Recently, the Evilnum APT group used the Python-based RAT PyVil tool to spy and steal sensitive data; here, the main motive of the group is to spy on its victims and exfiltrate all the VPN passwords, email credentials, various documents, and browser cookies.
This is not the first time as the Evilnum APT group had also attacked earlier in 2018, but this time they came up with some new ideas and tricks to steal all sensitive data of the victims. The Evilnum APT group mostly targets victims from the UK and EU, but this time they do attack some victims from Australia and Canada.
The experts affirmed that Evilnum had been detected using attack elements that are scripted in JavaScript and C#; they also use various tools from malware-as-a-service provider Golden Chickens.
Not only this, but this group mainly uses spear-phishing emails to bypass all the ill-disposed files as scans of service bills, credit cards, driving licenses. It also includes other verifying documents that are needed by know-your-customer (KYC) management in the financial sector.
All these variations cover a change in the chain of infection and persistence, a new business that is increasing over time, and the use of a new Python-scripted Remote Access Trojan (RAT) Nocturnus dubbed as PyVil RAT.
The PyVil RAT allows the attackers to exfiltrate all the data, apply key-logging & take screenshots. It can also use secondary credential-harvesting tools like LaZagne; it’s an open-source application that is used to steal the passwords that are stored on a local computer.
The experts of cybersecurity frim Cybereason Nocturnus reported that this new version of PyVil is created with a multitude of functions and here they are mentioned below:-
Evilnum has always relied on spear-phishing emails that include ZIP archives housing 4 LNK files. That’s why its attack patterns and the new version is made with new ideas and tricks.
Vulnerable programs used
The vulnerable programs that are used in this attack are:-
Mitigations
The experts of cybersecurity firm have suggested some mitigations that are to be applied by the business carefully:-
Apart from this, the security researchers are still trying their best to bypass all the threats from Evilnum, and more importantly, the business firms need to be cautious regarding all these risks.
You can follow us on Linkedin, Twitter, Facebook for daily Cybersecurity updates
Also Read:
PoetRAT – New Python RAT Attacking Government and Energy Sector Via Weaponized Word Documents
Oracle Corporation has confirmed a data breach involving its older Gen 1 servers, marking its…
A critical security vulnerability, CVE-2025-31125, has been identified in the Vite development server. Due to improper…
A newly identified Android spyware app is elevating its tactics to remain hidden and unremovable…
Malicious PDF files have emerged as a dominant threat vector in email-based cyberattacks, accounting for…
A former employee of Dutch semiconductor firm ASML, identified as German A. (43), stands accused…
A severe vulnerability has been identified in the Apache Parquet Java library, specifically within its parquet-avro module.…