MalwareUsed by 1 actor

NICECURL

NICECURL is malware associated with the Iran-linked threat actor APT42. Based on the provided content, it is used for command-and-control communications over HTTPS and provides an arbitrary command execution interface on compromised systems. It appears in reporting alongside other APT42 malware families including BASICSTAR, CharmPower, GORBLE, GorjolEcho, POWERSTAR, and TAMECAT. High-confidence details in the content are limited to its HTTPS-based C2 and arbitrary command execution capability; no specific infection vector, targeted industries, platforms, or standalone indicators of compromise for NICECURL are directly provided.

For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

Start free trial

THREAT ACTORS

Groups observed using it

1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

View more details

APT42

NICECURL has used HTTPS for C2 communications.

via mitre attack websiteattack.mitre.org

MITRE ATT&CK

Techniques & procedures

7 distinct techniques documented for this family, organized by ATT&CK tactic.

Execution

1 technique

T1059Command and Scripting InterpreterEvidence2

APT19 downloaded and launched code within a SCT file; APT32 used COM scriptlets to download Cobalt Strike beacons; APT37 used Ruby scripts to execute payloads; ArcaneDoor included the adversary executing command line interface (CLI) commands.

Stealth

2 techniques

T1070Indicator RemovalEvidence1

Examples throughout the content include deleting tools, logs, malware-related files, staged archives, screenshots, temporary files, and exfiltrated data 'to cover their tracks,' 'reduce their footprint,' 'remove traces of activity,' or as part of 'post-intrusion cleanup.'

T1070.004File DeletionEvidence4

The content repeatedly describes adversaries and malware deleting files, directories, droppers, scripts, logs, archives, staged data, and other artifacts from compromised systems, e.g., 'APT29 has used SDelete to remove artifacts from victim networks' and 'Lazarus Group malware has deleted files in various ways, including "suicide scripts" to delete malware binaries from the victim.'

Command and Control

4 techniques

T1071.001Web ProtocolsEvidence6

APT41 DUST used HTTPS for command and control. APT42 has used tools such as NICECURL with command and control communication taking place over HTTPS. Lumma Stealer has used HTTPS for command and control purposes.

T1105Ingress Tool TransferEvidence1

T1573Encrypted ChannelEvidence1

The content repeatedly describes malware and threat actors using SSL, TLS, HTTPS, RSA, AES, Blowfish, RC4, ECIES, Diffie-Hellman, OpenSSL, WolfSSL, and mutual TLS to protect command and control traffic.

T1573.002Asymmetric CryptographyEvidence3

APT42 has used tools such as NICECURL with command and control communication taking place over HTTPS.

ACTIVITY FEED

Recent activity

7 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

7 SOURCESView more in app

f5News

Mar 2, 2026

Weekly Threat Bulletin - February 4th, 2026 | F5 Labs

Threat Details and IOCs Malware: BASICSTAR, CharmPower, GORBLE, GorjolEcho, NICECURL, POWERSTAR, TAMECAT

mitre attack websiteNews

Aug 1, 2017

Encrypted Channel: Asymmetric Cryptography, Sub-technique T1573.002 - Enterprise | MITRE ATT&CK®

Malware/tool that uses HTTPS for command-and-control communications.

mitre attack websiteNews

Oct 1, 2016

Command and Scripting Interpreter, Technique T1059 - Enterprise | MITRE ATT&CK®

Backdoor malware that exposes an interface for arbitrary command execution.

mitre attackNews

Jan 24, 2026

Command and Scripting Interpreter, Technique T1059 - Enterprise | MITRE ATT&CK®

Backdoor/tooling that exposes an interface for arbitrary command execution.

+3 more in the timeline

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.

Start free trial

IOC matching

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution1

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping7

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.