{
	"id": "300da1fb-4d7a-4408-a9d3-ff6ef19b2437",
	"created_at": "2026-04-06T00:08:21.604473Z",
	"updated_at": "2026-04-10T03:33:18.78356Z",
	"deleted_at": null,
	"sha1_hash": "3d3d35be5b85542bcf41046f8c078d90637dec01",
	"title": "Spear-Phishing Campaign Distributes Nim-Based Malware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 149690,
	"plain_text": "Spear-Phishing Campaign Distributes Nim-Based Malware\r\nBy Prajeet Nair\r\nArchived: 2026-04-05 13:41:47 UTC\r\nCybercrime, Fraud Management \u0026 Cybercrime, Fraud Risk Management\r\nNimzaLoader Uses Nim Programming Language to Avoid Detection (@prajeetspeaks) • March 12, 2021\r\nTA800 targets individuals with tailored phishing emails. (Source: Proofpoint)\r\nAn ongoing spear-phishing campaign by the threat group TA800 is distributing a new malware loader based on the\r\nNim programming language that's designed to help avoid detection, according to the cybersecurity company\r\nProofpoint.\r\n“TA800 has predominantly used BazaLoader since April of 2020, but on February 3, 2021 they distributed this\r\nnew malware we are calling NimzaLoader,” says Sherrod DeGrippo, senior director of Proofpoint's threat research\r\nand detection team. “This malware is exclusive to TA800, and we've only seen it distributed once. This could be a\r\nsign of more to come.”\r\nLewis Jones, threat intelligence analyst at cybersecurity company Talion, notes: \"The use of Nim is uncommon for\r\nmalware in the threat landscape. However, we have recently seen a Nim-based downloader used by the Zebrocy\r\nthreat group. It is likely that the threat actors are switching to Nim to avoid detection by defense teams who may\r\nnot be familiar with the language.\"\r\nhttps://www.healthcareinfosecurity.com/spear-phishing-campaign-distributes-nim-based-malware-a-16176\r\nProofpoint researchers also found evidence suggesting NimzaLoader is being used to download and execute\r\nCobalt Strike as its secondary payload.\r\nNimzaLoader Malware\r\nOn Feb. 3, researchers discovered the Nim-based malware was being distributed via phishing. The messages are\r\noften designed to look as if they came from within the targeted company, DeGrippo says. 
“Lures have included\r\nhard-to-resist subjects, such as payments, meetings, termination, bonuses and complaints in the subject line or\r\nbody of the email,” he says.\r\nThe messages contained links presented as a PDF preview that actually led to a GetResponse (an email\r\nmarketing service) landing page, Proofpoint discovered.\r\n\"The landing pages contained a link to the 'PDF' which was the NimzaLoader executable hosted on Slack and used\r\na fake Adobe icon in an attempt to fool the user,\" the researchers note.\r\nNim-related strings used by the malware are encrypted when stored by using an XOR-based algorithm and a\r\nsingle key per string. One of those encrypted strings is a timestamp used as an expiration date for the malware,\r\nProofpoint says.\r\n\"At the time of research, all known NimzaLoader C2s were down, but a public malware sandbox run seems to\r\nshow it receiving a 'powershell' command that ultimately delivered a Cobalt Strike beacon,\" the researchers say.\r\n\"We are unable to validate or confirm this finding, but it does align with past TA800 tactics, techniques and\r\nprocedures.\"\r\nEvolving Tactics\r\nThe switch to using Nim is a good example of how threat actors are constantly changing tactics to avoid detection,\r\nJones says.\r\n\"The activity has so far been linked to TA800, who are a threat group that has targeted a wide range of industries\r\ninfecting victims with banking Trojans and malware loaders,\" Jones says. \"Previous activity by the group has\r\noften shown how the group has completed initial reconnaissance on targets to specifically target individuals with\r\ntailored phishing emails attempting to look more genuine and increasing success of the campaigns.\"\r\nIn the fourth quarter of last year, TA800 was responsible for a wave of attacks against the healthcare sector using a\r\nloader called BazaLoader, DeGrippo says. 
“BazaLoader, under the control of a separate threat actor, subsequently\r\ninstalled a ransomware strain called Ryuk.”\r\nDeGrippo says Proofpoint's analysis corroborates analysis by other researchers that NimzaLoader is not a\r\nBazaLoader variant. That's because NimzaLoader is written in a different programming language and does not use\r\nthe same code-flattening obfuscator.\r\nSource: https://www.healthcareinfosecurity.com/spear-phishing-campaign-distributes-nim-based-malware-a-16176",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.healthcareinfosecurity.com/spear-phishing-campaign-distributes-nim-based-malware-a-16176"
	],
	"report_names": [
		"spear-phishing-campaign-distributes-nim-based-malware-a-16176"
	],
	"threat_actors": [
		{
			"id": "cf32661e-7543-4b57-8665-7f8101a000e9",
			"created_at": "2023-01-06T13:46:39.322379Z",
			"updated_at": "2026-04-10T02:00:03.287241Z",
			"deleted_at": null,
			"main_name": "TA800",
			"aliases": [],
			"source_name": "MISPGALAXY:TA800",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434101,
	"ts_updated_at": 1775791998,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3d3d35be5b85542bcf41046f8c078d90637dec01.pdf",
		"text": "https://archive.orkl.eu/3d3d35be5b85542bcf41046f8c078d90637dec01.txt",
		"img": "https://archive.orkl.eu/3d3d35be5b85542bcf41046f8c078d90637dec01.jpg"
	}
}