Cybercrime Group TA4563 Targets DeFi Market With Evolving Evilnum Backdoor

[correlate]

Financial and investment entities, including those involved in the decentralized finance (DeFi) and cryptocurrency markets, are being actively targeted by a group of hackers identified as TA4563, who are leveraging Evilnum malware.

According to a new report from Proofpoint, the first email campaign was last December, with the initial campaign attempting to deliver Word documents that could install an updated version of the backdoor. The files contained social-engineering phishing tactics aimed at financial institutions, in one case suggesting the recipient must submit "proof of ownership of missing documents."
In later campaigns, the group tried to deliver multiple OneDrive URLs containing either an ISO attachment or a shortcut file (.LNK). Then, midway through 2022, the group again switched tactics, reverting to Word files that entice victims to download a remote template, instead sending the victim to an actor-controlled domain delivering the Evilnum payload.
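A defender-side triage check for the remote-template lure mentioned above, added here as an example; it is not code from the post or from the Proofpoint report and assumes nothing about the group's documents beyond Word's standard attached-template relationship pointing at an external target. The sample document is constructed inline for the check.

```python
import io
import sys
import zipfile
import xml.etree.ElementTree as ET
from typing import List, Optional

# Relationship type Word uses for a document's attached template (local or remote).
ATTACHED_TEMPLATE = (
    "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"
)
RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
SETTINGS_RELS = "word/_rels/settings.xml.rels"


def external_templates(docx_bytes: bytes) -> List[str]:
    """Return every attachedTemplate target that Word would fetch from outside the file.

    A benign document normally has no settings.xml.rels, or only an internal
    relationship; an external HTTP(S) target is what the remote-template lure relies on,
    so each hit is worth an analyst's look (a UNC/file target may be a corporate share).
    """
    found: List[str] = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        if SETTINGS_RELS not in z.namelist():
            return found
        root = ET.fromstring(z.read(SETTINGS_RELS))
        for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
            if rel.get("Type") == ATTACHED_TEMPLATE and rel.get("TargetMode") == "External":
                found.append(rel.get("Target", ""))
    return found


def build_sample_docx(template_target: Optional[str]) -> bytes:
    """Constructed fixture: a minimal zip holding only the parts the check reads."""
    rels = f'<Relationships xmlns="{RELS_NS}">'
    if template_target is not None:
        rels += (f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
                 f'Target="{template_target}" TargetMode="External"/>')
    rels += "</Relationships>"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/settings.xml", "<settings/>")
        z.writestr(SETTINGS_RELS, rels)
    return buf.getvalue()


if __name__ == "__main__":
    # Usage: python check_template.py suspicious.docx [more.docx ...]
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            hits = external_templates(fh.read())
        print(path, "->", hits if hits else "no external template")
```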