PyVil Remote Access Trojan Threat Intel Advisory

CloudSEK Threat Intelligence Advisory on PyVil RAT, part of Evilnum's arsenal, capable of exfiltrating data, taking screenshots, keylogging.
Updated on
April 19, 2023
Published on
October 23, 2020
Subscribe to the latest industry news, threats and resources.
Python-script remote access trojan (RAT), dubbed PyVil, is used by Evilnum APT to gather sensitive corporate information. In September 2020, threat actors leveraged PyVil along with several other tools, such as More_eggs, TerraPreter, TerraStealer, and TerraTV to target FinTech companies across the UK and the European Union. This RAT propagates through malicious LNK files masquerading as legitimate PDF documents distributed via phishing scams. They send deceptive emails disguised as identification documents associated with the victim’s banking, including bills, credit card statements, etc. The RAT is compiled with py2exe, which converts python scripts into Microsoft Windows executables. This allows it to download new modules to expand its functionality.  The RAT is configured such that it can hold instructions for the browser when communicating with the Command and Control (C2) server. C2 communications are done via POST HTTP requests and are RC4 encrypted using a hardcoded key, encoded with Base64 (converts the binary data into text format). The key features of PyVil are:
  • Keylogging 
  • Taking screenshots
  • Gathering information from infected systems
The Python code inside the py2exe is made complicated with extra layers of encryptions to prevent the decompilation of the payload using existing tools.[/vc_wp_text][vc_wp_text]


  1. The leak of PII information can lead to identity theft.
  2. Confidential documents/ chats leaked to the public can cost the reputation of an individual or organization.
  3. Once the device is infected it can be used as a bot to perform DDoS attacks, leading to inaccessibility of services.
  4. The malware gives its operators access to a victim’s details, which are then used to further dupe the victims or to carry out social engineering attacks on them. 


  1. Do not open suspicious or unsolicited emails, especially those received from unknown/ suspect senders.
  2. Block the installation of programs from unknown sources.
  3. Download only from relevant and trusted sources.
  4. Backup your data at regular intervals.
  5. Use a trusted scanner to detect malware.
  6. Disable Windows PowerShell, which is a task automation framework.

Indicators of Compromise

  • voipasst[.]com
  • voipreq12[.]com
  • telecomwl[.]com
  • crm-domain[.]net
  • leads-management[.]net
  • fxmt4x[.]com
  • xlmfx[.]com
  • telefx[.]net
  • voipssupport[.]com
  • trquotesys[.]com
  • extrasectr[.]com
  • veritechx[.]com
  • quotingtrx[.]com
  • vvxtech[.]net
  • corpxtech[.]com
IP addresses
  • 193[.]56[.]28[.]201
  • 185[.]236[.]]230[.]25
  • 5[.]206[.]227[.]81
  • 176[.]107[.]188[.]175
  • db5d09edc2e9676a41f26f5f4310df9d13abdae8011b1d37af7139008362d5f1
  • 3b7cd07e87902deae4b482e987dea9e25a93a55ec783884e8b466dc55c346bce
  • c7cf5c62ecfade27338acb2cc91a06c2615dbb97711f2558a9379ee8a5306720
  • f5f79e2169db3bbe7b7ae3ff4a0f40659d11051e69ee784f5469659a708e829e
  • cff5ed4de201256678c7c068c1dbda5c47f4b322b618981693b1fd07a0ea7e68
  • 83c375dcdadb8467955f5e124cf4e8d6eac78c51c03fb7393dc810a243ba1a90
Dropped PDF
  • 048388c04738763c0ec57124e3a88fc82a545639636fb5ed6cd397881dd6ced9
  • 11d9a87b144c0eaf71e8dea1b08117d464ed7f24a6e716e935e0c7f3a7e03edc
  • 0b95c8c70d2dad47baef15d0299cd7e273e8a59ae0420921632b21789a80aef0
PyVil py2exe executable
  • f388a2ebbb6a7e577e8aa6205e87d5b2975e7c08464123cc36e8e3d437e9a523
  • 130e0536cdb4e9f7cfb273dbabc9ee196a51d1217cd4b981847af6314f46b052
  • d6343a07357e5443d6a59f10e16a06796c46bec3cbe5968ac04b0f082d6fcecf
PyVil first obfuscation layer
  • 568ec03a27740f8babc3513948a44ce1a2944d05f3d454ce345e67a0634a4a73
PyVil second obfuscation layer
  • 63a4b6ef72e0a3a0886364a5ebcc0009c6da8c27d93cf9d6c8107b6f025fed34
PyVil python libraries
  • 1aa9ecb83acbebc64b23f7192e763cf4bd278f10df2223512087b87230e411b4
  • 9dfb040dab1fd05fbccf69ff3461295815edc463a61a6304af18a72f82bce534
  • 8dfb2f5c74f38ffb39bfc17bf6a62d5822c458215619c1b2ec2eb345f21d1265
  • 3f3738e4606ea85a382319269405ee72a928a8a761273914c52342b116cbddfc
  • a787ecc380021b3b7115c97242ba06706a0a1e41efe1b734552d74384bae22ec
  • 062ed9f40ca330f0fed63cbdd401521deb23f93b5527038fc88f70ed9acadf39

Get Global Threat Intelligence on Real Time

Protect your business from cyber threats with real-time global threat intelligence data.. 30-day free and No Commitment Trial.
Schedule a Demo
Real time Threat Intelligence Data
More information and context about Underground Chatter
On-Demand Research Services
Dashboard mockup
Global Threat Intelligence Feed

Protect and proceed with Actionable Intelligence

The Global Cyber Threat Intelligence Feed is an innovative platform that gathers information from various sources to help businesses and organizations stay ahead of potential cyber-attacks. This feed provides real-time updates on cyber threats, including malware, phishing scams, and other forms of cybercrime.
Trusted by 400+ Top organisations