>samit_hota
Back to adversary profiles
G0120HighActive

Evilnum (G0120): Persistent Financial Threat and Evolving Espionage Actor

Samit Hota·
Suspected Origin
Unknown
Motivation
Financial Gain, Espionage
Aliases
None documented
Target Sectors
Financial Services, FinTech, Online Trading, Cryptocurrency, DeFi, Immigration Organizations, Legal and Investment Institutions, Online Gambling
Associated Malware
Evilnum (JS/C# components), PyVil RAT, TerraPreter, TerraStealer, TerraTV, More_eggs, LaZagne, DarkMe, PikoloRAT, Janicab
#threat-actor#g0120

Overview

Evilnum, tracked as MITRE ATT&CK Group G0120, is a highly adaptive and financially motivated threat group that has been operational since at least 2018. Known by aliases such as TA4563 and DeathStalker, this group has consistently focused on compromising financial technology (FinTech) companies, with a broader scope that now includes legal, investment, and even intergovernmental immigration organizations. Their primary objective is extensive data theft and espionage, aiming to exfiltrate sensitive financial information, credentials, and customer data for illicit gain.

Evilnum’s operations typically exhibit careful victim selection and highly targeted, low-volume attack campaigns. While their origin remains unconfirmed, some researchers have noted their activity, particularly shifts in targeting, can coincide with geopolitical events, and some speculation exists regarding potential links to other clusters like Ghostwriter. However, concrete attribution is still unclear. The group primarily targets entities in the UK and European Union, but has also extended its reach to countries including Australia, Canada, Israel, Malta, Poland, Cyprus, Armenia, Spain, Switzerland, France, Ireland, Singapore, and the Philippines, often reflecting the international nature of their FinTech targets.

Tactics & Techniques

Evilnum is characterized by its continuously evolving tactics, techniques, and procedures (TTPs), demonstrating a commitment to bypassing security defenses. Initial access almost invariably begins with spear-phishing campaigns. Historically, these phishing emails contained links to ZIP archives hosted on Google Drive, leading to malicious Windows Shortcut (LNK) files. These LNK files are ingeniously disguised as legitimate Know Your Customer (KYC) documents, such as driving licenses, credit cards, or utility bills, designed to trick employees of financial institutions into execution. More recently, especially since 2022, Evilnum has adapted its initial access methods to include weaponized Microsoft Office Word documents that leverage document template injection, often containing malicious macros, and even ISO file attachments.

Upon successful initial access, the group employs a multi-stage infection chain. Execution often involves malicious JavaScript files, C# components, and various scripting languages like PowerShell and Python. They have been observed using cmstp.exe to execute remote scriptlets from malicious INF files and regsvr32.exe to execute dropped OCX files, demonstrating their ability to abuse legitimate system binaries for execution and defense evasion. Persistence is commonly achieved through modifications to Registry Run keys, sometimes dynamically changing key locations based on detected antivirus products to enhance stealth.

Defense evasion is a hallmark of Evilnum’s operations. They utilize sophisticated techniques such as VBA code stomping in macro-laden documents to prevent static analysis. The group also employs modified versions of legitimate executables and crafts file system artifacts to mimic authentic Windows processes or third-party binaries, making detection challenging. Furthermore, their malware components often include anti-analysis checks, such as sandbox detection through tools like TerraLoader, and actively search for installed antivirus software. They are known to delete temporary files and folders created during the infection process and perform timestomping to obscure their tracks.

For credential access and data exfiltration, Evilnum tools are capable of stealing email credentials, browser cookies, session information, and saved passwords from web browsers like Chrome. They use open-source tools like LaZagne for password recovery. Exfiltrated data, which can include sensitive customer lists, investment details, trading operations, software licenses, and VPN configurations, is typically uploaded over encrypted C2 channels, often alongside screenshots of the compromised system.

Command and control (C2) communication is robust and adaptable. Evilnum uses HTTP and HTTPS, and notably employs legitimate web services like GitHub, DigitalPoint, and Reddit to extract C2 addresses, masking their communications within regular traffic. They have also established “dead drop” sites using remote web pages on platforms like GitLab, serving as an additional layer of obfuscation for C2 infrastructure.

Notable Campaigns

Evilnum has been consistently active since 2018, demonstrating a steady evolution of their attack methodologies. Early operations primarily involved their custom JavaScript and C# backdoors targeting FinTech companies.

In late July to early August 2022, the group launched “Operation DarkCasino,” focusing on online gambling platforms and online trading behaviors across various European countries, particularly in the Mediterranean region. This campaign notably introduced new self-developed Trojans, DarkMe and PikoloRAT, showcasing their strong development capabilities and rapid adaptation to cybercrime opportunities.

During 2020 and 2021, and continuing into 2022 and 2023, Evilnum was observed targeting legal and financial investment institutions, and even expanded its victimology to include intergovernmental organizations involved in international migration services. This shift in targeting, particularly in 2022, has been noted to coincide with geopolitical events, such as the Russia-Ukraine conflict. During these campaigns, they have updated their initial access vectors to include macro-enabled Word documents and utilized new variants of malware like Janicab, sometimes relying on public services like WordPress and YouTube for C2 infrastructure.

In late summer and early fall of 2023, ongoing campaigns were identified, still prioritizing financial services in the EU and UK, with a continued focus on exploiting KYC-related processes for initial compromise.

Associated Malware & Tools

Evilnum’s toolkit is a hybrid of custom-developed malware, commercial malware-as-a-service (MaaS) tools, and legitimate utilities abused for malicious purposes.

Their flagship custom malware, also named Evilnum, has evolved through several versions, including both JavaScript and C# components. Internally, developers have referred to the C# component as “Marvel.” This backdoor is highly capable, designed for reconnaissance, data theft, and the deployment of additional payloads.

Other custom tools developed and utilized by the group include:

  • PyVil RAT: A Python-based Remote Access Trojan with capabilities for information gathering, taking screenshots, keylogging, opening SSH shells, and deploying further tools.
  • TerraPreter, TerraStealer, TerraTV: A family of tools where TerraTV, for example, loads a malicious DLL into the legitimate TeamViewer application to enable silent remote control. TerraLoader serves as a common loader for some of these components.
  • DarkMe and PikoloRAT: New Trojans observed during the 2022 “Operation DarkCasino” campaign.
  • Janicab: A VBScript-based implant, new variants of which were observed in campaigns targeting legal and financial entities in 2020-2021.

Beyond their custom creations, Evilnum frequently integrates tools from the “Golden Chickens” Malware-as-a-Service (MaaS) provider. These purchased tools often come as ActiveX components and include the well-known JScript backdoor, More_eggs, which has also been associated with other financially motivated groups like FIN6 and Cobalt Group.

The group also leverages publicly available tools for post-exploitation activities, such as:

  • LaZagne: An open-source password recovery tool.
  • ChromeCookiesView, MailPassView, ProduKey: Utilities for extracting credentials and system information.
  • PowerShell and Python scripts: Widely used for various stages of their attacks, including UAC bypass, keylogging, and general command execution.

Current Status

Evilnum (G0120) remains an active and evolving threat. Security researchers have tracked continuous activity since its emergence in 2018, with reports in 2022 and 2023 consistently detailing updated TTPs and toolsets. Notably, a new campaign associated with Evilnum infrastructure was discovered in late summer and early fall of 2023, confirming their ongoing operations. The group continues to refine its infection chains and malware capabilities, demonstrating a high level of technical proficiency and adaptability in the face of detection efforts. Their persistent focus on high-value financial targets and their willingness to expand into new sectors like international migration services underscore their adaptability and the continuous threat they pose.

Worried this actor targets your sector?

Let's map your exposure before they find it themselves.

Book an advisory call