Last seven days
- First activity
- Jul 12, 2026
- Last activity
- Jul 18, 2026
- Feed role
- C2
- Host form
- 6 IP / 44 hostnames
NanoCore RAT, also referred to as Nancrat/NanoCore, is a commodity remote access trojan used for information theft and remote control of compromised Windows systems.
Profile source: Mallory opens in a new tabNanoCore
NanoCore RAT, also referred to as Nancrat/NanoCore, is a commodity remote access trojan used for information theft and remote control of compromised Windows systems. The provided content states it has been in use since at least 2012β2013 and that leaked source code enabled broad criminal reuse and modification. Reported capabilities include keylogging, webcam and audio capture, spying, file execution, downloading additional binaries, registry editing, folder control, mouse control, network configuration discovery, command execution via the Windows command shell, and modification of security settings including antivirus and firewall-related controls. The malware can open a backdoor on infected hosts and is commonly used for information gathering, monitoring, and data theft.
Observed delivery vectors in the content include spearphishing emails, fake emails with attached archives such as ZIP/ZIPX/RAR, malicious documents, macro-enabled Excel files, ISO files, PDF attachments with links, OneDrive-hosted payloads, malicious software-download lures, and obfuscated VBS-based loaders that invoke PowerShell DownloadString to retrieve additional stages. NanoCore has also been delivered by other malware and loaders including GuLoader and FormBook. One analyzed infection chain used multiple obfuscated VBS stages retrieved from 52.231.98.236, culminating in a PE payload identified as the NanoCore client.
Persistence and execution behaviors described in the content include use of Windows Run registry keys and Startup-folder mechanisms, including HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run and Explorer Shell Folders/User Shell Folders paths; placement of New.vbs or files under \\Public\\Run; scheduled-task persistence in some variants; duplicate loader copies; and creation of run.dat artifacts in roaming or temporary paths. Variants may use process hollowing or injection into legitimate processes such as MSBuild.exe, RegAsm.exe, vbc, cvtres, applaunch, taskmgr, or aspnet_compiler.exe, and may self-delete after installation. Communications are described as using encrypted channels with symmetric cryptography, and recent reporting in the content notes frequent use of dynamic DNS infrastructure such as duckdns, hopto, and ddns domains.
Threat-actor and campaign associations directly mentioned in the content include APT33/Elfin, Gorgon Group, Vendetta, TA2719, TA2722, Aggah, and SilverTerrier. TA2722 distributed NanoCore in phishing campaigns impersonating Philippine government and related entities, while SilverTerrier used NanoCore extensively in malware-assisted business email compromise activity and it was the most frequently seen RAT in that ecosystem in 2018. The content also notes historical use by APT33 and references targeting across sectors including shipping, logistics, manufacturing, business services, pharmaceutical, energy, finance, aerospace, defense contractors, and other organizations. Example indicators and infrastructure explicitly mentioned in the content include 52.231.98.236, wallpapercave[.]com, paste[.]ee, seeno[.]hopto[.]org, customcheats[.]ddns[.]net, december2nd[.]ddns[.]net, xp18[.]ddns[.]net, shahzad73[.]casacam[.]net, and shahzad73[.]ddns[.]net. The content also references observed NanoCore version 1.2.2.0 and notes versions 1.2.2.0 and 1.2.2.2 as commonly seen.
C2 tracking
Derp observations, rolling seven-day window
Samples
0c8936b70c80a12089bc1b443813775c6d62e48ebcf09a9ebc333ab68d511f2b a3f97fb816c8f328548f9fd0a3493eb76d7604a5bac2c8a270eaef9494e2570c bfce7111e2d28e6ebd8de39ba1bcd2e7126f95d28058289b2b808c73e11c25f7 dbf26f5e8485bab26b21e4ddffe1f1aaf92e266c626c5709ef73cafe87d1bc0a f7961673d47f54ab243684b92c70c4a37ff45a60fb3f35b1fec7a603409bade5 050c21c70512ea7fbab8edd76c78457e50ea4836926734b2ec8286c76d54711d 31a67586badf7a157ca4e72a3e8ae20ab34ccaf52cbe8663921279220c8ea458 a17141498fc719c468bf9be0122788f88b41ab457b41ada1f31e77558246d831 b0aa25917796666c444ca7a07f08368056a1c33da716fa981502e8adfe3ff73e d3c135b4de434a091bc8382a89bf4f36a75bc4b95434e8a117d4ad88e1a09f37 Reported operators
Overview NanoCore is a RAT (Remote Admin Tool) used by cybercriminal groups such as APT33... The main potential of NanoCore is usually to steal data from the computer and user once it has gained access to the disk, but once it is inside, it could perform any action from the outside... we get the NanoCore client...
NanoCore (also known as Nancrat) is considered a RAT (Remote Admin Tool), which is used to obtain relevant information from victims such as data from the affected computer, camera captures, keyboard input, etc.
NanoCore (also known as Nancrat) is considered a RAT (Remote Admin Tool), which is used to obtain relevant information from victims such as data from the affected computer, camera captures, keyboard input, etc.
NanoCore (also known as Nancrat) is considered a RAT (Remote Admin Tool), which is used to obtain relevant information from victims such as data from the affected computer, camera captures, keyboard input, etc.
NanoCore (also known as Nancrat) is considered a RAT (Remote Admin Tool), which is used to obtain relevant information from victims such as data from the affected computer, camera captures, keyboard input, etc.
NanoCore (also known as Nancrat) is considered a RAT (Remote Admin Tool), which is used to obtain relevant information from victims such as data from the affected computer, camera captures, keyboard input, etc.
With an average of 125 unique samples per month, NanoCore was the most frequently seen RAT employed by SilverTerrier actors in 2018.
"The malware downloaded and executed by the .Net downloader is NanoCore, a well-known RAT (Remote Access Trojan) that enables the remote monitoring of victims via their computers."
Exploited software
MITRE ATT&CK
Reporting
A group of remote access trojans, among them WarZoneRAT, njrat, nanocore, and netwire, overlap on process injection, keylogging-related calls, and command-and-control traffic.
"The malware downloaded and executed by the .Net downloader is NanoCore, a well-known RAT (Remote Access Trojan) that enables the remote monitoring of victims via their computers."
NanoCore is a RAT sold on criminal forums and usually spread via malspam with an attachment, such as a malicious Excel (XLS) spreadsheet. NanoCore has a wide range of capabilities including keylogging, screen capture, password theft, data exfiltration, downloading and executing additional files, and adding registry keys for persistence.
We won't focus on the remainder of the code, but it effectively executes a powershell command that runs a Nanocore payload.
NanoCore (also known as Nancrat) is considered a RAT (Remote Admin Tool), which is used to obtain relevant information from victims such as data from the affected computer, camera captures, keyboard input, etc.
CVE-2023-38831... Malware: SmokeLoader, Nanocore RAT, Crimson RAT and Agent Tesla
We see evidence that GuLoader is currently being used to distribute the following malware: Formbook XLoader Remcos 404Keylogger Lokibot AgentTesla NanoCore NetWire
"Other notable commodity malware families that use XLLs... include ... Nanocore..."
Derp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. Thank you, we're genuinely grateful.