{
	"id": "1359dd94-2bcd-4df8-9645-40043d9eeeaa",
	"created_at": "2026-04-06T00:16:08.690142Z",
	"updated_at": "2026-04-10T03:36:11.201935Z",
	"deleted_at": null,
	"sha1_hash": "cc7a11bdcb66d075b38f0c05978ca998b47d1df3",
	"title": "Investigation into the state of Nim malware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 871487,
	"plain_text": "Investigation into the state of Nim malware\r\nBy Jason Reaves\r\nPublished: 2021-03-01 · Archived: 2026-04-05 23:00:48 UTC\r\nMar 1, 2021\r\nBy: Jason Reaves and Joshua Platt\r\nWhenever malware is found to be written in a new programming language, AV detections are generally lacking because the new language produces bytecode sequences that are relatively unknown, along with strings of data that can throw off static heuristic models. It also usually causes stress within the malware reverse engineering community, as was seen with GoLang malware initially.\r\nEnter Nim[1], which was used to create a repository of code examples, OffensiveNim[2], leveraging Nim for red team related utilities; malware developers take notice of things that can be leveraged for more infections, including compiled programming languages that bypass AV detections. This was brought more to light recently in a report we put out going over a new loader being leveraged by the TrickBot cybercrime group that was written in Nim, NimRod[5], much the same as they use BazarLoader[3]. Some of the concepts or development requirements for Baza could have been imposed on NimRod; after all, they are both being leveraged as loaders to deliver CobaltStrike primarily[4].\r\nhttps://medium.com/walmartglobaltech/investigation-into-the-state-of-nim-malware-14cc543af811\r\nPage 1 of 9\r\nThis left me wondering what else was out there in the world of Nim malware; this report is a compilation of my findings.\r\nNim Crypter\r\nFirst we have possibly an adversary leveraging code from OffensiveNim to conceal an onboard encrypted binary, something we would normally refer to as a Crypter in the malware world: a tool designed to bypass AV by wrapping a layer around a binary that would otherwise be detected.\r\nMD5: 507500d9c55ac4db55c7ea4adfe1380b SHA-1:\r\nThis is using publicly available code from OffensiveNim, but also the step-by-step instructions[6,7] that are available for how to use the code to crypt up and deliver a .NET assembly. The standard method in the repo involves storing the file AES encrypted and Base64 encoded, so we can reverse the process to statically recover the onboard file.\r\n\u003e\u003e\u003e from Crypto.Cipher import AES\r\n\u003e\u003e\u003e from Crypto.Util import Counter\r\n\u003e\u003e\u003e import hashlib\r\n\u003e\u003e\u003e import base64\r\n\u003e\u003e\u003e import binascii\r\n\u003e\u003e\u003e # AES key: SHA-256 of the key string used by the crypter\r\n\u003e\u003e\u003e k = hashlib.sha256('TARGETDOMAIN').digest()\r\n\u003e\u003e\u003e # b holds the Base64 blob lifted from the sample (omitted here); decode it to the raw ciphertext\r\n\u003e\u003e\u003e b = base64.b64decode(b)\r\n\u003e\u003e\u003e # the 16-byte CTR initial counter value is stored Base64 encoded as well\r\n\u003e\u003e\u003e c = base64.b64decode('VcVWbuX3TM+koCBd+2YHrw==')\r\n\u003e\u003e\u003e int(binascii.hexlify(c),16)\r\n114009015196344035509101775155687196591L\r\n\u003e\u003e\u003e ctr = Counter.new(128, initial_value=114009015196344035509101775155687196591)\r\n\u003e\u003e\u003e aes = AES.new(k, AES.MODE_CTR, counter=ctr)\r\n\u003e\u003e\u003e aes.decrypt(b)\r\n'MZ\\x90\\x00\\x03\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\xff\\xff\\x00\\x00\\xb8\\x00\\x00\\x00\\x00\\x00\\x00\\x00@\\x00\\x00\\\r\nIn this case it is loading a GruntHTTP stager:\r\nhttps://yeshua.vip:443\r\n2E4D5B0FEE977939ED85AAFB89CC40F8B2350385\r\nVXNlci1BZ2VudA==,Q29va2ll\r\nTW96aWxsYS81LjAgKFdpbmRvd3MgTlQgNi4xKSBBcHBsZVdlYktpdC81MzcuMzYgKEtIVE1MLCBsaWtlIEdlY2tvKSBDaHJvbWUvN\r\nL2VuLXVzL2luZGV4Lmh0bWw=,L2VuLXVzL2RvY3MuaHRtbA==,L2VuLXVzL3Rlc3QuaHRtbA==\r\ni=a19ea23062db990386a3a478cb89d52e\u0026data={0}\u0026session=75db-99b1-25fe4e9afbe58696-320bea73\r\nAnother usage of OffensiveNim code as a crypter, but this time with direct references to SharpKatz, which was explained in the PPN github repo[6]. Decoding out the onboard file in the same manner leaves us with SharpKatz:\r\n\\Users\\chippy\\Desktop\\HACKING_RESOURCES\\SharpKatz-master\\SharpKatz\\obj\\Debug\\SharpKatz.pdb\r\nNim Stagers\r\nA common area where we saw GoLang being used when malware developers started noticing it was with stagers for Meterpreter or CobaltStrike; the same pattern holds true for Nim as well.\r\nMD5: e65a69688e0c75f41f1388c82e1069ba SHA-1:\r\nThe shellcode is in the clear and appears to be Metasploit code for downloading and executing a next stage; even with the shellcode in the clear, the detections at time of upload to VirusTotal were 4/66.\r\nHere we can see that the next stage will be pulled from 45.43.2.118, but this was down at the time I discovered the file. The IP address was associated with being a CobaltStrike C2 at one point in time according to VirusTotal data.\r\nPhoto credit: VirusTotal\r\nMD5: 78a94df84f31c12a428cbdeeb179dc6b SHA-1:\r\nThis is also a stager, but this time the shellcode is obfuscated; the first layer is Base64.\r\nuGY9pAPzVQhtiSUAgUPskzKDdniP5h4btXJZaNKEUS6v2MrXnhXA9lv+f85M4Lw3mdlgnWPkq0eVM+GQqoYHspYkh8vWZUJ3Ktqup\r\nAfter Base64 decoding this, the sample will then treat the first 256 bytes as a lookup table to deobfuscate the remaining data.\r\n\u003e\u003e\u003e # a holds the Base64-decoded blob: a 256-byte substitution table followed by the encoded shellcode\r\n\u003e\u003e\u003e tbl = a[:256]\r\n\u003e\u003e\u003e data = bytearray(a[256:])\r\n\u003e\u003e\u003e out = \"\"\r\n\u003e\u003e\u003e for i in range(len(data)):\r\n...     out += tbl[data[i]]  # each encoded byte is an index into the table\r\n...\r\n\u003e\u003e\u003e out\r\n'\\xfcH\\x83\\xe4\\xf0\\xe8\\xc8\\x00\\x00\\x00AQAPRQVH1\\xd2eH\\x8bR`H\\x8bR\\x18H\\x8bR H\\x8brPH\\x0f\\xb7JJM1\\xc9H\r\nThe decoded data is CobaltStrike stager shellcode with a local IP address. We were able to pivot on this technique of decoding the shellcode to find another stager using the same decoding mechanism to a live C2:\r\nMD5: 76c7bb63fb46ecd31bee614e2760fc2f\r\nSHA-1: 8dcc70fcbeb7231986fe9420f7cd8bc8a1223ddf\r\nSHA-256: d7cdf7bca8c90d21e64b0c790ce5aa9124623dd2788088c81160703e00ff2052\r\nThe shellcode stager this decodes out goes to:\r\n35.241.81.15/AdhP\r\nWhich contains a shellcode wrapped CobaltStrike beacon when downloaded.\r\n{'ProcInject_Execute': '\\x06\\x00B\\x00\\x00\\x00\\x06ntdll\\x00\\x00\\x00\\x00\\x13RtlUserThreadStart\\x00\\x01\\\r\nThis also turns out to be a CobaltStrike stager with a local IP address, but the data is encrypted using 3DES with the key placed on top of the encrypted data:\r\nThe last stager we are going to look at has a few more layers of encoding on the stager shellcode, but it also currently only has 5 detections on VirusTotal.\r\nMD5: 0a7b2ae58ac40dfd7a972a6cff81315a SHA-1:\r\nThe XOR key for the shellcode is stored single byte XOR encoded itself:\r\nThen the encoded stager shellcode is copied:\r\nThe encoded shellcode and XOR key are then passed to a function calling itself showStr:\r\nThis function will actually be decoding the shellcode:\r\nThe steps are Base64 decode -\u003e XOR -\u003e unhexlify, which leaves us with another stager shellcode blob:\r\n\\xfc\\xe8\\x89\\x00\\x00\\x00`\\x89\\xe51\\xd2d\\x8bR0\\x8bR\\x0c\\x8bR\\x14\\x8br(\\x0f\\xb7J\u00261\\xff1\\xc0\\xac\u003ca|\\x02\r\nLoaders\r\nAside from NimRod, there appear to be other loader malware out there written in Nim that share some code similarity with NimRod in regards to the string encoding technique; whether this means they are based on similar code bases or were developed by the same person is unclear.\r\nMD5: 325a71e33559a634ec08bccd0d3898f8\r\nSHA-1: de3a15fb7b7571cc697b8c262e56e4be31c74302\r\nSHA-256: bdf20694e32d8305b859bf0d36b62078fd9ec330ece3f37e8192ff738165faee\r\nThe CAB file contains two files, both written in Nim, which contain the same string encoding routine as NimRod.\r\nDate Time Attr Size Compressed Name\r\n------------------- ----- ------------ ------------ ------------------------\r\n2021-01-09 00:22:40 ....A 112248 Loader.exe\r\n2021-01-09 00:22:14 ....A 302200 reader_sl.exe\r\n------------------- ----- ------------ ------------ ------------------------\r\n2021-01-09 00:22:40 414448 136673 2 files\r\nLoader.exe:\r\nMD5: dca780bc42a73d11ddfbc9f44a5f7a87\r\nSHA-1: e3b01fed4799dd38490f49cf974d669b3fa8887f\r\nSHA-256: 63c81b095e6a461587717b5191028f55dc413bf2457f8fc89c8d8dfbf810491e\r\nDecoded strings:\r\nAPPDATA\r\nreader_sl\r\n\\reader_sl.exe\r\nreg add HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /v\r\n /t REG_SZ /d\r\nsc create\r\n binPath=\r\ncmd /K start\r\n start= auto error= ignore\r\nreg add HKCU\\Software\\Classes\\CLSID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\LocalServer32 /ve /t REG_S\r\n /f\r\ncmd.exe /c\r\n[*] Initializing...\r\ncmd.exe /c start\r\n[!] Unknown Error!\r\nreader_sl.exe\r\nMD5: a3dbfa1081a6b79cbedda57f859a2942\r\nSHA-1: 86eff4c7c5f0cc587ab94fc0b63d5e771548cf84\r\nSHA-256: 5195ead146c387e55c4e7b00818b30bd80d044a71b9717597de3cbc535344984\r\nClear strings:\r\ncapture\r\nmypid\r\nstart /b\r\nstart\r\ncloneme\r\n[!] Unknown exception!\r\ncmd.exe /c start /b\r\n -Verb RunAs\r\npowershell Start-Process\r\nuac\r\ndeactivate\r\nupdate.php\r\ncmd\r\nkey\r\nMozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko)\r\nUser-agent\r\nactivate\r\nget\r\nsleep\r\nDecoded strings:\r\namsi\r\nAmsiScanBuffer\r\n[*] Disabled:\r\n[*] Parsing...\r\nhttp://msbackup.ddns.net/f01c137e-0eb6-4fba-9ef0-40c9cfac3135/\r\n1qaz@WSX\r\n-\r\nUSERNAME\r\n[*] Initializing...\r\n[+] DONE!\r\nUser-agent\r\nMozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko)\r\nclients/\r\n.html\r\nkill server\r\n[!] Unknown exception!\r\n[!] Page Not Found!\r\nid\r\nkey\r\ncmd\r\nndm\r\nupdate.php\r\nWe’ve shown a number of examples that demonstrate a variety of people are experimenting with using Nim for various purposes. Most of the testing at this time appears to be red team related, but some malicious actors have also been utilizing it recently.\r\nIOCs\r\n42.51.12.61\r\n35.241.81.15\r\nss.payl0ad.ga\r\nmsbackup.ddns.net\r\nReferences\r\n1: https://nim-lang.org/\r\n2: https://github.com/byt3bl33d3r/OffensiveNim\r\n3: https://www.crowdstrike.com/blog/wizard-spider-adversary-update/\r\n4: https://www.bleepingcomputer.com/news/security/bazarloader-used-to-deploy-ryuk-ransomware-on-high-value-targets/\r\n5: https://medium.com/walmartglobaltech/nimar-loader-4f61c090c49e\r\n6: https://github.com/snovvcrash/PPN\r\n7: https://s3cur3th1ssh1t.github.io/Playing-with-OffensiveNim/\r\nSource: https://medium.com/walmartglobaltech/investigation-into-the-state-of-nim-malware-14cc543af811",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://medium.com/walmartglobaltech/investigation-into-the-state-of-nim-malware-14cc543af811"
	],
	"report_names": [
		"investigation-into-the-state-of-nim-malware-14cc543af811"
	],
	"threat_actors": [
		{
			"id": "f6f91e1c-9202-4497-bf22-9cd5ef477600",
			"created_at": "2023-01-06T13:46:38.86765Z",
			"updated_at": "2026-04-10T02:00:03.12735Z",
			"deleted_at": null,
			"main_name": "WIZARD SPIDER",
			"aliases": [
				"TEMP.MixMaster",
				"GOLD BLACKBURN",
				"DEV-0193",
				"UNC2053",
				"Pistachio Tempest",
				"DEV-0237",
				"Storm-0230",
				"FIN12",
				"Periwinkle Tempest",
				"Storm-0193",
				"Trickbot LLC"
			],
			"source_name": "MISPGALAXY:WIZARD SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bc119938-a79c-4e5f-9d4d-dc96835dfe2e",
			"created_at": "2024-06-04T02:03:07.799286Z",
			"updated_at": "2026-04-10T02:00:03.606456Z",
			"deleted_at": null,
			"main_name": "GOLD BLACKBURN",
			"aliases": [
				"ITG23 ",
				"Periwinkle Tempest ",
				"Wizard Spider "
			],
			"source_name": "Secureworks:GOLD BLACKBURN",
			"tools": [
				"BazarLoader",
				"Buer Loader",
				"Bumblebee",
				"Dyre",
				"Team9",
				"TrickBot"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "63061658-5810-4f01-9620-7eada7e9ae2e",
			"created_at": "2022-10-25T15:50:23.752974Z",
			"updated_at": "2026-04-10T02:00:05.244531Z",
			"deleted_at": null,
			"main_name": "Wizard Spider",
			"aliases": [
				"Wizard Spider",
				"UNC1878",
				"TEMP.MixMaster",
				"Grim Spider",
				"FIN12",
				"GOLD BLACKBURN",
				"ITG23",
				"Periwinkle Tempest",
				"DEV-0193"
			],
			"source_name": "MITRE:Wizard Spider",
			"tools": [
				"TrickBot",
				"AdFind",
				"BITSAdmin",
				"Bazar",
				"LaZagne",
				"Nltest",
				"GrimAgent",
				"Dyre",
				"Ryuk",
				"Conti",
				"Emotet",
				"Rubeus",
				"Mimikatz",
				"Diavol",
				"PsExec",
				"Cobalt Strike"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "e6a21528-2999-4e2e-aaf4-8b6af14e17f3",
			"created_at": "2022-10-25T16:07:24.422115Z",
			"updated_at": "2026-04-10T02:00:04.983298Z",
			"deleted_at": null,
			"main_name": "Wizard Spider",
			"aliases": [
				"DEV-0193",
				"G0102",
				"Gold Blackburn",
				"Gold Ulrick",
				"Grim Spider",
				"ITG23",
				"Operation BazaFlix",
				"Periwinkle Tempest",
				"Storm-0230",
				"TEMP.MixMaster",
				"Wizard Spider"
			],
			"source_name": "ETDA:Wizard Spider",
			"tools": [
				"AdFind",
				"Agentemis",
				"Anchor_DNS",
				"BEERBOT",
				"BazarBackdoor",
				"BazarCall",
				"BazarLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"Conti",
				"Diavol",
				"Dyranges",
				"Dyre",
				"Dyreza",
				"Dyzap",
				"Gophe",
				"Invoke-SMBAutoBrute",
				"KEGTAP",
				"LaZagne",
				"LightBot",
				"PowerSploit",
				"PowerTrick",
				"PsExec",
				"Ryuk",
				"SessionGopher",
				"TSPY_TRICKLOAD",
				"Team9Backdoor",
				"The Trick",
				"TheTrick",
				"Totbrick",
				"TrickBot",
				"TrickLoader",
				"TrickMo",
				"Upatre",
				"bazaloader",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434568,
	"ts_updated_at": 1775792171,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/cc7a11bdcb66d075b38f0c05978ca998b47d1df3.pdf",
		"text": "https://archive.orkl.eu/cc7a11bdcb66d075b38f0c05978ca998b47d1df3.txt",
		"img": "https://archive.orkl.eu/cc7a11bdcb66d075b38f0c05978ca998b47d1df3.jpg"
	}
}