{
	"id": "224fc52a-7dfc-4b01-afeb-6d7c2af87a28",
	"created_at": "2026-04-06T00:06:30.124468Z",
	"updated_at": "2026-04-10T13:12:01.235016Z",
	"deleted_at": null,
	"sha1_hash": "ff1271a4190eb928bbafe0c72a111c10149de009",
	"title": "More evil: A deep look at Evilnum and its toolset",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1125834,
	"plain_text": "More evil: A deep look at Evilnum and its toolset\r\nBy Matías Porolli\r\nArchived: 2026-04-05 12:54:19 UTC\r\nESET has analyzed the operations of Evilnum, the APT group behind the Evilnum malware previously seen in\r\nattacks against financial technology companies. While said malware has been seen in the wild since at least 2018\r\nand documented previously, little has been published about the group behind it and how it operates.\r\nIn this article we connect the dots and disclose a detailed picture of Evilnum’s activities. The group's targets\r\nremain fintech companies, but its toolset and infrastructure have evolved and now consist of a mix of custom,\r\nhomemade malware combined with tools purchased from Golden Chickens, a Malware-as-a-Service (MaaS)\r\nprovider whose infamous customers include FIN6 and Cobalt Group.\r\nTargets\r\nAccording to ESET’s telemetry, the targets are financial technology companies – for example, companies that\r\noffer platforms and tools for online trading. Although most of the targets are located in EU countries and the UK,\r\nwe have also seen attacks in countries such as Australia and Canada. Typically, the targeted companies have\r\noffices in several locations, which probably explains the geographical diversity of the attacks.\r\nThe main goal of the Evilnum group is to spy on its targets and obtain financial information from both the targeted\r\ncompanies and their customers. 
Some examples of the information this group steals include:\r\nSpreadsheets and documents with customer lists, investments and trading operations\r\nInternal presentations\r\nSoftware licenses and credentials for trading software/platforms\r\nCookies and session information from browsers\r\nEmail credentials\r\nCustomer credit card information and proof of address/identity documents\r\nAccording to what we have seen during our investigation, the group has also gained access to IT-related\r\ninformation such as VPN configurations.\r\nOverview of the attack\r\nTargets are approached with spearphishing emails that contain a link to a ZIP file hosted on Google Drive. That\r\narchive contains several LNK (aka shortcut) files that extract and execute a malicious JavaScript component,\r\nwhile displaying a decoy document. These shortcut files have “double extensions” to try to trick the user into\r\nopening them, thinking they are benign documents or pictures (in Windows, file extensions for known file types\r\nare hidden by default). The contents of one of the ZIP files are shown in Figure 1.\r\nhttps://www.welivesecurity.com/2020/07/09/more-evil-deep-look-evilnum-toolset/\r\nPage 1 of 21\n\nFigure 1. Malicious LNK files\r\nOnce a shortcut file is opened (it doesn’t matter which one, as they all do the same thing), it looks in the contents\r\nof its own file for lines with a specific marker and writes them to a .js file. Then this malicious JavaScript file is\r\nexecuted and it writes and opens a decoy file with the same name as the shortcut, but with the correct extension. It\r\nalso deletes the shortcut file. The documents used as decoys are mostly photos of credit cards, identity documents,\r\nor bills with proof of address, as many financial institutions require these documents from their customers when\r\nthey join, according to regulations (this is known as “Know Your Customer”). 
One such decoy is shown in Figure\r\n2 (blurred for privacy).\r\nFigure 2. Photo of the back of an ID card, used as a decoy\r\nThese decoy documents seem genuine, and we assume that they have been collected by this group during years of\r\noperation. Documents are collected actively in the group’s current operations, as it targets technical support\r\nrepresentatives and account managers, who regularly receive these kinds of documents from their customers. The\r\ngroup reuses the documents on different targets, unless the targets are from different regions.\r\nThe JavaScript component is the first stage of the attack and can deploy other malware such as a C# spy\r\ncomponent, Golden Chickens components or several Python-based tools. The name Evilnum was given to the C#\r\ncomponent by other researchers in the past, but the JS component also has been referred to as Evilnum. We have\r\nnamed the group Evilnum as that is the name of their flagship malware, and we’ll refer to the various malware\r\npieces as components. An overview of these is shown in Figure 3.\r\nFigure 3. Evilnum components\r\nEach of the various components has its own C\u0026C server, and each component operates independently. The\r\noperators of the malware manually send commands to install additional components and use post-compromise\r\nscripts and tools if they consider them necessary.\r\nMost servers used by the malware are referenced by IP addresses; domain names have not been used. The only\r\nexceptions are the C\u0026C servers used by the Golden Chickens components; malware purchased from a MaaS\r\nprovider, as we describe later.\r\nThose referenced by an IP address can be split into two groups, based on the hosting provider. The majority of\r\nthem are hosted with FreeHost, a Ukrainian provider. 
The rest are hosted in the Netherlands, with Dotsi.\r\nJS Component: First compromise\r\nThis component communicates with a C\u0026C server and acts as a backdoor without the need for any additional\r\nprogram. However, in most attacks that we have seen, the attackers deployed additional components as they saw\r\nfit and used the JS malware only as a first stage.\r\nThe first known mention of this JavaScript malware was in May 2018 in this pwncode article. The malware has\r\nchanged since then and we illustrate these changes in Figure 4.\r\nFigure 4. Timeline of changes in JS component\r\nDifferences between version 1.3 and the others are noteworthy, as the server-side code for the C\u0026C was changed\r\nand commands are different. In that early version it was not possible to upload files to the C\u0026C, only to download\r\nfiles to the victim’s computer. Also, as new versions appeared, the malware was extended with some Python\r\nscripts (see the Post-compromise toolset section) and external tools such as ChromeCookiesView.\r\nDespite the differences, the core functionalities remain the same in all versions, including the retrieval of the C\u0026C\r\nserver’s address from GitHub, GitLab or Reddit pages created specifically for that purpose. Figure 5 shows an\r\nexample of a Reddit page that is parsed by the malware to retrieve a C\u0026C address.\r\nFigure 5. Reddit page with the C\u0026C server for the JS component\r\nThis component achieves persistence through the Run registry key and has full backdoor capabilities: it can\r\ndownload and execute binaries, run arbitrary commands or upload files from the victim computer to the C\u0026C\r\nserver. 
We will not go into details about the technical aspects of this component, as a good analysis of the latest\r\nversion was published recently by Prevailion.\r\nC# Component: Evil, not so evil\r\nIn March 2019, Palo Alto Networks described malware with very similar functionality to the JS component, but\r\ncoded in C#. That version (2.5) obtained the address of its C\u0026C by dividing a number by 666, and was therefore\r\nnamed Evilnum by Palo Alto Networks researchers. Since then there have been new versions of the C# malware,\r\nthe latest of them being version 4.0, which we first saw in April 2020. The number 666 is not used anymore and\r\nthe PDB paths of the executables show that the developers call their malware “Marvel”. However, we will\r\ncontinue to name the malware Evilnum to avoid creating confusion.\r\nThe latest version comes bundled in an MSI file (Windows Installer) and runs independent of the JS component.\r\nFurthermore, it has different C\u0026Cs than the JS component. However, in all cases that we have seen, the C#\r\ncomponent was downloaded and executed after the JavaScript malware gained initial access. The structure of this\r\ncomponent is shown in Figure 6.\r\nFigure 6. Parts of the C# component\r\nWhen the MSI file is executed, three malicious components, along with some .NET Framework library files, are\r\nwritten to disk in %LOCALAPPDATA%\\Microsoft\\Mediia. The file copier is the first to be executed and its only\r\npurpose is to move the files to another location in %LOCALAPPDATA% (see the Indicators of Compromise\r\nsection for the folder names). The loader is then executed and it loads and decrypts the contents of the file\r\nSystem.Memmory.dll, which is the actual malicious payload (DLL Agent) for the C# component. AES encryption\r\nis used for the DLL and for obfuscation of the strings in the payload. 
The same key and initialization vector are\r\nused to encrypt the strings in all of the different versions.\r\nThe IP address of the C\u0026C server is hardcoded and in plain text. A GET request is sent for /Validate/valsrv and if\r\nthe response body contains the text youwillnotfindthisanywhare, then the server is accepted. Otherwise, a GitLab\r\npage is parsed to get the IP address of a second server.\r\nThe following capabilities are present in version 4.0:\r\nTake screenshots if the mouse has been moved in a period of time, and send them to the C\u0026C, base64\r\nencoded. The image is stored in a file called SC4.P7D\r\nRun commands\r\nRun other binaries via cmd.exe\r\nSend information such as computer name, username and antivirus installed\r\nPersist in a compromised system by creating registry keys\r\nCommands\r\nThe commands that can be sent to the malware are:\r\nkillme: stops the malware and removes persistence\r\nmouse: moves the mouse. With this action a screenshot will be taken\r\ncookies: sends Chrome cookies to the C\u0026C\r\npasswords: sends Chrome saved passwords. We believe they focus on Chrome not based on market share\r\n(after all, these are targeted attacks), but because of the ease of processing cookies and retrieving stored\r\npasswords\r\nOther commands to be run directly with cmd.exe\r\nVersion 2.5 was the first documented version of the C# component (first seen by ESET in December 2018). Then\r\nwe saw v2.7.1 (November 2019), v3 (December 2019) and v4.0 (April 2020). The most important differences\r\nbetween the latest version of the malware and previous ones are:\r\nThe main payload is a 32-bit DLL. Previously, it was a 64-bit EXE file.\r\nHTTPS communication in the latest version\r\nThere is no “reverse” command anymore. It was used in previous versions to open a reverse shell. 
This is\r\nnow done with other scripts\r\nThe JS and C# components are connected to each other: the latter takes screenshots whereas the former doesn’t,\r\nbut it has code that looks for screenshot files and sends them to its C\u0026C server. The C# component also deletes all\r\nfiles with the .lnk extension in the %LOCALAPPDATA%\\Temp folder, cleaning leftovers from the initial\r\ncompromise by the JS component. So even if the C# component has limited functionalities (it can’t download or\r\nupload files), it provides redundancy with a different C\u0026C server and extra persistence in case the JS component\r\nis detected or removed from the victim’s computer.\r\nGolden Chickens components: TerraLoader family\r\nIn a small number of cases, the Evilnum group has also deployed some tools purchased from a\r\nMalware‑as‑a‑Service provider. This term is used to describe malware authors who offer not only their malicious\r\nbinaries, but also any necessary infrastructure (such as the C\u0026C servers) and even technical support to their\r\ncriminal customers.\r\nIn this case the MaaS provider is known as Golden Chickens and has other customers (apart from this group),\r\nsuch as FIN6 and Cobalt Group. Older versions of all the components that we describe in the following sections\r\nwere seen previously, in an attack against eCommerce merchants that Visa attributed to FIN6 in February 2019.\r\nWe believe that FIN6, Cobalt Group and Evilnum group are not the same, despite the overlaps in their toolsets.\r\nThey just happen to share the same MaaS provider.\r\nThe Golden Chickens tools come as ActiveX components (OCX files) and all of them contain TerraLoader code,\r\nwhich serves as a common loader for the various payloads available to Golden Chickens’ customers. 
These tools\r\nare used by Evilnum as follows:\r\nThe attackers manually send a command to the JS or C# component to drop and execute a batch file from\r\none of their servers.\r\nThat batch file writes a malicious INF file and supplies it as a parameter to the Microsoft utility cmstp.exe,\r\nwhich executes a remote scriptlet specified in the INF file. This technique has been documented in the\r\nMITRE ATT\u0026CK knowledge base as CMSTP; an example of how this technique is used may be found\r\nhere. This technique has been used in the past by Cobalt, another financially motivated group.\r\nThe remote scriptlet contains obfuscated JS code that drops an OCX file and executes it via regsvr32.exe.\r\nThe TerraLoader code performs several integrity checks before dropping the payload. These checks implement\r\nanti-debugging techniques and try to identify anomalies to prevent execution in sandboxed environments. Some of\r\nthese techniques range from detecting incorrect parameters, filenames and extensions, to detecting hardware\r\nbreakpoints or identifying specific modules loaded into the subject process. Should these checks all pass, the\r\nactual payload is decrypted and executed.\r\nWe have seen Evilnum deploy the following Golden Chickens payloads in their attacks:\r\nMore_eggs\r\nA Meterpreter payload that we will call TerraPreter\r\nTerraStealer\r\nTerraTV\r\nResearchers from Positive Technologies recently analyzed some tools used by the Cobalt group, including\r\nMore_eggs version 6.6, which is one of the versions used by Evilnum group. They have a very good analysis of\r\nTerraLoader, so we suggest checking their report (section 4).\r\nMore_eggs\r\nMore_eggs is a JavaScript backdoor that communicates with a C\u0026C server and accepts commands. It has been\r\nused in the past by other groups targeting financial companies. 
Evilnum uses it in conjunction with its homemade\r\nbackdoors in order to provide redundancy and additional persistence on victim networks.\r\nWe have seen Evilnum use 32-bit ActiveX components with TerraLoader code that runs More_eggs versions 6.5,\r\n6.6 and 6.6b – the latest available versions. They do so by dropping msxsl.exe (a command line transformation\r\nutility that is a legitimate Microsoft executable) and having it execute the JavaScript code, very similar to what\r\nwas described in this article by IRIS.\r\nThe dropped JavaScript code is generated on the fly by the ActiveX component, and there are some considerations\r\nduring analysis:\r\nThe initial JS code that executes exe has a hardcoded absolute path, so executing it from another location\r\nor with another user will fail.\r\nThe final More_eggs payload is encrypted with a key that has the hostname and processor family\r\ninformation appended at the end. An example key is:\r\ncvyLMmtGSKmPMfzJjGyg552DESKTOP-FQAT01XIntel64 Family 6 Model 94 Stepping 3, GenuineIntel\r\nThe core functionalities are the same as described in the article linked above, although there is a new command,\r\nmore_time, not mentioned there. This command is similar to the documented command via_c, which executes its\r\nparameter with cmd.exe /v /c \u003cparameter\u003e. The difference is that it additionally sends the output back to the C\u0026C\r\n(via_c only sends whether or not the command succeeded).\r\nTerraPreter\r\nEvilnum group also uses 64-bit executables that decrypt and run a Meterpreter instance in memory. The use of\r\nMeterpreter gives them flexibility and the ability to run various payloads in a stealthy and extensible way.\r\nThe structure of these components and the integrity checks implemented were identified as TerraLoader code.\r\nThat’s why we refer to these components as TerraPreter. 
Decompiled code of the main malicious routine is shown\r\nin Figure 7.\r\nFigure 7. Decompiled code for Meterpreter Loader components\r\nThe routine labeled Dummy calls a series of APIs that don’t do anything. The RC4 function initialization brute-forces the key to use by taking a base string and appending a number to it that is incremented in each iteration. It\r\nthen decrypts a 16-byte buffer with the candidate key using RC4. If the decrypted buffer matches a hardcoded\r\nstring, then that candidate key will be the chosen RC4 key for later use. We believe this may be a time-wasting\r\ncountermeasure against emulators.\r\nAfter the embedded buffer with the payload is decrypted, the malware will finally set a callback to the\r\nGrayStringW API function, pointing to the decrypted buffer. After going through many layers of decoding,\r\nMeterpreter’s metsrv.dll is loaded in memory. From this point on, what we see is regular Meterpreter behavior that\r\nhas not been modified. However, we will continue to describe how communications are performed.\r\nTerraPreter communicates with a C\u0026C server using HTTPS and retrieves a series of commands. C\u0026Cs we have\r\nseen contacted are cdn.lvsys[.]com and faxing-mon[.]best. The first one was redirected to\r\nd2nz6secq3489l.cloudfront[.]net. Every time a C\u0026C receives a request, it sends different binary data XORed with\r\na random 4-byte key. The malware reads the key to be used for decryption from the first 4 bytes of a 32-byte\r\nheader that prefixes the encrypted data. Figure 8 shows an example.\r\nFigure 8. Data sent by the C\u0026C\r\nThe first command sent by the C\u0026C is core_patch_url, which changes the last part of the URL for subsequent\r\nrequests. 
Then core_negotiate_tlv_encryption is sent by the C\u0026C, along with its public key. From this point on,\r\nmessages will be encrypted before they are XORed.\r\nTerraStealer and TerraTV\r\nTerraStealer is also known as SONE or Stealer One. It scans for many browsers, email, FTP and file transfer\r\napplications, to steal cookies and credentials. One of the binaries we analyzed had logging activated. Part of one\r\nsuch log is shown in Figure 9.\r\nFigure 9. TerraStealer log\r\nAnother component used by this group is a variant of TerraTV. It runs a legitimate TeamViewer application but\r\nhides its user interface elements, so that the operators of the malware can connect to the compromised computer\r\nundetected.\r\nWhen executed, TerraTV drops several signed TeamViewer components into\r\nC:\\Users\\Public\\Public Documents\\57494E2D3850535046373333503532\\. The dropped files are shown in Figure\r\n10.\r\nFigure 10. TeamViewer files dropped by TerraTV\r\nACTIVEDS.dll is not signed and it is where the malicious code resides. There is a Windows DLL with that same\r\nname in the system folder, but since the malicious DLL is in the same directory as the TeamViewer executable, it\r\nis found first, and therefore is loaded instead of the Windows DLL. This is known as DLL search order hijacking.\r\nThis ACTIVEDS.dll hooks several API calls in the TeamViewer executable to hide the application’s tray icon and\r\nto capture login credentials. The part of the code where the hooks are set is shown in Figure 11.\r\nFigure 11. 
Hooks set for TeamViewer\r\nThe Windows API call DefWindowProcW (called several times by the TeamViewer executable to process\r\nmessages directed to its main window) is hooked with a routine that writes TeamViewer’s ID and password to the\r\nfile %APPDATA%\\log_CZ72kGqTdU.txt. With these credentials, and TeamViewer running with no visible tray\r\nicon or window, the operators of the malware can remotely control the computer, via its GUI, at any time.\r\nPost-compromise toolset\r\nThe malicious components previously mentioned are frequently extended with several additional tools in the\r\nEvilnum group’s arsenal. In most of the compromises we have seen, the attackers utilized publicly available tools,\r\nbut have also developed some custom scripts. Usually they keep their tools in password-protected archives on\r\ntheir servers and decompress them on a victim’s PC as needed.\r\nPython-based tools\r\nReverse shell over SSL script: A very short script that takes the server and port as command line\r\narguments.\r\nSSL proxy that uses PythonProxy, junction, plink and stunnel. It can also connect to an FTP server or use\r\npysoxy. We have seen the script being used with the “proxy” setting and 185.62.189[.]210 as the server.\r\nLaZagne to retrieve stored passwords\r\nIronPython along with libraries for taking screenshots, keylogging and recording DirectSound audio\r\nOther publicly available tools\r\nPowerShell scripts: for example, Bypass-UAC\r\nSeveral NirSoft utilities; for example, Mail PassView, to retrieve passwords from email clients, and\r\nProduKey, to get Microsoft Office and Windows Licenses\r\nConclusion\r\nThe Evilnum group has been operating for at least two years and was active at the time of this writing. 
It has an\r\ninfrastructure for its operations with several different servers: one for communications with the JS component,\r\nanother for the C# component, a different one for storing its tools and exfiltrated data, proxy server, and so on.\r\nThis group targets fintech companies that provide trading and investment platforms for their customers. The\r\ntargets are very specific and not numerous. This, and the group’s use of legitimate tools in its attack chain, have\r\nkept its activities largely under the radar. Thanks to our telemetry data we were able to join the dots and discover\r\nhow the group operates, uncovering some overlaps with other known APT groups. We think this and other groups\r\nshare the same MaaS provider, and the Evilnum group cannot yet be associated with any previous attacks by any\r\nother APT group.\r\nA comprehensive list of Indicators of Compromise (IoCs) and samples can be found in our GitHub repository.\r\nFor any inquiries, or to make sample submissions related to the subject, contact us at threatintel@eset.com.\r\nSpecial thanks to Ignacio Sanmillan for his help with the analysis of the Golden Chickens components.\r\nMITRE ATT\u0026CK techniques\r\nTactic ID Name Description\r\nInitial\r\nAccess\r\nT1192 Spearphishing Link\r\nEmails contain a link to download a\r\ncompressed file from an external server.\r\nExecution\r\nT1191 CMSTP\r\ncmstp.exe is used to execute a remotely\r\nhosted scriptlet that drops a malicious\r\nActiveX file.\r\nT1059 Command-Line Interface\r\ncmd.exe is used to execute commands\r\nand scripts.\r\nT1129\r\nExecution through Module\r\nLoad\r\nThe malicious payload for the version\r\n4.0 C# component is loaded from a\r\nDLL. 
TerraTV loads a malicious DLL to\r\nenable silent use of TeamViewer.\r\nT1061 Graphical User Interface\r\nTerraTV malware allows remote control\r\nusing TeamViewer.\r\nT1086 PowerShell\r\nEvilnum group executes LaZagne and\r\nother PowerShell scripts after their JS\r\ncomponent has compromised a target.\r\nT1117 Regsvr32\r\nEvilnum group uses regsvr32.exe to\r\nexecute their Golden Chickens tools.\r\nT1064 Scripting\r\nInitial compromise and post-compromise use several JavaScript,\r\nPython and PowerShell scripts.\r\nT1218\r\nSigned Binary Proxy\r\nExecution\r\nmsiexec.exe is used to install the\r\nmalicious C# component.\r\nT1204 User Execution\r\nVictims are lured to open LNK files that\r\nwill install a malicious JS component.\r\nT1047\r\nWindows Management\r\nInstrumentation\r\nWMI is used by the JS component to\r\nobtain information such as which\r\nantivirus product is installed.\r\nT1220 XSL Script Processing\r\nMore_eggs malware uses msxsl.exe to\r\ninvoke JS code from an XSL file.\r\nPersistence\r\nT1060\r\nRegistry Run Keys / Startup\r\nFolder\r\nRegistry Run keys are created in order\r\nto persist by the JS and C# components,\r\nas well as More_eggs\r\nT1108 Redundant Access\r\nEvilnum components are independent\r\nand provide redundancy in case one of\r\nthem is detected and removed.\r\nT1179 Hooking\r\nTerraTV malware hooks several API\r\ncalls in TeamViewer.\r\nDefense\r\nEvasion\r\nT1038 DLL Search Order Hijacking\r\nTerraTV malware has TeamViewer load\r\na malicious DLL placed in the\r\nTeamViewer directory, instead of the\r\noriginal Windows DLL located in a\r\nsystem folder.\r\nT1088 Bypass User Access Control\r\nA PowerShell script is used to bypass\r\nUAC.\r\nT1116 Code Signing\r\nSome of the Golden Chickens\r\ncomponents are malicious signed\r\nexecutables. 
Also, Evilnum group uses\r\nlegitimate (signed) applications such as\r\ncmstp.exe or msxsl.exe as a defense\r\nevasion mechanism.\r\nT1090 Connection Proxy\r\nConnection to a proxy server is set up\r\nwith post-compromise scripts.\r\nT1140\r\nDeobfuscate/Decode Files or\r\nInformation\r\nEncryption, encoding and obfuscation\r\nare used in many Evilnum malware\r\ncomponents.\r\nT1107 File Deletion\r\nBoth JS and C# components delete\r\ntemporary files and folders created\r\nduring the initial compromise.\r\nT1143 Hidden Window\r\nTerraTV runs TeamViewer with its\r\nwindow and tray icon hidden.\r\nT1036 Masquerading\r\nThe C# component has its payload in\r\nsystem.memmory.dll, which\r\nmasquerades as a benign .NET\r\nFramework DLL.\r\nT1112 Modify Registry\r\nEvilnum modifies the registry for\r\ndifferent purposes, mainly to persist in a\r\ncompromised system (for example, by\r\nusing a registry's Run key).\r\nT1027\r\nObfuscated Files or\r\nInformation\r\nEncryption, encoding and obfuscation is\r\nused in many Evilnum malware\r\ncomponents.\r\nT1497\r\nVirtualization/Sandbox\r\nEvasion\r\nThe Golden Chickens components\r\nimplement several integrity checks and\r\nevasion techniques.\r\nCredential\r\nAccess\r\nT1003 Credential Dumping\r\nScripts and tools such as LaZagne are\r\nused to retrieve stored credentials.\r\nT1503\r\nCredentials from Web\r\nBrowsers\r\nThe C# component retrieves stored\r\npasswords from Chrome.\r\nT1056 Input Capture\r\nCustom Python scripts have been used\r\nfor keylogging.\r\nT1539 Steal Web Session Cookie\r\nEvilnum malware steals cookies from\r\nChrome.\r\nDiscovery\r\nT1012 Query Registry\r\nMore_eggs queries the registry to know\r\nif the user has admin privileges.\r\nT1063 Security Software Discovery\r\nBoth the JS and C# components search\r\nfor installed antivirus software.\r\nT1518 Software 
Discovery\r\nTerraStealer malware looks for specific\r\napplications.\r\nT1082\r\nSystem Information\r\nDiscovery\r\nInformation about the system is sent to\r\nthe C\u0026C servers.\r\nCollection\r\nT1074 Data Staged\r\nData is stored in a temporary location\r\nbefore it is sent to the C\u0026C.\r\nT1005 Data from Local System\r\nThe JS component (v2.1) has code to\r\nexfiltrate Excel files from the local\r\nsystem.\r\nT1114 Email Collection\r\nTerraStealer malware targets email\r\napplications.\r\nT1056 Input Capture\r\nKeystrokes are logged with a Python\r\nscript.\r\nT1113 Screen Capture\r\nScreenshots are taken by some Evilnum\r\nmalware components.\r\nCommand\r\nand Control\r\nT1043 Commonly Used Port\r\nHTTP and HTTPS are used for C\u0026C\r\ncommunication.\r\nT1132 Data Encoding\r\nSome of the data sent to the C\u0026C is\r\nbase64-encoded.\r\nT1008 Fallback Channels\r\nThe JS and C# components can obtain a\r\nnew C\u0026C by parsing third-party\r\nwebpages if the original C\u0026C is down.\r\nT1104 Multi-Stage Channels\r\nEvilnum malware uses independent\r\nC\u0026C servers for its various components.\r\nT1219 Remote Access Tools\r\nTerraTV malware uses TeamViewer to\r\ngive control of the compromised\r\ncomputer to the attackers.\r\nT1105 Remote File Copy\r\nFiles are uploaded to/downloaded from\r\na C\u0026C server.\r\nT1071\r\nStandard Application Layer\r\nProtocol\r\nHTTP and HTTPS are used for C\u0026C.\r\nT1032\r\nStandard Cryptographic\r\nProtocol\r\nMore_eggs malware uses RC4 to\r\nencrypt data to be sent to the C\u0026C.\r\nT1102 Web Service\r\nGitHub, GitLab, Reddit and other\r\nwebsites are used to store C\u0026C server\r\ninformation.\r\nExfiltration T1022 Data Encrypted\r\nSome Evilnum components encrypt data\r\nbefore sending it to the C\u0026C.\r\nT1048\r\nExfiltration\r\nOver\r\nAlternative\r\nProtocol\r\nScripts 
are manually\r\ndeployed by the malware\r\noperators to send data to an\r\nFTP server.\r\nT1041\r\nExfiltration Over\r\nCommand and Control\r\nChannel\r\nData is exfiltrated over the\r\nsame channel used for C\u0026C.\r\nSource: https://www.welivesecurity.com/2020/07/09/more-evil-deep-look-evilnum-toolset/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE",
		"Malpedia",
		"MISPGALAXY",
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.welivesecurity.com/2020/07/09/more-evil-deep-look-evilnum-toolset/"
	],
	"report_names": [
		"more-evil-deep-look-evilnum-toolset"
	],
	"threat_actors": [
		{
			"id": "059b16f8-d4e0-4399-9add-18101a2fd298",
			"created_at": "2022-10-25T15:50:23.29434Z",
			"updated_at": "2026-04-10T02:00:05.380938Z",
			"deleted_at": null,
			"main_name": "Evilnum",
			"aliases": [
				"Evilnum"
			],
			"source_name": "MITRE:Evilnum",
			"tools": [
				"More_eggs",
				"EVILNUM",
				"LaZagne"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "12517c87-040a-4627-a3df-86ca95e5c13f",
			"created_at": "2022-10-25T16:07:23.61665Z",
			"updated_at": "2026-04-10T02:00:04.689Z",
			"deleted_at": null,
			"main_name": "FIN6",
			"aliases": [
				"ATK 88",
				"Camouflage Tempest",
				"FIN6",
				"G0037",
				"Gold Franklin",
				"ITG08",
				"Skeleton Spider",
				"Storm-0538",
				"TAAL",
				"TAG-CR2",
				"White Giant"
			],
			"source_name": "ETDA:FIN6",
			"tools": [
				"AbaddonPOS",
				"Agentemis",
				"AmmyyRAT",
				"Anchor_DNS",
				"BlackPOS",
				"CmdSQL",
				"Cobalt Strike",
				"CobaltStrike",
				"FlawedAmmyy",
				"FrameworkPOS",
				"Grateful POS",
				"JSPSPY",
				"Kaptoxa",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"LockerGoga",
				"MMon",
				"Magecart",
				"Meterpreter",
				"Mimikatz",
				"More_eggs",
				"NeverQuest",
				"POSWDS",
				"Reedum",
				"Ryuk",
				"SCRAPMINT",
				"SONE",
				"SpicyOmelette",
				"StealerOne",
				"Taurus Loader Stealer Module",
				"Terra Loader",
				"TerraStealer",
				"Vawtrak",
				"WCE",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"cobeacon",
				"grabnew"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f5c90ccc-0f18-4e07-a246-b62101ab2f6f",
			"created_at": "2023-01-06T13:46:38.854407Z",
			"updated_at": "2026-04-10T02:00:03.122844Z",
			"deleted_at": null,
			"main_name": "GC02",
			"aliases": [
				"Golden Chickens",
				"Golden Chickens02",
				"Golden Chickens 02"
			],
			"source_name": "MISPGALAXY:GC02",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ea7bfe06-7c23-481d-b8ba-eafa6cda3bc9",
			"created_at": "2022-10-25T15:50:23.317961Z",
			"updated_at": "2026-04-10T02:00:05.280403Z",
			"deleted_at": null,
			"main_name": "FIN6",
			"aliases": [
				"FIN6",
				"Magecart Group 6",
				"ITG08",
				"Skeleton Spider",
				"TAAL",
				"Camouflage Tempest"
			],
			"source_name": "MITRE:FIN6",
			"tools": [
				"FlawedAmmyy",
				"GrimAgent",
				"FrameworkPOS",
				"More_eggs",
				"Cobalt Strike",
				"Windows Credential Editor",
				"AdFind",
				"PsExec",
				"LockerGoga",
				"Ryuk",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b3acfb48-b04d-4d3d-88a8-836d7376fa2e",
			"created_at": "2024-06-19T02:03:08.052814Z",
			"updated_at": "2026-04-10T02:00:03.659971Z",
			"deleted_at": null,
			"main_name": "GOLD FRANKLIN",
			"aliases": [
				"FIN6",
				"ITG08",
				"MageCart Group 6",
				"Skeleton Spider",
				"Storm-0538",
				"White Giant"
			],
			"source_name": "Secureworks:GOLD FRANKLIN",
			"tools": [
				"FrameWorkPOS",
				"Metasploit",
				"Meterpreter",
				"Mimikatz",
				"PowerSploit",
				"PowerUpSQL",
				"RemCom"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "88802a4b-5b3d-42ee-99e6-8a4f5fd231f6",
			"created_at": "2023-01-06T13:46:38.851345Z",
			"updated_at": "2026-04-10T02:00:03.121861Z",
			"deleted_at": null,
			"main_name": "GC01",
			"aliases": [
				"Golden Chickens",
				"Golden Chickens01",
				"Golden Chickens 01"
			],
			"source_name": "MISPGALAXY:GC01",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2dfaa730-7079-494c-b2f0-3ff8f3598a51",
			"created_at": "2022-10-25T16:07:23.474746Z",
			"updated_at": "2026-04-10T02:00:04.623746Z",
			"deleted_at": null,
			"main_name": "Cobalt Group",
			"aliases": [
				"ATK 67",
				"Cobalt Gang",
				"Cobalt Spider",
				"G0080",
				"Gold Kingswood",
				"Mule Libra",
				"TAG-CR3"
			],
			"source_name": "ETDA:Cobalt Group",
			"tools": [
				"ATMRipper",
				"ATMSpitter",
				"Agentemis",
				"AmmyyRAT",
				"AtNow",
				"COOLPANTS",
				"CobInt",
				"Cobalt Strike",
				"CobaltStrike",
				"Cyst Downloader",
				"Fareit",
				"FlawedAmmyy",
				"Formbook",
				"Little Pig",
				"Metasploit Stager",
				"Mimikatz",
				"More_eggs",
				"NSIS",
				"Nullsoft Scriptable Install System",
				"Pony Loader",
				"Ripper ATM",
				"SDelete",
				"Siplog",
				"SoftPerfect Network Scanner",
				"SpicyOmelette",
				"Taurus Builder",
				"Taurus Builder Kit",
				"Taurus Loader",
				"Terra Loader",
				"ThreatKit",
				"VenomKit",
				"cobeacon",
				"win.xloader"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "8ce861d7-7fbd-4d9c-a211-367c118bfdbd",
			"created_at": "2023-01-06T13:46:39.153487Z",
			"updated_at": "2026-04-10T02:00:03.232006Z",
			"deleted_at": null,
			"main_name": "Evilnum",
			"aliases": [
				"EvilNum",
				"Jointworm",
				"KNOCKOUT SPIDER",
				"DeathStalker",
				"TA4563"
			],
			"source_name": "MISPGALAXY:Evilnum",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ee3363a4-e807-4f95-97d8-b603c31b9de1",
			"created_at": "2023-01-06T13:46:38.485884Z",
			"updated_at": "2026-04-10T02:00:02.99385Z",
			"deleted_at": null,
			"main_name": "FIN6",
			"aliases": [
				"SKELETON SPIDER",
				"ITG08",
				"MageCart Group 6",
				"ATK88",
				"TA4557",
				"Storm-0538",
				"White Giant",
				"GOLD FRANKLIN",
				"G0037",
				"Camouflage Tempest"
			],
			"source_name": "MISPGALAXY:FIN6",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "39ea99fb-1704-445d-b5cd-81e7c99d6012",
			"created_at": "2022-10-25T16:07:23.601894Z",
			"updated_at": "2026-04-10T02:00:04.684134Z",
			"deleted_at": null,
			"main_name": "Evilnum",
			"aliases": [
				"G0120",
				"Jointworm",
				"Operation Phantom in the [Command] Shell",
				"TA4563"
			],
			"source_name": "ETDA:Evilnum",
			"tools": [
				"Bypass-UAC",
				"Cardinal RAT",
				"ChromeCookiesView",
				"EVILNUM",
				"Evilnum",
				"IronPython",
				"LaZagne",
				"MailPassView",
				"More_eggs",
				"ProduKey",
				"PyVil",
				"PyVil RAT",
				"SONE",
				"SpicyOmelette",
				"StealerOne",
				"Taurus Loader Stealer Module",
				"Taurus Loader TeamViewer Module",
				"Terra Loader",
				"TerraPreter",
				"TerraStealer",
				"TerraTV"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c11abba0-f5e8-4017-a4ee-acb1a7c8c242",
			"created_at": "2022-10-25T15:50:23.744036Z",
			"updated_at": "2026-04-10T02:00:05.294413Z",
			"deleted_at": null,
			"main_name": "Cobalt Group",
			"aliases": [
				"Cobalt Group",
				"GOLD KINGSWOOD",
				"Cobalt Gang",
				"Cobalt Spider"
			],
			"source_name": "MITRE:Cobalt Group",
			"tools": [
				"Mimikatz",
				"More_eggs",
				"SpicyOmelette",
				"SDelete",
				"Cobalt Strike",
				"PsExec"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "7a257844-df90-4bd4-b0f1-77d00ff82802",
			"created_at": "2022-10-25T16:07:24.376356Z",
			"updated_at": "2026-04-10T02:00:04.964565Z",
			"deleted_at": null,
			"main_name": "Venom Spider",
			"aliases": [
				"Golden Chickens",
				"TA4557",
				"Venom Spider"
			],
			"source_name": "ETDA:Venom Spider",
			"tools": [
				"More_eggs",
				"PureLocker",
				"SONE",
				"SpicyOmelette",
				"StealerOne",
				"Taurus Builder",
				"Taurus Builder Kit",
				"Taurus Loader",
				"Taurus Loader Reconnaissance Module",
				"Taurus Loader Stealer Module",
				"Taurus Loader TeamViewer Module",
				"Terra Loader",
				"TerraCrypt",
				"TerraLogger",
				"TerraPreter",
				"TerraRecon",
				"TerraStealer",
				"TerraTV",
				"TerraWiper",
				"ThreatKit",
				"VenomKit",
				"VenomLNK",
				"lite_more_eggs"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775433990,
	"ts_updated_at": 1775826721,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ff1271a4190eb928bbafe0c72a111c10149de009.pdf",
		"text": "https://archive.orkl.eu/ff1271a4190eb928bbafe0c72a111c10149de009.txt",
		"img": "https://archive.orkl.eu/ff1271a4190eb928bbafe0c72a111c10149de009.jpg"
	}
}