ETDA สำนักงานพัฒนาธุรกรรมทางอิเล็กทรอนิกส์
Electronic Transactions Development Agency
Report
Search
Home > List all groups > Deceptikons, DeathStalker

Threat Group Cards: A Threat Actor Encyclopedia

Permanent link APT group: Deceptikons, DeathStalker

NamesDeceptikons (Kaspersky)
DeathStalker (Kaspersky)
Country[Unknown]
MotivationInformation theft and espionage
First seen2012
Description(Kaspersky) In this blog post, we’ll be focusing on DeathStalker: a unique threat group that appears to target law firms and companies in the financial sector (although we’ve occasionally seen them in other verticals as well). As far as we can tell, this actor isn’t motivated by financial gain. They don’t deploy ransomware, steal payment information to resell it, or engage in any type of activity commonly associated with the cybercrime underworld. Their interest in gathering sensitive business information leads us to believe that DeathStalker is a group of mercenaries offering hacking-for-hire services, or acting as some sort of information broker in financial circles.

DeathStalker first came to our attention through a PowerShell-based implant called Powersing. By unraveling this thread, we were able to identify activities dating back to 2018, and possibly even 2012.

There is activity overlap with Evilnum.
ObservedSectors: Financial and law firms.
Countries: Argentina, China, Cyprus, India, Israel, Jordan, Lebanon, Russia, Switzerland, Taiwan, Turkey, UAE, UK.
Tools usedEvilnum, Janicab, PowerPepper, Powersing, VileRAT.
Operations performed2020DeathStalker targets legal entities with new Janicab variant
<https://securelist.com/deathstalker-targets-legal-entities-with-new-janicab-variant/108131/>
May 2020Meet PowerPepper: the spicy implant that your bland scripts setup needed
<https://securelist.com/what-did-deathstalker-hide-between-two-ferns/99616/>
Jun 2020VileRAT: DeathStalker’s continuous strike at foreign and cryptocurrency exchanges
<https://securelist.com/vilerat-deathstalkers-continuous-strike/107075/>
Information<https://securelist.com/deathstalker-mercenary-triumvirate/98177/>
<https://securelist.com/apt-trends-report-q2-2020/97937/>

Last change to this card: 27 December 2022

Download this actor card in PDF or JSON format

Previous: DarkUniverse
Next: Desert Falcons

Digital Service Security Center
Electronic Transactions Development Agency

Follow us on

Facebook Twitter

Report incidents

Telephone +66 (0)2-123-1227
E-mail [email protected]