TerraTV
TerraTV is a malware variant associated with the Evilnum threat actor. Based on the provided content, its primary role is to abuse legitimate TeamViewer software for remote access on compromised machines. Evilnum has used TerraTV to load a malicious DLL from the TeamViewer directory instead of the legitimate Windows DLL located in a system folder, indicating DLL hijacking/side-loading behavior. TerraTV has also been used to launch a legitimate TeamViewer application to connect to compromised systems. The surrounding Evilnum activity described in the content includes spearphishing links and malicious shortcut-based lures leading to .LNK downloads, JavaScript execution, deployment of additional tools, browser cookie and web session theft, email credential collection, file deletion, and sandbox-detection checks via TerraLoader. TerraTV is listed alongside related Evilnum/Golden Chickens tooling including VenomLNK, TerraLoader, TerraStealer, TerraCrypt, TerraRecon, TerraWiper, lite_more_eggs, RevC2, and Venom Loader. High-confidence behavior directly attributed to TerraTV in the content is TeamViewer hijacking/abuse for remote access through malicious DLL loading in the TeamViewer directory.
Hunt this family in your stack
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
Groups observed using it
2 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
These modules include TerraStealer for credential harvesting, TerraTV for TeamViewer hijacking, and TerraCrypt for ransomware deployment.
Evilnum has used the malware variant, TerraTV, to load a malicious DLL placed in the TeamViewer directory...
Techniques & procedures
3 distinct techniques documented for this family, organized by ATT&CK tactic.
Execution
1 techniqueStealth
1 techniqueLateral Movement
1 techniqueDuring C0015, the threat actors installed the AnyDesk remote desktop application onto the compromised network. During C0018, the threat actors used AnyDesk to transfer tools between systems.
Command and Control
1 techniqueEVILNUM has used the malware variant, TerraTV, to run a legitimate TeamViewer application to connect to compromised machines.
Recent activity
5 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
"Related Families: VenomLNK, TerraLoader, TerraStealer, TerraTV, TerraCrypt, TerraRecon, TerraWiper, lite_more_eggs, RevC2, Venom Loader"
Golden Chickens module used for TeamViewer hijacking to facilitate remote access/control.
A malware variant associated with Evilnum that performs DLL sideloading via the TeamViewer directory and facilitates remote access by launching legitimate TeamViewer on compromised hosts.
A malware variant used by EVILNUM to launch a legitimate TeamViewer application for remote access to compromised machines.
The version that knows your environment.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.