
Threat Group Cards: A Threat Actor Encyclopedia

APT group: Evilnum

Names: Evilnum (Palo Alto), Jointworm (Symantec)
Motivation: Information theft and espionage
First seen: 2018
Description: (Palo Alto) We witnessed attacks targeting the financial technology (FinTech) sector, primarily focused on organizations based in Israel. While researching these attacks, we discovered a possible relationship between Cardinal RAT and another malware family named EVILNUM. EVILNUM is a JavaScript-based malware family that is used in attacks against similar organizations.
Observed sectors: Financial.
Observed countries: Albania, Australia, Belgium, Canada, Cyprus, Czech, Israel, Italy, UK, Ukraine.
Tools used: Bypass-UAC, Cardinal RAT, ChromeCookiesView, Evilnum, IronPython, LaZagne, MailPassView, More_eggs, ProduKey, PyVil RAT, TerraPreter, TerraStealer, TerraTV.
Operations performed:
May 2020: Operation “Phantom in the [Command] Shell”
Prevailion’s Tailored Intelligence Team has detected two new criminal campaigns targeting the global financial industry with the EVILNUM malware, one of which became active on May 3rd 2020.
Aug 2020: In recent weeks, the Nocturnus team has observed new activity by the group, including several notable changes from tactics observed previously.

Last change to this card: 20 October 2020


Thailand Computer Emergency Response Team (ThaiCERT)
Electronic Transactions Development Agency
