
NanoCore is a Remote Access Trojan or RAT. This malware is highly customizable with plugins which allow attackers to tailor its functionality to their needs. Nanocore is created with the .NET framework and it’s available for purchase for just $25 from its “official” website.

Type: Trojan
Origin: USA
First seen: 1 January, 2013
Last seen: 10 October, 2025


IOCs

Hashes
c1f0191249ee31873759df0a43e7ac82ae281ec9042175ffeacde3901b4533b0
2217f2ef759944b3a6212c2b5b2084d449e2b07ddf1b9dba36e44f20cee4bc32
91b9e5401ca19ff3f45d8c3acce6a793f7cb713bc6920d9c5371197ad6a3b582
193c070baea2c3e2a5d57b48d541ddd83f3179218ec24aed283074ac2f68535a
961eed6583aec9800b12d74221184caefc5b26093b814910cf4028457100f2ab
40f544cf0d5d1a7e935016612c0d84edea6bee9e6445c8321fd542b653a5470f
8dff3bcf71cc1b17281390c5d8edb8dc4e6e71d4706e5db6c1145d5634ae24ec
2b0600ea0345932a1503b3c52bf76efcb5d77e030c39db9473e18a9249335bc2
a8f81977e25ae6a32e4bc4623c944f5881eb105ca9384f19543c960cc5a31cc1
20757400275ea3d12e4b572b8f8c6d3cfb886e549d3e3a40126e484298a8a1dc
6e3412ca534c3aa70274d848271d99f3572c37edb7a768151c77b16846bd4b50
cea1d36e04dc9357211734f659dfe352056afc40779ee251fee4e72ceec619bf
02e919a3677da26fa32ce5c0d829a6084bafcf71d2058b8c4ce9ea550629ef8a
f79ae4f63b3a1805bc6901fcc1408a7088b20c44b9625adeb2488df56a545f21
5f497989335a6b6ed5f1ccd8c57b0b87849b313f896285be0bb1a5350feab863
e87cfabfeaeddfd8c696d33c8602b0dd63b0d2530e481fa580cda39ed4cd3f53
94e5036b01ba9f028c6de0d8048dae64cb9d87659172621b5cba9cbdf542e55f
8fd75a183566a86d500dd270a0532fab1c16de455c23d00882b8f2bbd7a32874
ca3e57c49196565174338515bb0924434d7842a9d8ab80491d6ce760d25d330f
e8b0e9c7313215133bbda6e218a090b572b03836233bee60a459470d674e95f8
Domains
myhop.hopto.org
whois.dzbc.org
URLs
http://lazyshare.net/PluginStats/Functions/getPluginName.php
http://lazyshare.net/PluginStats/Functions/newLog.php
http://lazyshare.net/PluginStats/Functions/checkInstall.php

What is NanoCore malware?


This malware was first recorded in the wild in 2013. Since then it has become extremely popular and is now used in attacks all around the world. Because NanoCore is modular, the functionality of its backdoor can be greatly expanded with plugins, which makes an already dangerous RAT potentially even more destructive for a company's security.

Sold on its own website with 24/7 technical support for just $25, with all official plugins included, the malware can also be downloaded from hacking forums, where "cracked" versions have been leaked multiple times. This makes it an extremely accessible trojan to set up and use. Unfortunately, that accessibility, its ease of use, and the amount of information available on NanoCore continue to contribute to its popularity. It is not entirely clear whether the malware was originally developed as a commercial remote-administration program or was intended as malicious software from the start. Regardless, NanoCore's author, Taylor Huddleston, was tracked down and arrested by the FBI.

General Information about NanoCore RAT

NanoCore's first beta appeared in 2013. The latest version was openly sold on its own website, NANOCORE_dot_io, which helped ensure the malware's popularity. Today NanoCore RAT targets victims worldwide, although the majority of attacks take place in the US.

One of the key characteristics of this RAT is that technically savvy attackers can greatly expand its functionality and fine-tune it to suit their needs, for instance by adding a screen-locker capability. Some essential plugins are already included in the purchase bundle on the "official" website. Other, more sophisticated ones are developed by the community of cybercriminals that has formed around NanoCore.

For criminals who do not want to fiddle with plugins, NanoCore provides a straightforward user interface that lets even novices launch potentially destructive campaigns, further contributing to the popularity of the malware.

Interactive analysis of NanoCore

A recording of the execution process provided by the ANY.RUN malware hunting service lets us analyze the lifecycle of the trojan, or of other malware such as WSHRAT or Vidar. We can watch NanoCore's behavior, and every process it spawns, as it unfolds in a secure online environment.

Figure 1: A visual graph of NanoCore execution processes generated by ANY.RUN

How does NanoCore spread?

NanoCore RAT is distributed using multiple methods, but the most common is spam email campaigns that trick users into opening malicious documents, often presented as price lists or purchase orders.

The emails sometimes carry attachments with .img or .iso extensions; the large size of these disk images makes them harder to scan. Some versions are also spread in a ZIP file designed to slip past secure email gateways. A multi-file structure is used here: a single script inside the archive downloads the payload, while the remaining files are decoys that help the malicious content go unnoticed by the system's security.

PowerPoint files follow the same scenario, with the infection chain taking place over multiple stages before the final payload is executed.
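The decoy-bundle pattern above (one downloader script packed with several harmless-looking files) is easy to check for at the mail gateway or in a triage script. The following is an added example, not ANY.RUN's code: it builds a sample ZIP in memory, classifies each member by its final extension (so a double extension such as "Purchase_Order.pdf.vbs" is judged by ".vbs"), and flags archives that mix a runnable member with decoys. The member names, contents and extension lists are assumptions made for the demonstration; .iso and .img containers would need a separate parser and are not handled here.

```python
"""Triage a ZIP attachment of the kind described above: one small script
that fetches the payload, packed together with decoy documents.

Added example, not ANY.RUN's code. The archive is built in memory so the
script runs offline; the member names and contents are invented.
"""
import io
import zipfile

SCRIPT_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh", ".ps1", ".bat", ".cmd", ".hta", ".lnk"}
EXEC_EXTS = {".exe", ".scr", ".com", ".pif", ".dll"}
DECOY_EXTS = {".pdf", ".jpg", ".jpeg", ".png", ".txt", ".docx", ".xlsx", ".rtf"}


def last_ext(name: str) -> str:
    """Return the final extension, so 'order.pdf.vbs' is judged by '.vbs'."""
    base = name.rsplit("/", 1)[-1].lower()
    return base[base.rfind("."):] if "." in base else ""


def triage_zip(data: bytes) -> dict:
    """Classify ZIP members and decide whether the archive looks like a decoy bundle."""
    active, decoys, other = [], [], []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            e = last_ext(info.filename)
            if e in SCRIPT_EXTS or e in EXEC_EXTS:
                active.append(info.filename)
            elif e in DECOY_EXTS:
                decoys.append(info.filename)
            else:
                other.append(info.filename)
    # the pattern from the text: a runnable member hidden among benign-looking files
    return {
        "active": active,
        "decoys": decoys,
        "other": other,
        "suspicious": len(active) >= 1 and len(decoys) >= 1,
    }


def build_sample_zip(with_script: bool = True) -> bytes:
    """Constructed sample: three decoys and, optionally, a double-extension VBS stub."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("catalog_2025.pdf", b"%PDF-1.4\n% decoy, not a real document\n")
        zf.writestr("price_list.xlsx", b"PK decoy")
        zf.writestr("terms.txt", b"decoy")
        if with_script:
            zf.writestr("Purchase_Order.pdf.vbs", b"' downloader stub (inert)\r\n")
    return buf.getvalue()


if __name__ == "__main__":
    print(triage_zip(build_sample_zip()))
```

Run it against a real attachment by passing the bytes of the file to triage_zip; any archive that reports both "active" and "decoys" members deserves detonation in a sandbox rather than delivery.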

NanoCore RAT execution process

NanoCore is often delivered to the victim's PC wrapped in an AutoIt-compiled program, much like Agent Tesla; this is fairly typical for RATs of this kind. NanoCore is usually spread through Microsoft Word documents, and the infected files contain either an embedded executable or an exploit.

According to the analysis, once the document is opened, an embedded macro downloads an executable, renames it and runs it. The executable then creates a child process. The malware is able to use RegSvcs.exe and RegAsm.exe to proxy its code execution through a trusted Windows utility.

Figure 2: A process tree of NanoCore execution processes generated by ANY.RUN

How to detect NanoCore malware using ANY.RUN?

You can tell whether you are dealing with a NanoCore RAT sample by a quick look at the files and scripts the malware creates. Most often NanoCore injects into one of three .NET utilities: RegSvcs.exe, RegAsm.exe or MSBuild.exe.

Open "Advanced details of process" for these processes and look at the "Modified files" tab in the "Events" section. If one of them created a file named "run.dat" in a folder of the form %USERPROFILE%\AppData\Roaming\{GUID}\, you can be confident that the malware you are observing is NanoCore.

Figure 3: File created by NanoCore
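The execution chain and the detection check above can be turned into a small rule that runs over a sandbox process tree: flag RegSvcs.exe, RegAsm.exe or MSBuild.exe when an Office application sits anywhere in its parent chain, and flag any process that drops run.dat under %APPDATA%\{GUID}\. The following is an added example, not ANY.RUN's code. The event layout, PIDs, file paths and the GUID are all constructed for the demonstration, and the rule is deliberately broader than the page's single case: it walks the whole ancestor chain rather than only the direct parent, so an intermediate dropped executable (as in Figure 2) does not hide the Office origin.

```python
"""Replay constructed sandbox-style events and flag NanoCore's tell-tale
behaviour: RegSvcs.exe / RegAsm.exe / MSBuild.exe running under an Office
document, and run.dat written to %APPDATA%\\{GUID}\\.

Added example, not ANY.RUN's code. The event layout, PIDs, paths and the
GUID below are all made up for the demonstration.
"""
import re
from dataclasses import dataclass, field

# .NET utilities the text names as NanoCore's injection / proxy-execution hosts
PROXY_HOSTS = {"regsvcs.exe", "regasm.exe", "msbuild.exe"}
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}

# ...\AppData\Roaming\{GUID}\run.dat  (braces optional, case-insensitive)
RUN_DAT_RE = re.compile(
    r"\\AppData\\Roaming\\\{?[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}\}?\\run\.dat$",
    re.IGNORECASE,
)


@dataclass
class Proc:
    """One process from a sandbox process tree (constructed format)."""
    pid: int
    ppid: int
    image: str                      # full image path
    files_created: list = field(default_factory=list)

    @property
    def name(self) -> str:
        return self.image.rsplit("\\", 1)[-1].lower()


def ancestors(by_pid, pid):
    """Yield parent, grandparent, ... of pid; stop at an unknown or looping ppid."""
    seen = {pid}
    cur = by_pid.get(pid)
    while cur is not None and cur.ppid in by_pid and cur.ppid not in seen:
        seen.add(cur.ppid)
        cur = by_pid[cur.ppid]
        yield cur


def detect_nanocore(procs):
    """Return [(pid, reason), ...] for every process matching a NanoCore signal."""
    by_pid = {p.pid: p for p in procs}
    findings = []
    for p in procs:
        if p.name in PROXY_HOSTS:
            chain = [a.name for a in ancestors(by_pid, p.pid)]
            if any(a in OFFICE_APPS for a in chain):
                findings.append(
                    (p.pid, f"{p.name} proxy-executed under an Office document "
                            f"(parents: {' <- '.join(chain)})"))
        for path in p.files_created:
            if RUN_DAT_RE.search(path):
                findings.append((p.pid, f"{p.name} dropped {path}"))
    return findings


# Constructed process tree: Word -> dropped EXE -> RegAsm.exe writing run.dat,
# plus an unrelated MSBuild.exe with no Office ancestor as a benign control.
SAMPLE_TREE = [
    Proc(100, 1, r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"),
    Proc(200, 100, r"C:\Users\alice\AppData\Local\Temp\PO_4471.exe"),
    Proc(300, 200, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
         files_created=[r"C:\Users\alice\AppData\Roaming"
                        r"\{7D8C1A5F-0E3B-4C4D-9F1A-2B3C4D5E6F70}\run.dat"]),
    Proc(400, 1, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
         files_created=[r"C:\Users\alice\AppData\Local\Temp\build.log"]),
]

if __name__ == "__main__":
    for pid, reason in detect_nanocore(SAMPLE_TREE):
        print(f"PID {pid}: {reason}")
```

The benign MSBuild.exe entry is there on purpose: build servers and Visual Studio spawn MSBuild constantly, so the proxy-host name alone is not a usable signal; the Office ancestor or the run.dat drop is what makes it NanoCore-specific.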

Conclusion

Thanks to its accessibility, ease of use, customization options and the wealth of information available about it, NanoCore has become one of the most widespread RATs in the world. Even though NanoCore's creator has been arrested, several cracked versions mean the malware is still openly available on hacker forums.

Often it can be acquired for free, allowing anybody to set up attacks. The malware's popularity is further aided by the fact that little programming knowledge is needed to use this trojan, since it comes with a user-friendly interface. At the same time, skilled attackers can carry out very sophisticated and destructive attacks with NanoCore RAT, because its malicious capabilities can be extended with custom plugins. Fortunately, modern analysis tools such as ANY.RUN allow researchers to examine malware in detail, learn its behavior patterns and set up an appropriate response.
