{
	"id": "a59fad51-581a-466b-aeac-d3c36a0b3188",
	"created_at": "2026-04-06T00:12:06.623169Z",
	"updated_at": "2026-04-10T13:11:57.440047Z",
	"deleted_at": null,
	"sha1_hash": "099c7ff633351b8ca38a0a94c365aeea95ee713f",
	"title": "The NukeBot banking Trojan: from rough drafts to real threats",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 670125,
	"plain_text": "The NukeBot banking Trojan: from rough drafts to real threats\r\nBy Sergey Yunakovsky\r\nPublished: 2017-07-19 · Archived: 2026-04-05 23:19:50 UTC\r\nThis spring, the author of the NukeBot banking Trojan published the source code of his creation. He most\r\nprobably did so to restore his reputation on a number of hacker forums: earlier, he had been promoting his\r\ndevelopment so aggressively and behaving so erratically that he was eventually suspected of being a scammer.\r\nNow, three months after the source code was published, we decided to have a look at what has changed in the\r\nbanking malware landscape.\r\nNukeBot in the wild\r\nThe publication of malware source code may be nothing new, but it still attracts attention from across the IT\r\ncommunity and some of that attention usually goes beyond just inspecting the code. The NukeBot case was no\r\nexception: we managed to get our hands on a number of compiled samples of the Trojan. Most of them were of no\r\ninterest, as they stated local subnet addresses or ‘localhost/127.0.0.1’ as the C\u0026C address. Far fewer samples had\r\n‘genuine’ addresses and were ‘operational’. The main functionality of this banking Trojan is to make web\r\ninjections into specific pages to steal user data, but even from operational servers we only received ‘test’ injections\r\nthat were included in the source code as examples.\r\nTest injections from the NukeBot source code\r\nThe NukeBot samples that we got hold of can be divided into two main types: one with plain text strings, and the\r\nother with encrypted strings. The test samples typically belong to type 1, so we didn’t have any problems\r\nextracting the C\u0026C addresses and other information required for analysis from the Trojan body. 
It was a bit more\r\ncomplicated with the encrypted versions – the encryption keys had to be extracted first and only after that could\r\nhttps://securelist.com/the-nukebot-banking-trojan-from-rough-drafts-to-real-threats/78957/\r\nPage 1 of 4\n\nthe string values be established. Naturally, all the above was done automatically, using scripts we had developed.\r\nThe data itself is concentrated in the Trojan’s one and only procedure that is called at the very beginning of\r\nexecution.\r\nA comparison of the string initialization procedure in plain text and with encryption.\r\nDecryption (function sub_4049F6 in the screenshot) is performed using XOR with a key.\r\nImplementation of string decryption in Python\r\nIn order to trigger web injections, we had to imitate interaction with C\u0026C servers. The C\u0026C addresses can be\r\nobtained from the string initialization procedure.\r\nWhen first contacting a C\u0026C, the bot is sent an RC4 key which it uses to decrypt injections. We used this simple\r\nlogic when implementing an imitation bot, and managed to collect web injections from a large number of servers.\r\nInitially, the majority of botnets only received test injects that were of no interest to us. Later, however, we\r\nidentified a number of NukeBot’s ‘combat versions’. Based on an analysis of the injections we obtained, we\r\npresume the cybercriminals’ main targets were French and US banks.\r\nExample of ‘combat-grade’ web injections\r\nOf all the Trojan samples we obtained, 2-5% were ‘combat-grade’. However, it is still unclear if these versions\r\nwere created by a few motivated cybercriminals and the use of NukeBot will taper off soon, or if the source code\r\nhas fallen into the hands of an organized group (or groups) and the number of combat-grade samples is set to\r\ngrow. 
We will continue to monitor the situation.\r\nWe also managed to detect several NukeBot modifications that didn’t have web injection functionality, and were\r\ndesigned to steal mail client and browser passwords. We received those samples exclusively within droppers: after\r\nunpacking, they downloaded the required utilities (such as ‘Email Password Recovery’) from a remote malicious\r\nserver.\r\nKaspersky Lab products detect the banking Trojans of the NukeBot family as Trojan-Banker.Win32.TinyNuke.\r\nDroppers containing this banking Trojan were assigned the verdict Trojan-PSW.Win32.TinyNuke.\r\nMD5\r\nSource: https://securelist.com/the-nukebot-banking-trojan-from-rough-drafts-to-real-threats/78957/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://securelist.com/the-nukebot-banking-trojan-from-rough-drafts-to-real-threats/78957/"
	],
	"report_names": [
		"78957"
	],
	"threat_actors": [],
	"ts_created_at": 1775434326,
	"ts_updated_at": 1775826717,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/099c7ff633351b8ca38a0a94c365aeea95ee713f.pdf",
		"text": "https://archive.orkl.eu/099c7ff633351b8ca38a0a94c365aeea95ee713f.txt",
		"img": "https://archive.orkl.eu/099c7ff633351b8ca38a0a94c365aeea95ee713f.jpg"
	}
}