minute read
Share this article:
Spear-phishing emails are spreading the NimzaLoader malware loader, which some say may be used to download Cobalt Strike.
The TA800 threat group is distributing a malware loader, which researchers call NimzaLoader, via ongoing, highly-targeted spear-phishing emails.
While previous Twitter analysis identified this loader as a mere variant of TA800’s existing BazaLoader malware, new research cites evidence that NimzaLoader is a disparate strain — with its own separate string-decryption methods and hashing algorithm techniques.
The malware loader is unique in that it is written in the Nim programming language. The use of Nim is uncommon for malware in the threat landscape, except in rare cases, such as a Nim-based downloader recently seen being used by the Zebrocy threat group. Because of this, researchers say malware developers may be using Nim to avoid detection by defense teams who may not be familiar with the language.