NanoCore
NanoCore RAT is a commodity Windows remote access trojan used since at least 2013 to provide backdoor access and remote monitoring on infected systems. Across the provided reporting, its documented capabilities include keylogging, spying, file execution, ingress tool transfer, webcam/video capture, audio capture, registry editing/modification, network configuration discovery, mouse control, use of the Windows command shell, persistence via Registry Run keys or the Startup folder, and the ability to disable or modify the system firewall and modify the victim’s antivirus. One source notes NanoCore uses DES/symmetric cryptography to encrypt C2 traffic. It has been described as opening a backdoor and stealing information, including passwords, and has been used to spy through webcams.
Observed infection and delivery vectors in the content are primarily email-based malware campaigns and malware-as-a-service/downloader chains. Reported delivery methods include malicious email attachments, including ZIP archives containing a PIF executable, and a VBScript loader that ultimately executes a PowerShell command to run a NanoCore payload. NanoCore was also observed as a final payload delivered by a .NET downloader, by GuLoader, and by FormBook. Coronavirus-themed malspam campaigns were specifically reported distributing NanoCore via a ZIP attachment containing a PIF file. Similar email-based campaigns were noted to install NanoCore after victim execution, granting adversaries remote access.
The malware is associated in the content with multiple threat ecosystems. SilverTerrier actors used NanoCore extensively in business email compromise activity, and NanoCore was the most frequently seen RAT employed by SilverTerrier in 2018, averaging 125 unique samples per month. The Elfin/APT33 group is also reported to have used NanoCore among other commodity RATs. NanoCore appears repeatedly in prevalence reporting as a widely used commodity RAT and was ranked among the most prevalent malware families uploaded to the ANY.RUN public sandbox.
The content also references legal action against its developer: Taylor Huddleston was sentenced in 2018 for making and selling NanoCore RAT. High-confidence indicators mentioned in the content include the SHA-256 hash c6092b1788722f82280d3dca79784556df6b8203f4d8f271c327582dd9dcf6e1 for a NanoCore .vbs loader sample and the SHA-256 hash c57fa2a5d1a65a687f309f23ca3cfc6721d382b06cf894ee5cd01931bbc17a46 for a NanoCore sample observed in coronavirus-themed campaigns.
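The delivery and persistence chain summarized above (a VBScript loader spawning PowerShell, followed by a Run/RunOnce write) can be checked for in process-creation telemetry. The following is an added example, not code from the page or from any cited report: it runs two simple detections over constructed log lines in an assumed "pid= ppid= image= cmdline=" format.

```python
import re
from dataclasses import dataclass

@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # image file name only, lower-cased (e.g. "powershell.exe")
    cmdline: str

# Constructed sample process-creation events (not taken from any report): the
# script-host-to-PowerShell chain described above, a RunOnce persistence write,
# and a benign administrator PowerShell session that must not be flagged.
SAMPLE_LOG = """\
pid=4120 ppid=3316 image=C:\\Windows\\System32\\wscript.exe cmdline="wscript.exe" C:\\Users\\u\\AppData\\Local\\Temp\\invoice.vbs
pid=4188 ppid=4120 image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe cmdline=powershell -w hidden -enc BASE64PLACEHOLDER
pid=4250 ppid=4188 image=C:\\Windows\\System32\\reg.exe cmdline=reg add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce /v upd /t REG_SZ /d C:\\Users\\u\\AppData\\Roaming\\svc.exe
pid=5000 ppid=812 image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe cmdline=powershell Get-Service
"""

LINE_RE = re.compile(r'pid=(\d+) ppid=(\d+) image=(\S+) cmdline=(.*)')
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
RUNKEY_RE = re.compile(r'currentversion\\run(once)?', re.IGNORECASE)
WRITE_RE = re.compile(r'\badd\b|set-itemproperty|new-itemproperty', re.IGNORECASE)

def parse_log(text):
    """Parse 'pid= ppid= image= cmdline=' lines into ProcEvent records."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            pid, ppid, image, cmd = m.groups()
            events.append(ProcEvent(int(pid), int(ppid), image.rsplit("\\", 1)[-1].lower(), cmd))
    return events

def script_host_to_powershell(events):
    """Return pids of powershell.exe processes whose parent is wscript.exe or cscript.exe."""
    by_pid = {e.pid: e for e in events}
    return [e.pid for e in events
            if e.image == "powershell.exe"
            and e.ppid in by_pid and by_pid[e.ppid].image in SCRIPT_HOSTS]

def run_key_writes(events):
    """Return pids of reg.exe/powershell.exe processes whose command line writes a Run/RunOnce value."""
    return [e.pid for e in events
            if e.image in ("reg.exe", "powershell.exe")
            and RUNKEY_RE.search(e.cmdline) and WRITE_RE.search(e.cmdline)]
```

Both checks are parent/command-line heuristics; in a real deployment, tune them against the script-host and Run-key usage that is normal for the environment.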
Vulnerabilities exploited
1 CVE Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.
"The malware downloaded and executed by the .Net downloader is NanoCore, a well-known RAT (Remote Access Trojan) that enables the remote monitoring of victims via their computers."
Groups observed using it
3 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
With an average of 125 unique samples per month, NanoCore was the most frequently seen RAT employed by SilverTerrier actors in 2018.
NanoCore (Trojan.Nancrat): Commodity RAT used to open a backdoor on an infected computer and steal information.
Techniques & procedures
26 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
1 technique
Additionally, the branding of trusted organizations (for example the World Health Organization (WHO)) is abused to build credibility and trust, so that people will, for example, open malicious attachments or web pages.
Execution
6 techniques
DarkComet ... Command and Scripting Interpreter; Lokibot ... Visual Basic, Windows Command Shell, PowerShell; NanoCore ... Windows Command Shell, Visual Basic; NETWIRE ... Visual Basic, PowerShell, Unix Shell, Windows Command Shell
We won't focus on the remainder of the code, but it effectively executes a powershell command that runs a Nanocore payload.
During the 2016 Ukraine Electric Power Attack, Sandworm Team used the xp_cmdshell command in MS-SQL. During the 2025 Poland Wiper Attacks, the adversaries leveraged PsExec to run cmd.exe commands on multiple victim machines. Numerous malware families and groups are described as using cmd.exe, cmd /c, Windows command shell, or command-line interfaces to execute commands, payloads, reconnaissance, persistence, cleanup, and ransomware actions.
Lokibot ... Command and Scripting Interpreter: Visual Basic ... NanoCore ... Visual Basic ... NETWIRE ... Visual Basic
Examples include 'Cobalt Group has used a JavaScript backdoor that is capable of launching cmd.exe to execute shell commands', 'Orz can execute commands with JavaScript', 'Patchwork used JavaScript code and .SCT files on victim machines', and 'Water Curupira Pikabot Distribution installation via JavaScript will launch follow-on commands via cmd.exe.'
By relying on basic social engineering – an attack technique that takes advantage of human traits such as curiosity, trust and greed in order to obtain confidential information or to have the victim perform a certain action – suffice it to say that certain threat actors (both criminal and nation state) are exploiting these unprecedented times for various nefarious means.
Persistence
3 techniques
Contagious Interview has established persistence using InvisibleFerret malware to place a .bat file in the Startup Folder. TeamTNT has added batch scripts to the startup folder. Storm-1811 has created Windows Registry Run keys that execute various batch scripts to establish persistence on victim devices.
Across the content, malware repeatedly 'adds Registry Run keys', 'creates Registry entries', 'modifies the Windows Registry', or 'overwrites registry keys' to maintain persistence.
The content repeatedly describes malware and threat actors establishing persistence by adding values under HKCU/HKLM\Software\Microsoft\Windows\CurrentVersion\Run or RunOnce, and by placing executables, scripts, or .lnk files in the Startup folder. Examples include AppleSeed creating 'HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce', AvosLocker executed via the RunOnce Registry key, NanoCore creating a RunOnce key, and Raspberry Robin setting a RunOnce key.
Privilege Escalation
2 techniques
Contagious Interview has established persistence using InvisibleFerret malware to place a .bat file in the Startup Folder. TeamTNT has added batch scripts to the startup folder. Storm-1811 has created Windows Registry Run keys that execute various batch scripts to establish persistence on victim devices.
The content repeatedly describes malware and threat actors establishing persistence by adding values under HKCU/HKLM\Software\Microsoft\Windows\CurrentVersion\Run or RunOnce, and by placing executables, scripts, or .lnk files in the Startup folder. Examples include AppleSeed creating 'HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce', AvosLocker executed via the RunOnce Registry key, NanoCore creating a RunOnce key, and Raspberry Robin setting a RunOnce key.
Stealth
2 techniques
The content repeatedly describes malware and threat actors using obfuscated code, encrypted strings, Base64/XOR/RC4/AES encoding, VMProtect/ConfuserEx/SmartAssembly, stack strings, control-flow flattening, opaque predicates, and hidden payloads to evade analysis and detection.
The list of features and plugins advertised for this RAT includes functionality that goes significantly beyond what one might see in a traditional remote administration tool, such as DDoS-for-hire capabilities, and the ability to disable the light indicator on webcams so as not to alert the target that the RAT is active.
Defense Impairment
1 technique
Credential Access
2 techniques
Agent Tesla became popular among business email compromise (BEC) scammers, who use it to record keystrokes and take screenshots on the infected host.
These are, of course, on top of the obviously ominous features such as password retrieval and key logging that are normally seen in Remote Access Trojans.
Discovery
1 technique
The content repeatedly describes actors and malware using commands and APIs such as ipconfig /all, ifconfig, arp -a, route print, netsh interface show, GetAdaptersInfo, and GetIpNetTable to gather IP addresses, MAC addresses, DNS, DHCP, gateways, routing tables, ARP cache, proxy settings, and network adapter/interface details.
Collection
3 techniques
Agent Tesla became popular among business email compromise (BEC) scammers, who use it to record keystrokes and take screenshots on the infected host.
DarkComet ... Audio Capture ... NanoCore ... Audio Capture
NanoCore capabilities also include keylogging, spying, file execution, capturing video and audio...
Command and Control
5 techniques
C2 Tracker is a free-to-use, community-driven IOC feed that uses Shodan and Censys searches to collect IP addresses of known malware/botnet/C2 infrastructure.
The commands include instructing the malware to download and execute files... Download and unpack ZIP archive ... In the last few weeks, FormBook was seen downloading other malware families such as NanoCore.
4H RAT has the capability to create a remote shell. AuditCred can open a reverse shell on the system to execute commands. PlugX allows actors to spawn a reverse shell on a victim. QuasarRAT can launch a remote shell to execute commands on the victim’s machine.
NanoCore ... Encrypted Channel ... NETWIRE ... Encrypted Channel
NanoCore ... Encrypted Channel: Symmetric Cryptography ... NETWIRE ... Symmetric Cryptography
Impact
1 technique
Scammers running business email compromise (BEC) fraud have grown in number, attack more often, and turn to remote access trojans as the preferred malware type to accompany their raids.
Other
3 techniques
The content repeatedly describes threat actors and malware disabling, stopping, uninstalling, or modifying antivirus, EDR, Windows Defender, AMSI, logging, and other security controls.
Examples include 'Aquatic Panda has attempted to stop endpoint detection and response (EDR) tools', 'BlackByte disabled security tools such as Windows Defender', 'Scattered Spider has uninstalled and disabled security tools', and many malware families terminating AV/EDR processes or services.
IOCs tracked for this family
13 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
Recent activity
39 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Windows remote access trojan delivered via malicious PowerPoint (PPSX) droppers and a .NET downloader; provides remote monitoring/control and is obfuscated via packing/crypting (PAC Crypt). C2 observed at 88.198.222[.]163:8081.
Commercially available RAT with keylogging, screen capture, password theft, data exfiltration, downloader, and persistence capabilities. Spread via malspam attachments.
Remote access trojan payload delivered by the analyzed obfuscated .vbs loader.
Referenced as a RAT associated with exploitation of CVE-2023-38831 (WinRAR RCE) in the cited activity.