{
	"id": "16930092-09e0-4eef-ab24-8311c93e1888",
	"created_at": "2026-04-06T00:18:00.938834Z",
	"updated_at": "2026-04-10T03:33:12.481791Z",
	"deleted_at": null,
	"sha1_hash": "fff54162388610d14651b3c22563c42016fca8ab",
	"title": "NanoCore RAT Under the Microscope",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 4729107,
	"plain_text": "NanoCore RAT Under the Microscope\r\nBy Morphisec Labs\r\nArchived: 2026-04-05 16:43:54 UTC\r\nIn this blog, we present findings on how NanoCore RAT 1.2.2.0 is actively being delivered in new and different ways that we discovered at Morphisec Labs over the last couple of months. Specifically, we focus on the sophisticated fileless methods used to deliver the RAT without touching the disk.\r\nBackground\r\nRemote Access Trojans, also known as RATs, remain one of the most prevalent forms of malware and are leveraged in many different types of cyber-attacks. Various flavors and versions of these RATs are freely available and easily modified to fit the unique requirements of any given attack. The primary purpose of a RAT is to gain unauthorized remote access to the victim’s device after the initial infection of the machine. Once attackers gain access to the machine through a RAT, they can collect keystrokes, usernames, passwords, browser history, emails, screenshots, etc. A few examples from a much larger list of popular RATs include Poison Ivy, jRAT, njRAT, Orcus RAT, CyberGate, DarkComet, DreamWare, BlackShades and NetWire.\r\nNanoCore is a RAT that has become popular in recent years; it is commonly used by threat actors and is believed to be one of the most sophisticated RATs on the market. Since it was discovered in 2013, multiple versions have been leaked on underground forums. The latest leaked version, 1.2.2.0, appeared in March 2015 and is available online to download for free. NanoCore comes with a few base plugins and the ability to expand its functionality, so threat actors can develop additional features for other malicious actions. There is already a wide range of NanoCore plugins available online that can be used for cryptocurrency mining, ransomware attacks, and more.\r\nDefense solutions have been updated to detect NanoCore based on the metadata and strings that reside within its Client executable. Fileless and in-memory attacks give adversaries the advantage of bypassing behavioral and static scanning attempts without sacrificing functionality.\r\nDistribution Methods\r\nThe most common initial delivery method today is via attachments in spam emails and web download links. Previously, security researchers found Microsoft Word documents with malicious auto-executing VBA code, and a fake invoice in PDF format, that install the NanoCore RAT.\r\nThe first delivery method we identified uses the actual AutoIt interpreter, AutoIt3.exe (version 3.3.8.1). The legitimate interpreter was renamed to cxf.exe to bypass basic script-control solutions. Additionally, the malicious code was executed as a script rather than as a compiled AutoIt executable to further evade AV detection. The malicious script demonstrates advanced support for process hollowing for both 32- and 64-bit architectures, VM evasion, and the use of advanced shellcodes such as RunPE. Here we investigate the functionality of the script and how it delivers and executes the NanoCore RAT. A similar type of attack was previously reported by Talos and HornetSecurity, but with a different primary source of the attack and a different file type for the config file.\r\nhttps://blog.morphisec.com/nanocore-under-the-microscope\r\nPage 1 of 17\r\nThe second distribution method uses a PowerShell command to download and execute the NanoCore malware from a Pastebin account in memory. The method is well described as part of the “Aggah” campaign that eventually delivers RevengeRAT. In this method, a Pastebin link is run via PowerShell, which deobfuscates to a NanoCore RAT that had been obfuscated with Eazfuscator.\r\nThe third delivery method involves compiling the malicious AutoIt script into an executable that includes additional functionality. With this method, the executable includes mechanisms for bypassing User Account Control based on the target OS, extended hollowing capabilities for executing the NanoCore RAT from within different legitimate Windows processes, and more advanced shellcodes that bypass hooks and monitoring.\r\nPast Abuse of AutoIt\r\nAutoIt is a legitimate scripting tool used by many IT administrators to automate tasks. At the same time, it is constantly leveraged by malware authors to deliver different types of malware. In March 2018, security researchers at HornetSecurity witnessed an attack where the NanoCore RAT was distributed via a phishing email carrying a PDF file with a link that downloaded a self-extracting archive. The archive contained a renamed copy of the legitimate AutoIt interpreter, a malicious script, a configuration file with a .docx extension, and many other files with various extensions.\r\nIn April 2019, researchers at SonicWall observed a phishing campaign that spread the NanoCore RAT through malicious attachments. The attachments contained an ISO file holding a compiled AutoIt executable that executed the NanoCore RAT in memory.\r\nSimilarly, in May 2018, researchers at Fortinet identified the use of AutoIt to distribute Remcos RAT by exploiting CVE-2017-11882. Researchers also noticed a similar approach where AutoIt was used to deliver the Mokes/SmokeBot backdoor and Dofoil/Smoke Loader.\r\nTechnical Analysis\r\nMethod 1: AutoIt Executes a Malicious File\r\nStage 1:\r\nMain Components Involved:\r\n1. ufj=ked\r\n2. cxf.exe\r\n3. qnb.jpg\r\nThe script file ufj=ked is padded with commented garbage code. Most of the file consists of comments that are disregarded by the interpreter. After cleaning out the garbage, the size of the script came down from 203 KB to 7 KB. Below is the de-obfuscated code of the ufj=ked script.\r\nBefore we get into what the ufj=ked script does, let’s first look at the third file, qnb.jpg. It is the configuration used by the script and contains a second AutoIt script and a loader. This qnb.jpg file is also riddled with garbage values that required cleaning. Below is an image showing how it looks after cleaning.\r\ncxf.exe, a copy of the AutoIt3.exe interpreter, runs the malicious AutoIt script ufj=ked. Going back to the de-obfuscated code of ufj=ked (first figure), we can clearly see that the script first checks for a running Avast AV process, avastui.exe. It then locates the configuration file qnb.jpg and reads the values of sK and sN. If the values are empty, the script terminates. If they are not empty, the script reads all the data between the [sData] and [esData] markers, uses the sK value (here 545) in the decoder function, and finally executes the decoded script. During this process, a randomly named file containing the data from the configuration file is written to the same directory. This new file is another obfuscated AutoIt script, which also sets the attributes of the files in the current directory to read-only and hidden. This first script is similar to the scripts in the older attacks mentioned above, except for the addition of the configuration file.
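\r\nThe flow described above, as an added Python example that is not the Morphisec script nor anything recovered from the sample: read sK and sN, stop when either is empty (the behaviour the loader shows), and otherwise hand back the bytes between the [sData] and [esData] markers together with sK for the decoder. The key=value layout, the marker lines, the hex-token payload and the two sample configurations are assumptions made for this example; the page does not reproduce the real decoder keyed by sK, so it is not attempted here.\r\n
```python
# Added example, not code from the Morphisec analysis or from the sample:
# a small extractor that mirrors the configuration handling the blog
# describes for qnb.jpg. Assumptions made here: sK and sN are stored as
# key=value lines, the payload sits between a [sData] line and an
# [esData] line, and the payload is written as hex tokens. The real
# decoder keyed by sK is not reproduced; this stops at the raw bytes.

CRLF = chr(13) + chr(10)

# Constructed sample config: junk lines, the two keys, and a payload block.
SAMPLE_CONFIG = CRLF.join([
    'zx91 qq garbage 0xff',
    'sK=545',
    'sN=RegSvcs',
    '9981 more junk',
    '[sData]',
    '0x4D 0x5A 0x90 0x00',
    '0x03 0x00 0x00 0x00',
    '[esData]',
    'trailing junk',
])

# Constructed sample with an empty sK: the loader terminates on this one.
SAMPLE_EMPTY_KEY = CRLF.join(['sK=', 'sN=RegSvcs', '[sData]', '0x4D', '[esData]'])


class ConfigError(ValueError):
    pass


def read_key(lines, key):
    # Return the value of the first key=value line, or '' if absent/empty.
    prefix = key + '='
    for line in lines:
        if line.startswith(prefix):
            return line[len(prefix):].strip()
    return ''


def read_block(lines, start, end):
    # Return the lines strictly between the start and end marker lines.
    if start not in lines:
        raise ConfigError('missing start marker ' + start)
    i = lines.index(start)
    if end not in lines[i + 1:]:
        raise ConfigError('missing end marker ' + end)
    j = lines.index(end, i + 1)
    return lines[i + 1:j]


def parse_config(text):
    # Returns None when sK or sN is empty (the script would terminate),
    # otherwise a dict with the decoder parameter, the sN value and the
    # raw payload bytes that the decoder would consume.
    lines = [line.strip() for line in text.splitlines()]
    sk = read_key(lines, 'sK')
    sn = read_key(lines, 'sN')
    if not sk or not sn:
        return None
    block = read_block(lines, '[sData]', '[esData]')
    tokens = ' '.join(block).split()
    payload = bytes(int(tok, 16) for tok in tokens)
    return {'sK': int(sk), 'sN': sn, 'payload': payload}


if __name__ == '__main__':
    cfg = parse_config(SAMPLE_CONFIG)
    print('sK =', cfg['sK'], 'sN =', cfg['sN'], 'payload bytes =', len(cfg['payload']))
    print('empty key config ->', parse_config(SAMPLE_EMPTY_KEY))
```
\r\nWhen triaging a real dropper of this kind, the empty-key path is the one to watch: a config with blank sK/sN makes the script exit quietly, so a sandbox run that ends without a second stage does not mean the loader is inert.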
\r\nStage 2:\r\nIn this stage, the randomly named AutoIt script dropped by ufj=ked is also triggered by the same cxf.exe. This new script also reads the values in the configuration file, qnb.jpg, and performs a number of checks before it runs the NanoCore RAT payload.\r\nSo, what’s inside this new script?\r\nThe first thing to notice is its obfuscation, which is similar to the main script. After spending a significant amount of time on de-obfuscation, we found some interesting items inside. The script starts with declared global variables, some of which are DWORD values for registry checks and modifications; others hold the values obtained from the configuration file. We also noticed some unused variables that might be included for use in later versions. As soon as the script is triggered, it sets the attributes of the files in the current directory to read-only and hidden, just like the previous script. It then performs different checks and modifies system configuration and registry values. It checks whether it is running inside a virtual machine or a sandboxed application and, if so, terminates. Otherwise, it disables UAC, system restore points and Task Manager, and then adds a Windows Update key to the registry and to startup for persistence. Finally, if the config file contains a URL, it downloads the payload from there; if the config file contains raw PE data, it takes the payload from there and injects it into the process memory of RegSvcs.exe using the RunPE technique.\r\nBelow are a few images of code from the script that we de-obfuscated, cleaned, and in which we renamed functions and variables to show the functionality. The functions are not in their exact order; they are presented as below for easier understanding.\r\nFrom the above figure, we can see that the RunPE_Payload function takes the malicious payload data from the config file and decrypts it using the Keys value. The _S0x9A130944BC5ED49CF25A0ABCA629E5FB function then takes that value and decrypts the payload using the CryptDecrypt function. Finally, the RunPE_Payload function injects the payload into the RegSvcs process memory.\r\nNanoCore RAT \u0026 Plugins\r\nMethod 2: PowerShell In-memory Delivered NanoCore\r\nThe second delivery method was already covered by Yoroi, but in our case NanoCore was delivered instead of njRAT.\r\nThe first PowerShell stage is an array of ASCII codes; decoding it yields the next PowerShell stage.\r\nThe second PowerShell stage downloads two items from Pastebin: a process hollowing injector and the NanoCore RAT. The pastes were uploaded by the HAGGA actor.\r\n.NET Process Hollowing Injector:\r\nThe first call to Pastebin downloads a .NET application that uses kernel32 calls to hollow the NanoCore RAT into MSBuild.\r\nPowerShell invokes the exe function that is part of the k.Hackitup class. The NanoCore RAT (downloaded from the second pastebin.com link) is passed to the exe function. In the injector, a call to the POPO class reveals all the kernel32 calls used to perform the process hollowing.\r\nNanoCore:\r\nMethod 3: AutoIt Delivers Compiled Script as Executable\r\nThe compiled AutoIt executable was delivered as a PDF file with an executable extension. Using the AutoIt tool “Exe2Aut” reveals the obfuscated script. The execution steps are controlled by an assigned variable whose value is validated across multiple ‘if’ conditions inside a ‘for’ loop: on each iteration only a single condition is satisfied, and the next step is then assigned to be evaluated in the following loop iteration.\r\nWe have encountered this type of “shift” and “loop” automatic obfuscation in previous AutoIt campaigns. Following de-obfuscation of the script we identified a couple of interesting new additions:\r\nA UAC bypass implementation that correlates to the OS version:\r\nPersistence through a shortcut in the startup directory:\r\nMultiple hollowing modes (configurable):\r\nIn-memory injection of the binary using shellcode:\r\nIn previous versions, we identified the use of a simplistic RunPE for injection and hollowing of NanoCore. In the current version, however, the shellcode was adjusted to implement known methods of bypassing and evading hooks by remapping the relevant DLLs from their KnownDlls sections. The DLLs mapped using NtOpenSection on the KnownDlls directory handle are:\r\n\\KnownDlls32\\advapi32.dll\r\n\\KnownDlls32\\kernel32.dll\r\n\\KnownDlls32\\ntdll.dll\r\n\\KnownDlls32\\user32.dll\r\n\\KnownDlls32\\Ole32.dll\r\nAES Decryption of the NanoCore Payload:\r\nThe payload is decrypted using the AES-256 algorithm (CALG_AES_256, 0x6610).\r\nNanoCore decrypted settings:\r\nThe compiled NanoCore client embeds the encrypted plugins and settings as part of its file resources. Below is a snapshot of the decrypted settings from the three described instances of NanoCore.\r\nConclusions\r\nThis research further exposes the tendency of adversaries to abuse memory for the execution of known RAT families that are otherwise easily detected when written to disk. We also see a drastic increase in sophistication over the last year, with more and more of the attack stages moved into memory while a legitimate Windows process is used to bypass whitelisting.\r\nAdversaries have the advantage of what, when and where: they can choose where to inject their malicious code and when to execute it, while defenders cannot scan the full memory of a process at every possible millisecond without a significant impact on time and resources.\r\nThe only possible way to cope with such risk is by looking at things differently and applying preventive measures. Automated Moving Target Defense, as well as additional preventive controls such as attack surface reduction and/or proper access control limitation, would help mitigate such a risk.\r\nMorphisec prevents all the described attacks by applying Moving Target Defense on the process memory.\r\nAbout the author\r\nMorphisec Labs\r\nMorphisec Labs continuously researches threats to improve defenses and share insight with the broader cyber community. The team engages in ongoing cooperation with leading researchers across the cybersecurity spectrum and is dedicated to fostering collaboration, data sharing and offering investigative assistance.\r\nSource: https://blog.morphisec.com/nanocore-under-the-microscope",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://blog.morphisec.com/nanocore-under-the-microscope"
	],
	"report_names": [
		"nanocore-under-the-microscope"
	],
	"threat_actors": [
		{
			"id": "b0d34dd6-ee90-483b-bb6c-441332274160",
			"created_at": "2022-10-25T16:07:23.296754Z",
			"updated_at": "2026-04-10T02:00:04.526403Z",
			"deleted_at": null,
			"main_name": "Aggah",
			"aliases": [
				"Operation Red Deer",
				"Operation Roma225"
			],
			"source_name": "ETDA:Aggah",
			"tools": [
				"AgenTesla",
				"Agent Tesla",
				"AgentTesla",
				"Aggah",
				"Atros2.CKPN",
				"Bladabindi",
				"Jorik",
				"Nancrat",
				"NanoCore",
				"NanoCore RAT",
				"Negasteal",
				"Origin Logger",
				"Revenge RAT",
				"RevengeRAT",
				"Revetrat",
				"Warzone",
				"Warzone RAT",
				"ZPAQ",
				"Zurten",
				"njRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "28851008-77b4-47eb-abcd-1bb5b3f19fc2",
			"created_at": "2023-06-20T02:02:10.254614Z",
			"updated_at": "2026-04-10T02:00:03.365336Z",
			"deleted_at": null,
			"main_name": "Hagga",
			"aliases": [
				"TH-157",
				"Aggah"
			],
			"source_name": "MISPGALAXY:Hagga",
			"tools": [
				"Agent Tesla"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434680,
	"ts_updated_at": 1775791992,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/fff54162388610d14651b3c22563c42016fca8ab.pdf",
		"text": "https://archive.orkl.eu/fff54162388610d14651b3c22563c42016fca8ab.txt",
		"img": "https://archive.orkl.eu/fff54162388610d14651b3c22563c42016fca8ab.jpg"
	}
}