{
	"id": "728ff2f3-d45c-4742-9ea1-d1052c4b6362",
	"created_at": "2026-04-06T00:16:45.041944Z",
	"updated_at": "2026-04-10T03:21:49.078147Z",
	"deleted_at": null,
	"sha1_hash": "2a3443fcabd85359f7b61b9fae9bf47e26fa17ea",
	"title": "NFT Lure Used to Distribute BitRAT | FortiGuard Labs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 373992,
	"plain_text": "NFT Lure Used to Distribute BitRAT | FortiGuard Labs\r\nPublished: 2022-02-14 · Archived: 2026-04-05 16:46:09 UTC\r\nDespite being around for many years, blockchain captured the zeitgeist of the digital movement with the advent of\r\nBitcoin. Digital currencies, however, are not the only application of this technology. Non-fungible tokens (NFTs)\r\nentered the popular lexicon in 2021. An NFT is a digital token that uses blockchain to verify the authenticity and\r\nownership of digital content such as art, music, collectibles, and in-video-game items.\r\nThe first major NFT splash came in March 2021, when the digital work of art “Everydays – The First 5000 Days”\r\ncreated by the digital artist “Beeple” was auctioned and sold for a record-breaking $69 million. Later that month,\r\nthe NFT of the very first tweet posted by then-Twitter CEO Jack Dorsey was sold for $2.9 million. NFTs even\r\ngave new life to a popular 10-year-old internet meme, “Nyan Cat.” The original creator remastered the GIF and\r\nsold it as an NFT for 10 Ethereum ($590,000).\r\nExclusive possession of unique assets tends to drive the desire for ownership—and the price—sky-high. And\r\npredictably, online criminals are there trying to exploit this activity.\r\nFortiGuard Labs recently came across a peculiar-looking Excel spreadsheet that seemingly included NFT-related\r\ninformation. Instead, it downloads and installs the BitRAT malware in the background. This blog describes\r\nhow this attack works.\r\nAffected Platforms: Windows\r\nImpacted Users: Windows users\r\nImpact: Compromised machines are under the control of the threat actor\r\nSeverity Level: Medium\r\nStrange-looking Excel macro file (XLSM) and its target\r\nThe original source of the malicious Excel file has not been identified. However, the file provides some clues as to\r\nits origin and target. First, the XLSM is named “NFT_Items.xlsm”. Second, the file has two workbooks, one of\r\nwhich is in Hebrew. 
That workbook contains what appear to be legitimate Discord rooms that deal with NFTs. It\r\nalso includes the names of NFTs, forecasts for potential investment returns (hyped, solid, and 50/50), and selling\r\nquantities. Finally, like many similar recent attacks, this attack abuses Discord by using it to host malicious files.\r\nThese points provide enough evidence to conclude that the attacker likely sent a message to NFT enthusiasts in\r\nIsrael to entice them to download and open the malicious XLSM.\r\nhttps://www.fortinet.com/blog/threat-research/nft-lure-used-to-distribute-bitrat\r\nPage 1 of 6\n\nFigure 1. Malicious XLSM file, “NFT_Item.xlsm”\r\nThe XLSM contains a malicious macro, which the user is asked to enable upon opening the file. Once the XLSM\r\nfile is opened and the macro is enabled, the XLSM drops a batch file, which then uses a PowerShell script to\r\ndownload another file, NFTEXE.exe, from Discord.\r\nFigure 2. Malicious macro in NFT_Item.xlsx\r\nFigure 3. Windows batch file dropped by the malicious macro in NFT_Item.xlsx\r\nFigure 4. Decoded PowerShell script delivered by the batch file in Figure 3\r\nThe downloaded NFTEXE.exe is a .NET executable that attempts to run \"ipconfig /renew\" and then pulls down\r\nyet another file, NFTEXE.png, from Discord. Disguised as an image file, NFTEXE.png is pure data with all its\r\nstrings reversed (see Figure 5).\r\nFigure 5. Reversed strings in NFTEXE.png\r\nRunning \"ipconfig /renew\" is an attempt to disrupt analysis should the malware find itself running in a cloud\r\nanalysis environment: renewing the network configuration drops the analyst's connection so that NFTEXE.png is\r\nnot downloaded.\r\nNFTEXE.exe then reverses these strings to reconstruct the next-stage file, “Nnkngxzwxiuztittiqgz.dll”. This .NET DLL\r\nappears to have been compiled on January 2nd, 2022. 
Since the malicious XLSM was uploaded to a public\r\nonline scanning service on January 3rd, the XLSM file was distributed soon after compilation.\r\nNFTEXE.exe copies itself as C:\\Users\\[username]\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Adobe\\Cloud.exe,\r\nwhich runs at every startup to maintain persistence. NFTEXE.exe also makes a\r\ncopy of MSBuild.exe, a legitimate Windows file, in C:\\Users\\[username]\\AppData\\Local and runs it.\r\nNFTEXE.exe then injects the malicious payload into the running MSBuild.exe using Nnkngxzwxiuztittiqgz.dll.\r\nBitRAT\r\nOur analysis determined that the payload is BitRAT, a Remote Access Trojan (RAT) that was first sold on a\r\nhacking forum in August 2020.\r\nOne trait of the BitRAT sample that FortiGuard Labs analyzed is its use of Hidden VNC (HVNC). HVNC\r\nprovides an attacker with remote access to the compromised machine. BitRAT is known to have borrowed its\r\nHVNC code from another malware family, TinyNuke, whose source code was leaked in 2017. Another notable\r\nelement of the BitRAT sample is the string “AVE_MARIA”, used as a traffic header value when an HVNC\r\nclient communicates with its C2 server for verification. The HVNC communication is designed to fail if the traffic\r\nheader value is not “AVE_MARIA”.\r\nMore BitRAT functionality was revealed during our analysis once additional strings were decrypted. For example,\r\nwe were able to see that BitRAT can bypass User Account Control (UAC), a Windows security feature first\r\nintroduced in Windows Vista that helps prevent unauthorized changes to the operating system, and Windows\r\nDefender, an anti-malware component of Microsoft Windows first released with Windows XP. We also found\r\nthat this variant can monitor the screen and, if present, use the webcam.\r\nFigure 6. 
More BitRAT capabilities\r\nAfter the strings were decrypted, it also became apparent that BitRAT uses Slowloris for its DDoS capabilities.\r\nFigure 7. Slowloris DDoS\r\nOther BitRAT functionality includes:\r\nStealing credentials from browsers and applications installed on the compromised machine\r\nMining Monero cryptocurrency\r\nLogging keystrokes\r\nUploading and downloading additional files to the compromised machine\r\nListening live through a microphone\r\nIn an attempt to hide stolen information, this variant of BitRAT stores collected data (keystrokes, clipboard data,\r\netc.) in an alternate data stream (ADS) file that is mostly Base64-encoded.\r\nFigure 8. BitRAT writing to ADS file C:\\Users\\REM\\AppData\\Local:11-01-22\r\nAs can be inferred from the file name above, a new file is created each day and named after the current\r\ndate.\r\nFigure 9. Contents of the ADS log file.\r\nThe C2 server (205[.]185[.]118[.]52) this particular BitRAT variant connects to belongs to FranTech Solutions, a\r\nhosting provider known as a bulletproof hosting service provider. A bulletproof hosting service is just like a\r\nregular web hosting service in that it is used to store content. The difference is that a bulletproof hosting\r\nservice also hosts illegal content, such as malware, C2 infrastructure, exploit kits, and fake shopping sites. Such providers also tend to be\r\nmore resistant to complaints and takedown requests.\r\nConclusion\r\nIn this attack, NFTs were used to lure a victim into opening a malicious XLSM file that delivers BitRAT, which put the\r\nvictim’s data and machine at risk.\r\nNFTs are a new internet phenomenon that some view as a legitimate investment and money-making opportunity.\r\nAny investment comes with risk, but certain risks taken before money changes hands are avoidable. 
Be mindful\r\nthat attackers often use attractive and trendy subjects as lures. As NFTs become increasingly popular, they will be\r\nused to entice victims into opening malicious files or clicking on malicious links. Standard security practices, such\r\nas not opening files downloaded from untrusted or suspicious sources, can prevent threat actors from gaining\r\naccess to users’ money and valuable data.\r\nFortinet Protections\r\nThe FortiGuard Antivirus Service detects and blocks this threat as MSIL/Agent.JWX!tr.dldr and\r\nVBA/Agent.XC!tr.\r\nFortiEDR detects the downloaded NFTEXE.exe as malicious based on its behavior.\r\nAll network IOCs are blocked by the WebFiltering client.\r\nIOCs\r\nSample SHA-256:\r\n88ef347ad571f74cf1a450d5dad85a097bb29ab9b416357501cdc4c00388f796\r\n342a5102bc7eedb62d5192f7142ccc7413dc825a3703e818cf32094638ebd17a\r\nNetwork IOCs:\r\nhxxps://cdn[.]discordapp.com/attachments/923977279179202600/927289948825079828/NFT_LIST.xlsm\r\nhxxps://cdn[.]discordapp.com/attachments/927290851930013766/927291495604699167/NFT_LIST.xlsm\r\nhxxps://cdn[.]discordapp.com/attachments/923858595353874472/928279600659234826/NFTEXE.EXE\r\n205[.]185[.]118[.]52\r\nLearn more about Fortinet’s FortiGuard Labs threat research and intelligence organization and the FortiGuard\r\nSecurity Subscriptions and Services portfolio.\r\nSource: https://www.fortinet.com/blog/threat-research/nft-lure-used-to-distribute-bitrat",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://www.fortinet.com/blog/threat-research/nft-lure-used-to-distribute-bitrat"
	],
	"report_names": [
		"nft-lure-used-to-distribute-bitrat"
	],
	"threat_actors": [],
	"ts_created_at": 1775434605,
	"ts_updated_at": 1775791309,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2a3443fcabd85359f7b61b9fae9bf47e26fa17ea.pdf",
		"text": "https://archive.orkl.eu/2a3443fcabd85359f7b61b9fae9bf47e26fa17ea.txt",
		"img": "https://archive.orkl.eu/2a3443fcabd85359f7b61b9fae9bf47e26fa17ea.jpg"
	}
}