{
	"id": "250335ca-6d2f-4d28-98e5-e4e345693404",
	"created_at": "2026-04-06T00:08:25.254288Z",
	"updated_at": "2026-04-10T03:38:19.018162Z",
	"deleted_at": null,
	"sha1_hash": "c7bc26e1f0f60a81670a1eaae98653493d80cacc",
	"title": "A Deep-Dive Analysis of the NukeSped RATs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 7015049,
	"plain_text": "A Deep-Dive Analysis of the NukeSped RATs\r\nBy Minh Tran\r\nPublished: 2019-10-23 · Archived: 2026-04-05 19:36:29 UTC\r\nA FortiGuard Labs Threat Analysis\r\nIntroduction\r\nAdvanced Persistent Threat (APT) groups pose a great threat to global security, especially groups associated with nation states. Of all APT groups, those from North Korea have really stood out due to the great damage they have done as well as for their persistence. The U.S. Government, in particular, refers to the malicious threat actor connected to the North Korean government as HIDDEN COBRA.\r\nFortiGuard Labs has been actively monitoring various APT groups such as HIDDEN COBRA. For example, in a previous post we gave an overview of the FALLCHILL Remote Administration Tools (RATs). Recently, we noticed some new interesting samples from this group, so we decided to take a further look.\r\nA Bird's Eye View of the RAT Samples\r\nThe RAT samples we analyzed are summarized below:\r\nFigure 1: RAT samples\r\nAt a high level, they share similar characteristics:\r\nMost are 32-bit\r\nStrings are encrypted to hinder analysis\r\nCompilation timestamps range from May 04 10:40:47 2017 to Feb 13 04:06:28 2018\r\nAs we shall see, they actually share more similarities than differences. In some cases, they even reuse functions.\r\nhttps://www.fortinet.com/blog/threat-research/deep-analysis-nukesped-rat.html\r\nPage 1 of 12\r\nFigure 2: Code Reuse\r\nLet’s inspect the resource sections in more detail, as they often give clues to the origin of the malware.\r\nFigure 3: Language ID\r\nAs can be seen, each resource has a language ID associated with it. Curiously, most samples have the language ID of 1042.\r\nFigure 4: Most Samples Have the Language ID Of 1042.\r\nAs per this authoritative source, 1042 (0x0412) is the language identifier for Korean.\r\nFigure 5: LANG_KOREAN\r\nFunctionality of the Malware\r\nOur analysis started by trying to get a feel for what this malware could possibly do on a victim’s system. In general, the best way to do that is by inspecting the functionality (e.g. from an API) that it wants to invoke from the target system. So, let’s get right to it.\r\nAt first sight, this malware does not seem to invoke many APIs. The import table is short and does not import many common DLLs and functions. Our gut feeling suggested that it would likely resolve functions dynamically. And sure enough, we quickly found instances of GetProcAddress. It even encrypts its API names. In our experience, this is a common technique designed to hinder static analysis, but it does not stop dynamic analysis. So, we traced the malware and figured out the encrypted APIs.\r\nFigure 6: Decrypted APIs\r\nAs can be seen, after patching in IDA everything starts to make sense.\r\nThe following shows one special case where function names are not encrypted at all, and hence static analysis is enough.\r\nFigure 7: Function Table\r\nThe hash of this special sample is b05aae59b3c1d024b19c88448811debef1eada2f51761a5c41e70da3db7615a9.\r\nAs astute readers may have noticed, the order of the functions being loaded in this sample is very similar to other samples.\r\nFigure 8: Main DLLs\r\nAfter patching up the function names in IDA, we can clearly see that the malware makes use of core functionalities like registry (Advapi32.dll), networking (ws2_32.dll), and so on.\r\nTo persist, the malware inserts itself into a Run key:\r\nFigure 9: Persistence\r\nIn some other cases, the malware installs itself as a service.\r\nFigure 10: Service\r\nAs we can see, here is where the original name of the DLL is hidden.\r\nGhosts in the $hell\r\nLet’s get to the main functionality of NukeSped: Remote Administration Tool.\r\nAfter more reverse-engineering, we figured out the algorithm used to decode the strings.\r\nFigure 11: Decoding Routine\r\nIn a nutshell, the malware uses custom encryption based on XOR. In turn, we used decodeCmd on this core function to decrypt commands from the remote attackers.\r\nFigure 12: Decode Commands\r\nFigure 13: Logic of the Shell\r\nLike a typical RAT, it listens for incoming commands, executes those commands, and then responds. The full control flow graph (CFG) looks like the following:\r\nFigure 14: Control Flow Graph (CFG)\r\nAs can be seen in Figure 14, the control flow of a typical shell is clear. At the beginning is the common logic for parsing the command and its parameters. Then there is a distinctly huge switch-case to handle each command.\r\nWe have reverse-engineered the logic of the RAT and found many classical RAT features:\r\nIterate files in a folder\r\nCreate a process as another user\r\nIterate processes and modules\r\nTerminate a process\r\nCreate a process\r\nWrite a file\r\nRead a file\r\nConnect to a remote host\r\nMove a file\r\nRetrieve and launch additional payloads from the internet\r\nGet information about installed disks, including the disk type and the amount of free space on the disk\r\nGet the current directory\r\nChange to a different directory\r\nRemove itself and artifacts associated with it from the infected system\r\nAttribution\r\nAttribution is almost always an imprecise art, but let’s consider the key evidence:\r\nThe pattern of the encrypted strings, and the way strings are used for API loading (Figure 8, etc.)\r\nThe feature set and the structure of the main function (RAT) are reminiscent of FALLCHILL (below)\r\nFigure 15: Logic of the Shell in FALLCHILL\r\nMost samples of NukeSped have the following cryptography blob (Figure 16). Interestingly, they also have a cryptography blob similar to this:\r\nFigure 16: Cryptography Blob\r\nInterestingly, there are also file name references shared with HOPLIGHT.\r\nFigure 17: Dumped File\r\nFigure 18\r\nMost samples (7 out of 10) of NukeSped are in Korean (e.g. Figure 4).\r\nGiven all the evidence so far, we can conclude that the NukeSped RATs have some relation to North Korean threat actors (HIDDEN COBRA).\r\nSolution\r\nInternal testing by FortiGuard Labs shows that all networks and devices being protected by Fortinet solutions running the latest subscription service updates were automatically protected from this malware.\r\nIn particular, FortiGuard Antivirus service detects samples as the following:\r\nC2\r\nMalicious URLs related to this malware are blocked by FortiGuard Web Filtering Service \u0026 the botnet IP engine:\r\n119[.]18[.]230[.]253\r\n218[.]255[.]24[.]226\r\nThe author wants to thank Artem Semenchenko for additional insights during the attribution process.\r\nAs usual, FortiGuard Labs will keep an eye out for advanced threats like this to help keep everybody protected.\r\n-= FortiGuard Lion Team =-\r\nLearn more about FortiGuard Labs and the FortiGuard Security Services portfolio. Sign up for our weekly FortiGuard Threat Brief.\r\nRead about the FortiGuard Security Rating Service, which provides security audits and best practices.\r\nSource: https://www.fortinet.com/blog/threat-research/deep-analysis-nukesped-rat.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.fortinet.com/blog/threat-research/deep-analysis-nukesped-rat.html"
	],
	"report_names": [
		"deep-analysis-nukesped-rat.html"
	],
	"threat_actors": [
		{
			"id": "34eea331-d052-4096-ae03-a22f1d090bd4",
			"created_at": "2025-08-07T02:03:25.073494Z",
			"updated_at": "2026-04-10T02:00:03.709243Z",
			"deleted_at": null,
			"main_name": "NICKEL ACADEMY",
			"aliases": [
				"ATK3 ",
				"Black Artemis ",
				"COVELLITE ",
				"CTG-2460 ",
				"Citrine Sleet ",
				"Diamond Sleet ",
				"Guardians of Peace",
				"HIDDEN COBRA ",
				"High Anonymous",
				"Labyrinth Chollima ",
				"Lazarus Group ",
				"NNPT Group",
				"New Romanic Cyber Army Team",
				"Temp.Hermit ",
				"UNC577 ",
				"Who Am I?",
				"Whois Team",
				"ZINC "
			],
			"source_name": "Secureworks:NICKEL ACADEMY",
			"tools": [
				"Destover",
				"KorHigh",
				"Volgmer"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "732597b1-40a8-474c-88cc-eb8a421c29f1",
			"created_at": "2025-08-07T02:03:25.087732Z",
			"updated_at": "2026-04-10T02:00:03.776007Z",
			"deleted_at": null,
			"main_name": "NICKEL GLADSTONE",
			"aliases": [
				"APT38 ",
				"ATK 117 ",
				"Alluring Pisces ",
				"Black Alicanto ",
				"Bluenoroff ",
				"CTG-6459 ",
				"Citrine Sleet ",
				"HIDDEN COBRA ",
				"Lazarus Group",
				"Sapphire Sleet ",
				"Selective Pisces ",
				"Stardust Chollima ",
				"T-APT-15 ",
				"TA444 ",
				"TAG-71 "
			],
			"source_name": "Secureworks:NICKEL GLADSTONE",
			"tools": [
				"AlphaNC",
				"Bankshot",
				"CCGC_Proxy",
				"Ratankba",
				"RustBucket",
				"SUGARLOADER",
				"SwiftLoader",
				"Wcry"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a2b92056-9378-4749-926b-7e10c4500dac",
			"created_at": "2023-01-06T13:46:38.430595Z",
			"updated_at": "2026-04-10T02:00:02.971571Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Operation DarkSeoul",
				"Bureau 121",
				"Group 77",
				"APT38",
				"NICKEL GLADSTONE",
				"G0082",
				"COPERNICIUM",
				"Moonstone Sleet",
				"Operation GhostSecret",
				"APT 38",
				"Appleworm",
				"Unit 121",
				"ATK3",
				"G0032",
				"ATK117",
				"NewRomanic Cyber Army Team",
				"Nickel Academy",
				"Sapphire Sleet",
				"Lazarus group",
				"Hastati Group",
				"Subgroup: Bluenoroff",
				"Operation Troy",
				"Black Artemis",
				"Dark Seoul",
				"Andariel",
				"Labyrinth Chollima",
				"Operation AppleJeus",
				"COVELLITE",
				"Citrine Sleet",
				"DEV-0139",
				"DEV-1222",
				"Hidden Cobra",
				"Bluenoroff",
				"Stardust Chollima",
				"Whois Hacking Team",
				"Diamond Sleet",
				"TA404",
				"BeagleBoyz",
				"APT-C-26"
			],
			"source_name": "MISPGALAXY:Lazarus Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "32a223a8-3c79-4146-87c5-8557d38662ae",
			"created_at": "2022-10-25T15:50:23.703698Z",
			"updated_at": "2026-04-10T02:00:05.261989Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Lazarus Group",
				"Labyrinth Chollima",
				"HIDDEN COBRA",
				"Guardians of Peace",
				"NICKEL ACADEMY",
				"Diamond Sleet"
			],
			"source_name": "MITRE:Lazarus Group",
			"tools": [
				"RawDisk",
				"Proxysvc",
				"BADCALL",
				"FALLCHILL",
				"WannaCry",
				"MagicRAT",
				"HOPLIGHT",
				"TYPEFRAME",
				"Dtrack",
				"HotCroissant",
				"HARDRAIN",
				"Dacls",
				"KEYMARBLE",
				"TAINTEDSCRIBE",
				"AuditCred",
				"netsh",
				"ECCENTRICBANDWAGON",
				"AppleJeus",
				"BLINDINGCAN",
				"ThreatNeedle",
				"Volgmer",
				"Cryptoistic",
				"RATANKBA",
				"Bankshot"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f32df445-9fb4-4234-99e0-3561f6498e4e",
			"created_at": "2022-10-25T16:07:23.756373Z",
			"updated_at": "2026-04-10T02:00:04.739611Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"APT-C-26",
				"ATK 3",
				"Appleworm",
				"Citrine Sleet",
				"DEV-0139",
				"Diamond Sleet",
				"G0032",
				"Gleaming Pisces",
				"Gods Apostles",
				"Gods Disciples",
				"Group 77",
				"Guardians of Peace",
				"Hastati Group",
				"Hidden Cobra",
				"ITG03",
				"Jade Sleet",
				"Labyrinth Chollima",
				"Lazarus Group",
				"NewRomanic Cyber Army Team",
				"Operation 99",
				"Operation AppleJeus",
				"Operation AppleJeus sequel",
				"Operation Blockbuster: Breach of Sony Pictures Entertainment",
				"Operation CryptoCore",
				"Operation Dream Job",
				"Operation Dream Magic",
				"Operation Flame",
				"Operation GhostSecret",
				"Operation In(ter)caption",
				"Operation LolZarus",
				"Operation Marstech Mayhem",
				"Operation No Pineapple!",
				"Operation North Star",
				"Operation Phantom Circuit",
				"Operation Sharpshooter",
				"Operation SyncHole",
				"Operation Ten Days of Rain / DarkSeoul",
				"Operation Troy",
				"SectorA01",
				"Slow Pisces",
				"TA404",
				"TraderTraitor",
				"UNC2970",
				"UNC4034",
				"UNC4736",
				"UNC4899",
				"UNC577",
				"Whois Hacking Team"
			],
			"source_name": "ETDA:Lazarus Group",
			"tools": [
				"3CX Backdoor",
				"3Rat Client",
				"3proxy",
				"AIRDRY",
				"ARTFULPIE",
				"ATMDtrack",
				"AlphaNC",
				"Alreay",
				"Andaratm",
				"AngryRebel",
				"AppleJeus",
				"Aryan",
				"AuditCred",
				"BADCALL",
				"BISTROMATH",
				"BLINDINGCAN",
				"BTC Changer",
				"BUFFETLINE",
				"BanSwift",
				"Bankshot",
				"Bitrep",
				"Bitsran",
				"BlindToad",
				"Bookcode",
				"BootWreck",
				"BottomLoader",
				"Brambul",
				"BravoNC",
				"Breut",
				"COLDCAT",
				"COPPERHEDGE",
				"CROWDEDFLOUNDER",
				"Castov",
				"CheeseTray",
				"CleanToad",
				"ClientTraficForwarder",
				"CollectionRAT",
				"Concealment Troy",
				"Contopee",
				"CookieTime",
				"Cyruslish",
				"DAVESHELL",
				"DBLL Dropper",
				"DLRAT",
				"DRATzarus",
				"DRATzarus RAT",
				"Dacls",
				"Dacls RAT",
				"DarkComet",
				"DarkKomet",
				"DeltaCharlie",
				"DeltaNC",
				"Dembr",
				"Destover",
				"DoublePulsar",
				"Dozer",
				"Dtrack",
				"Duuzer",
				"DyePack",
				"ECCENTRICBANDWAGON",
				"ELECTRICFISH",
				"Escad",
				"EternalBlue",
				"FALLCHILL",
				"FYNLOS",
				"FallChill RAT",
				"Farfli",
				"Fimlis",
				"FoggyBrass",
				"FudModule",
				"Fynloski",
				"Gh0st RAT",
				"Ghost RAT",
				"Gopuram",
				"HARDRAIN",
				"HIDDEN COBRA RAT/Worm",
				"HLOADER",
				"HOOKSHOT",
				"HOPLIGHT",
				"HOTCROISSANT",
				"HOTWAX",
				"HTTP Troy",
				"Hawup",
				"Hawup RAT",
				"Hermes",
				"HotCroissant",
				"HotelAlfa",
				"Hotwax",
				"HtDnDownLoader",
				"Http Dr0pper",
				"ICONICSTEALER",
				"Joanap",
				"Jokra",
				"KANDYKORN",
				"KEYMARBLE",
				"Kaos",
				"KillDisk",
				"KillMBR",
				"Koredos",
				"Krademok",
				"LIGHTSHIFT",
				"LIGHTSHOW",
				"LOLBAS",
				"LOLBins",
				"Lazarus",
				"LightlessCan",
				"Living off the Land",
				"MATA",
				"MBRkiller",
				"MagicRAT",
				"Manuscrypt",
				"Mimail",
				"Mimikatz",
				"Moudour",
				"Mydoom",
				"Mydoor",
				"Mytob",
				"NACHOCHEESE",
				"NachoCheese",
				"NestEgg",
				"NickelLoader",
				"NineRAT",
				"Novarg",
				"NukeSped",
				"OpBlockBuster",
				"PCRat",
				"PEBBLEDASH",
				"PLANKWALK",
				"POOLRAT",
				"PSLogger",
				"PhanDoor",
				"Plink",
				"PondRAT",
				"PowerBrace",
				"PowerRatankba",
				"PowerShell RAT",
				"PowerSpritz",
				"PowerTask",
				"Preft",
				"ProcDump",
				"Proxysvc",
				"PuTTY Link",
				"QUICKRIDE",
				"QUICKRIDE.POWER",
				"Quickcafe",
				"QuiteRAT",
				"R-C1",
				"ROptimizer",
				"Ratabanka",
				"RatabankaPOS",
				"Ratankba",
				"RatankbaPOS",
				"RawDisk",
				"RedShawl",
				"Rifdoor",
				"Rising Sun",
				"Romeo-CoreOne",
				"RomeoAlfa",
				"RomeoBravo",
				"RomeoCharlie",
				"RomeoCore",
				"RomeoDelta",
				"RomeoEcho",
				"RomeoFoxtrot",
				"RomeoGolf",
				"RomeoHotel",
				"RomeoMike",
				"RomeoNovember",
				"RomeoWhiskey",
				"Romeos",
				"RustBucket",
				"SHADYCAT",
				"SHARPKNOT",
				"SIGFLIP",
				"SIMPLESEA",
				"SLICKSHOES",
				"SORRYBRUTE",
				"SUDDENICON",
				"SUGARLOADER",
				"SheepRAT",
				"SierraAlfa",
				"SierraBravo",
				"SierraCharlie",
				"SierraJuliett-MikeOne",
				"SierraJuliett-MikeTwo",
				"SimpleTea",
				"SimplexTea",
				"SmallTiger",
				"Stunnel",
				"TAINTEDSCRIBE",
				"TAXHAUL",
				"TFlower",
				"TOUCHKEY",
				"TOUCHMOVE",
				"TOUCHSHIFT",
				"TOUCHSHOT",
				"TWOPENCE",
				"TYPEFRAME",
				"Tdrop",
				"Tdrop2",
				"ThreatNeedle",
				"Tiger RAT",
				"TigerRAT",
				"Trojan Manuscript",
				"Troy",
				"TroyRAT",
				"VEILEDSIGNAL",
				"VHD",
				"VHD Ransomware",
				"VIVACIOUSGIFT",
				"VSingle",
				"ValeforBeta",
				"Volgmer",
				"Vyveva",
				"W1_RAT",
				"Wana Decrypt0r",
				"WanaCry",
				"WanaCrypt",
				"WanaCrypt0r",
				"WannaCry",
				"WannaCrypt",
				"WannaCryptor",
				"WbBot",
				"Wcry",
				"Win32/KillDisk.NBB",
				"Win32/KillDisk.NBC",
				"Win32/KillDisk.NBD",
				"Win32/KillDisk.NBH",
				"Win32/KillDisk.NBI",
				"WinorDLL64",
				"Winsec",
				"WolfRAT",
				"Wormhole",
				"YamaBot",
				"Yort",
				"ZetaNile",
				"concealment_troy",
				"http_troy",
				"httpdr0pper",
				"httpdropper",
				"klovbot",
				"sRDI"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434105,
	"ts_updated_at": 1775792299,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c7bc26e1f0f60a81670a1eaae98653493d80cacc.pdf",
		"text": "https://archive.orkl.eu/c7bc26e1f0f60a81670a1eaae98653493d80cacc.txt",
		"img": "https://archive.orkl.eu/c7bc26e1f0f60a81670a1eaae98653493d80cacc.jpg"
	}
}