Skip to content
Malware family

NanoCore

NanoCore RAT, also referred to as Nancrat/NanoCore, is a commodity remote access trojan used for information theft and remote control of compromised Windows systems.

Profile source: Mallory opens in a new tab

NanoCore

Family profile

NanoCore RAT, also referred to as Nancrat/NanoCore, is a commodity remote access trojan used for information theft and remote control of compromised Windows systems. The provided content states it has been in use since at least 2012–2013 and that leaked source code enabled broad criminal reuse and modification. Reported capabilities include keylogging, webcam and audio capture, spying, file execution, downloading additional binaries, registry editing, folder control, mouse control, network configuration discovery, command execution via the Windows command shell, and modification of security settings including antivirus and firewall-related controls. The malware can open a backdoor on infected hosts and is commonly used for information gathering, monitoring, and data theft.

Observed delivery vectors in the content include spearphishing emails, fake emails with attached archives such as ZIP/ZIPX/RAR, malicious documents, macro-enabled Excel files, ISO files, PDF attachments with links, OneDrive-hosted payloads, malicious software-download lures, and obfuscated VBS-based loaders that invoke PowerShell DownloadString to retrieve additional stages. NanoCore has also been delivered by other malware and loaders including GuLoader and FormBook. One analyzed infection chain used multiple obfuscated VBS stages retrieved from 52.231.98.236, culminating in a PE payload identified as the NanoCore client.

Persistence and execution behaviors described in the content include use of Windows Run registry keys and Startup-folder mechanisms, including HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run and Explorer Shell Folders/User Shell Folders paths; placement of New.vbs or files under \\Public\\Run; scheduled-task persistence in some variants; duplicate loader copies; and creation of run.dat artifacts in roaming or temporary paths. Variants may use process hollowing or injection into legitimate processes such as MSBuild.exe, RegAsm.exe, vbc, cvtres, applaunch, taskmgr, or aspnet_compiler.exe, and may self-delete after installation. Communications are described as using encrypted channels with symmetric cryptography, and recent reporting in the content notes frequent use of dynamic DNS infrastructure such as duckdns, hopto, and ddns domains.

Threat-actor and campaign associations directly mentioned in the content include APT33/Elfin, Gorgon Group, Vendetta, TA2719, TA2722, Aggah, and SilverTerrier. TA2722 distributed NanoCore in phishing campaigns impersonating Philippine government and related entities, while SilverTerrier used NanoCore extensively in malware-assisted business email compromise activity and it was the most frequently seen RAT in that ecosystem in 2018. The content also notes historical use by APT33 and references targeting across sectors including shipping, logistics, manufacturing, business services, pharmaceutical, energy, finance, aerospace, defense contractors, and other organizations. Example indicators and infrastructure explicitly mentioned in the content include 52.231.98.236, wallpapercave[.]com, paste[.]ee, seeno[.]hopto[.]org, customcheats[.]ddns[.]net, december2nd[.]ddns[.]net, xp18[.]ddns[.]net, shahzad73[.]casacam[.]net, and shahzad73[.]ddns[.]net. The content also references observed NanoCore version 1.2.2.0 and notes versions 1.2.2.0 and 1.2.2.2 as commonly seen.

C2 tracking

Seven-day C2 activity

Derp observations, rolling seven-day window

Observed infrastructure

Last seven days

First activity
Jul 12, 2026
Last activity
Jul 18, 2026
Feed role
C2
Host form
6 IP / 44 hostnames

Leading locations

  • US32
  • DE4
  • FR1
  • JP1
  • KE1

Leading providers

  • Cloudflare, Inc.28
  • BEDGE CO LIMITED3
  • ACE1
  • Bouygues Telecom SA1
  • Edgenext Legend Dynasty Pte. Ltd.1
  • Fastly, Inc.1

Infrastructure traits

  • Hosting 37
  • Anycast 29
  • Mobile 1
  • Proxy 1
  • Residential Proxy 1

Samples

Recent associated samples

Reported operators

Threat actors

8 named in public reporting
APT33

Overview NanoCore is a RAT (Remote Admin Tool) used by cybercriminal groups such as APT33... The main potential of NanoCore is usually to steal data from the computer and user once it has gained access to the disk, but once it is inside, it could perform any action from the outside... we get the NanoCore client...

Gorgon Group

NanoCore (also known as Nancrat) is considered a RAT (Remote Admin Tool), which is used to obtain relevant information from victims such as data from the affected computer, camera captures, keyboard input, etc.

Aggah

NanoCore (also known as Nancrat) is considered a RAT (Remote Admin Tool), which is used to obtain relevant information from victims such as data from the affected computer, camera captures, keyboard input, etc.

TA2719

NanoCore (also known as Nancrat) is considered a RAT (Remote Admin Tool), which is used to obtain relevant information from victims such as data from the affected computer, camera captures, keyboard input, etc.

TA2722

NanoCore (also known as Nancrat) is considered a RAT (Remote Admin Tool), which is used to obtain relevant information from victims such as data from the affected computer, camera captures, keyboard input, etc.

Vendetta

NanoCore (also known as Nancrat) is considered a RAT (Remote Admin Tool), which is used to obtain relevant information from victims such as data from the affected computer, camera captures, keyboard input, etc.

SilverTerrier

With an average of 125 unique samples per month, NanoCore was the most frequently seen RAT employed by SilverTerrier actors in 2018.

Group5

"The malware downloaded and executed by the .Net downloader is NanoCore, a well-known RAT (Remote Access Trojan) that enables the remote monitoring of victims via their computers."

Exploited software

Vulnerabilities linked to NanoCore

1 CVEs

MITRE ATT&CK

NanoCore in ATT&CK

41 distinct techniques

Reporting

Research mentioning NanoCore

Jun 26
Help Net Security

A privacy-first take on local malware analysis - Help Net Security

A group of remote access trojans, among them WarZoneRAT, njrat, nanocore, and netwire, overlap on process injection, keylogging-related calls, and command-and-control traffic.

Jan 20
Citizenlab

Group5: Syria and the Iranian Connection - The Citizen Lab

"The malware downloaded and executed by the .Net downloader is NanoCore, a well-known RAT (Remote Access Trojan) that enables the remote monitoring of victims via their computers."

Nov 14
Cisecurity Blog Msisca And Eiisac

Top 10 Malware Q3 2025

NanoCore is a RAT sold on criminal forums and usually spread via malspam with an attachment, such as a malicious Excel (XLS) spreadsheet. NanoCore has a wide range of capabilities including keylogging, screen capture, password theft, data exfiltration, downloading and executing additional files, and adding registry keys for persistence.

Sep 3
Embee Research

Advanced Cyberchef Techniques - Defeating Nanocore Obfuscation With Math and Flow Control

We won't focus on the remainder of the code, but it effectively executes a powershell command that runs a Nanocore payload.

Mar 25
Rexorvc0

NanoCore Update | RexorVc0

NanoCore (also known as Nancrat) is considered a RAT (Remote Admin Tool), which is used to obtain relevant information from victims such as data from the affected computer, camera captures, keyboard input, etc.

Nov 13
Picus Security

October 2023: Key Threat Actors, Malware and Exploited Vulnerabilities

CVE-2023-38831... Malware: SmokeLoader, Nanocore RAT, Crimson RAT and Agent Tesla

May 22
Checkpoint Research

Cloud-Based Malware Delivery: The Evolution of GuLoader - Check Point Research

We see evidence that GuLoader is currently being used to distribute the following malware: Formbook XLoader Remcos 404Keylogger Lokibot AgentTesla NanoCore NetWire

Dec 20
Talos Intelligence

Threat Spotlight: XLLing in Excel - threat actors using malicious add-ins

"Other notable commodity malware families that use XLLs... include ... Nanocore..."

We appreciate you

Derp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. Thank you, we're genuinely grateful.