
Evilnum

aka: DeathStalker

ESET has analyzed the operations of Evilnum, the APT group behind the Evilnum malware previously seen in attacks against financial technology companies. While said malware has been seen in the wild since at least 2018 and documented previously, little has been published about the group behind it and how it operates. The group’s targets remain fintech companies, but its toolset and infrastructure have evolved and now consist of a mix of custom, homemade malware combined with tools purchased from Golden Chickens, a Malware-as-a-Service (MaaS) provider whose infamous customers include FIN6 and Cobalt Group.


Associated Families
osx.janicab ps1.powerpepper vbs.janicab win.stormwind

References
2022-12-08, Kaspersky, GReAT
@online{great:20221208:deathstalker:a171c50,
  author = {GReAT},
  title = {{DeathStalker targets legal entities with new Janicab variant}},
  date = {2022-12-08},
  organization = {Kaspersky},
  url = {https://securelist.com/deathstalker-targets-legal-entities-with-new-janicab-variant/108131/},
  language = {English},
  urldate = {2022-12-14}
}
Families: Janicab, Janicab, Stormwind

2022-05-31, Malwarology, Gaetano Pellegrino
@online{pellegrino:20220531:janicab:f2b2798,
  author = {Gaetano Pellegrino},
  title = {{Janicab Series: Attibution and IoCs}},
  date = {2022-05-31},
  organization = {Malwarology},
  url = {https://www.malwarology.com/2022/05/janicab-series-attibution-and-iocs/},
  language = {English},
  urldate = {2022-05-31}
}
Families: Janicab

2022-05-27, Malwarology, Gaetano Pellegrino
@online{pellegrino:20220527:janicab:f14d487,
  author = {Gaetano Pellegrino},
  title = {{Janicab Series: The Core Artifact}},
  date = {2022-05-27},
  organization = {Malwarology},
  url = {https://www.malwarology.com/2022/05/janicab-series-the-core-artifact/},
  language = {English},
  urldate = {2022-05-29}
}
Families: Janicab

2022-05-26, Malwarology, Gaetano Pellegrino
@online{pellegrino:20220526:janicab:92c671c,
  author = {Gaetano Pellegrino},
  title = {{Janicab Series: Further Steps in the Infection Chain}},
  date = {2022-05-26},
  organization = {Malwarology},
  url = {https://www.malwarology.com/2022/05/janicab-series-further-steps-in-the-infection-chain/},
  language = {English},
  urldate = {2022-05-29}
}
Families: Janicab

2022-05-24, Malwarology, Gaetano Pellegrino
@online{pellegrino:20220524:janicab:c04ed61,
  author = {Gaetano Pellegrino},
  title = {{Janicab Series: First Steps in the Infection Chain}},
  date = {2022-05-24},
  organization = {Malwarology},
  url = {https://www.malwarology.com/2022/05/janicab-series-first-steps-in-the-infection-chain/},
  language = {English},
  urldate = {2022-05-29}
}
Families: Janicab

2020-12-03, Kaspersky Labs, Pierre Delcher
@online{delcher:20201203:what:9853c58,
  author = {Pierre Delcher},
  title = {{What did DeathStalker hide between two ferns?}},
  date = {2020-12-03},
  organization = {Kaspersky Labs},
  url = {https://securelist.com/what-did-deathstalker-hide-between-two-ferns/99616/},
  language = {English},
  urldate = {2020-12-08}
}
Families: PowerPepper, Evilnum

2020-11-03, Kaspersky Labs, GReAT
@online{great:20201103:trends:febc159,
  author = {GReAT},
  title = {{APT trends report Q3 2020}},
  date = {2020-11-03},
  organization = {Kaspersky Labs},
  url = {https://securelist.com/apt-trends-report-q3-2020/99204/},
  language = {English},
  urldate = {2020-11-04}
}
Families: WellMail, EVILNUM, Janicab, Poet RAT, AsyncRAT, Ave Maria, Cobalt Strike, Crimson RAT, CROSSWALK, Dtrack, LODEINFO, MoriAgent, Okrum, PlugX, poisonplug, Rover, ShadowPad, SoreFang, Winnti

2020-08-24, Kaspersky Labs, Ivan Kwiatkowski, Pierre Delcher, Maher Yamout
@online{kwiatkowski:20200824:lifting:fd3c725,
  author = {Ivan Kwiatkowski and Pierre Delcher and Maher Yamout},
  title = {{Lifting the veil on DeathStalker, a mercenary triumvirate}},
  date = {2020-08-24},
  organization = {Kaspersky Labs},
  url = {https://securelist.com/deathstalker-mercenary-triumvirate/98177/},
  language = {English},
  urldate = {2020-08-25}
}
Families: EVILNUM, Janicab, Evilnum

2020-07-20, Twitter (@InQuest), InQuest
@online{inquest:20200720:tweets:8920a27,
  author = {InQuest},
  title = {{Tweets on PowerPepper decryption}},
  date = {2020-07-20},
  organization = {Twitter (@InQuest)},
  url = {https://twitter.com/InQuest/status/1285295975347650562},
  language = {English},
  urldate = {2020-12-08}
}
Families: PowerPepper

2020-07-09, ESET Research, Matías Porolli
@online{porolli:20200709:more:24d8b63,
  author = {Matías Porolli},
  title = {{More evil: A deep look at Evilnum and its toolset}},
  date = {2020-07-09},
  organization = {ESET Research},
  url = {https://www.welivesecurity.com/2020/07/09/more-evil-deep-look-evilnum-toolset/},
  language = {English},
  urldate = {2020-07-11}
}
Families: EVILNUM, More_eggs, EVILNUM, TerraPreter, TerraStealer, TerraTV, Evilnum

2018-12-13, Security 0wnage, Mo Bustami
@online{bustami:20181213:powersing:2a7b1db,
  author = {Mo Bustami},
  title = {{POWERSING - From LNK Files To Janicab Through YouTube & Twitter}},
  date = {2018-12-13},
  organization = {Security 0wnage},
  url = {https://sec0wn.blogspot.com/2018/12/powersing-from-lnk-files-to-janicab.html},
  language = {English},
  urldate = {2020-08-25}
}
Families: Janicab

2015-09-11, MacMark, Markus Möller
@online{mller:20150911:csi:56aa614,
  author = {Markus Möller},
  title = {{CSI MacMark: Janicab}},
  date = {2015-09-11},
  organization = {MacMark},
  url = {https://www.macmark.de/blog/osx_blog_2013-08-a.php},
  language = {German},
  urldate = {2020-05-19}
}
Families: Janicab

2013-07-22, Avast, Peter Kálnai
@online{klnai:20130722:multisystem:907e0a4,
  author = {Peter Kálnai},
  title = {{Multisystem Trojan Janicab attacks Windows and MacOSX via scripts}},
  date = {2013-07-22},
  organization = {Avast},
  url = {https://blog.avast.com/2013/07/22/multisystem-trojan-janicab-attacks-windows-and-macosx-via-scripts/},
  language = {English},
  urldate = {2020-05-20}
}
Families: Janicab

2013-07-15, F-Secure, Broderick Aquilino
@online{aquilino:20130715:signed:013bd1d,
  author = {Broderick Aquilino},
  title = {{Signed Mac Malware Using Right-to-Left Override Trick}},
  date = {2013-07-15},
  organization = {F-Secure},
  url = {https://archive.f-secure.com/weblog/archives/00002576.html},
  language = {English},
  urldate = {2020-05-19}
}
Families: Janicab

Credits: MISP Project