{
	"id": "2f35809a-4992-49d4-aecd-852050db9d14",
	"created_at": "2026-04-06T00:20:20.275848Z",
	"updated_at": "2026-04-10T03:20:27.90543Z",
	"deleted_at": null,
	"sha1_hash": "86af9bbad64e1630ec8f79dfd4ef50afb2d44be2",
	"title": "Dismantling a Nuclear Bot | NETSCOUT",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1159830,
	"plain_text": "Dismantling a Nuclear Bot | NETSCOUT\r\nArchived: 2026-04-05 16:35:50 UTC\r\nA recent tweet mentioned that a new banking malware called “Nuclear Bot” has started to appear for sale on\r\nunderground marketplaces. Its price starts around $2500, which is more than double the price of another recent\r\nentry to the market. This post dismantles a sample of this malware to determine whether we need to take Bert the\r\nTurtle’s advice to duck and cover.\r\nSample\r\nThe sample analyzed for this post is available on VirusTotal. It has a helpful debugging string:\r\nE:\\Nuclear\\Bot\\Release\\Dropper.pdb\r\nIt also phones home to a command and control (C2) server with an identifying login panel:\r\nIn the rest of this post we'll be discussing the dropper, bot, and webinject components of Nuclear Bot.\r\nDropper Component\r\nhttps://www.netscout.com/blog/asert/dismantling-nuclear-bot\r\nPage 1 of 7\n\nThe first component is the dropper. It starts by manually loading a number of Windows libraries. The\r\nlibrary names are obfuscated with XOR and a hardcoded key. The following Python snippet decodes an example\r\nobfuscated string to “ntdll.dll”:\r\n# Hardcoded 6-byte XOR key (\\f is the form-feed byte 0x0C)\r\nkey = \"\\x03\\x0E\\x18\\f\\x1A\\x1F\"\r\nencbuf = \"mz|`v1gbt\"\r\nplainbuf = []\r\nfor i, c in enumerate(encbuf):\r\n    # Each byte is XORed with the key byte at the same offset, cycling through the key\r\n    plain = ord(c) ^ ord(key[i % len(key)])\r\n    plainbuf.append(chr(plain \u0026 0xff))\r\nprint(\"\".join(plainbuf))\r\nAfter the libraries are loaded, it will resolve a number of functions from them using API hashing. 
The following\r\nPython snippet hashes an example function name, “LoadLibraryA”, to its hash “0x3b7225fc”:\r\nname = \"LoadLibraryA\"\r\nhash_val = 0\r\nfor i, c in enumerate(name):\r\n    # Odd and even character positions use different shift amounts\r\n    if i \u0026 1:\r\n        v6 = (~(ord(c) ^ (hash_val \u003e\u003e 5) ^ (hash_val \u003c\u003c 11))) \u0026 0xffffffff\r\n    else:\r\n        v6 = (ord(c) ^ (hash_val \u003e\u003e 3) ^ (hash_val \u003c\u003c 7)) \u0026 0xffffffff\r\n    hash_val ^= v6\r\n# Mask to 31 bits to produce the final hash value\r\nhash_val = hash_val \u0026 0x7fffffff\r\nprint(hex(hash_val))\r\nNext it generates a bot ID based on the root volume serial number, an example of which is:\r\n{496E9266-9266-1717986918}\r\nIt will then perform three types of anti-analysis:\r\n1. Detecting common analysis software such as IDA Pro and Sysinternals tools\r\n2. Detecting common sandboxes and virtual machines\r\n3. Detecting debugging via a timing check\r\nIf it detects it is being run in an analysis environment it will delete itself. Persistence is set up by copying itself to the\r\n“%appdata%” directory and adding a “Software\\Microsoft\\Windows\\CurrentVersion\\Run” entry in the user’s\r\nregistry.\r\nAfter things are set up, an svchost (-k netsvcs) process is started and a DLL is injected into it. The DLL is stored\r\ncompressed in the dropper and is decompressed using the RtlDecompressBuffer Windows API.\r\nBefore transitioning to the next component some system information is written to a “\u003cbotid\u003e.txt” text file in\r\n\"%appdata%\" where “\u003cbotid\u003e” is replaced with the bot’s ID. The system information is pipe delimited and\r\nconsists of:\r\ninfo\r\nWindows version\r\nComputer name\r\nUsername\r\nisWow64 status\r\nis Admin status\r\nBot Component\r\nThe injected DLL or “bot” component is available at VirusTotal. It uses the same library loading and function\r\nresolving technique as in the dropper. 
After this initial setup an empty HTTP POST request is sent to the C2\r\nserver:\r\nThe reply from the C2 server will be a hex string that will be used as an XOR key to obfuscate further C2\r\ncommunications. The following Python snippet describes the obfuscation:\r\n# XOR key as returned by the C2; its ASCII characters are used directly, not decoded from hex\r\nkey = \"920e9b92bb97c06fbaf1c4854db682898a85cb1e\"\r\ninbuf = \"ping\"\r\noutbuf = []\r\nfor i, c in enumerate(inbuf):\r\n    b = ord(c) ^ ord(key[i % len(key)])\r\n    outbuf.append(chr(b \u0026 0xff))\r\nprint(\"\".join(outbuf))\r\nNext the system information from the “\u003cbotid\u003e.txt” file is read and sent to the C2 server:\r\nCommands are polled with a “ping” command. The response is pipe delimited where the first field denotes the\r\ncommand number and the rest are command arguments. The following commands have been identified:\r\n0 – Download and execute\r\n1 – VNC\r\n2 – SOCKS4 proxy\r\n3 – Update self\r\nIn addition to the above commands, Nuclear Bot has “man-in-the-browser” (MitB) functionality that in\r\nconjunction with webinjects—rules denoting what websites to target and how—lets it social engineer and steal\r\ncredentials from financial and other websites. The MitB code is stored as a compressed DLL in either the “.x86”\r\nor “.x64” PE file section of the bot’s file:\r\nIt can be decompressed\r\nusing RtlDecompressBuffer as before and the x86 DLL used for this analysis is also available on VirusTotal.\r\nBased on a debug string, the developer calls this DLL “Engine32”.\r\nEngine\r\nThe “engine” DLL is first injected into explorer.exe. In explorer.exe, the CreateProcessW Windows API is hooked\r\nso that it can control future process creation. The function hook first determines what process is being created.\r\nNext it passes execution to the real CreateProcessW function so that the process is created. 
Finally, if the process\r\nis a web browser (Internet Explorer, Firefox, Chrome, or Opera) it will open a named pipe whose name is\r\nthe bot’s ID and write the newly created web browser’s process ID (PID) to it. The other end of the pipe is\r\nopened by the above bot component and once it receives a PID it will inject the “engine” component into that\r\nprocess—this is how the MitB component gets into web browsers.\r\nOnce injected into a web browser it will determine which web browser it is and hook the appropriate functions—\r\ne.g. InternetConnectW, HttpOpenRequestW, InternetReadFile, etc. in Internet Explorer and PR_Read and\r\nPR_Write in Firefox. These hooks monitor the victim’s web browsing (HTTPS doesn’t matter at this layer of\r\ncommunications) and continuously compare traffic to its list of webinjects. If a match is found the malicious\r\nwebinject code is injected into the webpage, the modified web page is shown to the victim, and credential theft can\r\nhappen.\r\nNuclear Bot downloads webinjects from its C2 by sending an “injects” command. The returned data is a JSON file\r\nthat looks like this:\r\nConclusion\r\nThis post was a dismantling of a new banking malware known as Nuclear Bot. As usual with new malware it is\r\ntoo soon to assess how active and widespread this new family will become. It is even more difficult to assess\r\nbased on this sample and campaign as it is very likely a “test botnet” used for development and not an in-the-wild\r\nweaponized campaign. 
This is based on the “Hello World” webinject it is using and also the numerous\r\nMessageBox function calls that pop up throughout the execution of the malware:\r\nWhile it is probably a bit too soon to heed Bert’s advice, recent advertisements for the bot have suggested bug\r\nfixes and updated versions so it is worth keeping an eye on.\r\nSource: https://www.netscout.com/blog/asert/dismantling-nuclear-bot",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.netscout.com/blog/asert/dismantling-nuclear-bot"
	],
	"report_names": [
		"dismantling-nuclear-bot"
	],
	"threat_actors": [],
	"ts_created_at": 1775434820,
	"ts_updated_at": 1775791227,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/86af9bbad64e1630ec8f79dfd4ef50afb2d44be2.pdf",
		"text": "https://archive.orkl.eu/86af9bbad64e1630ec8f79dfd4ef50afb2d44be2.txt",
		"img": "https://archive.orkl.eu/86af9bbad64e1630ec8f79dfd4ef50afb2d44be2.jpg"
	}
}