{
	"id": "7ba4e230-b474-47fe-9026-3e27f1b7125c",
	"created_at": "2026-04-06T00:14:28.411725Z",
	"updated_at": "2026-04-10T13:12:42.889094Z",
	"deleted_at": null,
	"sha1_hash": "872ab780cf302d7a0891fe03ede424d705915d98",
	"title": "Nebula Broker: offensive operations made in Italy",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1513840,
	"plain_text": "Nebula Broker: offensive operations made in Italy\r\nBy serverca\r\nPublished: 2023-12-06 · Archived: 2026-04-05 19:36:00 UTC\r\nFortgale has been tracking an Italian threat actor, internally dubbed Nebula Broker, since March 2022.\r\nThe actor uses self-made malware (BrokerLoader) to compromise Italian systems. Further analysis revealed that\r\nthe attacker has been operating since the end of 2020. Although this threat is not well known, the number of\r\ncompromises is particularly extensive: Fortgale has observed several cases of this malware’s presence in\r\ncompanies across various sectors, such as Transport and Aeronautics.\r\nGiven these findings, we believe that the attacker is not conducting targeted offensive activities, especially\r\nconsidering the malware’s USB propagation capabilities. A notable aspect of the offensive activity is the use of\r\nunique and curious Tactics, Techniques, and Procedures (TTPs) that have evolved over time. These include\r\nunusual obfuscation and encoding techniques, such as encoding data as spaces and tabs in an intermediate file hosted\r\non GitHub, and the use of platforms like Vimeo and ArsTechnica to host code.\r\nA detailed analysis of the threat follows.\r\nFor any further information, contact us at info@fortgale.com\r\nAttack Flow Evolution\r\nN-Broker follows a precise pattern of tactics, techniques, and procedures (TTPs). Recently, after a brief\r\nperiod of limited activity, its operations started rising again.\r\nWe are releasing an analysis and comparison of the activities between March 2022 and November 2023. Over the\r\nlast few days, a new variant has been observed, with small new changes as reported here. 
These changes are also\r\nreported in the table below.\r\n\r\nStage | March 2022 | November 2023 | December 2023\r\nInfection chain | USB (.lnk) | USB (.lnk) | USB (.lnk)\r\nStage 1 | PowerShell (explorer.ps1): RuntimeBroker.exe download (external file on GitHub) | PowerShell (explorer.ps1): download and execution of PowerShell code from Vimeo | PowerShell (explorer.ps1): download and execution of PowerShell code from ArsTechnica\r\nStage 2 | RuntimeBroker.exe execution | PowerShell: RuntimeBroker.exe download | PowerShell: RuntimeBroker.exe download\r\nStage 3 | / | RuntimeBroker.exe execution | RuntimeBroker.exe execution\r\n\r\nhttps://fortgale.com/blog/featured/nebula-broker-offensive-operations-italy/\r\nPage 1 of 10\r\nCampaigns evolution\r\nWe provide a technical analysis of the entire compromise chain, comparing each step of the March 2022 and\r\nNovember 2023 campaigns.\r\nTechnical Analysis\r\nThe infection vector is a USB drive containing a .lnk file.\r\nFile “pendrivename”.lnk\r\nMarch 2022 \u0026 November 2023\r\nThe file “pendrivename.lnk” (where “pendrivename” varies with the USB device used) is located within the\r\nremovable USB device. 
This file holds the initial command for the compromise in its Target field.\r\nTechnical information:\r\nNAME Pendrivename.lnk\r\nMD5 9C72F27AABF97782734C7620A445A5DB\r\nSHA1 6257313E5B2A9A714A2E3ABCC0BC60CACABEB299\r\nSHA256 7A8DF9FC056835A659BE9E5B9F6F34D0ED8CA548B26CB41C14C76ADB78FAF0E7\r\nFrom the properties of the link, it can be observed that the file “KINGSTON (124GB).lnk” runs the\r\nfollowing PowerShell command, which launches the explorer.ps1 script with a hidden window, no profile and the execution policy bypassed:\r\nC:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -windowstyle hidden -nologo -NoProfile -ExecutionPolicy ByPass -File explorer.ps1\r\nFile “explorer.ps1”\r\nMarch 2022\r\nThe PowerShell script executed by the .lnk file contains a series of instructions on a single line. The values of the\r\nvariables used are encoded in base64 to evade checks by protection software.\r\nNAME explorer.ps1\r\nMD5 6B51E7F335BEDB7F66B31C24750F0619\r\nSHA1 748BC66D21B77BB8DE7EB8A624FDC6C976901E96\r\nSHA256 99D9DFD8F1C11D055E515A02C1476BD9036C788493063F08B82BB5F34E19DFD6\r\nContent of the script, formatted for readability:\r\nThe variables $d, $f, and $aa contain the system paths where the worm places its malicious\r\nfiles. These have been obfuscated to prevent the identification of indicators of compromise by protection\r\nsoftware.\r\nTheir content is used to build the variables $bb, $h, and $mn. By executing the first 9 lines of the script,\r\nit is possible to obtain the decoded content of the final variables:\r\nUpon examining the content of the variable $bb, it is possible to notice an “empty” character at the end of the path\r\n(highlighted in yellow). Following the way the path is constructed, it is possible to trace this invisible value back\r\nto the variable $aa. 
The initial value is the base64 string “44Wk”. Decoding the value yields the Unicode Hangul\r\nFiller character (U+3164).\r\nThe path contained in the variable $bb is therefore a valid path whose last character is rendered as a blank.\r\nThis technique allows the attacker to hide elements in the system from the Windows graphical interface\r\nand makes identification from the command line difficult.\r\nThe second part of the script checks whether the hidden folder is actually present on the system. If the\r\nfolder is present, the default action is invoked, which is to open it via explorer.exe. In this way, the\r\nvictim user actually sees the folder containing the data saved on the device.\r\nSubsequently, a file is downloaded and saved to the path specified by the variable $mn. The URL of the file is\r\nbuilt from a string, which in turn is downloaded from the URL contained in the variable $f: “src.txt”, hosted\r\nin a GitHub repository (no longer available as of today, hxxps://eldi8[.]github.io/src.txt).\r\nThe content of the file appears empty. However, it contains a series of spaces, tabs, and “newline” characters:\r\nThe “empty” characters in the file are replaced by the script with the characters “0”, “1”, and “ ” (space):\r\nThe downloaded content, after the substitutions, turns out to be a series of binary strings. The\r\ndecoding process involves several steps: from base 2 to base 10, and then to an ASCII string. 
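The two decoding steps just described (the base64 path fragment that hides U+3164, and the whitespace-encoded src.txt that turns into binary strings and then into a URL) can be reproduced offline. The following Python is an added example written for this page, not code from the original post or from the actor's script. The mapping of space, tab and newline to “0”, “1” and the group separator is an assumption (the page says the script performs the three substitutions but not which whitespace character maps to which symbol), and the sample input is constructed here from a placeholder URL rather than taken from the real src.txt.

```python
import base64

# Assumed mapping of the three whitespace characters the page describes to the
# symbols the script substitutes: space -> '0', tab -> '1', newline -> ' '
# (a separator between 8-bit groups). The page does not say which is which.
WS_TO_SYMBOL = {chr(32): '0', chr(9): '1', chr(10): ' '}

HANGUL_FILLER = chr(0x3164)   # U+3164, the blank-rendering character found in $bb


def whitespace_to_binary(blob: str) -> str:
    '''Replace the invisible characters of src.txt with '0', '1' and ' '.'''
    out = []
    for ch in blob:
        if ch == chr(13):                      # tolerate CRLF line endings
            continue
        if ch not in WS_TO_SYMBOL:
            raise ValueError('unexpected visible character %r' % ch)
        out.append(WS_TO_SYMBOL[ch])
    return ''.join(out)


def binary_to_text(bits: str) -> str:
    '''Base 2 -> base 10 -> ASCII, one 8-bit group per whitespace-separated token.'''
    chars = []
    for group in bits.split():
        if len(group) != 8 or set(group) - {'0', '1'}:
            raise ValueError('malformed 8-bit group %r' % group)
        chars.append(chr(int(group, 2)))
    return ''.join(chars)


def decode_src_txt(blob: str) -> str:
    '''Full pipeline: whitespace blob -> binary strings -> decoded string (the stage-2 URL).'''
    return binary_to_text(whitespace_to_binary(blob))


def encode_as_whitespace(text: str) -> str:
    '''Inverse of decode_src_txt; used only to build an offline sample input.'''
    symbol_to_ws = {v: k for k, v in WS_TO_SYMBOL.items()}
    groups = [format(ord(c), '08b') for c in text]          # ASCII only, 8 bits per char
    return chr(10).join(''.join(symbol_to_ws[bit] for bit in g) for g in groups) + chr(10)


def decode_base64_path_fragment(b64: str) -> str:
    '''Decode a base64 path fragment strictly: invalid UTF-8 raises instead of being masked.'''
    return base64.b64decode(b64).decode('utf-8')


def decodes_as_utf8(b64: str) -> bool:
    '''True when the base64 fragment is valid UTF-8 (strict, no replacement characters).'''
    try:
        decode_base64_path_fragment(b64)
        return True
    except UnicodeDecodeError:
        return False


def hides_hangul_filler(path: str) -> bool:
    '''True if a decoded path carries U+3164, the character the page found at the end of $bb.'''
    return HANGUL_FILLER in path


# Constructed sample: a placeholder URL (not the actor's real one) encoded the way src.txt was.
SAMPLE_URL = 'https://example.invalid/updater.php?from=USB1'
SAMPLE_SRC_TXT = encode_as_whitespace(SAMPLE_URL)

if __name__ == '__main__':
    fragment = decode_base64_path_fragment('44Wk')          # the $aa fragment from the page
    print('U+%04X hidden in path: %s' % (ord(fragment), hides_hangul_filler(fragment)))
    print(decode_src_txt(SAMPLE_SRC_TXT))
```

The strict UTF-8 decode matters: a lowercase “44wk” yields the bytes E3 8C 24, which is not valid UTF-8, so a decoder that silently substitutes replacement characters would hide the filler instead of revealing it. The same functions work on a real src.txt read as text, provided the assumed whitespace mapping holds; if the decoded groups are not 8 bits long, swap the roles of space and tab.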
Continuing with the\r\ndecoding, we obtain the following URL: hxxps://wjecpujpanmwm[.]tk/updater.php?from=USB1\r\nAfter downloading and saving the malicious executable, the script pauses for 5 seconds (Start-Sleep -s 5),\r\nchecks for the presence of the file C:\\Program Files (x86)\\WinSoft Update Service\\pythonw.exe (the variable\r\n$h), and if the file is absent, it executes the just-downloaded file. At the end of the execution, the script again\r\npauses for 1 second (Start-Sleep -s 1) and re-executes the file if the previously checked path still does\r\nnot exist. These last steps are repeated indefinitely, until the file C:\\Program Files (x86)\\WinSoft Update\r\nService\\pythonw.exe is created.\r\nNovember 2023\r\nIn the most recent version of the malware, the content of the file is entirely encoded in base64. The content is\r\ndecoded and executed upon opening.\r\nThe executed script is the following:\r\nOnce deobfuscated, its functionalities can be evaluated:\r\nIn this version, the script downloads the metadata of a video hosted on the Vimeo streaming platform in\r\nJSON format, from which it extracts additional PowerShell code to execute. Below is the decrypted and\r\ndeobfuscated content.\r\nSeveral similarities can be noticed with the script from the previous year. 
In particular, the final stage consists of\r\nexecuting a file called RuntimeBroker.exe, and the domain wjecpujpanmwm[.]tk is present in both files.\r\nThe behavior of the malware from the execution of RuntimeBroker.exe onward is almost identical to the behavior\r\nidentified the previous year, as reported below.\r\nBrokerLoader Insights\r\nMarch 2022\r\nDuring the execution of explorer.ps1, a file is downloaded from the link\r\nhxxps://wjecpujpanmwm[.]tk/updater.php?from=USB1 and saved as “Runtime Broker.exe” at the path\r\nspecified by the variable $mn.\r\nTechnical information about the malicious file:\r\nNAME Runtime Broker.exe\r\nMD5 abc7a9c5b732b72a8f47fd85ee638c09\r\nSHA1 9876415085f95c02d6bcea9b1fc990d5b5c50d1c\r\nSHA256 d9ebb6958afcd1907651487062108ec56a2af9eb935f2437156584081cb56b2f\r\nNovember 2023\r\nOnce RuntimeBroker.exe is deobfuscated, it is possible to highlight some fundamental characteristics of the\r\nmalware.\r\nThe malware checks whether it is already present on the machine and, if not, it may create a Mutex. Then it\r\nenumerates the content of the connected removable devices, looking for a folder with the same name as the\r\nremovable device on which it is located.\r\nThe malware downloads, loads into memory, and executes an additional payload.\r\nAfter the payload is downloaded and the commands are executed, any results are sent to the server along with\r\nsome information about the host and the currently executing payload. 
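The on-disk layout this chain leaves on a USB device (a .lnk carrying the volume's name whose Target runs hidden PowerShell on explorer.ps1, a folder named after the device with a blank-rendering character appended, which is also what the loader itself looks for when it enumerates removable devices, and explorer.ps1 beside them) can be triaged from a mounted image without executing anything. The following Python is an added example written for this page, not code from the original post or from BrokerLoader. It does not parse the LNK format: it searches the .lnk bytes for the command-line fragments the page quotes, in both ASCII and UTF-16LE (the encoding LNK string data uses). The set of blank-rendering code points beyond U+3164 and the assumption that the mount directory is named after the volume label are mine, and the sample drive tree is constructed in a temporary directory with a stand-in .lnk, not real malware.

```python
import os
import tempfile

# Code points that render as blank. U+3164 (Hangul Filler) is the one the page
# documents; the others are an assumed extension (other fillers and zero-width marks).
BLANK_CODEPOINTS = {0x3164, 0x115F, 0x1160, 0x200B, 0xFEFF, 0x2800}

# Fragments of the .lnk Target quoted on the page (lower-cased for a case-insensitive
# match). A real .lnk stores its string data as UTF-16LE, so both encodings are searched.
LNK_MARKERS = ('powershell', '-windowstyle hidden', '-executionpolicy bypass', '-file explorer.ps1')


def name_hides_blank_char(name: str) -> bool:
    '''True if a file or folder name contains a code point that renders as blank.'''
    return any(ord(c) in BLANK_CODEPOINTS for c in name)


def lnk_runs_hidden_powershell(path: str) -> bool:
    '''Grep-style check: every marker must appear, as ASCII or UTF-16LE.'''
    with open(path, 'rb') as fh:
        data = fh.read(1 << 16).lower()   # bytes.lower() only touches ASCII letters, so UTF-16LE survives
    for marker in LNK_MARKERS:
        if marker.encode('ascii') not in data and marker.encode('utf-16-le') not in data:
            return False
    return True


def triage_removable_drive(root: str, label=None) -> list:
    '''Return (finding, path) pairs for the worm layout under a mounted drive root.
    label defaults to the mount directory name; on a live Windows host you would
    read the volume label instead (assumption for the offline example).'''
    label = label or os.path.basename(os.path.normpath(root))
    findings = []
    for entry in sorted(os.listdir(root)):
        full = os.path.join(root, entry)
        stem, ext = os.path.splitext(entry)
        if os.path.isdir(full) and name_hides_blank_char(entry):
            findings.append(('folder name carries blank-rendering code point', full))
        if ext.lower() == '.lnk':
            if stem.lower() == label.lower():
                findings.append(('.lnk named after the volume', full))
            if lnk_runs_hidden_powershell(full):
                findings.append(('.lnk launches hidden PowerShell on explorer.ps1', full))
        if entry.lower() == 'explorer.ps1':
            findings.append(('explorer.ps1 in drive root', full))
    return findings


def build_sample_drive() -> str:
    '''Constructed stand-in for a mounted infected drive (not a real .lnk, not real malware).'''
    root = os.path.join(tempfile.mkdtemp(), 'KINGSTON (124GB)')
    os.makedirs(os.path.join(root, 'KINGSTON (124GB)' + chr(0x3164)))   # hidden folder, name ends in U+3164
    target = ('powershell.exe -windowstyle hidden -nologo -NoProfile '
              '-ExecutionPolicy ByPass -File explorer.ps1')
    with open(os.path.join(root, 'KINGSTON (124GB).lnk'), 'wb') as fh:
        # 0x4C header byte plus padding, then the Target as UTF-16LE string data
        fh.write(b'L' + bytes(75) + target.encode('utf-16-le'))
    with open(os.path.join(root, 'explorer.ps1'), 'w') as fh:
        fh.write('# placeholder for the stage-1 script (constructed)')
    return root


if __name__ == '__main__':
    for finding, path in triage_removable_drive(build_sample_drive()):
        print(finding, '->', path)
```

Against the constructed tree the triage reports all four traits; on a real image, the folder finding alone is worth acting on, since a blank-rendering code point has no legitimate reason to appear at the end of a folder named after the volume.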
The configuration is downloaded from\r\nthe URL hxxps://bobsmith[.]apiworld[.]cf/license[.]php, to which information about the host is sent.\r\nMalware Classification\r\nWe consider this malware, dubbed internally “BrokerLoader”, to have been specifically created by Nebula\r\nBroker for use in campaigns targeting Italy.\r\nOver the past years, the domains related to the malware remained substantially the same.\r\nIn the most recent incident, however, a complete replacement of the domains used to download\r\nRuntimeBroker and the final payload was observed.\r\nThreat Actor Attribution\r\nFortgale, with a substantial degree of certainty, identifies Nebula Broker as an Italian-speaking threat actor. This\r\nconclusion is drawn from several pieces of supporting evidence:\r\nAnalysis of the RuntimeBroker executable: the examination of the RuntimeBroker executable has\r\nprovided significant insights that reinforce this belief;\r\nCharacteristics of the C2s used in the initial campaigns (2020-2021): certain distinctive features of the\r\nCommand and Control servers (C2s) used in the early operations further support this view;\r\nSpecific naming conventions in observed samples (2020-2021): the unique naming patterns in some\r\nof the samples observed during 2020-2021 also point towards the Italian-speaking nature of the actor.\r\nIn the following section, we delve into a detailed analysis of RuntimeBroker’s features:\r\nThe manifest file of RuntimeBroker.exe generated by Visual Studio is in Italian, indicating that an Italian\r\nversion of the development suite was used.\r\nWith low uncertainty, it can be assumed that the person who compiled the malware is an Italian\r\nspeaker. 
There are several other elements that create a strict link between the threat actor and Italy, such as\r\nopen-source intelligence (OSINT) information we collected by analyzing the GitHub repository used in the March\r\n2022 campaign.\r\nWith a high level of confidence, we consider N-Broker to be a group of Italian-speaking e-crime actors. It\r\ntargets Italian companies and individuals with large-scale, non-targeted malware campaigns that are\r\nevolving over time.\r\nIndicators of Compromise\r\nMarch 2022\r\nHASH\r\nNAME KINGSTON (124GB).lnk\r\nMD5 9C72F27AABF97782734C7620A445A5DB\r\nSHA1 6257313E5B2A9A714A2E3ABCC0BC60CACABEB299\r\nSHA256 7A8DF9FC056835A659BE9E5B9F6F34D0ED8CA548B26CB41C14C76ADB78FAF0E7\r\nNAME explorer.ps1\r\nMD5 6B51E7F335BEDB7F66B31C24750F0619\r\nSHA1 748BC66D21B77BB8DE7EB8A624FDC6C976901E96\r\nSHA256 99D9DFD8F1C11D055E515A02C1476BD9036C788493063F08B82BB5F34E19DFD6\r\nDomains \u0026 URLs\r\nhxxps://eldi8[.]github.io/src.txt\r\nhxxps://wjecpujpanmwm[.]tk/updater[.]php?from=USB1\r\nhxxps://lucaespo[.]altervista[.]org\r\nhxxps://studiofotografico35mm[.]altervista[.]org\r\nNovember 2023\r\nHASH\r\nNAME Explorer.ps1\r\nMD5 EB2DF3C33F102A792068A28B122832EE\r\nSHA1 223AA8C734913B982826600EFC10A1E298D1D337\r\nSHA256 218A819360DF70ECC4CDBDFAC4FBC0E49BE3F4CADBAD04D591A3DE992617DAC2\r\nNAME RuntimeBroker.exe\r\nMD5 730F84805B3B815BF5F11B4EF0E60EE2\r\nSHA1 E5A8E615F69BDAE35160B8BCC8DD7D5F272B2FEB\r\nSHA256 8A492973B12F84F49C52216D8C29755597F0B92A02311286B1F75EF5C265C30D\r\nDomains \u0026 URLs\r\nhxxps://vimeo[.]com/api/v2/video/804838895[.]json\r\nhxxps://bobsmith[.]apiworld[.]cf/license[.]php\r\nhxxps://wjecpujpanmwm[.]tk/updater[.]php?from=USB1\r\nSource: https://fortgale.com/blog/featured/nebula-broker-offensive-operations-italy/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://fortgale.com/blog/featured/nebula-broker-offensive-operations-italy/"
	],
	"report_names": [
		"nebula-broker-offensive-operations-italy"
	],
	"threat_actors": [],
	"ts_created_at": 1775434468,
	"ts_updated_at": 1775826762,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/872ab780cf302d7a0891fe03ede424d705915d98.pdf",
		"text": "https://archive.orkl.eu/872ab780cf302d7a0891fe03ede424d705915d98.txt",
		"img": "https://archive.orkl.eu/872ab780cf302d7a0891fe03ede424d705915d98.jpg"
	}
}