Nimbus RAT

The malicious operators combine email harassment with voice phishing tactics to breach network perimeters.

Posing as internal support staff, the attacker convinced the user to launch Quick Assist | Microsoft Teams is used for initial access

attackers used Microsoft Teams voice phishing to trick a user into granting remote access via Windows Quick Assist

Quick Assist Launch and Initial Recon using cmd

...this multi-layered assault tricks corporate employees into downloading an advanced Java-based backdoor threat.

The downloaded archive contained a malicious Java archive, bundled with an OpenJDK runtime, allowing execution on any Windows system

It supports arbitrary command execution, file system manipulation, registry access

The user followed the Pastebin instructions: extracted the archive to C:\ProgramData\InboxCorePro\, imported InboxCorePro.reg via regedit.exe, and placed a launcher in the Startup folder.

The user followed the Pastebin instructions: extracted the archive to C:\ProgramData\InboxCorePro\, imported InboxCorePro.reg via regedit.exe, and placed a launcher in the Startup folder.

Posing as internal support staff

It supports ... in-memory execution of second-stage payloads

It supports arbitrary command execution, file system manipulation, registry access

Nimbus RAT can display either a Java Swing imitation of the Windows Security credential prompt or invoke the real Windows CredUIPromptForCredentialsW API directly via JNA ... Both approaches are designed to capture two password entries

it includes dual credential-harvesting mechanisms: a fake Windows Security prompt and direct API invocation via CredUIPromptForCredentialsW

Reconnaissance ipconfig equiv. Full network adapter info via GetNetworkParams + GetAdaptersInfo (JNA)

Quick Assist Launch and Initial Recon using cmd

It supports arbitrary command execution, file system manipulation

Nimbus RAT can display either a Java Swing imitation of the Windows Security credential prompt or invoke the real Windows CredUIPromptForCredentialsW API directly via JNA ... Both approaches are designed to capture two password entries

It supports arbitrary command execution, file system manipulation, registry access, screenshot capture

File system za / tz / z ZIP directory, ZIP single file inline, extract ZIP (with optional password)

the malware communicates with legitimate Google APIs, making network-level detection extremely difficult | Nimbus RAT is a modular and highly capable implant... A defining feature of Nimbus RAT is its use of Google Drive and Google Sheets as C2 channels.

All command delivery and data exfiltration travels over legitimate Google API endpoints.

Commands are fetched from attacker-controlled Google Drive files, and exfiltrated data is uploaded in the same way.

The final payload was retrieved from a compromised Microsoft 365 tenant hosted on SharePoint

the attacker convinced the user to launch Quick Assist and follow step-by-step instructions

All C2 traffic is RSA-encrypted using a hardcoded 4096-bit public key embedded in the JAR.

exfiltrated data is uploaded in the same way

The tool, which TRU identifies as InboxSetupPro ... uses OneDrive rather than Google Drive for exfiltration.