Skip to content


EVILNUM is fully capable backdoor that was first identified in 2018. EVILNUM is used by the APT group Evilnum which has the same name.12

Item Value
ID S0568
Associated Names
Version 1.0
Created 28 January 2021
Last Modified 19 January 2022
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1547 Boot or Logon Autostart Execution -
enterprise T1547.001 Registry Run Keys / Startup Folder EVILNUM can achieve persistence through the Registry Run key.12
enterprise T1041 Exfiltration Over C2 Channel EVILNUM can upload files over the C2 channel from the infected host.2
enterprise T1070 Indicator Removal EVILNUM has a function called “DeleteLeftovers” to remove certain artifacts of the attack.2
enterprise T1070.006 Timestomp EVILNUM has changed the creation date of files.2
enterprise T1105 Ingress Tool Transfer EVILNUM can download and upload files to the victim’s computer.12
enterprise T1112 Modify Registry EVILNUM can make modifications to the Regsitry for persistence.2
enterprise T1518 Software Discovery -
enterprise T1518.001 Security Software Discovery EVILNUM can search for anti-virus products on the system.2
enterprise T1539 Steal Web Session Cookie EVILNUM can harvest cookies and upload them to the C2 server.2
enterprise T1218 System Binary Proxy Execution -
enterprise T1218.010 Regsvr32 EVILNUM can run a remote scriptlet that drops a file and executes it via regsvr32.exe.1
enterprise T1218.011 Rundll32 EVILNUM can execute commands and scripts through rundll32.2
enterprise T1082 System Information Discovery EVILNUM can obtain the computer name from the victim’s system.2
enterprise T1033 System Owner/User Discovery EVILNUM can obtain the username from the victim’s machine.2
enterprise T1102 Web Service -
enterprise T1102.003 One-Way Communication EVILNUM has used a one-way communication method via GitLab and Digital Point to perform C2.2
enterprise T1047 Windows Management Instrumentation EVILNUM has used the Windows Management Instrumentation (WMI) tool to enumerate infected machines.2

Groups That Use This Software

ID Name References
G0120 Evilnum 2