{
	"id": "5b1a9522-d281-44f2-b2b7-67af5237ce93",
	"created_at": "2026-04-06T00:17:40.274525Z",
	"updated_at": "2026-04-10T03:20:36.239006Z",
	"deleted_at": null,
	"sha1_hash": "46e55d1bb537a81f817a891131f7c480cedb6051",
	"title": "TrickBot's BazarBackdoor malware is now coded in Nim to evade antivirus",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1928437,
	"plain_text": "TrickBot's BazarBackdoor malware is now coded in Nim to evade\r\nantivirus\r\nBy Lawrence Abrams\r\nPublished: 2021-02-11 · Archived: 2026-04-05 14:16:34 UTC\r\nTrickBot's stealthy BazarBackdoor malware has been rewritten in the Nim programming language, likely to evade detection\r\nby security software.\r\nThe TrickBot cybercrime gang has been increasingly distributing their newer and stealthier BazarBackdoor malware through\r\nspam campaigns. Once a computer becomes infected, BazarBackdoor is used to provide the threat actors remote access to\r\nthe computer to spread laterally throughout a network.\r\nBazarBackdoor phishing email\r\nLast week, both cybersecurity firm Intezer and Advanced Intel's Vitali Kremez analyzed a new sample of BazarBackdoor\r\nand discovered that the TrickBot gang ported it to the Nim programming language.\r\nAccording to the programming language's website, Nim takes its inspiration from Python, Ada, and Modula and can\r\ngenerate executables supported on Windows, macOS, and Linux.\r\n\"Nim is one of the very few programmable statically typed languages, and combines the speed and memory efficiency of C,\r\nan expressive syntax, memory safety and multiple target languages.\" states the Nim website.\r\nAs it is rare to find malware developed using Nim, Kremez believes that the TrickBot gang ported BazarBackdoor to Nim to\r\nbypass detection by antivirus software.\r\n\"The backdoor component that is capable of command execution is written in NIM programming language to evade anti-virus detection. The crime group likely chose to pursue the lightweight malware development in Nim to frustrate anti-virus\r\nand detection mechanism focused on traditional binaries compiled in C/C++ style languages.\"\r\n\"Not too long ago, Golang has become another preferred language of choice for some malware families including\r\nRobbinHood ransomware majorly due to the fact that many anti-virus products fail to process and characterize\r\nunconventional binaries as malware due to unique section and binary content introduced by the Nim and similar exotic\r\nlanguages,\" Advanced Intel CEO Vitali Kremez told BleepingComputer in a conversation.\r\nOther malware developed in Nim is a ransomware family called XCry [VirusTotal] discovered by MalwareHunterTeam in\r\n2019.\r\nMore recently, the Nim-coded DeroHE ransomware [VirusTotal] was used in an attack against IObit forum users.\r\nNim is not the only uncommon language recently used to create malware. Last month, Kremez found that the new\r\nVovalex ransomware was written in the D programming language.\r\nSource: https://www.bleepingcomputer.com/news/security/trickbots-bazarbackdoor-malware-is-now-coded-in-nim-to-evade-antivirus/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/trickbots-bazarbackdoor-malware-is-now-coded-in-nim-to-evade-antivirus/"
	],
	"report_names": [
		"trickbots-bazarbackdoor-malware-is-now-coded-in-nim-to-evade-antivirus"
	],
	"threat_actors": [],
	"ts_created_at": 1775434660,
	"ts_updated_at": 1775791236,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/46e55d1bb537a81f817a891131f7c480cedb6051.pdf",
		"text": "https://archive.orkl.eu/46e55d1bb537a81f817a891131f7c480cedb6051.txt",
		"img": "https://archive.orkl.eu/46e55d1bb537a81f817a891131f7c480cedb6051.jpg"
	}
}