NanoCore
NanoCore is a commodity remote access trojan (RAT) in use since at least 2013. It opens a backdoor on infected Windows systems and enables remote monitoring and control. Reported capabilities include keylogging, spying/monitoring, file execution, ingress tool transfer, registry editing/modification, Windows command shell execution, network configuration discovery, mouse control, audio capture, video/webcam capture, and disabling or modifying the system firewall and antivirus settings. Reporting also notes encrypted communications using symmetric cryptography and persistence via Registry Run keys or the Startup folder.
NanoCore is commonly delivered through phishing and malware delivery chains. Reported distribution vectors include email campaigns with ZIP attachments containing PIF executables, OneDrive links, RAR/UUE attachments, ISO files, macro-enabled Excel documents, and VBScript/PowerShell-based loaders. It has also been delivered as a payload by GuLoader and as a secondary payload downloaded by FormBook. In one documented case, a deobfuscated VBS loader ultimately executed a PowerShell command to run a NanoCore payload.
Threat actors associated with NanoCore include TA2722, which distributed NanoCore alongside Remcos in campaigns impersonating Philippine government and related entities, and SilverTerrier, for which NanoCore was the most frequently seen RAT in 2018, averaging 125 unique samples per month. Elfin/APT33 is also reported to have used NanoCore among other commodity RATs. The malware has been used for information gathering, data theft, monitoring, and control of compromised computers, including in business email compromise-related operations.
Reported targeting spans organizations in shipping, logistics, manufacturing, business services, pharmaceutical, energy, finance, aerospace, defense contracting, and other sectors, with campaigns observed globally. NanoCore's developer, Taylor Huddleston, was sentenced in 2018 for making and selling the RAT, which was used to spy on victims through webcams and steal passwords.
Reported indicators and configuration details include NanoCore samples used by TA2722/Shahzad73 with PrimaryConnectionHost shahzad73[.]casacam[.]net, BackupConnectionHost shahzad73[.]ddns[.]net, and version 1.2.2.0; a coronavirus-themed NanoCore sample with SHA-256 C57fa2a5d1a65a687f309f23ca3cfc6721d382b06cf894ee5cd01931bbc17a46; and a NanoCore VBS loader sample with SHA-256 c6092b1788722f82280d3dca79784556df6b8203f4d8f271c327582dd9dcf6e1.
Vulnerabilities exploited
1 CVE correlated with this family across public research and vendor advisories.
"The malware downloaded and executed by the .Net downloader is NanoCore, a well-known RAT (Remote Access Trojan) that enables the remote monitoring of victims via their computers."
Groups observed using it
4 distinct threat actors attributed by public researchers.
TA2722 distributes Remcos and NanoCore remote access trojans (RATs). Remcos and NanoCore are typically used for information gathering, data theft operations, monitoring and control of compromised computers.
With an average of 125 unique samples per month, NanoCore was the most frequently seen RAT employed by SilverTerrier actors in 2018.
NanoCore (Trojan.Nancrat): Commodity RAT used to open a backdoor on an infected computer and steal information.
Techniques & procedures
24 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access (2 techniques)
TA2722 impersonates Philippine health, labor, and customs organizations... The threat actor generally leverages themes purporting to be entities related to the Philippine government... The phishing emails masqueraded as the Philippines Bureau of Customs CPRS.
They contained multiple threat distribution mechanisms including: OneDrive URLs linking to RAR files with embedded UUE files... Compressed MS Excel documents containing macros which, if enabled, download malware... Most of these messages contain either UUE or RAR attachments ultimately leading to the installation of Remcos remote access trojan (RAT) or NanoCore RAT.
Execution (4 techniques)
During the 2016 Ukraine Electric Power Attack, Sandworm Team used the xp_cmdshell command in MS-SQL. During the 2025 Poland Wiper Attacks, the adversaries leveraged PsExec to run cmd.exe commands on multiple victim machines. Numerous malware families and groups are described as using cmd.exe, cmd /c, Windows command shell, or command-line interfaces to execute commands, payloads, reconnaissance, persistence, cleanup, and ransomware actions.
Compressed MS Excel documents containing macros which, if enabled, download malware
Examples include 'Cobalt Group has used a JavaScript backdoor that is capable of launching cmd.exe to execute shell commands', 'Orz can execute commands with JavaScript', 'Patchwork used JavaScript code and .SCT files on victim machines', and 'Water Curupira Pikabot Distribution installation via JavaScript will launch follow-on commands via cmd.exe.'
Persistence (3 techniques)
Contagious Interview has established persistence using InvisibleFerret malware to place a .bat file in the Startup Folder. TeamTNT has added batch scripts to the startup folder. Storm-1811 has created Windows Registry Run keys that execute various batch scripts to establish persistence on victim devices.
Across the content, malware repeatedly 'adds Registry Run keys', 'creates Registry entries', 'modifies the Windows Registry', or 'overwrites registry keys' to maintain persistence.
Public reporting repeatedly describes malware and threat actors establishing persistence by adding values under HKCU/HKLM\Software\Microsoft\Windows\CurrentVersion\Run or RunOnce, and by placing executables, scripts, or .lnk files in the Startup folder. Examples include AppleSeed creating 'HKCU\Software\Microsoft/Windows\CurrentVersion\RunOnce', AvosLocker executed via the RunOnce Registry key, NanoCore creating a RunOnce key, and Raspberry Robin setting a RunOnce key.
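One defender-side check for the Run/RunOnce and Startup-folder persistence described above, added here as an example (not code from the page or from any NanoCore report). It assumes an elevated PowerShell 5.1+ session and treats %APPDATA%, %LOCALAPPDATA%, %TEMP% and %PUBLIC% as the user-writable roots worth flagging; the function name Test-UserWritableTarget is the example's own.

```powershell
# Added example, not from the page: enumerate the autostart locations the page
# names (Run/RunOnce keys and both Startup folders) and flag entries whose
# target lives under a user-writable path, where commodity RATs are usually
# dropped. Assumes an elevated PowerShell 5.1+ session.

$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
$startupDirs = @(
    [Environment]::GetFolderPath('Startup'),       # current user's Startup folder
    [Environment]::GetFolderPath('CommonStartup')  # all-users Startup folder
)
# Directories a standard user can write to; legitimate autostarts rarely point here.
$userWritable = @($env:APPDATA, $env:LOCALAPPDATA, $env:TEMP, $env:PUBLIC)

function Test-UserWritableTarget {
    param([string]$Command)
    foreach ($root in $userWritable) {
        if ($Command -and $Command -like "*$root*") { return $true }
    }
    return $false
}

$findings = @()
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip provider metadata (PSPath etc.)
        $findings += [pscustomobject]@{
            Location = $key; Name = $p.Name; Command = $p.Value
            Flagged  = Test-UserWritableTarget $p.Value
        }
    }
}
$shell = New-Object -ComObject WScript.Shell   # used to resolve .lnk targets
foreach ($dir in $startupDirs) {
    if (-not (Test-Path $dir)) { continue }
    foreach ($f in Get-ChildItem -Path $dir -File) {
        # A raw script/executable in the per-user Startup folder is itself under %APPDATA%, so it is flagged.
        $target = if ($f.Extension -eq '.lnk') { $shell.CreateShortcut($f.FullName).TargetPath } else { $f.FullName }
        $findings += [pscustomobject]@{
            Location = $dir; Name = $f.Name; Command = $target
            Flagged  = Test-UserWritableTarget $target
        }
    }
}
$findings | Sort-Object Flagged -Descending | Format-Table -AutoSize
```

Flagged entries are candidates for review, not verdicts; compare each command against a known-good baseline for the host before acting.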
Privilege Escalation (3 techniques)
A group of remote access trojans, among them WarZoneRAT, njrat, nanocore, and netwire, overlap on process injection, keylogging-related calls, and command-and-control traffic.
Stealth (3 techniques)
The content repeatedly describes malware and threat actors using obfuscated code, encrypted strings, Base64/XOR/RC4/AES encoding, VMProtect/ConfuserEx/SmartAssembly, stack strings, control-flow flattening, opaque predicates, and hidden payloads to evade analysis and detection.
A group of remote access trojans, among them WarZoneRAT, njrat, nanocore, and netwire, overlap on process injection, keylogging-related calls, and command-and-control traffic.
The list of features and plugins advertised for this RAT includes functionality that goes significantly beyond what one might see in a traditional remote administration tool, such as DDoS-for-hire capabilities, and the ability to disable the light indicator on webcams so as not to alert the target that the RAT is active.
Defense Impairment (1 technique)
Credential Access (2 techniques)
Discovery (1 technique)
The content repeatedly describes malware and threat actors using commands and APIs such as ipconfig /all, ifconfig, arp -a, route print, nbtstat, netsh, GetAdaptersInfo, and GetIpNetTable to gather IP addresses, MAC addresses, DNS, DHCP, gateways, routing tables, ARP cache, proxy settings, domains, and network adapter/interface details.
Collection (3 techniques)
Command and Control (4 techniques)
Proofpoint named the first identified cluster Shahzad73 based on the command and control (C2) domains used by the threat actor... The observed Remcos samples included the following example configuration: C2: shahzad73[.]casacam[.]net:2404... Observed NanoCore RAT samples included... PrimaryConnectionHost: shahzad73[.]casacam[.]net
First, we see a call to a location in the stack ... that will execute the function InternetOpenUrlA, we also see the C2 it will use... the second shellcode downloads further malware.
Impact (1 technique)
Other (2 techniques)
The content repeatedly describes threat actors and malware disabling, stopping, uninstalling, or modifying antivirus, EDR, Windows Defender, AMSI, logging, and other security controls.
Examples include 'Aquatic Panda has attempted to stop endpoint detection and response (EDR) tools', 'BlackByte disabled security tools such as Windows Defender', 'Scattered Spider has uninstalled and disabled security tools', and many malware families terminating AV/EDR processes or services.
IOCs tracked for this family
26 indicators attributed across vendor reports, sandbox runs, and researcher write-ups, covering IPs, domains and DNS infrastructure; file hashes (MD5, SHA-1, SHA-256); and other indicator types observed in public reporting.
Recent activity
43 sources tracked across advisories, community write-ups, and news.
A remote access trojan associated here with process injection, keylogging-related calls, and command-and-control traffic.
Windows remote access trojan delivered via malicious PowerPoint (PPSX) droppers and a .NET downloader; provides remote monitoring/control and is obfuscated via packing/crypting (PAC Crypt). C2 observed at 88.198.222[.]163:8081.
Commercially available RAT with keylogging, screen capture, password theft, data exfiltration, downloader, and persistence capabilities. Spread via malspam attachments.
Remote access trojan payload delivered by the analyzed obfuscated .vbs loader.