article featured image


Evilnum is a sophisticated persistent threat that has been active since at least 2018, although its campaign and tools were just recently discovered in the year 2020. This means that Evilnum has been operating for at least two years.

Emails containing links to ZIP files stored on Google Drive are sent to potential victims as part of a spear-phishing attack. This download contains a number of LNK files, often known as shortcuts, which when opened will extract and run a malicious JavaScript component while simultaneously presenting a dummy document. “Double extensions” are used on these shortcut files in an attempt to deceive users into opening them by making them believe the files contain harmless photos or documents (in Windows, file extensions for known file types are hidden by default).

What Happened?

The most recent exposure is the result of the efforts of Zscaler’s experts, who have been monitoring Evilnum’s activities since the beginning of 2022 and collecting a variety of artifacts relating to the assaults they have carried out.

Since the beginning of 2022, ThreatLabz has been closely monitoring the activities of the Evilnum APT group. We identified several instances of their low-volume targeted attack campaigns launched against our customers in the UK and Europe region.

The new instances of the campaign use updated tactics, techniques, and procedures. In earlier campaigns observed in 2021, the main distribution vector used by this threat group was Windows Shortcut files (LNK) sent inside malicious archive files (ZIP) as email attachments in spear phishing emails to the victims.

In the most recent instances, the threat actor has started using MS Office Word documents, leveraging document template injection to deliver the malicious payload to the victims’ machines. In this blog, we present the technical details of all components involved in the end-to-end attack chain. At the time of writing, to the best of our knowledge, the complete attack chain of this new instance of Evilnum APT group is not publicly documented anywhere.

ThreatLabz has identified several domains associated with Evilnum APT group which have not been previously detected by security vendors. This discovery indicates that the Evilnum APT group has been successful at flying under the radar and has remained undetected for a long time.


Important migration organizations were sent malicious emails that included macro-laden papers about the same time that Russia began its invasion of Ukraine. The targeting and the timing of the attack were coincidental.

There are several different filenames for the papers that were utilized in the campaign, but most of them include the word “compliance.” At least nine distinct documents were discovered by Zscaler, all of which were referenced in the IoC part of the report.


In order to avoid detection, the attachment makes use of a method called template injection and also stomps on VBA code, which ultimately results in the execution of highly obfuscated JavaScript.

This, in turn, decrypts and drops a malware loader known as “SerenadeDACplApp.exe” together with an encrypted binary known as “devZUQVD.tmp.” Additionally, this results in the creation of a scheduled job known as “UpdateModel Task” for the purpose of persistence.

The loader performs preliminary checks and loads the binary under an extracted file name. The binary injection is done using the old “Heaven’s gate” technique to evade AV detection. This technique involves invoking 64-bit code in 32-bit processes, and while it has been mitigated in Windows 10, Evilnum still likely uses it to target machines running older OS versions.

As BleepingComputer reports, the backdoor that is loaded on the compromised system executes to perform the following operations:

  • Decrypts the backdoor configuration (C2 domains, User Agent strings, network paths, referrer strings, cookies-type strings);
  • Resolves API addresses from the libraries retrieved from the configuration;
  • Performs a mutex check;
  • Builds data exfiltration string to be sent as part of the beacon request;
  • Encrypt and encode the generated string with Base64;
  • Embed the encoded string inside the cookie header field by selecting one of the cookie-type strings from the configuration.

When all of the processes have been completed, the backdoor will choose a C2 domain and a route string from the setup before sending out a beacon network request. It’s possible that the C2 may respond with a fresh encrypted payload.

In addition, the backdoor is capable of capturing system snapshots and transmitting them to the C2 server via POST requests. This allows the data to be exfiltrated in an encrypted format.

Don’t forget to follow us on LinkedInTwitterFacebookYoutube, or Instagram to keep up to date with everything we post!

Author Profile

Dora Tudor

Cyber Security Enthusiast

linkedin icon

Dora is a digital marketing specialist within Heimdal™ Security. She is a content creator at heart - always curious about technology and passionate about finding out everything there is to know about cybersecurity.

Leave a Reply

Your email address will not be published. Required fields are marked *

Protect your business by doing more with less

Book a Demo