{
	"id": "4f4755b7-eee9-4800-b534-53f767a17401",
	"created_at": "2026-04-06T00:14:29.503168Z",
	"updated_at": "2026-04-10T03:23:51.592339Z",
	"deleted_at": null,
	"sha1_hash": "918af18b4e815dfe0aa26bd9b9832efc54c38407",
	"title": "The Nukebot trojan, a bruised ego and a surprising source code leak",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 44026,
	"plain_text": "The Nukebot trojan, a bruised ego and a surprising source code leak\r\nBy Limor Kessem, Ilya Kolmanovich\r\nPublished: 2017-03-28 · Archived: 2026-04-05 13:21:19 UTC\r\nLimor Kessem\r\nX-Force Cyber Crisis Management Global Lead\r\nIBM\r\nIlya Kolmanovich\r\nSenior Threat Researcher\r\nIn early December 2016, IBM X-Force researchers noticed the emergence of a new banking malware advertised for sale in a few underground boards. The malware’s vendor, who went by the online moniker Gosya, was a Russian-speaking member who introduced himself as the developer of Nuclear Bot, or NukeBot, a modular banking Trojan.\r\nConsidering the demand for commercially available malware in the cybercrime community, this malware should have been accepted very eagerly. But instead, its developer’s user account was banned from multiple forums. In March 2017, the source code was leaked, apparently by the developer himself.\r\nWhat led to this leak, and what impact can we expect as a result?\r\nGosya Comes to Town\r\nIn cybercrime forums, and especially in the more closed and Russian-speaking communities, members earn credibility by following certain customary steps. To begin, they must be introduced by a known member and vetted by the community according to what they can offer. Most importantly, they must gain the trust of the administrators running the board.\r\nWhen Gosya joined underground communities, he apparently did not follow all the customary steps. He was introduced by a known member but took some wrong turns from there.\r\nImmediately upon joining, Gosya began advertising a new banking malware for sale. According to X-Force research observations, he did not have the malware tested and certified by forum admins, nor did he provide any test versions to members. 
At the same time, he was attacked by existing competition, namely the FlokiBot vendor, who wanted to get down to the technical nitty-gritty with him and find out if Gosya’s claims about his malware’s capabilities were indeed viable.\r\nhttps://securityintelligence.com/the-nukebot-trojan-a-bruised-ego-and-a-surprising-source-code-leak/\r\nPage 1 of 3\n\nIn posts where he replied to challenging questions, Gosya got nervous and defensive, raising suspicion among other forum members. This was likely a simple case of inexperience, but it cost him the trust of potential buyers.\r\nFor his next wrong move, Gosya started selling on additional forums under multiple monikers. When fraudsters realized that the same person was trying to vend under different names, they got even more suspicious that he was a ripper, misrepresenting or selling a product he did not possess. The issue got worse when Gosya changed the malware’s name to Micro Banking Trojan in one last attempt to buy it a new life.\r\nThat was the point when Gosya was banned from the forums where he was attempting to sell his bot.\r\nWas NukeBot Ever Real?\r\nThe notable part of this case is that NukeBot is an actual banking malware. It is a functional, modular Trojan that comes with a web-based admin panel to control infected endpoints. The malware is capable of webinjections and does not fall short of other, similar code by much.\r\nWhen NukeBot had a test server up, it was captured and analyzed by Arbor Networks, which blogged about it in December 2016. 
Based on this analysis, the malware was functional and viable code from the get-go.\r\nIBM X-Force researchers also analyzed NukeBot, specifically because Gosya claimed it was able to circumvent IBM Security’s antifraud protection product, Trusteer Rapport. These claims were dispelled by X-Force, which determined that NukeBot did not affect Rapport at any point in its development. X-Force researchers also concluded that NukeBot was not a fake product and that its developer was not being taken seriously due to the way he introduced the malware, not because it was a hoax.\r\nA Bruised Ego and a Malware Code Leak\r\nBanned from the underground venues where he planned to sell NukeBot and distrusted by members of the cybercrime community, NukeBot’s developer was likely struggling to come to terms with months of hard work amounting to nothing.\r\nIn mid-March 2017, X-Force researchers noticed that NukeBot’s code had been leaked on a web-based source code management platform and made available for anyone to pick up. This appears to have been the action of the developer, not an intentional leak by another party.\r\nWhat could this mean? An educated guess would be that Gosya was disappointed with the distrust he faced in the underground and decided to release the main module of the malware for others to test and attest to.\r\nIn Gosya’s arguments with the FlokiBot developer, the latter boasted about the number of Google results that appear when one searches for the FlokiBot name. Gosya may think the malware will get picked up by more experienced operators and start appearing in attacks in the wild — and in additional security blogs.\r\nWith yet another malware source code out in the open, the most likely scenario is that NukeBot code will be recompiled and used by botnet operators. 
Parts of it may be embedded into other malware, and we are likely to see actual NukeBot fraud attacks in the wild in the coming months.\r\nIt’s also possible that Gosya will be readmitted to the same forums from which he was banned, this time as an authorized vendor. He may even deliver on previous promises to supply new modules for the malware.\r\nCode Leaks Mean More Malware\r\nWe know from previous incidents, such as the Zeus, Gozi and Carberp leaks, that publicly available source code makes for more malware. Leaked code is often incorporated into existing projects. X-Force researchers noted that NukeBot is likely to see the same process take place in the wild, especially since its code is not copied from other leaked malware, per the developer’s claims.\r\nAt this time, NukeBot has not been detected in real-world attacks and does not have defined target lists. This situation is likely to change in the near future.\r\nTo help stop threats such as NukeBot before they ever cause damage, banks and service providers can use adaptive solutions to detect infections and protect customer endpoints. Fighting evolving malware threats can be made easier with the right malware detection solutions. With protection layers designed to address the ever-changing threat landscape, financial organizations can benefit from malware intelligence that provides real-time insight into fraudster techniques and capabilities.\r\nConsumers wishing to protect themselves from malware infections on endpoints and mobile devices are invited to read our best practices page.\r\nSource: https://securityintelligence.com/the-nukebot-trojan-a-bruised-ego-and-a-surprising-source-code-leak/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://securityintelligence.com/the-nukebot-trojan-a-bruised-ego-and-a-surprising-source-code-leak/"
	],
	"report_names": [
		"the-nukebot-trojan-a-bruised-ego-and-a-surprising-source-code-leak"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434469,
	"ts_updated_at": 1775791431,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/918af18b4e815dfe0aa26bd9b9832efc54c38407.pdf",
		"text": "https://archive.orkl.eu/918af18b4e815dfe0aa26bd9b9832efc54c38407.txt",
		"img": "https://archive.orkl.eu/918af18b4e815dfe0aa26bd9b9832efc54c38407.jpg"
	}
}