DeathStalker: A threat group utilizing unique methods

DeathStalker: A threat group utilizing unique methods


DeathStalker is a hacker group active at least since 2012, with operations around the world. Their focus is spying on the financial industry and law firms. With no reports of stolen data available for resell, researchers believe that DeathStalker is hacker-for-hire group.   

They caught attention of security researchers by their imaginative techniques, such as utilizing social media for dead drops or using previously stolen documents as decoys. There are three known malware families linked to DeathStalker: Powersing, Evilnum and Janicab. 


Powersing is aPowerShell implant distributed by malicious LNK files. Shortcuts, also known as LNK files, can be abused by malware, as they allow to silently run scripts on unsuspecting victims. In this case, LNK files contain embedded PowerShell script, which once executed, deletes the original file, deploys a real decoy document, and runs the main payload. IP addresses of C&C servers are obtained by visiting a hard-coded BASE64 encoded URL, usually a social media post, and decoding contents of a comment. 

After receiving the C&C server, screenshots of the infected system are periodically sent to the C&C, and the malware is ready to receive additional PowerShell commands from the C&C. Persistence is achieved by creating ashortcut to a VBE script in the Windows startup folder. 


Incident Response Retainer 

With LIFARS on retainer a cybersecurity incident or a data breach will be handled with the highest priority under strict SLAs. Have your own Computer Security Incident Response Team on call and ready for deployment as your private 911 cyber-emergency. 



Janicab is a trojan which shares similar traits with Powersing. The first stage of Janicab exploits a Microsoft Office vulnerability, which allows to run code just by opening a malicious Office document. Once the payload is executed, two files are dropped. First is a decoy document; second is the final payload in form of a VBE file. Once again, the C&C server is obtained from social media links. 

The vulnerability exploited, CVE-2012-0158, was just a few months old at the time of Janicab’s discovery and affected all widely used Office versions.  

What makes Janicab stand out is its multi platform capabilities. The malware features a version for Mac OS, which uses Python scripts and gains persistence by cron. The executable files are also signed with Developer ID, which bypasses Gatekeeper in its default setting.  


The third malware associated with DeathStalker is named Evilnum. Evilnum infections starts with LNK files, which create a malicious JavaScript file. The JavaScript file then drops a decoy file, consisting of previously stolen documents, and again decodes an address of a C&C server from social media. 

The JavaScript file often downloads a component written in C#, which is capable of stealing Chrome cookies and passwords, capturing screenshots with mouse movement and more. The two components work in conjunction, with the C# component removing traces after the first-stage JavaScript component.  

Evilnum was used to deploy malware purchased from other for-hire groups. The hackers deployed malware from Golden Chickens, which is also popular with APT groups like Cobalt or FIN6. Golden Chickens malware provides extensive capabilities, including: 

  • Running Meterpreter 
  • Stealing credentials from browsers, e-mail clients, FTP clients  
  • Providing a backdoor via a legitimate copy of TeamViewer 
  • Running popular system/forensics tools from NirSoft 

While some of the techniques used by the DeathStalker group are unique, there are effective mitigations. All the three malware families relied on scripts; therefore, you should restrict script execution and/or enable logging of PowerShell scripts. You should also watch out for LNK files distributed via e-mails. Office 365 and G Suite block LNK attachments by default, but you should block LNK files on your custom e-mail servers.