Cisco Talos team discovers malicious campaign delivering Nanocore, Netwire and Async RATs

The Cisco Talos cybersecurity team discovered a malicious campaign delivering variants of Nanocore, Netwire and Async RATs targeting user’s information.

According to Cisco, the threat actor leveraged public cloud services (such as AWS or Azure) to deploy and deliver variants of commodity remote access trojans (RATs) with the information stealing capability starting around Oct. 26, 2021. Campaign victims are primarily distributed across the United States, Italy and Singapore.

“These variants of Remote Administration Tools (RATs) are packed with multiple features to take control over the victim’s environment to execute arbitrary commands remotely and steal the victim’s information,” Cisco wrote in the blog post.

“The ZIP file contains an ISO image file containing a malicious obfuscated downloader. The payloads of these campaigns are instances of Nanocore, Netwire and AsyncRAT remote access trojans. The RAT payloads are using dynamic DNS servers so they can regularly change the IP addresses of C2 servers and quickly add new subdomains.”

Moreover, the Talo team also discovered an obfuscated PowerShell dropper script built by HCrypt builder, which was linked to the download servers of the malware campaign.


The Nanocore RAT is a 32-bit .NET portable executable RAT first seen in the wild in 2013 and had multiple functions such as keylogger, password stealer and payment card stealer.

After 2017, leaked versions of Nanocore were widely used by the threat actors in their campaigns. In August of 2019, researchers from Trend Micro discovered attackers exploiting a Critical Microsoft Office remote code execution vulnerability CVE-2017-8570 to download Nanocore in malicious campaigns.


The Netwire RAT is also used by the threat actors to steal victim’s passwords, login credentials and payment card data. It also has the ability to remotely execute commands and collect filesystem information on victim’s computers.


The Async RAT is a remote access tool used by attackers to remotely control victim systems through a secured connection to command and control (C2) server.

Related Articles