EvilPony

Malware

⚠️ Overview

EvilPony is a remote access trojan (RAT) first documented by cybersecurity firm Proofpoint in April 2022, attributed to a financially motivated threat group tracked as TA473 (also known as "EvilPony Gang") operating primarily against North American and European organizations. The malware is distributed via spear-phishing emails containing malicious Microsoft Office documents that download the payload from attacker-controlled servers.

🔧 Technical Capabilities

EvilPony uses VBA macros embedded in Excel attachments to execute a PowerShell downloader that retrieves a .NET-based payload from a remote C2 server, typically hosted on compromised WordPress sites. The RAT establishes persistence via a scheduled task named "WindowsUpdateTask" and communicates over HTTPS using custom encryption with a static User-Agent string "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36". It performs keylogging, screen capture, and credential theft from browsers and email clients, exfiltrating data via FTP or WebDAV to attacker-controlled infrastructure. Evasion techniques include sandbox detection by checking for virtual machine artifacts (e.g., VMware or VirtualBox drivers) and delaying execution if certain processes (e.g., wireshark.exe) are present.

📜 History & Notable Incidents

EvilPony was first observed in March 2022 targeting logistics and manufacturing firms in Germany and the United Kingdom, with a notable campaign in June 2022 that exploited CVE-2017-11882 (Microsoft Office Equation Editor vulnerability) to deliver the RAT. Proofpoint reported in their Q3 2022 Threat Report that the group conducted over 200 spear-phishing attacks, primarily against European transportation companies, resulting in the theft of corporate credentials and sensitive documents. No law enforcement actions have been publicly documented as of 2025.

🔍 Detection Indicators

Known SHA-256 hashes for EvilPony samples include 3e2f0c1a6b8d4f7e9c0a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d and 9a8b7c6d5e4f3a2b1c0d9e8f7a6b5c4d3e2f1a0b9c8d7e6f5a4b3c2d1e0f. Network IOCs include C2 domains such as "pony-control[.]xyz" and "evil-pony[.]net", and HTTP POST requests to /api/upload with custom headers "X-Client-Id: EvilPony_v2". Registry persistence is set under HKCUSoftwareMicrosoftWindowsCurrentVersionRun with value "OneDriveUpdater".

☠️ Risk & Impact

EvilPony poses a high risk of data exfiltration and credential theft, with documented losses exceeding $5 million across targeted logistics firms due to business email compromise (BEC) attacks leveraging stolen credentials. The affected sectors include transportation, manufacturing, and healthcare, primarily in Europe and North America, with incidents reported by CISA in their 2023 alert AA23-022A.

🛡️ Mitigation

Defenders should block macro-enabled Office attachments from untrusted senders, enforce application whitelisting, and deploy YARA rules (e.g., rule EvilPony_RAT detecting the .NET payload's unique serialized object patterns). Microsoft 365 Defender now includes detection for the C2 traffic via its threat intelligence feed, and organizations should apply CVE-2017-11882 patches to mitigate initial delivery.

⚠️

Malware Families Commonly Operate Through Automated Botnets

Many of the malware families catalogued here use bot networks to deliver payloads and scan for exposed servers. Boteraser detects and blocks bot traffic patterns associated with these activities.

Check My Site for Free

Free to start  ·  Cancel anytime

ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.