Mallory
1 malware family

TA4563

Also known as: ta4563

TA4563 is a threat actor tracked by Proofpoint. It has targeted European financial and investment entities since late 2021; the more recent campaigns Proofpoint observed focused exclusively on decentralized finance (DeFi) organizations. The group deploys the EvilNum malware family, a modular backdoor used for reconnaissance, data theft, and loading additional payloads. Proofpoint assessed that TA4563 activity overlaps with activity publicly associated with DeathStalker and EvilNum, and noted similarities with EvilNum activity reported by Zscaler in June 2022.

Delivery methods evolved across campaigns: Microsoft Word documents that pull a remote template, ISO files, and Windows shortcut (LNK) loaders, typically sent as financial-themed email lures or as OneDrive links. The infection chains Proofpoint described ran from LNK execution through cmd.exe and PowerShell to dynamically loaded C# code; earlier activity used JavaScript components.

Proofpoint reported that EvilNum campaigns were tightly fenced, allowing only one download per IP address for final payload retrieval, so a second fetch from the same address (for example by an analyst or a sandbox) does not receive the payload. The malware also altered its execution path based on the antivirus products it detected on the host, including Avast, AVG, and Windows Defender, and attempted to invoke probably legitimate host-resident executables such as TechToolkit.exe and nvapiu.exe as part of its evasion. Proofpoint stated the tooling is under active development.

Related public cluster names in the source reporting are DeathStalker and EvilNum; Proofpoint describes these as overlapping activity rather than as direct aliases of TA4563.
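The remote-template delivery described above (Template Injection, T1221) can be checked statically, because the reference to the external template lives in the document's relationship part, not in macro code. The following is an added example written for this page, not Proofpoint's or Mallory's code: it builds constructed minimal .docx files in memory and flags an attachedTemplate relationship whose target would be fetched over the network, while leaving a document that references a local template alone. The hostname templates.example.invalid and the file names are placeholders.

```python
"""Static check for Word remote template injection (MITRE ATT&CK T1221).

Added example, not code from Proofpoint or Mallory. It relies on the OOXML
package layout (ECMA-376): an attached template is declared in
word/_rels/settings.xml.rels as a Relationship of type
".../relationships/attachedTemplate"; a remote template is one whose
Target is a network location (Word marks these TargetMode="External").
"""
import io
import sys
import zipfile
import xml.etree.ElementTree as ET
from typing import Optional
from urllib.parse import urlparse

PKG_REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = (
    "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
    "attachedTemplate"
)
SETTINGS_RELS = "word/_rels/settings.xml.rels"


def _is_remote(target: str) -> bool:
    """True when Word would have to fetch the template over the network."""
    if target.startswith(("\\\\", "//")):
        return True  # UNC path, retrieved over SMB or WebDAV
    parsed = urlparse(target)
    if parsed.scheme in {"http", "https", "ftp"}:
        return True
    # file://host/share/x.dotm is remote; file:///C:/... is a local path
    return parsed.scheme == "file" and bool(parsed.netloc)


def attached_templates(docx_bytes: bytes) -> list[dict]:
    """List every attachedTemplate relationship with a remote/local verdict."""
    found: list[dict] = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        if SETTINGS_RELS not in zf.namelist():
            return found  # no settings relationships: no attached template
        root = ET.fromstring(zf.read(SETTINGS_RELS))
        for rel in root.iter(f"{{{PKG_REL_NS}}}Relationship"):
            if rel.get("Type") != ATTACHED_TEMPLATE:
                continue
            target = rel.get("Target", "")
            found.append({
                "id": rel.get("Id"),
                "target": target,
                "mode": rel.get("TargetMode", "Internal"),
                "remote": _is_remote(target),
            })
    return found


def find_remote_templates(docx_bytes: bytes) -> list[str]:
    """Targets that would be fetched from the network when the document opens."""
    return [t["target"] for t in attached_templates(docx_bytes) if t["remote"]]


def _build_docx(rels_xml: Optional[str]) -> bytes:
    """Constructed minimal .docx containing only the parts the check reads."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if rels_xml is not None:
            zf.writestr(SETTINGS_RELS, rels_xml)
    return buf.getvalue()


def _rels(target: str, mode: str = "External") -> str:
    """Constructed settings.xml.rels with a single attachedTemplate entry."""
    return (
        f'<?xml version="1.0" encoding="UTF-8"?>'
        f'<Relationships xmlns="{PKG_REL_NS}">'
        f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
        f'Target="{target}" TargetMode="{mode}"/>'
        f"</Relationships>"
    )


# Constructed samples: a lure pointing at a placeholder host, a benign file
# referencing a local Normal.dotm (the form Word commonly writes), and a
# document with no attached template at all.
LURE_DOCX = _build_docx(_rels("http://templates.example.invalid/invoice.dotm"))
BENIGN_DOCX = _build_docx(
    _rels("file:///C:/Users/user/AppData/Roaming/Microsoft/Templates/Normal.dotm")
)
PLAIN_DOCX = _build_docx(None)

if __name__ == "__main__":
    # Usage: python check_template.py a.docx [b.docx ...]; no args scans the samples.
    samples = [(p, open(p, "rb").read()) for p in sys.argv[1:]] or [
        ("lure.docx", LURE_DOCX),
        ("benign.docx", BENIGN_DOCX),
        ("plain.docx", PLAIN_DOCX),
    ]
    for name, data in samples:
        hits = find_remote_templates(data)
        verdict = "REMOTE TEMPLATE " + ", ".join(hits) if hits else "clean"
        print(f"{name}: {verdict}")
```

The check deliberately classifies on the target rather than on TargetMode alone, because Word also writes TargetMode="External" for a template sitting on the local disk; treating every External entry as malicious would flag ordinary documents. A UNC or file://host target is still reported, since Word fetches those over SMB or WebDAV exactly as it would an HTTP template.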


OPERATIONAL PROFILE

Targeting

Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.

Who they target

Sectors the actor has been observed targeting.

  • finance
  • investment
  • crypto
MITRE ATT&CK

Tradecraft

Techniques observed across reporting, grouped by tactic. Sub-techniques are listed under their parent technique; T1497 appears under both Defense Evasion and Discovery because ATT&CK assigns it to both tactics.

6 tactics, 17 technique rows (sub-techniques included)

TA0001 Initial Access (1 technique)
  • T1566 Phishing
      • T1566.001 Spearphishing Attachment
      • T1566.003 Spearphishing via Service

TA0002 Execution (2 techniques)
  • T1059 Command and Scripting Interpreter
      • T1059.001 PowerShell
      • T1059.003 Windows Command Shell
      • T1059.007 JavaScript
  • T1204 User Execution

TA0005 Defense Evasion (4 techniques)
  • T1140 Deobfuscate/Decode Files or Information
  • T1218 System Binary Proxy Execution
  • T1221 Template Injection
  • T1497 Virtualization/Sandbox Evasion
      • T1497.001 System Checks

TA0007 Discovery (1 technique)
  • T1497 Virtualization/Sandbox Evasion
      • T1497.001 System Checks

TA0009 Collection (1 technique)
  • T1113 Screen Capture

TA0011 Command and Control (1 technique)
  • T1105 Ingress Tool Transfer
IOCS

Observables

29 indicators (domains, IPs, hashes, and other artifacts) are attributed to this actor in the underlying reporting. The indicator values are not reproduced on this page.
