active threat profile
type: APT
threat_level: High
status: Active
origin: Unknown — mercenary hack-for-hire
last_updated: 2026-03-27

DeathStalker

primary tracker: Kaspersky GReAT (tracked since 2018)
previously: Evilnum (partial overlap)
active since: at least 2012

A mercenary APT group with an unusually narrow commercial focus: law firms, fintech companies, wealth consultancy firms, and financial advisors — the kinds of organizations that hold sensitive business intelligence, merger and acquisition details, and client financial data with high value to commercial competitors or litigants. Unlike most APT groups, DeathStalker does not appear politically motivated, does not deploy ransomware, and does not steal payment information for resale. Kaspersky's GReAT team assesses the group acts as a hack-for-hire service or information broker in financial circles — collecting specific intelligence on demand for paying clients. Five toolchains have been documented: Powersing, Evilnum, Janicab, PowerPepper, and VileRAT. A defining operational signature across all campaigns is the use of dead-drop resolvers — posts on legitimate public services (social media, blogging platforms, messaging services) containing encoded C2 information — to blend malicious traffic into normal internet use and make C2 takedown impractical.

classification: Mercenary APT / Hack-for-hire / Information broker
tracked since: Kaspersky GReAT 2018; estimated active since 2012
primary motivation: Business intelligence theft on behalf of paying clients — not political, not ransomware
primary targets: Law firms, fintech companies, wealth consultancy, financial advisors, FOREX / crypto exchanges
target size: Small and medium businesses — organizations with less robust security programs
toolchains: 5 documented: Powersing, Evilnum, Janicab, PowerPepper, VileRAT
defining evasion technique: Dead-drop resolvers on public platforms (Twitter, YouTube, Google+, Reddit, GitHub)
geographic reach: Global — Europe, Middle East, Americas, Asia documented; no country preference
assessed client purposes: Due diligence, M&A intelligence, litigation support, sanctions circumvention, competitive intelligence

Overview

DeathStalker occupies an analytically unusual position in the threat landscape because its motivations and operational model diverge from both state-sponsored APT groups and financially motivated cybercriminals. Kaspersky GReAT researchers, who have tracked the group since 2018 and linked its activity to 2012, describe a group that neither appears to be government-directed nor motivated by direct financial theft. The victims are not government agencies, military targets, or critical infrastructure — they are private sector organizations that hold sensitive commercial intelligence: law firms managing litigation and regulatory cases, fintech companies with client financial data and transaction records, wealth consultancy firms with high-net-worth client portfolios, and financial advisors with investment strategy and portfolio details.

The intelligence these organizations hold is precisely the type a corporate competitor would pay for: M&A due diligence data, litigation strategy documents, client financial positions, regulatory filing timing, and business development plans. Kaspersky assessed with medium-to-high confidence that DeathStalker sells this intelligence to paying clients or takes commissions to conduct specific intelligence collection operations — making it one of the few documented examples of a commercial hack-for-hire service operating at APT sophistication levels.

The group's tradecraft is adapted to its target profile. Small and medium-sized organizations in legal and financial sectors typically have less mature security programs than large enterprises, government agencies, or critical infrastructure operators — which are the usual focus of major APT groups. DeathStalker's tools are not technically groundbreaking, but they are specifically engineered to evade the security products likely to be deployed by these organizations. Interactive social engineering — where operators maintain ongoing email conversation with a target using a persona or pretext before delivering the malicious payload — demonstrates knowledge of the target's workflow and willingness to invest in social engineering depth that high-volume operators skip.

The dead-drop resolver technique, used consistently across all documented DeathStalker toolchains, is the group's most distinctive operational signature. Rather than hardcoding C2 server addresses in malware (which enables takedown by blocking those addresses), DeathStalker posts encrypted or encoded C2 information to legitimate public services — comments on social media posts, user profile fields, blog content descriptions, or messaging platform messages. The malware retrieves this information from the public service, decodes the real C2 address, and connects there. This approach makes C2 blocking impractical without blocking the legitimate public service entirely, and means that even if one C2 is taken down, the operator can update the dead drop post with new C2 information without touching the malware on victim systems.

Five Toolchains — Iterative Development

DeathStalker has consistently developed and maintained multiple parallel toolchains rather than consolidating around a single platform. This iterative approach provides operational redundancy and makes attribution more complex — each toolchain may initially appear unrelated. Code similarities, infrastructure overlaps, and consistent victimology enabled Kaspersky to link all five with medium-to-high confidence.

Toolchain 1: Powersing (PowerShell implant — tracked since 2018)
A PowerShell-based implant with two primary functions: periodic screenshot capture transmitted to C2, and execution of additional PowerShell scripts downloaded from C2. Uses dead-drop resolvers on public services to retrieve C2 addresses. LNK (shortcut) files are the initial delivery vector via spear-phishing — when clicked, they launch a convoluted execution chain. Powersing can detect antivirus products and change tactics or self-disable accordingly. C2 dead drops were placed on Google+, Reddit, YouTube, and other platforms.

Toolchain 2: Evilnum (modular LNK-based implant — tracked since 2018)
An LNK-based infection chain with broader capabilities than Powersing — including screenshot capture sent to C2, credential theft, and document exfiltration. Uses GitHub as a dead-drop resolver. Also targets fintech companies specifically. Publicly documented by ESET (2020) before Kaspersky linked it to DeathStalker with medium confidence through code similarities and victimology overlap. VileRAT is a later Python-based update to the Evilnum operational track, representing the highest-sophistication toolchain documented from DeathStalker.

Toolchain 3: Janicab (multi-platform downloader — active since at least 2012)
A downloader targeting both Windows and macOS — providing the earliest documented evidence of DeathStalker activity when attributed through code and infrastructure overlaps. Shares infection chain characteristics with Powersing and Evilnum: LNK-based delivery, dead-drop resolvers on public platforms, screenshot capability. Used in attacks exploiting the COVID-19 pandemic as a social engineering lure. Linked to Powersing and Evilnum with medium confidence through code similarity analysis.

Toolchain 4: PowerPepper (PowerShell backdoor — documented Dec 2020)
A PowerShell backdoor that distinguishes itself through two specific evasion features: steganography (malicious code embedded in what appear to be images of ferns or peppers, extracted by a loader script) and DNS over HTTPS for C2 communication — disguising malicious DNS queries as legitimate HTTPS traffic. Executes arbitrary shell commands sent by operators. Spread via spear-phishing exploiting international events, carbon emission regulations, and pandemic topics as lures. Identified primarily in Europe, but also in the Americas and Asia.

Toolchain 5: VileRAT (Python implant — active since mid-2020, publicly exposed Aug 2022)
DeathStalker's most sophisticated and obfuscated toolchain. A Python-based implant targeting FOREX and cryptocurrency exchange companies, with continuous activity since 2020. Initial access via spear-phishing emails (DOCX attachments — frequently named using "compliance" or "complaint" keywords). From July 2022, operators also used chatbots embedded in targets' public websites to deliver malicious DOCX. Infection chain: DOCX → macro-enabled DOTM (XOR-encrypted payload decoded via VBA) → VileDropper → VileLoader → VileRAT. Vastly more obfuscated than prior DeathStalker toolchains. Victims documented in Bulgaria, Cyprus, Germany, the Grenadines, Kuwait, Malta, UAE, and Russia.

Cross-Toolchain Signature: Dead-Drop Resolvers (C2 evasion — consistent across all five toolchains)
All five toolchains use dead-drop resolvers — encoded C2 location information posted to legitimate public services. Documented platforms: Google+, Reddit, YouTube, Twitter/X, GitHub, and various blogging and messaging services. The malware fetches the public post, decodes the encoded C2 address from within the content, and connects to the actual C2. This approach survives C2 domain takedowns (the resolver post can be updated with new C2 information without touching the malware) and blends C2 communication into normal internet traffic.

Key Operations

Powersing Campaigns — Financial and Legal Sector Espionage (2018–2020)

The Powersing campaigns, tracked by Kaspersky from 2018, established DeathStalker's core operational profile: spear-phishing emails carrying LNK files disguised as documents, leading to PowerShell execution and periodic screenshot surveillance. Victims identified in Argentina, China, Cyprus, Israel, Lebanon, Switzerland, Taiwan, Turkey, the UK, and the UAE. The COVID-19 pandemic was weaponized in 2020 campaigns to deliver both Janicab and Powersing — pandemic-themed lures reaching financial sector employees during a period of reduced in-person security awareness. In at least one case, DeathStalker targeted a diplomatic entity — an outlier in an otherwise exclusively commercial-sector victim profile.

PowerPepper — DNS over HTTPS and Steganographic C2 (Dec 2020)

Kaspersky disclosed PowerPepper in December 2020, documenting the group's addition of two significant evasion capabilities. The use of DNS over HTTPS for C2 communication encapsulates malicious DNS lookups inside legitimate HTTPS traffic to DoH resolvers, making them indistinguishable from normal encrypted web traffic at the network layer. The steganographic payload delivery — hiding PowerShell code inside images of ferns or peppers — allows the malicious payload to pass through email security gateways and image-based content inspection as legitimate image attachments. Pierre Delcher of Kaspersky GReAT noted that PowerPepper was the fourth documented malware strain from the actor and that a potential fifth had already been identified.

VileRAT — FOREX and Cryptocurrency Exchange Targeting (2020–2022; publicly disclosed Aug 2022)

Kaspersky identified VileRAT in mid-2020 as part of an update to the Evilnum operational track. The campaign was privately reported to Kaspersky threat intelligence customers in August 2020 and publicly disclosed in August 2022. VileRAT represents a significant escalation in tool sophistication over prior DeathStalker toolchains — Kaspersky's Pierre Delcher called it "undoubtedly the most intricate, obfuscated and tentatively evasive campaign we have ever identified from this actor." The Python-based implant (VileLoader + VileRAT) targets FOREX and cryptocurrency trading companies with an infection chain beginning in spear-phishing. From July 2022, operators used chatbot features embedded in the trading companies' own public websites to deliver malicious DOCX files — the "compliance" or "complaint" keyword naming convention of the DOCX files disguising the attack as a regulatory or customer issue response. Kaspersky documented VileRAT victims in Bulgaria, Cyprus, Germany, the Grenadines, Kuwait, Malta, UAE, and Russia, ranging from recent startups to established industry leaders.

Tactics, Techniques & Procedures

mitre id | technique | description
T1566.001 / T1566.002 | Spear-Phishing — LNK Files and Malicious Documents | DeathStalker's consistent initial access vector across all toolchains. Spear-phishing emails deliver malicious LNK (shortcut) files disguised as documents — clicking executes a convoluted script sequence rather than opening a document. The group employs interactive social engineering: rather than sending a single email, operators maintain ongoing conversations using a pretext or persona to gain target confidence before delivering the payload. Lures have exploited international events, carbon emission regulations, COVID-19 pandemic content, and corporate compliance or complaint themes. VileRAT additionally used website chatbots embedded in target companies' public sites to deliver malicious DOCX files.
T1102 / T1071.001 | Dead-Drop Resolvers — C2 via Legitimate Public Services | DeathStalker's defining evasion technique, consistent across all five documented toolchains. The group posts encoded C2 information — encrypted addresses or connection parameters — to legitimate public services: social media posts, blog comment sections, user profile fields, YouTube video descriptions, GitHub repositories, and messaging platform messages. Malware fetches the public post from the legitimate service, decodes the C2 information from within the content, and connects to the actual C2 infrastructure. This approach renders C2 domain blocklisting largely ineffective (the legitimate hosting platform cannot be blocked), allows rapid C2 rotation by simply updating the public post, and blends all initial C2 beacon traffic into normal web service traffic patterns.
T1113 / T1041 | Screenshot Surveillance and Business Intelligence Exfiltration | Powersing's two documented primary functions are periodic screenshot capture and PowerShell script execution. Screenshots are sent to C2, enabling operators to monitor victim activity, identify high-value documents as they appear on screen, and understand the victim's organizational environment without requiring full filesystem access. Evilnum adds credential theft and document exfiltration beyond screenshots. VileRAT provides full remote shell capability via the Python implant. The progression reflects the group's understanding of what is needed for business intelligence collection — visual access to sensitive screens is often sufficient for competitor intelligence, while full document exfiltration is needed for litigation-support or due-diligence missions.
T1027 / T1568.001 | Steganography and DNS over HTTPS — PowerPepper Evasion | PowerPepper introduced two evasion techniques not previously documented in DeathStalker campaigns. Steganography embeds the PowerShell backdoor code inside image files (presented as images of ferns or peppers) — the malicious code is extracted by a loader script, not executed directly from the image. This allows payload delivery past email security gateways and image inspection systems. DNS over HTTPS (DoH) for C2 communication encapsulates DNS queries inside HTTPS, making them indistinguishable from normal encrypted web traffic to both network monitoring and DNS inspection tools.
T1059.001 / T1059.005 | Scripting Language Abuse — PowerShell, VBS, Python | DeathStalker's toolchains are built on scripting languages rather than compiled executables — PowerShell (Powersing, PowerPepper), Visual Basic Script (Evilnum), Lua script (Janicab), and Python (VileRAT). This approach enables rapid toolchain modification and makes static detection by signature-based tools more difficult, as script content can be changed without recompiling. Kaspersky's defensive recommendation across all DeathStalker disclosures is to disable or restrict PowerShell (powershell.exe) and Windows Script Host (cscript.exe, wscript.exe) wherever not required for business operations — reflecting the dependency of DeathStalker's toolchains on these interpreter environments.
T1027.003 | VileRAT — XOR Obfuscation and DOTM Macro Encoding | The VileRAT infection chain uses a macro-enabled Word template (DOTM) that contains VBA macros with a consistently implemented XOR decoding function — the same XOR pattern was identified in PowerPepper VBS loader code, providing the cross-toolchain code similarity link. The DOTM macro decodes two files from encoded data stored in non-visible TextBox form controls within the Office document — a technique of leveraging Office object properties as hidden data sources that Kaspersky had previously observed in PowerPepper loaders. This cross-toolchain code reuse in obfuscation implementation was key to attributing VileRAT to DeathStalker.

Why Law Firms and Fintech — The Target Logic

DeathStalker's commercial focus on law firms, fintech companies, wealth consultancy firms, and financial advisors is analytically distinctive and reflects the nature of the intelligence being sold. These organizations hold categories of sensitive data that are commercially valuable to specific types of clients:

  • Law firms: Case strategies, witness lists, litigation budgets, settlement negotiation positions, privileged communications with clients, regulatory filing timing and content, M&A transaction structures under legal review, and client identity information. This intelligence is directly valuable to opposing parties in litigation, regulatory proceedings, or commercial disputes — the parties most likely to commission hack-for-hire operations.
  • Fintech companies: Client financial data, transaction records, business model details, proprietary algorithm parameters, regulatory filing schedules, and investor communications. Competitors seeking to understand a fintech competitor's product, a regulator seeking evidence of non-compliance, or an investor conducting covert due diligence would all have use for this category of intelligence.
  • Wealth consultancy firms: Client identity, asset allocation, investment strategy, estate planning structures, tax optimization approaches, and relationship network data. This intelligence is valuable for competitive intelligence among rival wealth management operations, for legal proceedings involving disputed estates, or for investigations into asset concealment.
  • Financial advisors: Client financial profiles, investment recommendations, portfolio compositions, and scheduled major financial decisions. Intelligence about a major client's upcoming portfolio rebalancing or asset sale has direct market intelligence value.
  • FOREX and cryptocurrency exchanges (VileRAT era): Trade flow data, client identity and trading positions, compliance documentation, counterparty relationships, and internal operational procedures. Kaspersky noted the assessed purposes of VileRAT operations include due diligence, asset recovery, litigation or arbitration case support, and working around sanctions — suggesting the VileRAT client base includes parties involved in financial disputes or regulatory investigations where intelligence on the target exchange would be operationally useful.

Indicators of Compromise

detection note

DeathStalker's dead-drop resolver technique makes network-layer C2 blocking unreliable — the group connects to legitimate public platforms (social media, GitHub, blogging services) that cannot be blocked without blocking legitimate services. Detection should focus on behavioral indicators: LNK file execution chains, PowerShell and VBS spawning from unexpected parent processes, DNS over HTTPS traffic from endpoints not configured to use DoH, and Office document templates loading external content. Full IOC sets (file hashes, specific C2 addresses, dead-drop resolver URLs per campaign) are available through the Kaspersky Threat Intelligence Portal.

indicators of compromise — cross-toolchain behavioral identifiers
initial vector: LNK (shortcut) files disguised as documents delivered via spear-phishing; also DOCX with embedded or remote DOTM macro templates (VileRAT)
powersing execution chain: LNK → convoluted script sequence → PowerShell implant → periodic screenshot (JPG) → POST to C2 retrieved via dead-drop resolver on public service
dead-drop resolver platforms: Google+, Reddit, YouTube, Twitter/X, GitHub, messaging platforms — posts/comments containing encoded C2 address strings; connection to these platforms immediately followed by an external HTTP connection is a signal
powerpepper evasion: Image files containing embedded PowerShell (steganography); DNS over HTTPS traffic from endpoints not using DoH by policy; XOR decoding function with preset constant in VBS/VBA loaders
vilerat docx naming: DOCX filenames containing "compliance" or "complaint" keywords combined with the target company name — sent by email or via chatbots embedded in the target company website
vilerat dotm technique: DOTM with VBA macro; XOR decoding function similar to PowerPepper loaders; decoded files dropped to %APPDATA% as "Redist.txt" + "ThirdPartyNotice.txt" or "pattern.txt" + "changelog.txt"; TextBox form controls as hidden data sources
scripting interpreter abuse: powershell.exe; cscript.exe; wscript.exe — monitor for unexpected parent processes; powershell.exe spawned from non-standard parents or with encoded command lines is a high-priority detection signal
evilnum github resolver: GitHub used as dead-drop resolver in Evilnum campaigns — outbound requests to raw.githubusercontent.com immediately followed by new C2 connections indicate resolver-based C2 retrieval
full ioc reference: Kaspersky Threat Intelligence Portal; Securelist — "DeathStalker: Mercenary Triumvirate" (Aug 2020); Securelist — "What Did DeathStalker Hide Between Two Ferns?" (Dec 2020); Securelist — "VileRAT: DeathStalker's Continuous Strike" (Aug 2022)

Mitigation & Defense

  • Disable or Restrict Scripting Language Interpreters Where Not Required: Kaspersky's primary defensive recommendation across all three DeathStalker disclosures is to disable powershell.exe and cscript.exe/wscript.exe wherever they are not required for business operations. In law firms and fintech organizations — DeathStalker's primary targets — end-user workstations rarely have a legitimate need to execute PowerShell or VBS scripts directly. Windows Defender Application Control (WDAC) or AppLocker policies restricting these interpreters to authorized IT administration contexts significantly impede DeathStalker's entire toolchain portfolio, since all five documented toolchains depend on at least one of these interpreters.
  • Implement LNK File Execution Controls: Kaspersky specifically recommends including LNK (shortcut) file infection chains in security awareness training and security product assessments. LNK files as email attachments are anomalous — legitimate documents are not delivered as .lnk files, and this delivery pattern should generate alerts. Email gateway policies filtering LNK attachments and security awareness training covering LNK-based delivery reduce the effectiveness of the initial delivery stage across Powersing, Evilnum, and Janicab toolchains.
  • Monitor DNS over HTTPS Traffic Anomalies: PowerPepper uses DNS over HTTPS for C2 communication to blend malicious traffic into legitimate HTTPS. If an organization has not deployed DoH by policy, any endpoint making DoH queries should generate an alert — this traffic is anomalous by definition in environments where DoH is not configured. Organizations that have deployed DoH should consider monitoring for DoH query patterns from endpoints to unfamiliar DoH resolvers, or centralizing DoH resolution through a controlled resolver that logs queries.
  • Alert on PowerShell Spawned from Office Applications: The VileRAT infection chain uses DOTM macros to decode and execute VBA, which then drops files to %APPDATA% and triggers PowerShell or Python. PowerShell spawned from WINWORD.EXE, EXCEL.EXE, or OUTLOOK.EXE parent processes is a high-confidence behavioral indicator of macro-based malware across multiple threat actors. Configure EDR behavioral rules alerting on Office application parent processes spawning scripting interpreter children. This detection applies across all macro-delivered DeathStalker toolchains.
  • Treat Interactive Social Engineering with Elevated Scrutiny: DeathStalker's interactive social engineering approach — maintaining ongoing conversation before delivering the payload — is designed specifically to build trust and reduce the vigilance of recipients who might otherwise treat unexpected file requests with suspicion. Legal and financial sector employees who interact with external contacts as part of normal work (receiving documents from opposing counsel, counterparties, or regulatory contacts) are the primary targets for this approach. Organizational policies should require that file attachments from external parties undergo security review before execution, regardless of how comfortable the established email relationship has become.
  • Screen-Level Data Protection for Sensitive Meetings: Powersing's core surveillance function is periodic screenshot capture. For law firm and financial sector employees handling particularly sensitive information — M&A negotiations, litigation strategy, client financial planning — clean-desk and clean-screen policies during sensitive meetings, combined with endpoint monitoring for unexpected screenshot-capturing processes, reduce the intelligence value of a Powersing infection. Process monitoring for unexpected use of screenshot APIs (BitBlt, GetDIBits) by non-standard processes is a behavioral detection signal for Powersing-style implants.
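The behavioural signals the IOC table and the mitigations above describe (an Office application spawning a script interpreter, contact with a dead-drop resolver platform immediately followed by a fresh external connection, and DoH from an endpoint not configured for it) as rules run over sample telemetry. This is an added example, not code from the profile or from Kaspersky; the hostnames, the DoH resolver list, the 60-second correlation window and all events are constructed.

```python
from datetime import datetime, timedelta

# Rule 1 vocabulary: Office parents that should not spawn script interpreters
# on legal/fintech end-user workstations (VileRAT DOTM macro chain).
OFFICE_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe"}
SCRIPT_INTERPRETERS = {"powershell.exe", "cscript.exe", "wscript.exe", "python.exe"}
ENCODED_FLAGS = ("-enc", "-ec ", "-e ")   # -EncodedCommand and its prefix abbreviations

# Rule 2 vocabulary: web endpoints of the platforms the profile lists as dead-drop
# resolver hosts. Assumption: these hostnames; tune to what your proxy logs show.
RESOLVER_PLATFORMS = {"raw.githubusercontent.com", "github.com", "www.reddit.com",
                      "www.youtube.com", "twitter.com", "x.com"}
RESOLVER_WINDOW = timedelta(seconds=60)    # "immediately followed" threshold (assumption)

# Rule 3 vocabulary: public DoH resolvers (assumption: well-known ones) and the
# endpoints allowed to use DoH by policy (constructed for this example).
DOH_RESOLVERS = {"cloudflare-dns.com", "dns.google", "dns.quad9.net"}
DOH_ALLOWED_HOSTS = {"ws-it-admin-01"}

# Constructed telemetry. IPs are RFC 5737 documentation addresses, not real IOCs.
PROCESS_EVENTS = [
    {"ts": "2022-07-12T09:14:02", "host": "ws-legal-07", "parent": "explorer.exe",
     "image": "WINWORD.EXE", "cmdline": 'WINWORD.EXE "ExampleCo_compliance.docx"'},
    {"ts": "2022-07-12T09:14:09", "host": "ws-legal-07", "parent": "WINWORD.EXE",
     "image": "powershell.exe", "cmdline": "powershell.exe -nop -w hidden -enc <constructed-base64>"},
    {"ts": "2022-07-12T09:30:00", "host": "ws-it-admin-01", "parent": "cmd.exe",
     "image": "powershell.exe", "cmdline": "powershell.exe -File C:\\ops\\inventory.ps1"},
]
NETWORK_EVENTS = [
    {"ts": "2022-07-12T09:14:15", "host": "ws-legal-07", "dst": "raw.githubusercontent.com"},
    {"ts": "2022-07-12T09:14:21", "host": "ws-legal-07", "dst": "198.51.100.23"},   # new host, 6 s later
    {"ts": "2022-07-12T09:14:50", "host": "ws-legal-07", "dst": "raw.githubusercontent.com"},
    {"ts": "2022-07-12T09:15:00", "host": "ws-legal-07", "dst": "198.51.100.23"},   # already seen: no alert
    {"ts": "2022-07-12T09:20:00", "host": "ws-fin-03", "dst": "dns.google"},        # DoH, not allowed
    {"ts": "2022-07-12T09:21:00", "host": "ws-it-admin-01", "dst": "dns.google"},   # DoH, allowed by policy
    {"ts": "2022-07-12T10:05:00", "host": "ws-legal-02", "dst": "www.reddit.com"},
    {"ts": "2022-07-12T10:30:00", "host": "ws-legal-02", "dst": "203.0.113.9"},     # 25 min later: outside window
]


def detect_office_spawn(process_events):
    """Office application parent -> scripting interpreter child."""
    alerts = []
    for ev in process_events:
        if ev["parent"].lower() in OFFICE_PARENTS and ev["image"].lower() in SCRIPT_INTERPRETERS:
            encoded = any(flag in ev["cmdline"].lower() for flag in ENCODED_FLAGS)
            alerts.append({"rule": "office_spawns_interpreter", "host": ev["host"], "ts": ev["ts"],
                           "severity": "critical" if encoded else "high",
                           "detail": f'{ev["parent"]} -> {ev["image"]}'})
    return alerts


def detect_resolver_then_c2(network_events, window=RESOLVER_WINDOW):
    """Resolver-platform contact followed within `window` by the same endpoint's
    first-ever connection to some other host (resolver-based C2 retrieval)."""
    alerts, last_resolver, seen = [], {}, {}
    for ev in sorted(network_events, key=lambda e: e["ts"]):
        host, dst, t = ev["host"], ev["dst"].lower(), datetime.fromisoformat(ev["ts"])
        seen_hosts = seen.setdefault(host, set())
        if dst in RESOLVER_PLATFORMS:
            last_resolver[host] = (t, dst)
        elif dst not in DOH_RESOLVERS and dst not in seen_hosts and host in last_resolver:
            since, platform = last_resolver[host]
            if t - since <= window:
                alerts.append({"rule": "resolver_then_new_c2", "host": host, "ts": ev["ts"],
                               "severity": "high", "dst": dst,
                               "detail": f"{platform} -> {dst} after {(t - since).seconds} s"})
        seen_hosts.add(dst)
    return alerts


def detect_doh_off_policy(network_events, allowed=DOH_ALLOWED_HOSTS):
    """DoH resolver contact from an endpoint not configured for DoH by policy."""
    return [{"rule": "doh_from_unmanaged_endpoint", "host": ev["host"], "ts": ev["ts"],
             "severity": "medium", "detail": f'DoH to {ev["dst"]}'}
            for ev in network_events
            if ev["dst"].lower() in DOH_RESOLVERS and ev["host"] not in allowed]


def run_all(process_events=PROCESS_EVENTS, network_events=NETWORK_EVENTS):
    """Run the three rules and return the combined alert list, oldest first."""
    alerts = (detect_office_spawn(process_events)
              + detect_resolver_then_c2(network_events)
              + detect_doh_off_policy(network_events))
    return sorted(alerts, key=lambda a: a["ts"])


if __name__ == "__main__":
    for a in run_all():
        print(f'{a["ts"]} {a["severity"]:8} {a["host"]:14} {a["rule"]}: {a["detail"]}')
```

The sample run yields three alerts, one per rule; the repeat connection to the same host and the connection 25 minutes after the Reddit fetch are deliberately left silent, which is the trade-off the correlation window and the first-seen check impose.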
analyst note

DeathStalker represents a category of threat that security programs designed around state-sponsored APT and ransomware threat models frequently under-address: the commercial mercenary. The group's target set — law firms, fintech companies, wealth advisors — sits in a gap between the large-enterprise security programs that deploy dedicated threat intelligence teams and the small-business segment that lacks security resources entirely. SMBs in regulated financial and legal sectors often have compliance-driven security programs (meeting the minimum bar set by bar association or financial regulatory requirements) without the detection and response capability to identify or respond to a targeted intrusion campaign. DeathStalker's tools are deliberately calibrated to this gap — they do not need to be sophisticated enough to defeat enterprise-grade EDR with behavioral analytics, because the target environment typically does not deploy it.

The dead-drop resolver technique is elegant specifically for this target profile: it requires monitoring capability that SMBs rarely have (behavioral network analysis correlating platform access with subsequent C2 connections) while providing trivial evasion against the signature-based tools and perimeter firewalls that characterize SMB security environments.

The VileRAT escalation to FOREX and cryptocurrency exchange targeting reflects an expansion into a sector with higher-value intelligence and — at the time of initial campaign activity in 2020 — often less mature security programs than equivalent financial sector organizations in traditional banking. The sustained VileRAT campaign from 2020 to at least 2022 (with Kaspersky noting increased activity in 2022) without significant disruption illustrates both the effectiveness of the toolchain and the gap in detection capability across the target sector.

Sources & Further Reading

  • Securelist — "DeathStalker: Mercenary Triumvirate" (Aug 2020)
  • Securelist — "What Did DeathStalker Hide Between Two Ferns?" (Dec 2020)
  • Securelist — "VileRAT: DeathStalker's Continuous Strike" (Aug 2022)
  • Kaspersky Threat Intelligence Portal (full IOC sets per campaign)

— end of profile