a4e065a77\"\r\n strings:\r\n  // Stack clearing at the start of WinMain()\r\n  $ = { 81 EC 98 04 00 00 8B 45 08 C7 84 24 E4 00 00 00 00 00 00 00 C7 84 24 68 01 00 00 00 00 0\r\n  // Setup before import resolve:\r\n  $ = { 8B 45 08 89 04 24 C7 44 24 04 68 42 00 00 E8 }\r\n  // Argument check\r\n  $ = { 8B 84 24 88 00 00 00 8B 8C 24 C0 00 00 00 83 E9 01 0F B7 04 48 83 F8 22 }\r\n condition:\r\n  all of them\r\n}\r\nrule VileRAT_encoded_payload\r\n{\r\n meta:\r\n  author = \"Stairwell Research Team\"\r\n  description = \"Detection for VileLoader tmp file containing VileRat, observed in 2023-2014\"\r\n  hash = \"a9c46388c5a118e90f767992ba23516505f9ed0acd2a4ede11f60cc274912f88\"\r\n  hash = \"76f93a5d5a1b6bacb6ce474e8388819a3fdb50be51b0ee59bafdfabf5cc6cbb6\"\r\n condition:\r\n  uint32(0x0) \u003c 0x3290 and uint32(0x0) \u003e 0x3000 and uint16(0x2) == 0x0 and uint32(uint8(4) + 5) \u003c uint32(0\r\n}\r\nSource: https://stairwell.com/resources/technical-analysis-the-silent-torrent-of-vilerat/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://stairwell.com/resources/technical-analysis-the-silent-torrent-of-vilerat/"
	],
	"report_names": [
		"technical-analysis-the-silent-torrent-of-vilerat"
	],
	"threat_actors": [
		{
			"id": "059b16f8-d4e0-4399-9add-18101a2fd298",
			"created_at": "2022-10-25T15:50:23.29434Z",
			"updated_at": "2026-04-10T02:00:05.380938Z",
			"deleted_at": null,
			"main_name": "Evilnum",
			"aliases": [
				"Evilnum"
			],
			"source_name": "MITRE:Evilnum",
			"tools": [
				"More_eggs",
				"EVILNUM",
				"LaZagne"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "6f30fd35-b1c9-43c4-9137-2f61cd5f031e",
			"created_at": "2025-08-07T02:03:25.082908Z",
			"updated_at": "2026-04-10T02:00:03.744649Z",
			"deleted_at": null,
			"main_name": "NICKEL FOXCROFT",
			"aliases": [
				"APT37 ",
				"ATK4 ",
				"Group 123 ",
				"InkySquid ",
				"Moldy Pisces ",
				"Operation Daybreak ",
				"Operaton Erebus ",
				"RICOCHET CHOLLIMA ",
				"Reaper ",
				"ScarCruft ",
				"TA-RedAnt ",
				"Venus 121 "
			],
			"source_name": "Secureworks:NICKEL FOXCROFT",
			"tools": [
				"Bluelight",
				"Chinotto",
				"GOLDBACKDOOR",
				"KevDroid",
				"KoSpy",
				"PoorWeb",
				"ROKRAT",
				"final1stpy"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "f7aa6029-2b01-4eee-8fe6-287330e087c9",
			"created_at": "2022-10-25T16:07:23.536763Z",
			"updated_at": "2026-04-10T02:00:04.646542Z",
			"deleted_at": null,
			"main_name": "Deceptikons",
			"aliases": [
				"DeathStalker",
				"Deceptikons"
			],
			"source_name": "ETDA:Deceptikons",
			"tools": [
				"EVILNUM",
				"Evilnum",
				"Janicab",
				"PowerPepper",
				"Powersing",
				"VileRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "bbe36874-34b7-4bfb-b38b-84a00b07042e",
			"created_at": "2022-10-25T15:50:23.375277Z",
			"updated_at": "2026-04-10T02:00:05.327922Z",
			"deleted_at": null,
			"main_name": "APT37",
			"aliases": [
				"APT37",
				"InkySquid",
				"ScarCruft",
				"Group123",
				"TEMP.Reaper",
				"Ricochet Chollima"
			],
			"source_name": "MITRE:APT37",
			"tools": [
				"BLUELIGHT",
				"CORALDECK",
				"KARAE",
				"SLOWDRIFT",
				"ROKRAT",
				"SHUTTERSPEED",
				"POORAIM",
				"HAPPYWORK",
				"Final1stspy",
				"Cobalt Strike",
				"NavRAT",
				"DOGCALL",
				"WINERACK"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "552ff939-52c3-421b-b6c9-749cbc21a794",
			"created_at": "2023-01-06T13:46:38.742547Z",
			"updated_at": "2026-04-10T02:00:03.08515Z",
			"deleted_at": null,
			"main_name": "APT37",
			"aliases": [
				"Operation Daybreak",
				"Red Eyes",
				"ScarCruft",
				"G0067",
				"Group123",
				"Reaper Group",
				"Ricochet Chollima",
				"ATK4",
				"APT 37",
				"Operation Erebus",
				"Moldy Pisces",
				"APT-C-28",
				"Group 123",
				"InkySquid",
				"Venus 121"
			],
			"source_name": "MISPGALAXY:APT37",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "8ce861d7-7fbd-4d9c-a211-367c118bfdbd",
			"created_at": "2023-01-06T13:46:39.153487Z",
			"updated_at": "2026-04-10T02:00:03.232006Z",
			"deleted_at": null,
			"main_name": "Evilnum",
			"aliases": [
				"EvilNum",
				"Jointworm",
				"KNOCKOUT SPIDER",
				"DeathStalker",
				"TA4563"
			],
			"source_name": "MISPGALAXY:Evilnum",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "39ea99fb-1704-445d-b5cd-81e7c99d6012",
			"created_at": "2022-10-25T16:07:23.601894Z",
			"updated_at": "2026-04-10T02:00:04.684134Z",
			"deleted_at": null,
			"main_name": "Evilnum",
			"aliases": [
				"G0120",
				"Jointworm",
				"Operation Phantom in the [Command] Shell",
				"TA4563"
			],
			"source_name": "ETDA:Evilnum",
			"tools": [
				"Bypass-UAC",
				"Cardinal RAT",
				"ChromeCookiesView",
				"EVILNUM",
				"Evilnum",
				"IronPython",
				"LaZagne",
				"MailPassView",
				"More_eggs",
				"ProduKey",
				"PyVil",
				"PyVil RAT",
				"SONE",
				"SpicyOmelette",
				"StealerOne",
				"Taurus Loader Stealer Module",
				"Taurus Loader TeamViewer Module",
				"Terra Loader",
				"TerraPreter",
				"TerraStealer",
				"TerraTV"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434101,
	"ts_updated_at": 1775792063,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ecf85f00941e85215bdd9456e6167f6f8db39e9e.pdf",
		"text": "https://archive.orkl.eu/ecf85f00941e85215bdd9456e6167f6f8db39e9e.txt",
		"img": "https://archive.orkl.eu/ecf85f00941e85215bdd9456e6167f6f8db39e9e.jpg"
	}
}