{
	"id": "226db789-8cc1-47a1-ad2e-95c6dde7f2e3",
	"created_at": "2026-04-06T00:14:48.435956Z",
	"updated_at": "2026-04-10T03:23:52.073934Z",
	"deleted_at": null,
	"sha1_hash": "0774ea5f6ddd0a6445c3d3da9b909cce77aa9fa4",
	"title": "TinyNuke Banking Malware Targets French Entities | Proofpoint US",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 376809,
	"plain_text": "TinyNuke Banking Malware Targets French Entities | Proofpoint\r\nUS\r\nBy Selena Larson, Joe Wise, and the Proofpoint Threat Research Team\r\nPublished: 2021-12-08 · Archived: 2026-04-05 20:25:15 UTC\r\nKey Findings \r\nProofpoint researchers identified ongoing activity from the banking malware TinyNuke.\r\nThe activity nearly exclusively targets French entities and organizations with operations in France. \r\nThe campaigns leverage invoice-themed lures targeting entities in manufacturing, industry, technology,\r\nfinance, and other verticals. \r\nThe new activity demonstrates a re-emergence of the malware specifically targeting French users that\r\npeaked in popularity in 2018.\r\nOverview \r\nProofpoint identified multiple recent campaigns leveraging invoice-themed lures to distribute the uncommonly\r\nobserved TinyNuke malware. The activity marks a stark reappearance of this threat, which has not been seen with\r\nregularity since 2018. The campaigns target hundreds of customers in various industries including manufacturing,\r\ntechnology, construction, and business services. The campaigns use French language lures with invoice or other\r\nfinancial themes, and almost exclusively target French entities and companies with operations in France.  \r\nTinyNuke is a banking trojan that first appeared in Proofpoint data in 2017 targeting French companies. It is\r\nsimilar to the notorious banking trojan Zeus, which has many variants with identical functionality. TinyNuke can\r\nbe used to steal credentials and other private information and can be used to enable follow-on malware attacks.\r\nThe author initially released the code on GitHub in 2017, and although the original repo is no longer available,\r\nother open-source versions of the malware exist. \r\nCampaign Details\r\nProofpoint observed dozens of TinyNuke campaigns targeting French entities in 2018. After only observing a\r\nhandful of TinyNuke campaigns in 2019 and 2020, Proofpoint observed TinyNuke reappear in January 2021 in\r\none campaign distributing around 2,000 emails. Subsequent campaigns appeared in low volumes in May, June,\r\nand September. In November, Proofpoint identified multiple TinyNuke campaigns distributing around 2,500\r\nmessages and impacting hundreds of customers.   \r\nIn the most recent campaigns, the threat actor uses invoice-themed lures purporting to be logistics, transportation,\r\nor business services entities. \r\nhttps://www.proofpoint.com/us/blog/threat-insight/tinynuke-banking-malware-targets-french-entities\r\nPage 1 of 6\n\nFigure 1: Email lure with link leading to the download of TinyNuke.\r\nThese messages contain URLs that lead to the download of a compressed executable responsible for installing\r\nTinyNuke. \r\nProofpoint first observed TinyNuke in 2017 used as a second-stage payload in a Zeus banking trojan campaign\r\ntargeting French entities. Its use peaked in 2018 before all but disappearing in Proofpoint data in 2019 and 2020. \r\nhttps://www.proofpoint.com/us/blog/threat-insight/tinynuke-banking-malware-targets-french-entities\r\nPage 2 of 6\n\nFigure 2: TinyNuke campaign data. \r\nProofpoint has observed three times as many TinyNuke campaigns in 2021 as the two previous years combined.\r\nBut while threat actors have conducted more campaigns this year, they are distributing fewer messages compared\r\nto previous years. \r\nFigure 3: TinyNuke message data. \r\nhttps://www.proofpoint.com/us/blog/threat-insight/tinynuke-banking-malware-targets-french-entities\r\nPage 3 of 6\n\nThough the number of 2021 campaigns is less than 2018, TinyNuke’s reappearance and consistent targeting of\r\nFrench organizations is striking, suggesting it is a re-emerging threat in the French cybercrime threat landscape. \r\nProofpoint assesses there are at least two distinct activity sets using TinyNuke based on different lure themes,\r\npayload deployment, and command and control (C2) infrastructure. Specifically, one intrusion set associated with\r\nthe initial TinyNuke actors uses Tor for C2 since 2018, while commodity actors typically leverage clear web C2.\r\nOpen source reporting suggests the malware version using Tor which Proofpoint has observed with continued\r\nregularity is not publicly available, and likely used only by the original TinyNuke threat actors. The following\r\nanalysis focuses on the most frequently observed activity set responsible for most of the TinyNuke campaigns in\r\n2021. \r\nMalware Details\r\nIn the recently observed campaigns, messages are sent with URLs that lead to ZIP files. The ZIP files contain a\r\nJavaScript file (e.g. Facture-78224UDJ2021.js) which is invoked by the Microsoft Windows native binary wscript.\r\nPowerShell is then executed and leverages the Start-BitsTransfer cmdlet to download another ZIP file (e.g.\r\nputty.zip) which contains the TinyNuke PE file. \r\nFigure 4: PowerShell Command Line sample.\r\nThe actor generally uses legitimate, but compromised, websites to host the payload URL. The websites are\r\ntypically French language, and do not share a common theme.    \r\nThe following binaries are dropped to disk and executed.\r\nC:\\Users\\[User]\\AppData\\Roaming\\E02BC647BACE72A1\\tor.exe\r\nC:\\Users\\[User]\\AppData\\Roaming\\E02BC647BACE72A1\\firefox.exe\r\nC:\\Users\\[User]\\AppData\\Roaming\\putty.exe\r\nIn the recently observed campaigns, C2 communications occur via Tor. For example:\r\nfizi4aqe7hpsts3r[.]onion/hci/client[.]php\r\nProofpoint researchers observed the string \"nikoumouk\" sent to the C2 server for an unknown purpose. According\r\nto information sharing partners and open-source information, the actors previously used that string in C2\r\ncommunications in previous campaigns since 2018. The string is an insult in popular Arabic, mainly used in\r\nFrench speaking suburbs in Europe.\r\nPersistence is achieved by adding an entry in the registry under the following location.\r\nhttps://www.proofpoint.com/us/blog/threat-insight/tinynuke-banking-malware-targets-french-entities\r\nPage 4 of 6\n\nKey: HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\x00E02BC647BACE72A1\\xe4\\x8d\\x82\r\nData: C:\\Users\\[User]\\AppData\\Roaming\\E02BC647BACE72A1\\firefox.exe\r\nOnce installed, the TinyNuke loader can be used for data and credential theft with formgrabbing and webinject\r\ncapabilities for Firefox, Internet Explorer, and Chrome, and to install follow on payloads. \r\nRelated Threat Actors\r\nProofpoint identified TinyNuke infrastructure used in campaigns in 2018 overlapped with PyLocky ransomware\r\nattacks first reported that year. However, Proofpoint has not observed ransomware activity associated with\r\nTinyNuke in subsequent campaigns.  \r\nPublic reporting associates the original TinyNuke author with an individual charged in a French sextortion case,\r\nand was imprisoned before reportedly being released under legal supervision in 2020 during a spike in the COVID\r\npandemic. In 2017, the accused individual previously claimed to be the original author of TinyNuke in\r\nan interview with the journalist Brian Krebs. \r\nTinyNuke actors have also reportedly taunted and harassed security researchers investigating TinyNuke activity. \r\nProofpoint does not associate TinyNuke with a known threat actor or group. The malware is publicly available and\r\nlikely used by multiple threat actors, however Proofpoint assesses with high confidence at least some of the\r\noriginal threat actors distributing TinyNuke in 2018 continue to use it. \r\nConclusion\r\nTinyNuke has re-emerged as a threat to French organizations, and entities with operations in France. Of note, in\r\nmost of the recent campaigns the actor has stayed consistent with using URLs to ZIP files and the continued use of\r\nTor for C2 communications. The malware can be used for data and financial theft, and compromised machines\r\nmay be added to a botnet under the control of the threat actor.\r\nIndicators of Compromise\r\nProofpoint identified the following indicators of compromise in 2021 campaigns.\r\nIndicator Description\r\nFirst\r\nObserved\r\nfizi4aqe7hpsts3r[.]onion/hci/client.php TinyNuke C2 May 2021\r\nhxxps://www[.]genou-alsace[.]fr/putty.zip\r\nTinyNuke\r\nPayload URL\r\nNovember\r\n2021\r\nhttps://www.proofpoint.com/us/blog/threat-insight/tinynuke-banking-malware-targets-french-entities\r\nPage 5 of 6\n\nhxxps://addendasoftware[.]com/blog2/wp-content/uploads/2021/11/putty.zip\r\nTinyNuke\r\nPayload URL\r\nNovember\r\n2021\r\nhxxps://www[.]edmf[.]org/redirect_d2CORIvmZ/putty.zip\r\nTinyNuke\r\nPayload URL\r\nNovember\r\n2021\r\nhxxp://www[.]palette-events[.]com/css/_notes/putty.zip\r\nTinyNuke\r\nPayload URL\r\nNovember\r\n2021\r\nhxxp://laurentabert[.]fr/setup.zip\r\nTinyNuke\r\nPayload URL\r\nSeptember\r\n2021\r\nhxxp://www[.]energym63[.]com/10451372/cports.exe\r\nTinyNuke\r\nPayload URL\r\nJune 2021\r\nhxxp://www[.]energym63[.]com/10451372/putty2.zip\r\nTinyNuke\r\nPayload URL\r\nJune 2021\r\nhxxp://www[.]lightcharts[.]com/old-website/putty.zip\r\nTinyNuke\r\nPayload URL\r\nMay 2021\r\nhxxps://baloobajojonako[.]fr/panel/client.php?47F3640E5BCAD613 TinyNuke C2\r\nJanuary\r\n2021\r\nhxxps://lft[.]orange[.]fr/spaces/download/\r\nQYQ9IHG325rxm/600686abb5395430a1363770\r\nTinyNuke\r\nPayload URL\r\nJanuary\r\n2021\r\n5ba482a11f1a99293a249c350c360cd0d8f1456dfcfd27bf0b4189511e4800d8\r\nTinyNuke\r\nSHA256\r\nJanuary\r\n2021\r\nSource: https://www.proofpoint.com/us/blog/threat-insight/tinynuke-banking-malware-targets-french-entities\r\nhttps://www.proofpoint.com/us/blog/threat-insight/tinynuke-banking-malware-targets-french-entities\r\nPage 6 of 6",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.proofpoint.com/us/blog/threat-insight/tinynuke-banking-malware-targets-french-entities"
	],
	"report_names": [
		"tinynuke-banking-malware-targets-french-entities"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434488,
	"ts_updated_at": 1775791432,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0774ea5f6ddd0a6445c3d3da9b909cce77aa9fa4.pdf",
		"text": "https://archive.orkl.eu/0774ea5f6ddd0a6445c3d3da9b909cce77aa9fa4.txt",
		"img": "https://archive.orkl.eu/0774ea5f6ddd0a6445c3d3da9b909cce77aa9fa4.jpg"
	}
}