NICECURL
NICECURL is malware associated with the Iran-linked threat actor APT42. Based on the available reporting, it is used for command-and-control communications over HTTPS and provides an arbitrary command execution interface on compromised systems. It appears in reporting alongside other APT42 malware families including BASICSTAR, CharmPower, GORBLE, GorjolEcho, POWERSTAR, and TAMECAT. High-confidence details are limited to its HTTPS-based C2 and its arbitrary command execution capability; no specific infection vector, targeted industries, platforms, or standalone indicators of compromise for NICECURL are provided.
Groups observed using it
1 distinct threat actor attributed by public researchers.
Techniques & procedures
7 distinct techniques documented for this family, organized by ATT&CK tactic.
Execution
1 technique
APT19 downloaded and launched code within a SCT file; APT32 used COM scriptlets to download Cobalt Strike beacons; APT37 used Ruby scripts to execute payloads; ArcaneDoor included the adversary executing command line interface (CLI) commands.
Stealth
2 techniques
Examples throughout the content include deleting tools, logs, malware-related files, staged archives, screenshots, temporary files, and exfiltrated data 'to cover their tracks,' 'reduce their footprint,' 'remove traces of activity,' or as part of 'post-intrusion cleanup.'
The content repeatedly describes adversaries and malware deleting files, directories, droppers, scripts, logs, archives, staged data, and other artifacts from compromised systems, e.g., 'APT29 has used SDelete to remove artifacts from victim networks' and 'Lazarus Group malware has deleted files in various ways, including "suicide scripts" to delete malware binaries from the victim.'
Command and Control
4 techniques
APT41 DUST used HTTPS for command and control. APT42 has used tools such as NICECURL with command and control communication taking place over HTTPS. Lumma Stealer has used HTTPS for command and control purposes.
The content repeatedly describes malware and threat actors using SSL, TLS, HTTPS, RSA, AES, Blowfish, RC4, ECIES, Diffie-Hellman, OpenSSL, WolfSSL, and mutual TLS to protect command and control traffic.
Recent activity
7 sources tracked across advisories, community write-ups, and news.
Threat Details and IOCs
Malware: BASICSTAR, CharmPower, GORBLE, GorjolEcho, NICECURL, POWERSTAR, TAMECAT
Malware/tool that uses HTTPS for command-and-control communications.
Backdoor malware that exposes an interface for arbitrary command execution.
Backdoor/tooling that exposes an interface for arbitrary command execution.