Cyber Threat Actor: Dr.evil

Actor Type: Sensationalist
Location: Iran
Known Incidents: 1 incident
Profile

Dr.3v1l is the alias of an Iran‑based threat actor whose activity has been publicly linked to a single documented incident targeting a government website. In February 2014 the actor compromised a subpage of Nepal’s Office of the President, extracted administrator credentials from the site’s database, and posted a defacement notice; a second attacker subsequently defaced the main homepage, possibly using the exposed credentials. The defacement carried no political messaging, indicating that the primary goal was to demonstrate technical capability rather than advance an ideological agenda. The incident kept the presidential website offline for more than twenty‑four hours and highlighted the exposure of sensitive administrative data.

The actor’s observed tactics involve web‑application exploitation to gain unauthorized access, credential harvesting from compromised databases, and the deployment of defacement content as a visible impact. No specific malware families, exploit kits, or tooling styles were referenced in the reporting of this incident, and no evidence points to the use of persistent backdoors or lateral movement beyond the initial web‑server compromise. The targeting appears limited to a single government entity in South Asia, with no publicly available information indicating a broader sector focus or a pattern of repeated attacks against similar victims.

Attribution to Dr.3v1l rests on the claim that an Iranian hacker using that alias participated in the breach; no public sources have established a state‑sponsored affiliation, criminal‑consortium tie, or other organizational link for the actor. Consequently, the only confirmed campaign associated with Dr.3v1l remains the 2014 defacement of Nepal’s presidential website, which serves as the sole example of the actor’s publicly reported operations. No further details regarding additional activities, motivations, or capabilities are available in the provided material.

Incidents
1 incident
Sources
0 sources