{
	"id": "463f799f-4634-4324-ab67-bb563ee7abfe",
	"created_at": "2026-04-06T00:20:10.078417Z",
	"updated_at": "2026-04-10T13:11:21.122032Z",
	"deleted_at": null,
	"sha1_hash": "c61e25075bf28ac6f35f407b38e70327ad6d179b",
	"title": "NimzaLoader: TA800’s New Initial Access Malware | Proofpoint US",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1738416,
	"plain_text": "NimzaLoader: TA800’s New Initial Access Malware | Proofpoint US\r\nBy Dennis Schwarz, Matthew Mesa, and the Proofpoint Threat Research Team\r\nPublished: 2021-03-09 · Archived: 2026-04-05 16:47:07 UTC\r\nProofpoint researchers observed an interesting email campaign by a threat actor we track as TA800. This actor\r\nhas predominantly used BazaLoader since April of 2020, but on February 3rd, 2021 they distributed a new\r\nmalware we are calling NimzaLoader. One of NimzaLoader’s distinguishing features is that it is written in the Nim\r\nprogramming language. Malware written in Nim is rare in the threat landscape. Malware developers may choose to use a\r\nrare programming language to avoid detection: reverse engineers may not be familiar with Nim’s implementation or\r\nfocused on developing detection for it, and tools and sandboxes may therefore struggle to analyze samples of it. \r\nThere has been some initial analysis of the malware on Twitter indicating that it may just be another variant\r\nof BazaLoader, of which there are many variants. On March 1st, Joshua Platt and Jason Reaves from Walmart put forth an\r\nexcellent writeup on this malware that they call Nimar Loader. Our independent analysis corroborates their analysis and\r\nassertions that this malware is not a BazaLoader variant. Some of the major differences\r\nbetween NimzaLoader and the BazaLoader variants that we’ve analyzed include: \r\nWritten in a completely different programming language \r\nDoesn’t use the same code flattening obfuscator \r\nDoesn’t use the same style of string decryption \r\nDoesn’t use the same XOR/rotate based Windows API hashing algorithm \r\nDoesn’t use the same RC4-based command and control (C\u0026C) response decryption keyed on dates \r\nDoesn’t use a domain generation algorithm (DGA) \r\nMakes use of JSON in C\u0026C communications \r\nIn this post we’ll take a closer look at the email campaign and the malware. 
\r\nCampaign Analysis \r\nOn February 3rd, 2021, Proofpoint observed a TA800 campaign distributing NimzaLoader. Consistent with previous\r\nactivity, this campaign utilized personalized details in its lure, including the recipient’s name and/or the company’s\r\nname. The messages contained links, which in some cases were shortened links, purporting to be a link to a PDF preview,\r\nbut instead linked to GetResponse (an email marketing service) landing pages. The landing pages contained links to the\r\n“PDF”, which was the NimzaLoader executable hosted on Slack and used a fake Adobe icon in an attempt to fool the user.  \r\nhttps://www.proofpoint.com/us/blog/threat-insight/nimzaloader-ta800s-new-initial-access-malware\r\nPage 1 of 8\n\nFigure 1: TA800 message linking to the GetResponse Landing Page \r\nFigure 2: TA800 GetResponse Landing page linking to the download of NimzaLoader \r\nMalware Analysis \r\nThe sample with a SHA-256 hash\r\nof 540c91d46a1aa2bb306f9cc15b93bdab6c4784047d64b95561cf2759368d3d1d was reverse engineered for this analysis. At\r\nthe time of research, the C\u0026C servers were already down, so we also made use of a PCAP file uploaded to VirusTotal. \r\nNim Programming Language \r\nNimzaLoader was developed using the Nim programming language. This can be seen by the various “nim” related strings in\r\nthe executable (Figure 3): \r\nFigure 3: Example of Nim related strings \r\nString Encryption \r\nMost of the strings used by the malware are encrypted when stored by using an XOR-based algorithm and a single key per\r\nstring. An IDA Python function of the algorithm will be available on our GitHub. 
Here is a listing of decrypted strings from\r\nthe analyzed sample: \r\n1612963255.0039535 \r\n1OcYomEX0BsbkWCzLHRggQ== \r\n; \r\n;\\r\\n \r\n= \r\nAPISID \r\nCV54fakIvNL14Br0vFqSiw== \r\nCookie: \r\nGET \r\nJSESSIONID \r\nSID \r\nWMCIf52ORF4UAztWoqpcAtAdZeysf2lWi0FvUE/L7Uc= \r\n\\r\\n \r\nabout \r\ne8cbd40fda2500cd496b55df43402d8ed077b8cd965701a205c17f2b0389fce1 \r\nhYLuwpX6qTSHW4zqip3prQ== \r\nhxxps://centralbancshares\\.com \r\nhxxps://gariloy\\.com \r\nhxxps://liqui-technik\\.com \r\njob_id_header \r\npath_adj \r\npath_noun \r\nseq_num \r\nseq_total \r\nserver_public_key \r\nuser_agent \r\nA few strings, mostly command names, are stored as stack strings instead of encrypted strings. \r\nExpiration Date \r\nOne of the encrypted strings is a Unix epoch timestamp and is used as an expiration date for the malware. In the analyzed\r\nsample, the expiration date was set to “1612963255.0039535” (i.e., Wednesday, February 10, 2021 1:20:55.003 PM GMT)\r\nand the malware will not run after this date and time. \r\nConfiguration \r\nThe C\u0026C URLs are stored as encrypted strings and in the analyzed sample were the following: \r\nhxxps://centralbancshares\\.com \r\nhxxps://gariloy\\.com \r\nhxxps://liqui-technik\\.com \r\nThere is also an encrypted string that contains a C\u0026C URL path component used in command requests. In the analyzed\r\nsample this component was “about”. \r\nCommand and Control \r\nC\u0026C is HTTPS based. The initial beacon is called a “handshake” by the malware and an example looks like Figure 4: \r\nFigure 4: Example handshake request and response \r\nEncryption \r\nThe handshake is used to do an X25519 key exchange with the C\u0026C server and retrieve some configuration items. 
The “SID”\r\nvalue in the request’s “Cookie” header is base64 encoded. Once decoded, it contains the malware’s generated public key for\r\nthe key exchange and some additional data to decrypt the handshake response from the C\u0026C server.  \r\nThe C\u0026C response can be decrypted by using this data along with some of the encrypted strings from the malware and some\r\nprimitives from the Monocypher crypto library. A Python snippet using data from the above referenced PCAP and its sample\r\nshowing this decryption process will be available on our GitHub. Once decrypted, the response contains a JSON object that\r\nlooks like Figure 5: \r\nFigure 5: Example handshake response JSON object \r\nIt contains the following pieces: \r\npath_adj – C\u0026C URL component used in future C\u0026C communications \r\npath_noun – C\u0026C URL component used in future C\u0026C communications \r\nseq_num – unknown (doesn’t seem to be used in the analyzed sample) \r\nseq_total – used as a JSON field name in command responses to the C\u0026C server (blue highlight in Figure 7 below) \r\nuser_agent – user agent used in future C\u0026C communications \r\njob_id_header – unknown (doesn’t seem to be used in the analyzed sample) \r\nserver_public_key – the C\u0026C server’s public key used for the key exchange \r\nThe key shared between the malware and C\u0026C server via the key exchange will be used for future C\u0026C\r\ncommunications. Unfortunately, we were unable to derive the shared key used in the referenced PCAP to decrypt further\r\ncommunication examples. \r\nFuture C\u0026C URLs are constructed using the configuration item mentioned above and the\r\nreceived “path_adj” and “path_noun” components. 
Here is an example C\u0026C URL for the reference PCAP: \r\nhxxp://liqui-technik\\.com/about/disassociation/better-known \r\nUpdated “path_adj” and “path_noun” components are sent in successive C\u0026C responses via a response header whose name\r\nis the previously set “path_noun”. This mechanism can be seen in the red highlights of Figures 6 and 7 below. \r\nOnce the handshake is completed, the remaining C\u0026C communications are command requests and command responses.\r\nAn example command request looks like Figure 6: \r\nFigure 6: Example command request \r\nIn the command request, the Cookie header “SID” value changes to a bot identifier. The response is encrypted using the\r\nshared key and, once decrypted, contains a JSON object. It contains the following fields: \r\njob_id – identifier \r\njob – base64 encoded job details \r\nOnce decoded, “job” contains another JSON object containing: \r\ntype – command \r\nargs – command arguments \r\nCommands will be detailed in the “Commands” section below. \r\nAn example command response looks like Figure 7: \r\nFigure 7: Example command response \r\nCommand responses are similar to requests and contain command outputs or error messages. 
\r\nCommands \r\nThe following commands have been identified in NimzaLoader: \r\ncmd – execute cmd.exe command \r\npowershell – execute powershell.exe command \r\nhandshake – redo handshake \r\nshellcode – inject shellcode into a process as a thread \r\ncommand arguments are a JSON object containing: \r\nsc – hex-encoded and compressed shellcode \r\nprog – program to inject shellcode into \r\nheartbeat – used to update expiration date of the malware in memory \r\ncommand arguments are a JSON object containing: \r\nheartbeat – new expiration time \r\nsig – used in a signature check with an encrypted string\r\n(\"e8cbd40fda2500cd496b55df43402d8ed077b8cd965701a205c17f2b0389fce1\" in the analyzed sample) \r\nAt the time of research, all known NimzaLoader C2s were already down, but a public malware sandbox run seems to show\r\nit receiving a “powershell” command that ultimately delivered a Cobalt Strike beacon. We are unable to validate or confirm\r\nthis finding, but it does align with past TA800 tactics, techniques, and procedures (TTPs). \r\nConclusion \r\nNimzaLoader is a new initial access malware being distributed and used by the TA800 threat actor. In 2020, we observed\r\nTA800 shift from distributing The Trick, with intermittent shifts to Buer Loader, to a consistent distribution\r\nof BazaLoader since April 2020. There has been some research community analysis suggesting that NimzaLoader is just\r\nanother variant of BazaLoader, but based on our observations of significant differences, we are tracking this as a distinct\r\nmalware family. There has been some evidence suggesting NimzaLoader is being used to download and execute Cobalt\r\nStrike as its secondary payload, but it is unclear whether this is its primary purpose. It is also unclear if NimzaLoader is just\r\na blip on the radar for TA800—and the wider threat landscape—or if NimzaLoader will be adopted by other threat actors in\r\nthe same way BazaLoader has gained wide adoption. 
TA800 continues to integrate different tactics into their campaigns,\r\nwith the latest campaigns delivering Cobalt Strike directly. \r\nIndicators of Compromise \r\nIndicator  Type  Notes \r\n540c91d46a1aa2bb306f9cc15b93bdab6c4784047d64b95561cf2759368d3d1d  SHA-256  NimzaLoader Reverse Engineered \r\ncentralbancshares\\.com  Domain  C\u0026C \r\ngariloy\\.com  Domain  C\u0026C \r\nliqui-technik\\.com  Domain  C\u0026C \r\n52bbe09c7150ea66269c71bac8d0237fb0e6b0cae4ca63ab19807c310d6a1a0b  SHA-256  NimzaLoader (PCAP) \r\nEmerging Threats Signatures \r\nETPRO TROJAN NimzaLoader Initial CnC Host Checkin \r\nETPRO TROJAN NimzaLoader CnC Activity M1 \r\nETPRO TROJAN NimzaLoader CnC Activity M2 \r\nSource: https://www.proofpoint.com/us/blog/threat-insight/nimzaloader-ta800s-new-initial-access-malware",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.proofpoint.com/us/blog/threat-insight/nimzaloader-ta800s-new-initial-access-malware"
	],
	"report_names": [
		"nimzaloader-ta800s-new-initial-access-malware"
	],
	"threat_actors": [
		{
			"id": "cf32661e-7543-4b57-8665-7f8101a000e9",
			"created_at": "2023-01-06T13:46:39.322379Z",
			"updated_at": "2026-04-10T02:00:03.287241Z",
			"deleted_at": null,
			"main_name": "TA800",
			"aliases": [],
			"source_name": "MISPGALAXY:TA800",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434810,
	"ts_updated_at": 1775826681,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c61e25075bf28ac6f35f407b38e70327ad6d179b.pdf",
		"text": "https://archive.orkl.eu/c61e25075bf28ac6f35f407b38e70327ad6d179b.txt",
		"img": "https://archive.orkl.eu/c61e25075bf28ac6f35f407b38e70327ad6d179b.jpg"
	}
}