{
	"id": "06ea6447-14eb-45a3-878e-e9a26c42c144",
	"created_at": "2026-04-06T00:18:43.552661Z",
	"updated_at": "2026-04-10T03:20:25.503127Z",
	"deleted_at": null,
	"sha1_hash": "bdfa1d9b0243ccadc1415598cd42e8bd9c0ad3f0",
	"title": "Ransomware - Nymaim Moves Past Its Ransomware Roots | Proofpoint US",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 236323,
	"plain_text": "Ransomware - Nymaim Moves Past Its Ransomware Roots |\r\nProofpoint US\r\nBy Proofpoint Staff, February 26, 2016\r\nPublished: 2016-02-29 · Archived: 2026-04-05 21:34:36 UTC\r\nMost malware that we see is distributed through spam sent out by botnets. Other malware comes through \"drive-by downloads\" from compromised or malicious websites. Now one attacker is using legitimate bulk email services\r\nto spread the Nymaim Trojan, an alarming shift that could make such attacks harder to detect.\r\nNymaim is a 2-year-old strain of malware most closely associated with ransomware. We have seen recent attacks\r\nspreading it using an established email marketing service provider to avoid blacklists and detection tools. But\r\ninstead of ransomware, the malware is now being used to distribute banking Trojans.\r\nOriginally observed in 2013, the Nymaim Trojan was installing ransomware before file-encrypting malware\r\nwas making headlines and extorting money from people, hospitals, and even the police. At that time, Nymaim was\r\nlargely distributed via the Black Hole Exploit Kit (BHEK) as a \"drive-by download.\" Later, the actors behind the\r\ndistribution of Nymaim began manipulating search results so that sites compromised with BHEK were more likely\r\nto get clicks. By 2014, researchers found machines infected with Nymaim that also contained traces of other\r\nmalware including Vawtrak, Miuref, Pony, and Ursnif.\r\nAlthough most famously associated with early ransomware, Nymaim is, at its core, a downloader Trojan that can\r\nbe used to install a variety of malware. Recently, we have been tracking new vectors and payloads for Nymaim,\r\nwith multiple campaigns utilizing email to send document attachments or URLs leading to documents. When\r\nusers open one of these documents, the macros download and install Nymaim. 
Then, in most cases, Nymaim\r\ninstalls the Ursnif banking Trojan on vulnerable PCs.\r\nThe emails include links from legitimate domains used by the service provider but redirect users to malicious\r\nmacro-embedded documents to deliver Nymaim. It is unclear whether the threat actors are using a compromised\r\naccount on the email marketing service or signed up for a free trial. In either case, the trend marks a departure\r\nfrom their usual reliance on botnets—and could make them harder to detect.\r\nhttps://www.proofpoint.com/us/what-old-new-again-nymaim-moves-past-its-ransomware-roots-0\r\nPage 1 of 6\n\nFigure 1: Lure leveraging email marketing service\r\nFigure 2: Malicious document downloaded from link shown in Figure 1\r\nNot surprisingly, using a well-known email marketing service can improve the effectiveness of the attacks by\r\nimproving link reputation, keeping senders on whitelists, and bypassing sampling by multiple security vendors\r\nwho deliberately exclude bulk mailing services.\r\nIn other campaigns, Nymaim is being delivered through even more circuitous means. On February 17, for\r\nexample, we tracked a malicious document attachment campaign in which Microsoft Word documents attached to\r\nemails with subjects \"February payment\" or \"Fedex Delivery Notification\" used macros to drop Pony onto PCs.\r\nPony is a Trojan with credential-stealing capabilities. In this case it is used to download Nymaim, which in turn\r\nmay then download other malware such as Ursnif.\r\nEmail is the top vector for delivering Nymaim in these recent campaigns (whether via attached malicious\r\ndocuments or links to malicious URLs). 
We have identified two other interesting features in these new campaigns:\r\nNymaim still appears to be using some of the same web injects (hence targeting the same organizations) as\r\nit did in campaigns from 2013 and 2014, even while actors are employing other means (like VBA macros)\r\nto deliver the malware.\r\nNymaim is heavily obfuscating both its own functions and that of its payload (at least in the case of Ursnif)\r\nin memory. This move makes analyzing and reverse-engineering it harder.\r\nIn Figure 3, Nymaim is monitoring and replacing content of a banking website while the user is browsing it. This\r\nscreenshot shows traffic generated by the malware to its injection control IP address 31.184.234[.]21. The\r\nmalware reports that the user is visiting a banking site. It then receives instructions on how to modify and replace\r\ncontent to initiate fraud on the user’s account.\r\nFigure 3: Nymaim web injection\r\nNymaim is hardly new. But these campaigns bring some new approaches to the table. Abusing an email marketing\r\nservice brings a number of benefits to the actors and leaves many recipients potentially more vulnerable to attack.\r\nIt's possible to blacklist IP addresses associated with the botnets that typically distribute malware via email. But in\r\nthis case, the campaign uses a known \"good\" mail distribution vector.\r\nWithout more advanced analysis in a sandbox environment, these kinds of attacks are difficult to catch. 
At the\r\nsame time, actors are leveraging Nymaim's capabilities as a loader and its flexibility to distribute the latest\r\nbanking Trojans.\r\nIn other words, what is old is new again, and Nymaim has been revitalized to meet current demands from threat\r\nactors.\r\nIndicators of Compromise\r\nSample hashes (Documents that download Nymaim):\r\nDistribution domains (domains hosting documents that download Nymaim):\r\n[hxxp://intuit.secureserver17[.]com/invoices/Invoice_897-84579.doc]\r\n[hxxp://secure.secureserver17[.]com/invoices/Invoice_11471.doc]\r\n[hxxp://quickbooks.intuit-invoices[.]com/invoices/qb_invoice_1147630.doc]\r\nDistribution domains (domains hosting Nymaim payload):\r\nNymaim Sample SHA256 Hashes:\r\n834ce4c3f3b1a4086d906e24ebf7e6028be81daeb84975f4c507c1cdcb08b2bc\r\n1a71f4090a95e643caa4cc5723da5d8cf1a24c8cd3caa95f496f1f2810df46ac\r\n0f62b83a7bdcf4ac5e0f8beccc2b86290ba7432a46cdcdaa5ad21dd4ad2785ee\r\nNymaim C2:\r\nPony C2:\r\n[hxxp://sinmoughhin[.]ru/gate.php]\r\n[hxxp://jotertdinthap[.]ru/gate.php]\r\n[hxxp://rinuntinand[.]ru/gate.php]\r\nPony Downloads:\r\n[hxxp://opulencebeautique[.]com/system/logs/webmail.exe]\r\n[hxxp://dulichhanoihalongsapa[.]com/system/logs/webmail.exe]\r\n[hxxp://properenglishtraining[.]co[.]za/wp-content/plugins/cached_data/webmail.exe]\r\nSource: https://www.proofpoint.com/us/what-old-new-again-nymaim-moves-past-its-ransomware-roots-0",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.proofpoint.com/us/what-old-new-again-nymaim-moves-past-its-ransomware-roots-0"
	],
	"report_names": [
		"what-old-new-again-nymaim-moves-past-its-ransomware-roots-0"
	],
	"threat_actors": [],
	"ts_created_at": 1775434723,
	"ts_updated_at": 1775791225,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/bdfa1d9b0243ccadc1415598cd42e8bd9c0ad3f0.pdf",
		"text": "https://archive.orkl.eu/bdfa1d9b0243ccadc1415598cd42e8bd9c0ad3f0.txt",
		"img": "https://archive.orkl.eu/bdfa1d9b0243ccadc1415598cd42e8bd9c0ad3f0.jpg"
	}
}