MITRE ATT&CK® Group

G0120: Evilnum

Evilnum is a financially motivated threat group that has been active since at least 2018.[1]

Enterprise | G0120 | Group | Object v1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

Evilnum is an ATT&CK-tracked, financially motivated group active since at least 2018. The decision value is not the name alone: the mapped behaviors combine phishing links, script execution, backdoors, credential and session-cookie theft, remote desktop software, tool transfer, UAC bypass, DLL abuse, system checks, and file deletion. For leaders, this makes Evilnum a useful planning reference for validating whether identity, endpoint, email, web, and incident response controls can handle financially motivated intrusion patterns that may start with a user click and progress into credential access and remote control.

Executive priority

Prioritize this as a resilience and control-validation use case, especially where business processes depend on user web access, SaaS sessions, stored credentials, and remote administration tools. Executives should ask whether the organization can prove coverage for phishing-link prevention, suspicious script execution, password-store access, session-cookie theft, unauthorized remote desktop software, and post-compromise cleanup attempts. The mapped techniques also support audit and compliance evidence: show that email security, endpoint logging, identity session controls, privileged access governance, and incident response playbooks are tested against realistic financially motivated intrusion behavior.

Technical view

SOC and IR teams should treat this object as a group-level behavior map, not as a complete detection recipe. ATT&CK provides no official detection text or explicit platforms for the group itself, but relationships point to Windows-heavy tooling such as More_eggs and EVILNUM, cross-platform credential tooling such as LaZagne, and techniques spanning endpoint, identity provider, Office suite, SaaS, and some cloud/IaaS contexts. Validate detection logic across the chain: spearphishing link and malicious-link activity, JavaScript/JScript execution, ingress tool transfer, remote desktop software use, credential access from password stores, web session cookie theft, UAC bypass, DLL abuse, sandbox/system-check behavior, and file deletion. Correlate user, endpoint, network, email, and identity events rather than relying on any single indicator.

Likely telemetry

  • Email security and secure web gateway logs for spearphishing links, URL clicks, redirects, and downloads
  • Endpoint process creation and command-line telemetry for JavaScript/JScript execution and suspicious script hosts
  • File creation, modification, deletion, and quarantine events for dropped tools, DLL activity, and cleanup behavior
  • EDR or operating system events for UAC bypass indicators and elevated process execution on Windows
  • Application, browser, and identity telemetry relevant to web session cookie theft and anomalous authenticated sessions

Detection direction

  • Build detections around behavior clusters, not the Evilnum name alone: phishing link click followed by script execution, download activity, credential-store access, or remote desktop software is higher value than isolated events.
  • Tune for legitimate administrative activity. Remote desktop software, DLL loading, JavaScript execution, and file deletion all have benign uses; prioritize unusual user context, rare parent-child process chains, new software appearance, abnormal destinations, and timing after email/web events.
  • Validate identity visibility for session risk. Because ATT&CK maps web session cookie theft, confirm whether the SOC can see impossible travel, new device/session activity, token/session anomalies, and SaaS access that bypasses normal credential prompts.
  • Confirm Windows endpoint depth for UAC bypass, DLL abuse, More_eggs, and EVILNUM-related coverage, while also checking Linux, macOS, SaaS, Office Suite, Identity Provider, and IaaS telemetry where mapped techniques apply.
  • Hunt for cleanup and anti-analysis signals such as file deletion after tool execution and system checks that may cause malware to change behavior in sandboxed environments.
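The behaviour-cluster logic from the Technical view and the Detection direction above, as an added Python example that is not part of the Glexia or MITRE page: it anchors on a spearphishing link click per user and host, collects the distinct later stages (script-host JScript execution, tool download, remote desktop software, browser cookie access) inside a time window, and alerts only when several stages follow the click, so a lone TeamViewer launch by an administrator does not fire. The event fields, the 30-minute window, the stage classifiers and the sample events are all assumptions constructed for the example.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=30)  # assumed correlation window after the link click

# Constructed sample telemetry (not real logs); field names are assumptions.
EVENTS = [
    {"ts": "2024-05-01T09:00:10", "user": "alice", "host": "WS01", "event": "url_click", "detail": "https://drive.google.com/file/d/EXAMPLE"},
    {"ts": "2024-05-01T09:01:05", "user": "alice", "host": "WS01", "event": "process", "detail": "wscript.exe C:\\Users\\alice\\Downloads\\invoice.js"},
    {"ts": "2024-05-01T09:04:00", "user": "alice", "host": "WS01", "event": "file_write", "detail": "C:\\Users\\alice\\AppData\\Local\\TeamViewer\\TeamViewer.exe"},
    {"ts": "2024-05-01T09:10:12", "user": "alice", "host": "WS01", "event": "process", "detail": "C:\\Users\\alice\\AppData\\Local\\TeamViewer\\TeamViewer.exe"},
    {"ts": "2024-05-01T09:12:30", "user": "alice", "host": "WS01", "event": "file_read", "detail": "C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Network\\Cookies"},
    # Benign: approved remote desktop software used by an admin with no preceding phishing chain
    {"ts": "2024-05-01T11:00:00", "user": "bob", "host": "WS02", "event": "process", "detail": "C:\\Program Files\\TeamViewer\\TeamViewer.exe"},
]

def stage_of(ev):
    """Map one event to an ATT&CK ID from the relationship table above, or None if unremarkable."""
    d = ev["detail"].lower()
    if ev["event"] == "url_click":
        return "T1566.002"  # spearphishing link click
    if ev["event"] == "process" and d.partition(" ")[0].endswith(("wscript.exe", "cscript.exe")) and ".js" in d:
        return "T1059.007"  # JScript run through a Windows script host
    if ev["event"] == "file_write" and d.endswith((".exe", ".dll")):
        return "T1105"  # ingress tool transfer
    if ev["event"] == "process" and "teamviewer" in d:
        return "T1219.002"  # remote desktop software
    if ev["event"] == "file_read" and d.endswith("\\cookies"):
        return "T1539"  # browser session cookie access
    return None

def correlate(events, window=WINDOW):
    """Per user+host, anchor on a link click and yield the distinct stages that follow it inside the window."""
    by_key = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_key.setdefault((ev["user"], ev["host"]), []).append(ev)
    for (user, host), evs in by_key.items():
        for i, ev in enumerate(evs):
            if stage_of(ev) != "T1566.002":
                continue
            t0, chain = datetime.fromisoformat(ev["ts"]), []
            for later in evs[i + 1:]:
                if datetime.fromisoformat(later["ts"]) - t0 > window:
                    break
                s = stage_of(later)
                if s and s not in chain:
                    chain.append(s)
            if len(chain) >= 2:  # a click followed by several stages is the cluster; no single event alerts
                yield {"user": user, "host": host, "start": ev["ts"], "chain": chain}
```

Running `list(correlate(EVENTS))` returns one alert for alice on WS01 with the chain T1059.007, T1105, T1219.002, T1539, while bob's TeamViewer launch produces nothing.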

Mitigation priorities

  • Start with phishing-link risk reduction: user reporting, URL inspection, safe browsing controls, and rapid containment workflows for clicked links.
  • Harden identity and session controls: enforce strong authentication, monitor session anomalies, reduce long-lived sessions where business-appropriate, and maintain SaaS and identity provider audit coverage.
  • Reduce credential exposure by governing password stores, secrets vaults, browser-stored credentials, and local credential artifacts; validate that access to these stores is logged and reviewed.
  • Control script and tool execution with endpoint hardening, application control where feasible, least privilege, and monitoring of script hosts and unexpected downloads.
  • Govern remote desktop and remote monitoring software through approved-tool inventories, allowlisting or policy controls, and alerting on unauthorized installation or use.

Analyst notes and limits

This take is based on the ATT&CK group object for Evilnum, its official description, the ESET July 2020 external reference, and supplied ATT&CK relationships to software and techniques. The group object itself has no official detection guidance, no explicit platforms, and no listed tactics; platform and tactic discussion here is derived only from the related software and technique records provided.

Local risk depends on the organization’s exposed users, SaaS/identity architecture, endpoint platforms, logging depth, and approved remote administration practices. The supplied ATT&CK fields do not establish current activity, specific victimology, active campaigns, indicators of compromise, or guaranteed detection methods. Environment-specific validation is required before turning this into control assurance or executive risk scoring.

Official MITRE ATT&CK definition

Evilnum

Evilnum is a financially motivated threat group that has been active since at least 2018.[1]

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

11 rows

Domain | ID | Name | Relationship / procedure

Enterprise | T1497.001 | System Checks (sub-technique)
  Evilnum has used a component called TerraLoader to check certain hardware and file information to detect sandboxed environments. [1]

Enterprise | T1219.002 | Remote Desktop Software (sub-technique)
  EVILNUM has used the malware variant TerraTV to run a legitimate TeamViewer application to connect to compromised machines. [1]

Enterprise | T1539 | Steal Web Session Cookie
  Evilnum can steal cookies and session information from browsers. [1]

Enterprise | T1566.002 | Spearphishing Link (sub-technique)
  Evilnum has sent spearphishing emails containing a link to a zip file hosted on Google Drive. [1]

Enterprise | T1548.002 | Bypass User Account Control (sub-technique)
  Evilnum has used PowerShell to bypass UAC. [1]

Enterprise | T1070.004 | File Deletion (sub-technique)
  Evilnum has deleted files used during infection. [1]

Enterprise | T1574.001 | DLL (sub-technique)
  Evilnum has used the malware variant TerraTV to load a malicious DLL placed in the TeamViewer directory instead of the original Windows DLL located in a system folder. [1]

Enterprise | T1204.001 | Malicious Link (sub-technique)
  Evilnum has sent spearphishing emails designed to trick the recipient into opening malicious shortcut links that download a .LNK file. [1]

Enterprise | T1555 | Credentials from Password Stores
  Evilnum can collect email credentials from victims. [1]

Enterprise | T1105 | Ingress Tool Transfer
  Evilnum can deploy additional components or tools as needed. [1]

Enterprise | T1059.007 | JavaScript (sub-technique)
  Evilnum has used malicious JavaScript files on the victim's machine. [1]

Associated objects

Groups, software, and campaigns

Malware (Enterprise)

S0284: More_eggs

More_eggs is a JScript backdoor used by Cobalt Group and FIN6. Its name was given based on the variable "More_eggs" being present in its code. There are at least two different versions of the backdoor being used, version 2.0 and version 4.4. [1][2]

Platforms: Windows

Tool (Enterprise)

S0349: LaZagne

LaZagne is a post-exploitation, open-source tool used to recover stored passwords on a system. It has modules for Windows, Linux, and OSX, but is mainly focused on Windows systems. LaZagne is publicly available on GitHub.[1]

Platforms: Linux, macOS, Windows

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.0
Raw hash: f32924297940ae57...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.0 | | Current bundle | f32924297940…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] ESET EvilNum July 2020: Porolli, M. (2020, July 9). More evil: A deep look at Evilnum and its toolset. Retrieved January 22, 2021.
  2. [2] Evilnum (Citation: ESET EvilNum July 2020)
  3. [3] mitre-attack G0120

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.