{
	"id": "96829f67-8a34-4587-9b5b-9b4e7369a0e6",
	"created_at": "2026-04-06T00:16:24.230003Z",
	"updated_at": "2026-04-10T03:20:00.546323Z",
	"deleted_at": null,
	"sha1_hash": "627277ed390c28d6c33e36d625d228f8c64aa5d6",
	"title": "Cova and Nosu: a new loader spreads a new stealer | Bitsight",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1695514,
	"plain_text": "Cova and Nosu: a new loader spreads a new stealer | Bitsight\r\nArchived: 2026-04-05 17:18:16 UTC\r\nBitsight has discovered two previously undocumented malware families named Cova and Nosu. They have\r\ndifferent purposes and capabilities, although we found some similarities during our research:\r\nCova is a tiny loader with capabilities to update itself, download and execute files, and load DLLs.\r\nNosu is a stealer capable of gathering credentials, cookies, crypto wallets, and files.\r\nThe threat actor is using Cova to distribute both the SystemBC proxy bot and the Nosu stealer.\r\nThe server where the Cova web panel is installed is also hosting a SystemBC panel.\r\nGiven the similarity between the Cova and Nosu web panels, it is very likely that these two malware families\r\nare developed by the same individual(s).\r\nDuring our research efforts to track the usage of the SystemBC proxy bot, we came across a command and control\r\n(C2) server that was hosting a web panel in the root of the HTTP server with \"Cova\" as the title. From there it didn't\r\ntake us too long to find a sample with a PDB string that matched the title of the web panel:\r\nFigure 1 - PDB string (h/t PE-Bear)\r\nPDBs store symbols. When executables refer to PDB files it means they were compiled in debug mode. This\r\nusually gives hints about the internal names of the projects and other interesting details.\r\nhttps://www.bitsight.com/blog/cova-and-nosu-new-loader-spreads-new-stealer\r\nPage 1 of 7\n\nAfter reverse engineering the sample, we concluded that this malware was in fact a loader that waits for\r\ninstructions to download additional malware onto the infected system. Loaders are a type of malware whose sole\r\npurpose is to download and run other malware on infected systems. The process of successfully infecting\r\nsystems with another malware is often referred to as “loads” and a loader's success is often measured by the\r\nnumber of loads it can provide as well as the quality of the infections.\r\nTo get further instructions, Cova sends a request to the C2 server every 15 minutes using an HTTP GET request to\r\nthe following endpoint: http://\u003cc2 ip\u003e/client.php?p=\u003cencoded data\u003e.\r\nTo build the data that goes into the p query parameter, the loader generates a bot ID based on the value that is\r\nstored in the registry key Software\\Microsoft\\Cryptography under MachineGuid:\r\nFigure 2 - Bot ID generation\r\nNext, it collects the hostname and the username and builds a Unicode string with the following format:\r\n\u003ccomputer name\u003e||\u003cusername\u003e||0||\u003crandom number computed with RtlRandomEx\u003e||\u003cbot ID\u003e\r\nAs the final step, the loader builds a string with the hex values of the previous Unicode string containing the data.\r\nFor example, the string MYPC||user1||0||1749582054||11510924602506494874 is converted into\r\n4D005900500043007C007C00750073006500720031007C007C0030007C007C0031003700340039003500380032003000350034007C007C0031003100350031003000390032003400360030003200350030003600340039003400380037003400.\r\nThe C2 server response is always 648 bytes long and it contains an instruction for the bot. The structure below\r\nshows the format of the C2 response:\r\nFigure 3 - C2 response structure\r\nExample of a parsed response:\r\nFigure 4 - Parsed C2 response\r\nCurrently, the loader supports the following commands:\r\nID Name Description\r\n100 Idle Do nothing\r\n200 Update Download and execute an update\r\n300 Download and Execute Download executable file, drop to disk, and execute\r\n400 Parsed Dll Download and launch Dll (in memory)\r\nThe URLs from command ID 400 (Parsed Dll) retrieve a custom encoded DLL with some bootstrap code in it.\r\nThe function below is responsible for parsing, decoding, and launching the bootstrap code that will load and\r\nexecute the DLL in memory:\r\nFigure 5 - Encoded DLL parser\r\nWe didn't have to figure out the encoding in detail given that the easiest solution was to build a simple C loader\r\nthat would take an encoded file as input and perform the same exact operations as the previous decoder function\r\n(Figure 5). From there it was easy to dump the decoded DLLs from memory with a tool like PE-sieve.\r\nThe web panel is very simple and allows the botnet operator to view all the bots, define tasks, and search/filter for\r\nspecific bots.\r\nFigure 6 - Cova login and panel\r\nFigure 7 - Cova panel task creation\r\nFigure 8 - Cova panel search\r\nSince we started tracking this loader, we have observed over 3700 infected systems across most of the world, with\r\nmuch greater impact in North and South American countries. The top 10 most affected countries are (in order) the\r\nUnited States, Brazil, Indonesia, Vietnam, Philippines, Colombia, Mexico, Thailand, Argentina, and Chile.\r\nFigure 9 - Geographic distribution of victims\r\nDuring our research, we observed that the botnet operator has been using Cova to infect systems with the SystemBC\r\nproxy bot and a new malware named Nosu stealer. Nosu is capable of stealing credentials from various types of\r\napplications, browser cookies, crypto wallets, and files from the infected systems. We also found that the\r\nNosu web panel is very similar to the Cova panel, suggesting that this might be work done by the same developer:\r\nFigure 10 - Nosu stealer login and panel\r\nWhile tracking the current usage of the SystemBC proxy bot, Bitsight has discovered two previously\r\nundocumented malware families being used in the wild. Cova is a tiny and simple loader but it seems capable of\r\ndoing its job. On the other hand, Nosu seems to be just another stealer capable of providing the threat actor(s) with\r\ntons of information that can be monetized.\r\nWe could see the similarities between the web panels of these two families and it seems very likely that they are\r\ndeveloped by the same individual(s). We'll keep an eye on these families and see how they evolve.\r\nIf you are curious about the SystemBC proxy bot, have a look at our blog post where we explain how it works:\r\nhttps://www.bitsight.com/blog/systembc-multipurpose-proxy-bot-still-breathes\r\nC2 servers:\r\n80.66.77[.]6 - Cova \u0026 SystemBC C2 server\r\n80.66.77[.]54 - Cova \u0026 SystemBC C2 server\r\n80.66.77[.]63 - Cova \u0026 SystemBC C2 server\r\n80.66.77[.]95 - Cova \u0026 SystemBC C2 server\r\n80.66.77[.]125 - Cova \u0026 SystemBC C2 server\r\n80.66.77[.]33 - Nosu stealer C2 server\r\nFile hashes:\r\n11ffd58d2707121ab5363d6c08560a50d3209bf60dd4b8eec066eb4241aa7bee - Cova (packed)\r\nb0eaf0cc2f88701a216bb994a7bcbd43cb21ac11e295af9f99e6b56d6797ea01 - Cova (unpacked)\r\n8d6ba779eb230cb2f0f2db98179d5342f0d9f2cd74c7537d736ecea156195292 - Cova (packed)\r\na1ae4a7440c7f2f0d03c6f2e05ff97b875e8295cf2b340b96fdda919af6c7eb5 - Cova (unpacked)\r\n6499cadaea169c7dfe75b55f9c949659af49649a10c8b593a8db378692a11962 - Nosu stealer\r\nb369ed704c293b76452ee1bdd99a69bbb76b393a4a9d404e0b5df59a00cff074 - SystemBC (dropped by Cova)\r\nSource: https://www.bitsight.com/blog/cova-and-nosu-new-loader-spreads-new-stealer",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.bitsight.com/blog/cova-and-nosu-new-loader-spreads-new-stealer"
	],
	"report_names": [
		"cova-and-nosu-new-loader-spreads-new-stealer"
	],
	"threat_actors": [],
	"ts_created_at": 1775434584,
	"ts_updated_at": 1775791200,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/627277ed390c28d6c33e36d625d228f8c64aa5d6.pdf",
		"text": "https://archive.orkl.eu/627277ed390c28d6c33e36d625d228f8c64aa5d6.txt",
		"img": "https://archive.orkl.eu/627277ed390c28d6c33e36d625d228f8c64aa5d6.jpg"
	}
}