Cybercrime Group TA4563 Targets DeFi Market With Evolving Evilnum Backdoor

The cyber campaign, aimed at siphoning funds, uses an improved version of the malware, which can adjust infection paths based on recognized antivirus software.

Financial and investment entities, including those involved in the decentralized finance (DeFi) and cryptocurrency markets, are being actively targeted by a group of hackers identified as TA4563, who are leveraging Evilnum malware.
According to a new report from Proofpoint, the first email campaign was last December, with the initial campaign attempting to deliver Word documents that could install an updated version of the backdoor. The files contained social-engineering phishing tactics aimed at financial institutions, in one case suggesting the recipient must submit proof of ownership of missing documents.
In later campaigns, the group tried to deliver multiple OneDrive URLs containing either an ISO attachment or shortcut file (.LNK). Then, the group again switched tactics midway through 2022, reverting back to Word files to entice victims to download a remote template, instead sending the victim to an actor-controlled domain delivering the Evilnum payload.
Each campaign is highly fenced; the malware only allows one download per IP address to ensure only the target host can retrieve the final payload, the report,
issued Thursday
, notes.
The
Evilnum backdoor,
first observed in 2020, can be used for data theft, reconnaissance, or to load additional payloads — its often a fixture in cyber-espionage campaigns.
Based on Proofpoints analysis, the malware also contains multiple evasion mechanisms and is under ongoing development.
Sherrod DeGrippo, vice president of threat research and detection at Proofpoint, says this suggests the threat actors may incorporate new features of the malware to evade detection and improve efficacy in the campaigns.
The use of Microsoft Word and .LNK files to launch malware, as well as other different delivery methods, allows the actor to experiment with what works or has a higher likelihood of achieving an infection, she adds.
She points out most targets generally have a potential financial windfall for the threat actor, and notes
DeFi is a new, loosely regulated industry
with many new technologies that may not be fully vetted or secured.
Its an emerging, target-rich environment for threat actors to potentially benefit from, she says, adding that this particular campaign is targeting European organizations.
Decentralized finance lost $1.8 billion to cyberattacks last year — and 80% of those events were the result of vulnerable code, analysts say.
Nicole Hoffman, senior cyber-threat intelligence analyst at Digital Shadows, a provider of digital risk protection solutions, points out the DeFi industry is still relatively new and reliant on open source platforms.
She explains open source means the source code is publicly available, which makes it easier for cybercriminals to identify potential flaws.
Cybercriminals may also be drawn to the billions of dollars held within DeFi platforms, she adds.
Additionally, Hoffman says many DeFi platforms have cross-chain bridges, allowing users to transfer funds across multiple blockchains easily.
This inadvertently allows malicious actors to disburse their stolen funds across multiple blockchains quickly, she says.
Hoffman says DeFi developers are learning the hard way that security needs to be a part of the development process from the beginning.
The developers must address all security flaws and protect peoples funds if they want continuous buy-in, she says. Otherwise, the market will likely flop. Until these vulnerabilities are addressed, there will likely be more opportunistic attackers looking to make fast cash.
DeGrippo adds that more people are aware of and investing in decentralized finance and cryptocurrency resources, so there is an increasing pool of potential victims for threat actors to target.
Additionally, they may use different lure themes to target cryptocurrency-related products and services, she says.
She explains its important that these organizations ensure employees are trained to identify and report suspicious emails.
From a technology perspective, they can also restrict the use of container files such as ISO and LNK files, especially those downloaded from the internet, she says, and block RTF files from being downloaded or accessed from Word where applicable.
The eponymous group behind Evilnum malware has been targeting financial institutions since its emergence in 2018 and has
steadily evolved its methods
, adopting a Python remote access Trojans (RATs) to carry out
well-crafted spear-phishing attacks
.

Last News
▸ ArcSight prepares for future at user conference post HP acquisition. ◂ Discovered: 07/01/2025 Category: security	▸ Samsung Epic 4G: First To Use Media Hub ◂ Discovered: 07/01/2025 Category: security	▸ Many third-party software fails security tests ◂ Discovered: 07/01/2025 Category: security

**Cyber Security Categories**
Google Dorks Database	Exploits Vulnerability	Exploit Shellcodes

CVE List

Tools/Apps

News/Aarticles

Phishing Database

Deepfake Detection

Trends/Statistics & Live Infos

Tags:
Cybercrime Group TA4563 Targets DeFi Market With Evolving Evilnum Backdoor