ShadowCoil is a credential-stealing malware family associated in reporting with UNC2165, a cluster linked to EvilCorp. It has been observed used alongside ViperTunnel in intrusion chains affecting business environments, particularly in campaigns that appear oriented toward maintaining access for follow-on criminal activity. ShadowCoil is specifically described as targeting credentials and related data from Chromium-based and Mozilla browsers, including Chrome, Edge, and Firefox. Reporting also notes shared obfuscation tradecraft between ShadowCoil and other tooling used by the same operators, indicating a common development ecosystem or operator overlap. Based on available high-confidence information, ShadowCoil is a Windows-focused credential stealer used in financially motivated intrusion activity.
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
2 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
Evidence suggests a link to the UNC2165 group, associated with EvilCorp, and it's often used with the ShadowCoil credential stealer.
Evidence suggests a link to the UNC2165 group, associated with EvilCorp, and it's often used with the ShadowCoil credential stealer.
3 distinct techniques documented for this family, organized by ATT&CK tactic.
3 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Credential-stealer referenced as sharing obfuscation techniques with VIPERTUNNEL.
Credential stealer observed alongside ViperTunnel in related activity.
Credential-stealing malware used alongside ViperTunnel to steal browser credentials from Chrome, Firefox, and Edge.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.