Evil Extractor Targets Windows Devices to Steal Sensitive Data
The attack tool known as Evil Extractor, developed by a company called Kodex as an “educational tool,” has been used by threat actors to target Windows-based machines.
The claims come from Fortinet security researchers and were described in an advisory published on Thursday.
“[We] observed this malware in a phishing email campaign [disguised as account confirmation requests] on 30 March, which we traced back to the samples included in this blog. It usually pretends to be a legitimate file, such as an Adobe PDF or Dropbox file, but once loaded, it begins to leverage PowerShell malicious activities,” the company wrote.
Evil Extractor operates through several modules that rely on a File Transfer Protocol (FTP) service.
Further, Evil Extractor contains environment checks, anti-virtual machine (VM) checks and VirusTotal checks, all designed to avoid detection. The malware also has a ransomware function called “Kodex Ransomware.”
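The two behaviours the advisory describes, a document lookalike that launches PowerShell and PowerShell modules that talk to an FTP service, are the kind of thing endpoint telemetry can flag. The script below is an added illustration written for this page, not code from Fortinet or from the article; the pipe-delimited event format, the sample events, the lure-extension list and the FTP port set are all constructed assumptions rather than indicators from the advisory.

```python
"""Toy detection for the behaviours described above: a document-lookalike
file (e.g. "something.pdf.exe") that spawns PowerShell, and PowerShell
opening a connection to an FTP port.  Log format and sample lines are
constructed for this example and are not taken from the advisory."""
import re
from typing import Iterable, List, Optional, Tuple

# Constructed sample telemetry in an assumed "<event>|<image>|<parent>|<extra>" format.
# The addresses are documentation-range IPs, not real indicators.
SAMPLE_EVENTS = [
    "proc_start|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|C:\\Users\\a\\Downloads\\Account_Confirmation.pdf.exe|-",
    "proc_start|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|C:\\Windows\\explorer.exe|-",
    "net_conn|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|-|203.0.113.10:21",
    "net_conn|C:\\Program Files\\FileZilla FTP Client\\filezilla.exe|-|203.0.113.10:21",
    "net_conn|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|-|203.0.113.20:443",
]

# Matches the PowerShell binaries by file name regardless of path.
POWERSHELL = re.compile(r"(?:^|\\)(powershell|pwsh)\.exe$", re.IGNORECASE)
# Lure heuristic (assumed): a document-looking name that actually ends in an executable extension.
DOC_LURE = re.compile(r"\.(pdf|docx?|xlsx?)\.(exe|scr|com|bat|js|vbs|ps1)$", re.IGNORECASE)
# Plain FTP and implicit-TLS FTP ports; an assumption for the example, not from the page.
FTP_PORTS = {"21", "990"}


def parse_event(line: str) -> dict:
    """Split one constructed telemetry line into its four fields."""
    event, image, parent, extra = line.split("|", 3)
    return {"event": event, "image": image, "parent": parent, "extra": extra}


def classify(rec: dict) -> Optional[str]:
    """Return an alert label for a suspicious record, or None for benign ones."""
    if rec["event"] == "proc_start" and POWERSHELL.search(rec["image"]) and DOC_LURE.search(rec["parent"]):
        return "doc-lure-spawned-powershell"
    if rec["event"] == "net_conn" and POWERSHELL.search(rec["image"]):
        port = rec["extra"].rsplit(":", 1)[-1]
        if port in FTP_PORTS:
            return "powershell-ftp-connection"
    return None


def scan(lines: Iterable[str]) -> List[Tuple[str, str]]:
    """Run the classifier over every line and collect (label, raw line) pairs."""
    alerts = []
    for line in lines:
        label = classify(parse_event(line))
        if label:
            alerts.append((label, line))
    return alerts


if __name__ == "__main__":
    for label, line in scan(SAMPLE_EVENTS):
        print(f"{label}: {line}")
```

Against the constructed sample, only the first and third events fire: the lure-spawned PowerShell and the PowerShell-to-FTP connection. The FileZilla connection on the same port is left alone because the rule keys on the process image, not just the port; in a real deployment the parent-process and destination checks would be fed from the EDR's own schema rather than this pipe format.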
“We recently reviewed a version of the malware that was injected into a victim’s system and, as part of that analysis, identified that most of its victims are located in Europe and America,” Fortinet explained.
According to the advisory, the developer released the malware in October 2022 and has kept updating it to improve its stability and strengthen its malicious capabilities.
“EvilExtractor is being used as a comprehensive info stealer with multiple malicious features, including ransomware. Its PowerShell script can elude detection in a .NET loader or PyArmor,” reads the technical write-up. “Users should be aware of this new info stealer and continue to be cautious about suspicious mail.”
The publication of the advisory, which also included indicators of compromise for the malware, comes weeks after Open Text Cybersecurity experts warned of a substantial surge in HTTPS phishing sites.