Threat Actor Characterization

Evilnum

ID: 8f1c5bd61fcc6f9b5a5ae55a289a775a90636
Cybercrime Cybercriminal
Threat types: Intrusion, Financial Theft, Malware
Unknown UNKNOWN
Updated: 2026-01-13
Created: 2025-10-21
Progress: 35% Completeness: 28% Freshness: 50%
Operation zone: UNKNOWN
Aliases: No aliases registered.
MITRE ATT&CK®

Evilnum is a financially motivated threat group that has been active since at least 2018. Ref: https://attack.mitre.org/groups/G0120/


| Technique | Technique name | Tactics | Evidence |
|---|---|---|---|
| T1059.007 | JavaScript | TA0002 | Command and Scripting Interpreter: JavaScript - Evilnum has used malicious JavaScript files on the victim's machine. |
| T1070.004 | File Deletion | TA0005 | Indicator Removal: File Deletion - Evilnum has deleted files used during infection. |
| T1204.001 | Malicious Link | TA0002 | User Execution: Malicious Link - Evilnum has sent spearphishing emails designed to trick the recipient into opening malicious shortcut links that download a .LNK file. |
| T1219.002 | Remote Desktop Software | TA0011 | Remote Access Tools: Remote Desktop Software - Evilnum has used the malware variant TerraTV to run a legitimate TeamViewer application to connect to compromised machines. |
| T1497.001 | System Checks | TA0005, TA0007 | Virtualization/Sandbox Evasion: System Checks - Evilnum has used a component called TerraLoader to check certain hardware and file information to detect sandboxed environments. |
| T1548.002 | Bypass User Account Control | TA0004, TA0005 | Abuse Elevation Control Mechanism: Bypass User Account Control - Evilnum has used PowerShell to bypass UAC. |
| T1566.002 | Spearphishing Link | TA0001 | Phishing: Spearphishing Link - Evilnum has sent spearphishing emails containing a link to a zip file hosted on Google Drive. |
| T1574.001 | DLL | TA0003, TA0004, TA0005 | Hijack Execution Flow: DLL - Evilnum has used the malware variant TerraTV to load a malicious DLL placed in the TeamViewer directory instead of the original Windows DLL located in a system folder. |