ETDA Electronic Transactions Development Agency

Threat Group Cards: A Threat Actor Encyclopedia

APT group: Evilnum

Names: Evilnum (Palo Alto), Jointworm (Symantec), TA4563 (Proofpoint)
Motivation: Information theft and espionage
First seen: 2018
Description: (Palo Alto) We witnessed attacks targeting the financial technology (FinTech) sector, primarily focused on organizations based in Israel. While researching these attacks, we discovered a possible relationship between Cardinal RAT and another malware family named EVILNUM. EVILNUM is a JavaScript-based malware family that is used in attacks against similar organizations.

There is overlap between this group and Deceptikons and DeathStalker.
Observed sectors: Financial, Government.
Observed countries: Albania, Australia, Belgium, Canada, Cyprus, Czech, Israel, Italy, UK, Ukraine.
Tools used: Bypass-UAC, Cardinal RAT, ChromeCookiesView, Evilnum, IronPython, LaZagne, MailPassView, More_eggs, ProduKey, PyVil RAT, TerraPreter, TerraStealer, TerraTV.
Operations performed:
May 2020: Operation “Phantom in the [Command] Shell”
Prevailion’s Tailored Intelligence Team has detected two new criminal campaigns targeting the global financial industry with the EVILNUM malware, one of which became active on May 3rd 2020.
Aug 2020: In recent weeks, the Nocturnus team has observed new activity by the group, including several notable changes from tactics observed previously.
Dec 2021: Buy, Sell, Steal, EvilNum Targets Cryptocurrency, Forex, Commodities
2022: Return of the Evilnum APT with updated TTPs and new targets

Last change to this card: 30 December 2022
