{
	"id": "8d4ffed3-85f3-491c-939e-279d11b54acb",
	"created_at": "2026-04-06T00:10:48.326771Z",
	"updated_at": "2026-04-10T13:13:04.178928Z",
	"deleted_at": null,
	"sha1_hash": "e0e5855481df295c3376a41644ffd0c2f456e99f",
	"title": "Break Out Of The Tinynuke Malware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1118628,
	"plain_text": "Break Out Of The Tinynuke Malware\r\nBy Tiago Pereira\r\nPublished: 2018-02-02 · Archived: 2026-04-05 22:28:14 UTC\r\nNew Tinynuke variant with a DGA in the wild\r\nTinynuke, or Nukebot malware, is a trojan able to perform man-in-the-browser attacks against modern web browsers and equipped with the most common features needed by a banking trojan (e.g. webinjects, SOCKS proxy, VNC, remote command execution). This malware was in the spotlight in 2017 after the complete bot source code was leaked in March by someone claiming to be the author of the malware.\r\nThe leaked source contained a fully working bot, builder and botnet control panel and, as we have seen in the past, leaks of working malware usually lead to that malware being used increasingly, and new variants and adaptations of it start to emerge.\r\nWe at Bitsight constantly monitor the internet for new threats that may affect the security of organizations worldwide. A few months ago we first noticed an unknown DGA showing up in our network traffic analysis system that we could not identify. 
After some research we managed to identify the malware behind it, and found a malware operation targeting users in the United Kingdom and Canada using a new variant of Tinynuke with some improvements, such as the use of a DGA (Domain Generation Algorithm) for its command and control channel or asymmetric cryptography for C2 authentication.\r\nThe malware is being distributed through fake websites (fake product websites or fake blogs) promoted through social networking and advertising, which contain links to malicious software installers.\r\nThe following is an example of one of these websites being used to distribute a trojanized PDF reader software installer.\r\nhttps://www.bitsighttech.com/blog/break-out-of-the-tinynuke-botnet\r\nPage 1 of 7\n\nAnother interesting example is a fake cryptocurrency security advice blog that was set up to make available a set of fake installers of known tools that can be used to make a PC more secure. This fake blog was reported to be promoted through Facebook advertising by a user who found it suspicious. He wrote about it on his blog (see references). The following image shows this website:\r\n\r\nThe software installers contain both the trojan and a legitimate software installer and are, in most cases, digitally signed by a company called “AGM 1980 Limited” with a valid certificate signed by Comodo CA.\r\nOnce the user executes the fake installer:\r\nRequests administrative privileges to continue with the installation;\r\nPerforms several checks to verify if it is running on a sandboxed environment (e.g. 
number of CPUs, installed RAM, virtualization software);\r\nIf the installer is running on a sandbox it proceeds with the legitimate tool installer and does not install the malware;\r\nIf the installer is not on a sandbox it installs the malware and then proceeds with the legitimate installer;\r\nAfter the trojan is installed and running, the user’s system is compromised and its data at risk.\r\nIn order to gather some data about the geographies targeted by the malware we have sinkholed its DGA domains and observed that there are currently at least 2 different botnets, each using a different TLD on the DGA and each targeting users in a specific country. In particular, one botnet seems to be targeting users in Canada and the other users in the United Kingdom.\r\n\r\nWebinjects and targets\r\nLooking at the webinject configuration we found that besides a few test injects there were also specific injects for two targets, Amazon and Lloyds Bank, as shown in the following excerpt (the full webinjects are listed in the IOCs section):\r\n\r\nThese injects include additional JavaScript from domains that were registered using the same email address that was used to register the hardcoded domains and the active DGA domains, indicating that these are possibly being developed by the same person or group.\r\nIt is also worth noting that besides these two webinjects, the normal bot behaviour is to collect HTTP POST request data on IE, Firefox and Chrome for all hosts not listed in the fg_blacklist object in the config. The following blacklist was found active:\r\n\r\nThe malware is mostly the same as the TinyNuke bot that was leaked. 
However, there are some new features, of which the following are the most relevant:\r\nDGA\r\nPerhaps the most interesting modification is the introduction of a DGA. This DGA increases the resiliency of the botnet against takedown requests and is triggered when the hardcoded C2 is unreachable.\r\nIts implementation is very simple: it consists of the md5 of a number concatenated with the current day. The following is an example implementation of the DGA in python:\r\n\r\nC2 authentication using public RSA key\r\nThe bot uses asymmetric cryptography to authenticate the C2, as a measure to prevent botnet takeover. To do this, the malware:\r\nGenerates a random 8 byte long string and calculates its md5 value;\r\nEncrypts this value using the C2 RSA public key that is hard coded in the bot;\r\nChecks if the md5 of the sent value is present in the response to the ping command;\r\nIf it is, the malware stores this C2 as the active C2 in a global variable and communicates with it directly on further interactions;\r\nThe following public key was found in use:\r\n\r\nC2 Proxy layer\r\nThe bot has been modified to support what appears to be a proxy layer between the C2 and the infected bots. The HTTP requests now have the following format:\r\n\r\nSandbox/malware analysis detection\r\nThe new version includes a few self protection features not present in the leaked source. 
These are the same that exist in the fake software installers used to drop the malware:\r\nCheck for sandbox related usernames by looking for the strings:\r\nCheck that physical memory on the device is higher than 1Gb;\r\nCheck if the system has more than one CPU;\r\nCheck if the Sleep command is being bypassed by calling Sleep and checking if the process actually sleeps;\r\nCheck for VMware Tools registry keys;\r\nCheck for VirtualBox Guest Additions files;\r\nCheck if the user is connected through remote desktop;\r\nThis is an interesting evolution of the TinyNuke malware family and we will continue to monitor this threat as it progresses.\r\nhttps://securingtomorrow.mcafee.com/business/tinynuke-may-ticking-time-bomb/\r\nhttps://securelist.com/the-nukebot-banking-trojan-from-rough-drafts-to-real-threats/78957/\r\nhttps://krebsonsecurity.com/2017/04/self-proclaimed-nuclear-bot-author-weighs-u-s-job-offer/\r\nhttps://securityintelligence.com/the-nukebot-trojan-a-bruised-ego-and-a-surprising-source-code-leak/\r\nhttps://rootvideochannel.blogspot.pt/2017/12/suspicious-website-cryptocurrencysecuri.html\r\ne2a3bf38387c751bcb971f0234a7a89f74f2b7c807bf6503b4b58fcfbaafa1d6\r\nSource: https://www.bitsighttech.com/blog/break-out-of-the-tinynuke-botnet",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.bitsighttech.com/blog/break-out-of-the-tinynuke-botnet"
	],
	"report_names": [
		"break-out-of-the-tinynuke-botnet"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434248,
	"ts_updated_at": 1775826784,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e0e5855481df295c3376a41644ffd0c2f456e99f.pdf",
		"text": "https://archive.orkl.eu/e0e5855481df295c3376a41644ffd0c2f456e99f.txt",
		"img": "https://archive.orkl.eu/e0e5855481df295c3376a41644ffd0c2f456e99f.jpg"
	}
}