Deathstalker
DeathStalker is a likely mercenary threat actor assessed to offer hack-for-hire services or act as an information broker. The underlying reporting attributes an updated VileRAT-centered cyber-espionage campaign to DeathStalker with high confidence, based on code continuity, shared TTPs, similar XOR logic, Office object abuse, and victimology consistent with the Evilnum, PowerSing, and PowerPepper campaigns. Researchers discovered VileRAT in Q2 2020 while analysing updated Evilnum tradecraft, and DeathStalker has continuously updated and used the VileRAT toolchain against foreign exchange and cryptocurrency trading companies since June 2020.

Observed targeting includes foreign exchange and cryptocurrency trading companies, with compromised or targeted organizations identified in Bulgaria, Cyprus, Germany, Grenadines, Kuwait, Malta, the United Arab Emirates, and the Russian Federation. About half of the identified targets were foreign currency and cryptocurrency exchange brokers. Separate reporting also notes DeathStalker intrusions targeting legal entities in the Middle East.

The infection chain evolved over time. In 2020, DeathStalker used spear-phishing emails from fake personas, including a fake diamond-trading company, with malicious Google Drive links delivering Windows shortcut files masquerading as PDFs or ZIP archives. In 2021-2022, the actor used malicious DOCX files sent by email or via chatbots embedded in targeted companies' public websites. These DOCX lures commonly used keywords such as "compliance" or "complaint", often referenced the targeted company's name, and fetched malicious macro-enabled DOTM remote templates. The toolchain described in the reporting includes VileDropper, VileLoader, and VileRAT. The DOTM templates used VBA stomping and variants tailored to different Microsoft Office versions.
The macros gathered information on installed security products via WMI, decoded and dropped files from hidden TextBox form data in Office objects, and executed VileDropper, an obfuscated JavaScript backdoor. VileDropper performed anti-analysis checks, gathered host data, communicated with its C2 via HTTP GET requests, and scheduled execution of VileLoader. VileLoader is a multi-stage downloader documented earlier as dddp.exe; recent samples used a legitimate but doctored binary plus encoded shellcode, created the mutex "Global\wU3aqu1t2y8uN", and downloaded implant packages from the C2. VileRAT, also known publicly as PyVil, is an obfuscated and packed Python 3 RAT supporting arbitrary remote command execution, SSH-based tunneling, keylogging, scheduled-task persistence, security product enumeration, and self-updating from the C2. The reporting also states that VileRAT is reportedly used uniquely by DeathStalker.

DeathStalker invested heavily in evasion and obfuscation, including VBA stomping, XOR-encoded data stores in Office objects, JavaScript anti-analysis checks, multi-stage in-memory loading, and Python bytecode obfuscation intended to break decompilers. Researchers identified hundreds of domains associated with the VileRAT infection chain; from at least October 2021, campaign infrastructure IPs belonged to AS42159 (DELTAHOST UA, located in the Netherlands), and malicious domains were often batch-registered through NAMECHEAP, Porkbun LLC, or PDR Ltd. Known aliases and related names mentioned directly in the reporting include Evilnum, PowerSing, PowerPepper, and PyVil.
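The DOCX-to-remote-DOTM lure described above leaves a trace in the document's own package structure: an external attachedTemplate relationship in the settings part. The following is an added triage example (not code from the reporting or from Mallory) that builds a constructed sample DOCX with such a relationship and scores it for the lure indicators named on this page; the template URL and filenames used in the test are placeholders, not real indicators.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
ATTACHED_TEMPLATE = "attachedTemplate"  # Word's relationship type for a linked template

def build_sample_docx(template_target):
    """Constructed minimal DOCX (not a real lure): its settings part carries an
    external attachedTemplate relationship, as a remote-template lure does."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/settings.xml", "<w:settings/>")
        z.writestr("word/_rels/settings.xml.rels",
                   f'<Relationships xmlns="{REL_NS}"><Relationship Id="rId1" '
                   f'Type="{OFFICE_REL}{ATTACHED_TEMPLATE}" Target="{template_target}" '
                   'TargetMode="External"/></Relationships>')
    return buf.getvalue()

def find_attached_templates(docx_bytes):
    """Return (rels part, target) for each external attachedTemplate relationship."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if (rel.get("TargetMode") == "External"
                        and rel.get("Type", "").endswith(ATTACHED_TEMPLATE)):
                    hits.append((name, rel.get("Target", "")))
    return hits

def triage(docx_bytes, filename):
    """List the page's lure indicators present: template fetched over HTTP(S),
    macro-enabled .dotm target, and a 'compliance'/'complaint' lure keyword."""
    reasons = []
    for _, target in find_attached_templates(docx_bytes):
        if re.match(r"https?://", target, re.I):
            reasons.append("attached template fetched over HTTP(S)")
        if target.lower().split("?")[0].endswith(".dotm"):
            reasons.append("macro-enabled DOTM template")
    if re.search(r"compliance|complaint", filename, re.I):
        reasons.append("lure keyword in filename")
    return reasons
```

A document whose attached template is a local `.dotx` path produces no reasons, so the check separates the lure pattern from ordinary corporate templates rather than flagging every attached template.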
Targeting
Who they target
Sectors the actor has been observed targeting.
- Financial Services
Where they target
Geographies tied to known operations.
- 🇧🇬 Bulgaria
- 🇨🇾 Cyprus
- 🇩🇪 Germany
- 🇰🇼 Kuwait
- 🇲🇹 Malta
- 🇦🇪 United Arab Emirates
- 🇷🇺 Russia
Recent activity
3 sources tracked across advisories, community write-ups, and news.
A threat actor reportedly associated with unique use of VileRAT and previously described as highly targeted, focusing on financial technology.
Hack-for-hire or mercenary-style intrusion actor conducting long-running espionage and intelligence-gathering campaigns against foreign exchange and cryptocurrency trading companies using the VileRAT infection chain.
Long-running intrusion set (traceable back to ~2015) targeting primarily legal and financial organizations (and possibly travel) in the Middle East and Europe; uses Janicab variants and dead-drop resolver infrastructure on public web services.