A group of hackers known as Evilnum has targeted travel businesses in the Middle East and Europe as part of a broader campaign against legal and financial institutions. The group, also known as DeathStalker, used a variant of the Janicab malware in attacks that were first identified in 2020 and 2021. Janicab infections have been reported in Egypt, Georgia, Saudi Arabia, the United Arab Emirates, and the United Kingdom. This is the first time that a legitimate organization in Saudi Arabia has been targeted by the group.

DeathStalker is known for using backdoors such as Janicab, Evilnum, Powersing, and PowerPepper to steal sensitive company information. It has a history of capturing internal corporate presentations, software licenses, email passwords, and documents containing client names, investments, and trading activities.

The group hosts encoded strings on unlisted, old YouTube URLs; Janicab deciphers these strings to retrieve the command-and-control (C2) IP address. This lets the group reuse its C2 infrastructure effectively and makes it difficult for defenders to identify the relevant links on YouTube.

The researchers who uncovered the attacks theorize that DeathStalker's customers and operators could be using the intrusions to keep tabs on lawsuits, blackmail high-profile individuals, track financial assets, and gather business intelligence about potential mergers and acquisitions.
With a new Janicab malware variant, a hack-for-hire group targets travel and financial entities.
Evilnum used a variant of the Janicab malware
Dec. 9, 2022