{
	"id": "af8a004a-7533-4aca-afc0-0adbbbd6e5b8",
	"created_at": "2026-04-06T00:18:06.02967Z",
	"updated_at": "2026-04-10T13:11:55.949254Z",
	"deleted_at": null,
	"sha1_hash": "d9b86bee150b292aa964f4cca41d4f8235fb6873",
	"title": "New NKAbuse malware abuses NKN blockchain for stealthy comms",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2968652,
	"plain_text": "New NKAbuse malware abuses NKN blockchain for stealthy comms\r\nBy Bill Toulas\r\nPublished: 2023-12-14 · Archived: 2026-04-05 21:50:04 UTC\r\nA new Go-based multi-platform malware identified as 'NKAbuse' is the first malware abusing NKN (New Kind of Network)\r\ntechnology for data exchange, making it a stealthy threat.\r\nNKN is a relatively new decentralized peer-to-peer network protocol leveraging blockchain technology to manage resources\r\nand maintain a secure and transparent model for network operations.\r\nOne of the goals of NKN is to optimize data transmission speed and latency across the network, which is achievable by\r\ncalculating efficient data packet travel paths.\r\nIndividuals can participate in the NKN network by running nodes, similar to the Tor network, and currently, there are\r\napproximately 60,710 nodes in it.\r\nThis relatively large number of nodes contributes to robustness, decentralization, and ability to handle significantly high\r\nvolumes of data.\r\nMoving data through NKN (Kaspersky)\r\nNKAbuse details\r\nKaspersky reports the discovery of a novel malware named NKAbuse, which primarily targets Linux desktops in Mexico,\r\nColombia, and Vietnam.\r\nOne NKAbuse infection spotted by Kaspersky involves the exploitation of an old Apache Struts flaw (CVE-2017-5638) to\r\nattack a financial company.\r\nAlthough most attacks target Linux computers, the malware can compromise IoTs and supports MIPS, ARM, and 386\r\narchitectures.\r\nNKAbuse abuses NKN to launch DDoS (distributed denial of service) attacks that are hard to trace back to a specific\r\ninfrastructure and unlikely to be flagged due to 
originating from a novel protocol not actively monitored by most security\r\ntools.\r\n\"This threat (ab)uses the NKN public blockchain protocol to carry out a large set of flooding attacks and act as a backdoor\r\ninside Linux systems,\" explains Kaspersky.\r\nSpecifically, the malware client communicates with the bot master through NKN to send and receive data. At the same time,\r\nits ability to keep multiple concurrent channels alive gives resilience to its communication line.\r\nThe payload commands sent by the C2 include HTTP, TCP, UDP, PING, ICMP, and SSL flood attacks aimed at a specified\r\ntarget.\r\nDDoS attack commands (Kaspersky)\r\n\"All these payloads historically have been used by botnets, so, when combined with the NKN as the communication\r\nprotocol, the malware can asynchronously wait for the master to launch a combined attack,\" Kaspersky says.\r\nIn addition to the DDoS capabilities, NKAbuse also acts as a remote access trojan (RAT) on compromised systems, allowing\r\nits operators to perform command execution, data exfiltration, and snap screenshots.\r\nScreenshot functionality (Kaspersky)\r\nThis plethora of capabilities that make NKAbuse highly versatile and adaptive isn't typical in the DDoS botnet space.\r\nAdditionally, using blockchain technology that guarantees availability and obfuscates the source of the attacks makes\r\ndefending against this threat very challenging.\r\nSource: https://www.bleepingcomputer.com/news/security/new-nkabuse-malware-abuses-nkn-blockchain-for-stealthy-comms/#google_vignette",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/new-nkabuse-malware-abuses-nkn-blockchain-for-stealthy-comms/#google_vignette"
	],
	"report_names": [
		"#google_vignette"
	],
	"threat_actors": [],
	"ts_created_at": 1775434686,
	"ts_updated_at": 1775826715,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d9b86bee150b292aa964f4cca41d4f8235fb6873.pdf",
		"text": "https://archive.orkl.eu/d9b86bee150b292aa964f4cca41d4f8235fb6873.txt",
		"img": "https://archive.orkl.eu/d9b86bee150b292aa964f4cca41d4f8235fb6873.jpg"
	}
}