
The “Evilnum” group of actors has been pretty active during the past two years, and it appears that they are now going through major shifts in their toolset.
Evilnum is interested in banks and financial organizations in general, which hasn’t changed. The group’s main goal is to spy its targets and try to exfiltrate sensitive data like VPN passwords, browser cookies, email credentials, and classified documents.
The infection chain is now differentiating from what used to be typical in the past, and the actors are now using a single LNK file that poses as a utility bill or driver’s license PDF. This file activates a JavaScript dropper, which sets up a scheduled task to retrieve the malicious binaries.

The new payload is the PyVil RAT written in Python, which is obfuscated with extra layers to make its decompilation
The Nocturnus researchers used memory dumps to do it anyway, so they report the following functionality in the PyVil’s code:
- Keylogger
- Running cmd commands
- Taking screenshots
- Downloading more Python scripts for additional functionality
- Dropping and uploading executables
- Opening an SSH shell
- Collecting information such as what Anti-virus products are installed, which USB devices connected, or the Chrome version

When the RAT needs to phone back home to the C2, it does so via POST HTTP requests that feature RC4 encryption applied thanks to a hardcoded base64 key. In several recorded cases, PyVil RAT received a new Python module from the C2, which was basically a custom version of the LaZagne credential stealer.

Finally, the infrastructure that supports the Evilnum operations seems to have grown significantly over the past couple of weeks, and so has the number of domain IP addresses associated with the group. This is indicative of the group’s goal to continue its malicious operations and actually up their game by deploying new tools and making sure that they are still able to remain undetected.