LastConn
LastConn is a malware implant associated with TA402, also known as Molerats, a likely Palestinian-aligned threat cluster that runs espionage campaigns. Reporting states that LastConn was discovered as part of TA402 activity and was assessed with high confidence to be an updated version of SharpStage. It is also described as an earlier implant that was later likely replaced by the C# backdoor NimbleMamba.

Based on direct comparisons in the reporting, LastConn shares traits with NimbleMamba: a C# implementation, base64 encoding in its command-and-control framework, and use of the Dropbox API for command and control. Dropbox-linked infrastructure connections between LastConn and NimbleMamba were cited as supporting attribution to the same operators. LastConn has been referenced alongside other malware used by the same ecosystem, including BrittleBush and Micropsia, and appears in reporting on campaigns targeting Middle Eastern governments, foreign policy think tanks, a state-affiliated airline, and more broadly organizations in the Middle East and North Africa.

The high-confidence reporting available does not provide standalone LastConn-specific infection-chain details or indicators beyond its linkage to TA402/Molerats, its relationship to SharpStage and NimbleMamba, and its Dropbox-related C2 characteristics.
Groups observed using it
2 distinct threat actors attributed by public researchers.
Later in June 2021, the LastConn malware, which was discovered as part of activities attributed to the TA402 cluster, was assessed with high confidence to be an updated version of SharpStage.
Tools… “NimbleMamba, BrittleBush, LastConn, Micropsia”
Techniques & procedures
2 distinct techniques documented for this family, organized by ATT&CK tactic.
Defense Evasion
1 technique: NimbleMamba is written in C# and delivered as an obfuscated .NET executable using third-party obfuscators. The obfuscation is documented for NimbleMamba; the trait reporting ties to LastConn is the shared C# implementation.
Command and Control
1 technique: NimbleMamba uses the Dropbox API for both command and control and exfiltration. LastConn is reported to share this trait, using the Dropbox API for C2 with base64 encoding in its C2 framework.
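As an added example (not Mallory's code and not detection content from the vendors cited on this page), the Python below hunts a constructed proxy log for the pattern the two techniques above describe: a process with no business talking to Dropbox calling the Dropbox API v2 endpoints in the poll, fetch and upload sequence a tasking loop needs, plus a base64 triage helper for task or result files recovered from an abused folder. The Dropbox hostnames and `/2/files/*` paths are the ones Dropbox documents for its API v2; the log schema, the sample records and the expected-process allowlist are assumptions made for the example.

```python
"""Hunt for Dropbox-API command-and-control in proxy logs.

Added example for this page; not Mallory's code and not the cited vendors'
detection content. The log schema is constructed (real proxy logs differ),
the hostnames and /2/files/* paths are Dropbox's documented API v2 values,
and the process allowlist is an assumption to tune per environment.
"""
import base64
from collections import Counter

# Dropbox API v2 hosts. Browser traffic to www.dropbox.com is deliberately
# excluded: an implant speaks to the API, not to the web UI.
DROPBOX_API_HOSTS = {"api.dropboxapi.com", "content.dropboxapi.com"}

# Binaries expected to use the Dropbox API on a managed endpoint (assumption).
EXPECTED_PROCESSES = {"Dropbox.exe", "DropboxUpdate.exe"}

# A complete tasking loop: poll the folder, fetch a task file, upload the result.
C2_LOOP = {"/2/files/list_folder", "/2/files/download", "/2/files/upload"}

# Constructed sample log: ts client process method host path user_agent bytes
SAMPLE_LOG = """\
2021-06-14T09:12:03Z 10.0.5.21 Dropbox.exe POST content.dropboxapi.com /2/files/upload Dropbox-Desktop/123.4 4096
2021-06-14T09:13:10Z 10.0.5.37 WindowsUpdate.exe POST api.dropboxapi.com /2/files/list_folder Mozilla/5.0 310
2021-06-14T09:13:11Z 10.0.5.37 WindowsUpdate.exe POST content.dropboxapi.com /2/files/upload Mozilla/5.0 18822
2021-06-14T09:14:00Z 10.0.5.37 WindowsUpdate.exe POST content.dropboxapi.com /2/files/download Mozilla/5.0 620
2021-06-14T09:15:00Z 10.0.5.88 chrome.exe GET www.dropbox.com /home Mozilla/5.0 2048
"""


def parse_line(line):
    """Parse one space-separated record into a dict, or None if malformed."""
    parts = line.split()
    if len(parts) != 8:
        return None
    ts, client, process, method, host, path, user_agent, size = parts
    return {
        "ts": ts, "client": client, "process": process, "method": method,
        "host": host, "path": path, "user_agent": user_agent, "bytes": int(size),
    }


def hunt_dropbox_c2(log_text):
    """Group Dropbox API calls by (client, process) for processes that should
    not be talking to the API at all. Returns {(client, process): summary}."""
    findings = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["host"] not in DROPBOX_API_HOSTS:
            continue
        if rec["process"] in EXPECTED_PROCESSES:
            continue
        summary = findings.setdefault((rec["client"], rec["process"]), {
            "api_calls": Counter(), "bytes_up": 0, "bytes_down": 0,
            "user_agents": set(), "first": rec["ts"], "last": rec["ts"],
        })
        summary["api_calls"][rec["path"]] += 1
        summary["user_agents"].add(rec["user_agent"])
        summary["last"] = rec["ts"]
        if rec["path"] == "/2/files/upload":
            summary["bytes_up"] += rec["bytes"]
        elif rec["path"] == "/2/files/download":
            summary["bytes_down"] += rec["bytes"]
    return findings


def classify(summary):
    """Rank a finding: the complete poll/fetch/upload loop is the strongest
    signal; an upload on its own may still be exfiltration."""
    seen = set(summary["api_calls"])
    if C2_LOOP <= seen:
        return "high"
    if "/2/files/upload" in seen:
        return "medium"
    return "low"


def decode_c2_blob(blob):
    """Decode a base64 task or result file pulled from the abused Dropbox
    folder during triage. Returns bytes, or None if it is not clean base64."""
    try:
        return base64.b64decode(blob.strip(), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None


if __name__ == "__main__":
    for (client, process), summary in hunt_dropbox_c2(SAMPLE_LOG).items():
        print(f"{classify(summary):6} {client} {process} "
              f"calls={dict(summary['api_calls'])} "
              f"up={summary['bytes_up']}B down={summary['bytes_down']}B "
              f"window={summary['first']}..{summary['last']}")
```

Host-only rules are noisy wherever Dropbox is sanctioned, which is exactly why the operators chose it; the useful signal is the combination of an unexpected process, a non-Dropbox user agent, and the list/download/upload rhythm. The sample's `WindowsUpdate.exe` with a browser user agent completing the full loop is flagged high, while the real desktop client and ordinary browsing of www.dropbox.com are ignored.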
IOCs tracked for this family
1 indicator attributed across vendor reports, sandbox runs, and researcher write-ups.
IPs, domains, and DNS infrastructure linked to this family.
Recent activity
4 sources tracked across advisories, community write-ups, and news.
Malware attributed to TA402 and assessed with high confidence to be an updated version of SharpStage.
LastConn is an implant previously used by TA402 (Molerats) for espionage and remote access, now likely replaced by NimbleMamba in recent campaigns.
A previously used TA402 implant that appears to have been replaced by NimbleMamba. It shared traits with NimbleMamba such as being written in C#, using base64 encoding in its C2 framework, and leveraging the Dropbox API for C2 communication.