{
	"id": "fe24bd47-9800-4bd6-b1dd-2f441f256a88",
	"created_at": "2026-04-06T01:32:34.59038Z",
	"updated_at": "2026-04-10T03:22:05.066917Z",
	"deleted_at": null,
	"sha1_hash": "c7798c855261d6334f41413d84a80bae087d3bb5",
	"title": "Virus Bulletin :: Linking Xpaj and Nymaim",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 68740,
	"plain_text": "Virus Bulletin :: Linking Xpaj and Nymaim\r\nArchived: 2026-04-06 00:46:09 UTC\r\nThursday 5 October 10:00 - 10:30, Red room\r\nDoina Cosovan (Security Scorecard)\r\nCatalin Valeriu Lita (Security Scorecard)\r\nInteresting things have been written before about the Xpaj and Nymaim malware families. Xpaj has been known since 2008 and was dubbed one of the most advanced file infectors. Its purpose is click fraud achieved through various sophisticated mechanisms. Meanwhile, Nymaim, which appeared on the malware scene in 2013, is a downloader that spreads various malware families. It is well known for using an advanced custom obfuscation engine, which makes it very difficult to analyse the code.\r\nAlthough there are many technical articles and white papers describing each of these malware families separately and in great detail, up until now we are not aware of any correlation having been made between the two families. Indeed, from a high-level overview, they don’t seem to share any similarities other than the fact that both of them are hard to analyse. However, at a reverse engineer's level, we have discovered interesting similarities in the domain generation algorithm, the communication protocol, the compression technique (the custom \"ARCH\" structure known to be used by Nymaim in order to keep the aplib32 compressed data is also used by Xpaj), the encryption/decryption algorithms (for example, all Nymaim and Xpaj samples have been using the same algorithm for decrypting strings since 2008, when the first Xpaj samples were identified in the wild), and the way in which the code is written and obfuscated.\r\nThere are two interesting details which we would like to highlight in order to make the similarity incontestable. One of these is that we came across Xpaj and Nymaim samples that were using the same RC4 encryption key. The other is that we found an Xpaj dropper from 2012 that has the same MZPE header stub as some Nymaim samples from 2014. The only differences between the header of that particular Xpaj dropper and the header of the unpacked Nymaim samples were the size of image, the checksum, and the entry point. This means they have the same value even for fields such as the linker version (1.67) or the timestamp (2007-10-31 11:11:38). These fields are usually generated by a compiler, but it is not unusual for malware writers to generate an MZPE header and use it for multiple samples by changing only some specific fields required for the code to execute properly. One of the reasons for doing this is to avoid using tools which will add traceable information inside the headers. Thus, the fact that we found so many similarities, and the fact that the same MZPE header stub and the same RC4 key were used for samples from both malware families, suggests they were created by the same cybercriminals. The reason the link between these malware families has gone unnoticed for so long is partly because of the advanced polymorphic engine which managed to make the code unrecognizable. At this moment, we can confidently claim that there is a strong connection between the two malware families.\r\nDoina Cosovan\r\nDoina Cosovan received Bachelor's and Master's degrees from the Alexandru Ioan Cuza University of Iași, Faculty of Computer Science, where she is currently pursuing a Ph.D. She was recruited for Bitdefender's malware research team in her second year of college, where she worked for five years prior to joining Security Scorecard. Some of her interests include malware, botnets, reverse engineering and machine learning.\r\nCătălin Valeriu Liță\r\nCătălin Valeriu Liță received a Bachelor's degree in computer science from the Technical University Gheorghe Asachi, Romania, Iasi, Faculty of Automatics and Computer Science. He also has a Master's degree in information security from the Alexandru Ioan Cuza University of Iași, Faculty of Computer Science, and another Master's degree in business administration from the Alexandru Ioan Cuza University of Iași, Faculty of Economics and Business Administration. Currently he is pursuing a Ph.D. at the Faculty of Computer Science. Prior to joining Security Scorecard he worked for nine years in Bitdefender's anti-malware team.\r\nSource: https://www.virusbulletin.com/conference/vb2017/abstracts/linking-xpaj-and-nymaim",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.virusbulletin.com/conference/vb2017/abstracts/linking-xpaj-and-nymaim"
	],
	"report_names": [
		"linking-xpaj-and-nymaim"
	],
	"threat_actors": [],
	"ts_created_at": 1775439154,
	"ts_updated_at": 1775791325,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c7798c855261d6334f41413d84a80bae087d3bb5.pdf",
		"text": "https://archive.orkl.eu/c7798c855261d6334f41413d84a80bae087d3bb5.txt",
		"img": "https://archive.orkl.eu/c7798c855261d6334f41413d84a80bae087d3bb5.jpg"
	}
}