Nanocore RAT

Also known as: Nancrat, NanoCore

Nanocore is a Remote Access Tool used to steal credentials and to spy on cameras. It has been used for a while by numerous criminal actors as well as by nation-state threat actors.

Linked Threat Actors

APT33, The Gorgon Group

C2 Infrastructure

Hosting/VPS 100%

Last 7 days

Jun 3, 2026 - C2 Hosts: 6
Jun 2, 2026 - C2 Hosts: 16
Jun 1, 2026 - C2 Hosts: 14
May 31, 2026 - C2 Hosts: 3
May 30, 2026 - C2 Hosts: 2
May 29, 2026 - C2 Hosts: 20
May 28, 2026 - C2 Hosts: 11

Further Reading

A year of Fajan evolution and Bloomberg themed campaigns

By Vanja Svajcer. News summary * Some malware campaigns are designed to spread malware to as many people as possible — while some others carefully choose their targets. Cisco Talos recently di...

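blog.talosintelligence.com

Attack operations by the Kasablanka group against political groups and non-profit organizations in the Middle East

Recently, during routine intelligence hunting, the 360 Advanced Threat Research Institute discovered and captured attack activity by the Kasablanka group targeting both the Windows and Android platforms. Based on analysis, the group does not appear to be motivated purely by financial gain; its motives seem to lean more toward information gathering and espionage.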

mp.weixin.qq.com

Foxit PDF “Flawed Design” Exploitation - Check Point Research

Check Point Research has identified an unusual pattern of behavior involving PDF exploitation, mainly targeting users of Foxit Reader. This exploit triggers security warnings that could deceive uns...

research.checkpoint.com

Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S.

Although heavily focused on the Middle East, Elfin (aka APT33) has also targeted a range of organizations in the U.S. including a number of major corporations.

symantec-blogs.broadcom.com

Threat Actors Abuse AI-Generated Youtube Videos to Spread Stealer Malware | CloudSEK

Since November 2022 there has been a 200-300% month-on-month increase in Youtube videos containing links to stealer malware such as Vidar, RedLine, and Raccoon in their descriptions. The videos lur...

cloudsek.com

DarkTortilla Malware Analysis

Learn how Secureworks CTU researchers have identified DarkTortilla samples delivering targeted malicious payloads, benign decoy documents, and executables.

secureworks.com

Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S.

Although heavily focused on the Middle East, Elfin (aka APT33) has also targeted a range of organizations in the U.S. including a number of major corporations.

symantec.com

Water Basilisk Uses New HCrypt Variant to Flood Victims with RAT Payloads

In this blog entry we look into a fileless campaign that used a new HCrypt variant to distribute numerous remote access trojans (RATs) in victim systems.

trendmicro.com

Campaign Abusing Legitimate Remote Administrator Tools Uses Fake Cryptocurrency Websites

We have been tracking a campaign involving the SpyAgent malware that abuses well-known remote access tools (RATs) — namely TeamViewer — for some time now. While previous versions of the malware hav...

trendmicro.com

How Cybercriminals Abuse Cloud Tunneling Services | Trend Micro (US)

Our research examines how cloud tunneling services work and how organizations can thwart threats that abuse them.

trendmicro.com

Multistage Loader used to spread AZORult and NanoCore | blog

Multistage .NET loader used to spread AZORult and NanoCore infostealers targeting users in the Asian subcontinent, specifically South Korea and Indonesia.

zscaler.com

Analysis of top non-HTTP/S threats | Zscaler Blog

In this article, the Zscaler security research team dissects the custom protocols used in some of the most prevalent RATs seen in recent campaigns. Read more.

zscaler.com

Affordable Malware RE Training | 0ffset Training Solutions

We assist individuals, SMEs, and F500s alike by providing professional training within the niche field of malware analysis and reverse engineering, without breaking the bank.

zero2auto.com