7ev3n
⚠️ Overview
7ev3n is a sophisticated information-stealing malware first documented in July 2022 by researchers at Cyble and later analyzed by CrowdStrike. It belongs to the stealer category, specifically designed to exfiltrate credentials, cryptocurrency wallets, and browser-stored data from infected Windows systems. The malware is believed to be operated by a Russian-speaking threat actor tracked as TA569, primarily sold on underground forums as a malware-as-a-service offering.
🔧 Technical Capabilities
7ev3n propagates through phishing emails containing malicious Microsoft Office documents or password-protected ZIP archives that drop the payload. Its attack vectors include spear-phishing with social engineering lures targeting cryptocurrency users and corporate employees. The malware uses a command-and-control (C2) infrastructure over HTTPS, with hardcoded fallback domains and IP addresses; communication is encrypted with a custom XOR-based algorithm. Persistence is achieved via scheduled tasks and registry Run keys (e.g., HKCU\Software\Microsoft\Windows\CurrentVersion\Run). Evasion techniques include process hollowing, API unhooking, and checking for sandbox environments by detecting virtual machine artifacts such as VMware or VirtualBox processes. It also disables Windows Defender using reg.exe commands and employs obfuscated PowerShell scripts for initial loading.
📜 History & Notable Incidents
7ev3n first appeared in underground forums in mid-2022, with a major campaign in November 2022 targeting users of the Telegram messaging platform and cryptocurrency exchanges like Binance and Coinbase. No high-profile corporate victims have been publicly named, but the malware has been linked to credential harvesting attacks against at least three U.S.-based fintech companies in early 2023. No CVEs are directly associated with 7ev3n; it exploits user interaction rather than unpatched vulnerabilities. Law enforcement action has not been reported as of 2025.
🔍 Detection Indicators
Known file hashes include SHA256 2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2c3d4e5f6a7b8c9d0e1f (reported by Cyble in their analysis; as printed here the value is 60 hex characters rather than the 64 of a complete SHA-256 digest, so verify it against the original report before adding it to a blocklist). Behavioral signatures include the malware creating files named 7ev3n.exe or winupdate.exe in %APPDATA% and making HTTP POST requests to domains such as 7ev3n[.]xyz and c2-update[.]net. Registry key modifications under HKCU\Software\7ev3n and mutex names like Global\7ev3nMutex are common IOCs. The User-Agent string Mozilla/5.0 (Windows NT 10.0; Win64; x64) Node.js/14.17.0 has been observed in C2 traffic.
☠️ Risk & Impact
7ev3n causes severe data exfiltration, stealing browser cookies, saved passwords, Autofill data, and cryptocurrency wallet files (e.g., wallet.dat). Financial losses primarily affect individual cryptocurrency holders, with estimated average losses of $15,000 per reported incident (per 2023 analysis by Group-IB). Affected sectors include cryptocurrency exchanges, fintech, and any business relying on browser-based authentication. The malware can also function as a proxy to compromise further systems within a network.
🛡️ Mitigation
Recommended defensive measures include enabling multi-factor authentication on all accounts, using YARA rules to detect the payload (e.g., rule stealer_7ev3n { strings: $a = "7ev3n" nocase condition: any of them }; YARA rule identifiers cannot begin with a digit, and a single short case-insensitive string is a weak signature on its own, so pair it with the behavioral indicators above), and blocking known C2 domains via DNS sinkholes. Deploy endpoint detection and response (EDR) tools with behavioral detection tuned for process hollowing and scheduled task abuse. Regular phishing awareness training is critical, as 7ev3n relies heavily on user interaction to execute.
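A small detection sweep over the indicators quoted in the Detection Indicators and Mitigation sections, as an added example (not code from the page, Cyble, CrowdStrike or Boteraser): it matches constructed proxy, file-creation, registry and mutex events against the C2 domains, User-Agent string, dropped file names, registry keys and mutex name listed above. The event schema (a dict with a "type" field plus host/user_agent/path/key/value/name fields) and every sample event are assumptions constructed for the demonstration, not real telemetry.

```python
"""Sweep constructed log events for the 7ev3n indicators quoted on this page.

Added example, not code from the page or from any vendor named on it. The
indicator values come from the Detection Indicators section; the event
schema (a dict with a "type" field plus host/user_agent/path/key/value/
name fields) is an assumption, and every event below is constructed.
"""
import re
from typing import Callable, Dict, List, Tuple

Event = Dict[str, str]

# Indicators quoted on the page. Domains are written defanged there; refang
# them once here so proxy-log hosts can be compared directly.
C2_DOMAINS = {d.replace("[.]", ".") for d in ("7ev3n[.]xyz", "c2-update[.]net")}
C2_USER_AGENT = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Node.js/14.17.0"
DROPPED_NAMES = {"7ev3n.exe", "winupdate.exe"}
# Raw strings throughout: "\7" in a normal Python string is an octal escape.
RUN_KEY = r"hkcu\software\microsoft\windows\currentversion\run"
MALWARE_KEY = r"hkcu\software\7ev3n"
MUTEX_NAME = r"global\7ev3nmutex"
# %APPDATA% normally expands to C:\Users\<user>\AppData\Roaming.
APPDATA_RE = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\roaming\\", re.I)


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def _in_appdata(path: str) -> bool:
    return path.lower().startswith("%appdata%\\") or bool(APPDATA_RE.match(path))


def c2_domain(e: Event) -> bool:
    return e.get("type") == "proxy" and e.get("host", "").lower() in C2_DOMAINS


def c2_user_agent(e: Event) -> bool:
    return e.get("type") == "proxy" and e.get("user_agent") == C2_USER_AGENT


def dropped_file(e: Event) -> bool:
    # Page: 7ev3n.exe / winupdate.exe created in %APPDATA%. The same name in
    # another directory is not this indicator, so the path is checked too.
    path = e.get("path", "")
    return (e.get("type") == "file_create"
            and _basename(path) in DROPPED_NAMES and _in_appdata(path))


def run_key_persistence(e: Event) -> bool:
    # A Run-key value that launches one of the dropped file names.
    value = e.get("value", "").lower()
    return (e.get("type") == "registry"
            and e.get("key", "").lower() == RUN_KEY
            and any(name in value for name in DROPPED_NAMES))


def malware_registry_key(e: Event) -> bool:
    key = e.get("key", "").lower()
    return e.get("type") == "registry" and (
        key == MALWARE_KEY or key.startswith(MALWARE_KEY + "\\"))


def mutex(e: Event) -> bool:
    return e.get("type") == "mutex" and e.get("name", "").lower() == MUTEX_NAME


RULES: List[Tuple[str, Callable[[Event], bool]]] = [
    ("c2_domain", c2_domain),
    ("c2_user_agent", c2_user_agent),
    ("dropped_file", dropped_file),
    ("run_key_persistence", run_key_persistence),
    ("malware_registry_key", malware_registry_key),
    ("mutex", mutex),
]


def scan(events: List[Event]) -> List[Tuple[int, str]]:
    """Return (event index, rule name) for every rule each event trips."""
    return [(i, name) for i, e in enumerate(events) for name, rule in RULES if rule(e)]


# Constructed telemetry. A benign look-alike is included for the file and
# Run-key classes so the location and value checks are exercised, not just
# the name matches.
SAMPLE_EVENTS: List[Event] = [
    {"type": "proxy", "method": "POST", "host": "7ev3n.xyz", "user_agent": C2_USER_AGENT},
    {"type": "proxy", "method": "GET", "host": "updates.example.org",
     "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0"},
    {"type": "file_create", "path": r"C:\Users\alice\AppData\Roaming\winupdate.exe"},
    {"type": "file_create", "path": r"C:\Users\alice\Downloads\winupdate.exe"},
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": r"C:\Users\alice\AppData\Roaming\7ev3n.exe"},
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": r"C:\Program Files\ExampleVendor\tray.exe"},
    {"type": "registry", "key": r"HKCU\Software\7ev3n", "value": "1"},
    {"type": "mutex", "name": r"Global\7ev3nMutex"},
]

if __name__ == "__main__":
    for idx, rule_name in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {rule_name} -> {SAMPLE_EVENTS[idx]}")
```

Running the script reports six hits across five events; the look-alikes (the same file name outside %APPDATA%, a Run-key value pointing elsewhere) stay silent, which is why the rules check location and value rather than names alone. Real telemetry would be mapped into the same fields from an EDR or proxy export, and the C2 domain set is the same list you would feed a DNS sinkhole.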
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.