Evilnum

aka: DeathStalker, EvilNum, Jointworm, KNOCKOUT SPIDER, TA4563

ESET has analyzed the operations of Evilnum, the APT group behind the Evilnum malware previously seen in attacks against financial technology companies. While said malware has been seen in the wild since at least 2018 and documented previously, little has been published about the group behind it and how it operates. The group’s targets remain fintech companies, but its toolset and infrastructure have evolved and now consist of a mix of custom, homemade malware combined with tools purchased from Golden Chickens, a Malware-as-a-Service (MaaS) provider whose infamous customers include FIN6 and Cobalt Group.

Associated Families
osx.janicab ps1.powerpepper vbs.janicab win.stormwind

DeathStalker targets legal entities with new Janicab variant
Janicab, Janicab, Stormwind

2022-07-21 | Proofpoint | Bryan Campbell, Pim Trouerbach, Proofpoint Threat Research Team, Selena Larson
Buy, Sell, Steal, EvilNum Targets Cryptocurrency, Forex, Commodities

2022-05-31 | Malwarology | Gaetano Pellegrino
Janicab Series: Attibution and IoCs

2022-05-27 | Malwarology | Gaetano Pellegrino
Janicab Series: The Core Artifact

2022-05-26 | Malwarology | Gaetano Pellegrino
Janicab Series: Further Steps in the Infection Chain

2022-05-24 | Malwarology | Gaetano Pellegrino
Janicab Series: First Steps in the Infection Chain

2021 Global Threat Report
RansomEXX, Amadey, Anchor, Avaddon, BazarBackdoor, Clop, Cobalt Strike, Conti, Cutwail, DanaBot, DarkSide, DoppelPaymer, Dridex, Egregor, Emotet, Hakbit, IcedID, JSOutProx, KerrDown, LockBit, Mailto, Maze, MedusaLocker, Mespinoza, Mount Locker, NedDnLoader, Nemty, Pay2Key, PlugX, Pushdo, PwndLocker, PyXie, QakBot, Quasar RAT, RagnarLocker, Ragnarok, RansomEXX, REvil, Ryuk, Sekhmet, ShadowPad, SmokeLoader, Snake, SUNBURST, SunCrypt, TEARDROP, TrickBot, WastedLocker, Winnti, Zloader, Evilnum, OUTLAW SPIDER, RIDDLE SPIDER, SOLAR SPIDER, VIKING SPIDER

2020-12-03 | Kaspersky Labs | Pierre Delcher
What did DeathStalker hide between two ferns?
PowerPepper, Evilnum

2020-11-03 | Kaspersky Labs | GReAT
APT trends report Q3 2020
WellMail, EVILNUM, Janicab, Poet RAT, AsyncRAT, Ave Maria, Cobalt Strike, Crimson RAT, CROSSWALK, Dtrack, LODEINFO, MoriAgent, Okrum, PlugX, poisonplug, Rover, ShadowPad, SoreFang, Winnti

2020-08-24 | Kaspersky Labs | Ivan Kwiatkowski, Maher Yamout, Pierre Delcher
Lifting the veil on DeathStalker, a mercenary triumvirate
EVILNUM, Janicab, Evilnum

2020-07-20 | Twitter (@InQuest) | InQuest
Tweets on PowerPepper decryption

2020-07-09 | ESET Research | Matías Porolli
More evil: A deep look at Evilnum and its toolset
EVILNUM, More_eggs, EVILNUM, TerraPreter, TerraStealer, TerraTV, Evilnum

2018-12-13 | Security 0wnage | Mo Bustami
POWERSING - From LNK Files To Janicab Through YouTube & Twitter

2015-09-11 | MacMark | Markus Möller
CSI MacMark: Janicab

2013-07-22 | Avast | Peter Kálnai
Multisystem Trojan Janicab attacks Windows and MacOSX via scripts

2013-07-15 | F-Secure | Broderick Aquilino
Signed Mac Malware Using Right-to-Left Override Trick

Credits: MISP Project