{
	"id": "201b7ec5-b1b7-49e5-8fba-700098f441cc",
	"created_at": "2026-04-06T01:31:16.056987Z",
	"updated_at": "2026-04-10T13:12:46.13308Z",
	"deleted_at": null,
	"sha1_hash": "732967b261da2a942cd918513b966b5085f6a863",
	"title": "A year of Fajan evolution and Bloomberg themed campaigns",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2499189,
	"plain_text": "A year of Fajan evolution and Bloomberg themed campaigns\r\nBy Vanja Svajcer\r\nPublished: 2021-04-21 · Archived: 2026-04-06 00:09:54 UTC\r\nBy Vanja Svajcer.\r\nNews summary\r\nSome malware campaigns are designed to spread malware to as many people as possible — while some\r\nothers carefully choose their targets. Cisco Talos recently discovered a malware campaign that does not fit\r\nin any of the two categories. This actor has a relatively low volume of recovered samples, which makes it\r\ndifficult to decide whether the campaigns are carefully targeted or mass-spammed.\r\nCisco Talos recently discovered a series of low volume email campaigns we're calling \"Fajan,\" targeting\r\nusers with Bloomberg BNA-based email messages since at least March 2020.\r\nThese threats demonstrate several techniques of the MITRE ATT\u0026CK framework, most notably Scripting -\r\nT1064, PowerShell - T1059.001, Process Injection - T1055, Non Standard Port - T1571, Remote Access\r\nSoftware - T1219, Input Capture - T1056, Obfuscated Files or Information - T1027 and Registry Run Keys\r\n/ Startup Folder - T1547.001\r\nThe actor employs various methods to install and run a variant of either JavaScript- or VBScript-based remote\r\naccess trojans (RATs). The command and control (C2) IP addresses of the script-based RATs are also shared with\r\nsome other popular families such as Netwire RC and Revenge RAT.\r\nIn one instance, we also observed Nanocore RAT as the final payload with a C2 server IP address shared with\r\nother RAT families such as XpertRAT.\r\nThe campaigns are likely a work of a single actor that keeps experimenting with various TTPs to make the\r\ncampaigns more difficult to detect and more successful.\r\nWhat's new?\r\nWe believe this is the first time anyone's documented Fajan's operations. The actor is actively maintaining\r\nthe tools and has been active since March 2020. 
Based on the observed IOCs and TTPs, we have moderate\r\nconfidence that the actor is an Arabic-speaking person or group.\r\nHow did it work?\r\nThe infection starts with an email containing a message which pretends to come from Bloomberg's BNA\r\ndivision — a site dedicated to providing legal and regulatory information to professionals. The email\r\ncontains an Excel spreadsheet as an attachment, containing macro code to either download the next\r\ninfection stage or drop and run the final payload.\r\nhttps://blog.talosintelligence.com/2021/04/a-year-of-fajan-evolution-and-bloomberg.html\r\nPage 1 of 17\n\nThe payload is always a RAT that allows the attacker to take control over the infected system using HTTP over a\r\nnon-standard TCP port.\r\nThe main payload is a JavaScript file, a VBScript file or a standard Windows PE binary.\r\nSo what?\r\nThe actors behind Fajan campaigns are actively maintaining and developing functionality to make the\r\nattacks more successful. The campaigns use email messages, which are still the most commonly used vector in\r\na successful compromise. The inclusion of remote access trojans as payloads of the campaign indicates the\r\nactors may want to carry out surveillance operations or steal user data. The C2 servers were not responsive\r\nat the time of analysis and we could not discover the final objective of the campaigns.\r\nTechnical details\r\nEmail messages\r\nAll Fajan email messages contain basic content that purportedly informs a subscriber of the Bloomberg\r\nBNA service that they owe a payment, and include an Excel spreadsheet as an attachment.\r\nThe attachment name always contains some form of the Bloomberg BNA Invoice name combined with a random\r\nnumber specific for a particular campaign. 
Some early examples of campaign email messages contain a second\r\nattachment containing a copy of the email body text as a clean RTF file.\r\nExample of a Fajan email campaign from April 2020.\r\nThe phone number included in Fajan's emails seems to be a private phone number located in New York, and is\r\nlikely unrelated to the actor's true phone number.\r\nExcel attachment VBA macro code\r\nEach Bloomberg-themed campaign attachment contains VBA code that differs from other, similar\r\ncampaigns. The changes may have been generated by an automated tool, and in some instances, even coded\r\nby the actor.\r\nThe VBA code is lightly obfuscated to break the most obvious strings, such as the filenames. The actors hope\r\nthese small changes will be sufficient to make detection more difficult. One notable feature of most Fajan\r\ndroppers is that they place some of the content into the Excel spreadsheet cells, which may make emulation of the\r\ncode and detection more difficult. Defenders will sometimes only scan the contents of the usual macro streams to\r\nwrite their detection, so placing it in the cell could bypass this technique.\r\nIf an attachment contains VBA macro code, it's usually to drop and execute a JavaScript or a VBScript-based\r\npayload. The payloads are described later in this post and are rather simple RATs that connect to a hardcoded IP\r\naddress and listen for commands sent using HTTP over a non-standard TCP port number.\r\nThe first example is an automatically executed VBA macro that uses a combination of the content of the Excel\r\ncells and hardcoded strings to form the content of a JavaScript payload — jobswebsite.js. 
The payload is lightly\r\nobfuscated and can be easily deobfuscated with an emulator or by replacing the eval function with the function\r\nwscript.echo.\r\nAn example of a VBA dropper dropping a JavaScript-based payload.\r\nExcel cells containing malicious code snippets used by VBA macros.\r\nThe second example we give here is a VBA dropper that drops and executes a VBScript-based payload with the\r\nfilename \"webstyle.vbs.\"\r\nVBA macro to drop and execute webstyle.vbs.\r\nThe VBA macro code almost always ends with a snippet that deletes the cell contents hosting fragments of\r\nmalicious code and adds additional, legitimate-looking content to the first cells in an Excel worksheet. This\r\nmeans the VBA code will be rendered unusable after running once, but it makes the document slightly more\r\ndifficult to discover.\r\nCleanup VBA code toward the end of the Workbook_Open function.\r\nExcel 4.0 formula macros\r\nApproximately 60 percent of the attachments use VBA to drop and run a malicious payload. The rest of the\r\nattachments contain Excel 4.0 macro formulas designed to be executed when the files are opened. All of them\r\ncontain simple code to execute a PowerShell command line to download and execute the next stage from a\r\nPastebin URL. The raw content of the Pastebin URL is supplied as an argument to the Invoke-Expression\r\n(IEX) scriptlet, which executes the downloaded code in memory.\r\nExcel 4.0 macro formula downloader code.\r\nIntermediate stages\r\nIt is not entirely clear why one or more intermediate stages are used, as the attacks can\r\nbe stopped by blocking any individual stage. 
The more stages there are, the more likely the detection will be\r\neffective. The stages may be used to conceal the location of the final payload or to allow the actors the flexibility to change\r\nthe payload by changing the content of intermediate stages.\r\nPastebins — simple PowerShell downloaders\r\nAll of the retrieved Pastebins contain code to download and run a payload from the free file-sharing site Top4top.io,\r\nexcept one early example whose URL points to a payload hosted by the Amazon S3 service.\r\nOne outlier downloader from Pastebin with the payload hosted using the Amazon S3 storage service.\r\nTop4top.io is a free file-sharing site that is popular among users in Egypt, Algeria and Yemen, according to its\r\nCisco Umbrella domain requester distribution. Usually, Top4top URLs from the intermediate stages look like\r\nmedia file types but the downloaded files are VBScript-based payloads using filenames \"c.vbs\" or \"NoSleep.vbs\".\r\nNoSleep.vbs, a final payload, is downloaded from Top4Top.io.\r\nTop4Top.io seems to be aware of the frequent abuse of the site, as there is a dedicated section for reporting it to\r\nthe operators of the site, which is hosted by OVH.\r\nIn some cases, the Top4Top intermediate stage was already removed after an abuse report.\r\nJavaScript payloads\r\nA typical final payload dropped by Excel VBA code is a script file, which uses HTTP to\r\ncommunicate with the C2 server. The client collects some information about the infected system and uses\r\nthe collected information as the User-Agent string in the HTTP header, presumably to keep the state for\r\neach individual infected system. 
The client uses non-standard TCP ports such as 1111 and 1155 to\r\ncommunicate with the C2 server.\r\nThe client expects the C2 server to send commands and parameters in an HTTP response with a typical command\r\nused to download and run additional modules from a URL. Here, we see an example of the command \"RF,\" which\r\nis used to create another script file in the user's Temporary folder and run it using the run function of the\r\nWscript.Shell ActiveX object.\r\nA snippet of Fajan JavaScript RAT code.\r\nThe available commands in this JavaScript example are:\r\nSc: Download a script file into the user's Temp folder and run it.\r\nEx: Execute downloaded code using the eval function.\r\nRF: Same as Sc.\r\nVBScript payloads\r\nIn the Pastebin download branch, the payload is a lightly obfuscated VBScript that\r\ncan be easily deobfuscated.\r\nObfuscated Nosleep.vbs payload.\r\nOnce deobfuscated, we see that the functionality of VBScript-based payloads is very similar to the functionality of\r\nJavaScript payloads. In this VBScript example, the client sends a request to the C2 server and expects a response\r\nwhich is then split based on the string specified in a variable. The string for splitting for this sample is \"NAJAF\".\r\nOther similar scripts have been uploaded to VirusTotal. Their authorship is claimed by an actor with the handle\r\n\"Security.Najaf.\" This may imply that the origin of Fajan's author is Iraq, although it could also be just a coincidence\r\nor false flag.\r\nIt is also possible that we are dealing with an entirely different actor, simply reusing the available script code or\r\nemploying a code generator developed by Security.Najaf. 
Nevertheless, we decided to name the campaigns Fajan,\r\nreversing the string used to split the command sent from the C2 server.\r\nA snippet of Fajan VBScript-based RAT code.\r\nHere is the list of commands supported by one version of a VBScript-based RAT:\r\nExc: Create a file in the user's temp folder, download and save the content and run the file.\r\nNim: Download and save a file in the user's Startup folder, using the filename supplied by the C2 server.\r\nNanocore RAT payload\r\nOne exception to the usual pattern of dropping or downloading a script-based\r\npayload is an instance discovered on Feb. 16, 2021. Here, we are dealing with an almost identical email\r\ncampaign, but the Excel file is a bit different.\r\nA Fajan campaign, but with the Nanocore RAT downloader as the payload. The attachment size differs and the\r\nattachment naming scheme is slightly different.\r\nInstead of downloading the next stage from Pastebin or dropping a final payload, the VBA macro drops and\r\nexecutes a VBScript-based downloader.\r\nVBScript-based downloader dropped and executed by the VBA macro code.\r\nOnce again, the payload loader is downloaded from the Top4Top.io file sharing site. 
The content of the loader is\r\ndownloaded to memory and it contains PowerShell code very similar to what we previously described in our\r\npost about recent MassLogger campaigns.\r\nNanocore payload stored as a lightly obfuscated PowerShell string.\r\nThis indicates that actors behind Fajan and behind related MassLogger and Agent Tesla campaigns are using a\r\nsimilar toolkit to generate the .NET DLL assembly loaders which decode the payload and load the payload into\r\nthe process space of the legitimate Windows process msbuild.exe.\r\nNanocore payload is injected into an msbuild.exe instance.\r\nNanocore is a well-known commercial Trojan available for sale since 2013. The author was arrested in 2017 and\r\nwas sentenced to 33 months in prison. Since then, development of Nanocore has stopped, but some versions have\r\nbeen successfully cracked and are widely used by attackers.\r\nThe Nanocore client is written in C# and contains a resource segment with the configuration information, which is\r\nextracted, decompressed and decrypted when the client is launched.\r\nNanocore configuration reading function.\r\nOnce decrypted, the configuration can be dumped from memory. Alternatively, a Nanocore dumper tool released\r\nby Mario Henkel can be used to extract the information from the client without debugging.\r\nWe extracted the configuration information from the client, which shows version 1.2.2.0, one of the\r\ncracked versions. The build date for the campaign executed on Feb. 16 was listed as Jan. 
11, 2021 and the C2\r\nserver used was 79.134.225.33 using the TCP port 83.\r\nDumped Nanocore configuration.\r\nNanocore is a modular RAT supporting an ecosystem allowing the developer and its affiliates to use additional\r\nplugins embedded into the final payload using the Nanocore Builder tool.\r\nNanocore GUI displaying the available plugins.\r\nThis specific payload was configured to include the following plugins:\r\nClient Plugin: Handles communications with the C2 server.\r\nCore Plugin: Additional functions to collect recon about the client.\r\nManagement Plugin: Remote console, remote registry editor, file browser, task manager.\r\nNetwork Plugin: Additional network support such as reverse SOCKS proxy.\r\nSecurity Plugin: Access to client firewall and anti-malware configuration.\r\nSurveillance Plugin: Password stealing and keylogging.\r\nSurveillanceEx Plugin: Remote desktop support, video and audio capture.\r\nTools Plugin: Miscellaneous functions, instant messaging, memory and process cleanup.\r\nConclusion\r\nInfection chains observed in Fajan campaigns.\r\nWe've examined sustained campaigns using Bloomberg BNA-themed email messages as the initial infection\r\nvector. Fajan's author has been actively developing the campaigns since at least March 2020. We named these\r\ncampaigns \"Fajan\" based on the string that may indicate its author, taken from the body of a script payload.\r\nThere is not enough information to show if these campaigns are targeted or aiming to attack any user. 
Currently,\r\nwe do not have enough information to determine the final goal of these campaigns, since the final payload is a\r\nRAT with the ability to remotely control infected systems and install additional software.\r\nNevertheless, we feel it is important to document Fajan's activities to show how the actor is varying TTPs over a\r\nperiod of time and to describe different techniques used to make the campaigns more successful.\r\nCoverage\r\nWays our customers can detect and block this threat are listed below.\r\nCisco Secure Endpoint (AMP) is ideally suited to prevent the execution of the malware used by these threat\r\nactors. Exploit Prevention present within AMP is designed to protect customers from unknown attacks such as this\r\nautomatically.\r\nCisco Cloud Web Security (CWS) or Cisco Secure Web Appliance (WSA) web scanning prevents access to\r\nmalicious websites and detects malware used in these attacks.\r\nCisco Secure Email can block malicious emails sent by threat actors as part of their campaign.\r\nNetwork Security appliances such as Cisco Secure Firewall (NGFW), Cisco Secure IPS (NGIPS), Cisco ISR\r\nand Meraki MX can detect malicious activity associated with this threat.\r\nCisco Secure Malware Analytics helps identify malicious binaries and builds protection into all Cisco Security\r\nproducts.\r\nUmbrella, our secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs,\r\nwhether users are on or off the corporate network.\r\nOpen Source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack\r\navailable for purchase 
on Snort.org.\r\nIOCs\r\nIP addresses\r\n194.37.97.172 - C2 server - Romania\r\n194.37.97.135 - C2 server - Romania, Netwire, RevengeRAT\r\n89.40.206.121 - C2 server - Romania\r\n79.134.225.33:83 - C2 server - Nanocore - Switzerland, known C2 IP for other families such as XpertRAT\r\nSource: https://blog.talosintelligence.com/2021/04/a-year-of-fajan-evolution-and-bloomberg.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.talosintelligence.com/2021/04/a-year-of-fajan-evolution-and-bloomberg.html"
	],
	"report_names": [
		"a-year-of-fajan-evolution-and-bloomberg.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775439076,
	"ts_updated_at": 1775826766,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/732967b261da2a942cd918513b966b5085f6a863.pdf",
		"text": "https://archive.orkl.eu/732967b261da2a942cd918513b966b5085f6a863.txt",
		"img": "https://archive.orkl.eu/732967b261da2a942cd918513b966b5085f6a863.jpg"
	}
}