S0336: NanoCore
Analyst context for executives and security teams
NanoCore is a Windows, .NET-based modular remote access tool associated in ATT&CK with spying and information theft. For leaders, its significance is less the malware name and more the capability cluster it represents: remote control, credential and keystroke collection, audio/video capture, tool transfer, persistence through Windows startup mechanisms, and attempts to hide or protect command-and-control activity. That combination can turn a single compromised Windows endpoint into a long-running visibility, privacy, credential, and incident-response problem.
Executive priority
Treat NanoCore coverage as a practical test of endpoint, identity, and SOC readiness against commodity or commonly available RAT tradecraft. Priority questions include: can the organization prove visibility into Windows persistence points, command shell use, registry changes, suspicious file transfer, keylogging indicators, and peripheral capture activity; can responders quickly identify what credentials or sensitive conversations may have been exposed; and can security teams show audit-ready evidence that endpoint logging, firewall controls, and security-tool health monitoring are operating as intended. Relationship context links NanoCore use to multiple ATT&CK groups, but the supplied data does not support assuming any specific actor is present in a local environment.
Technical view
ATT&CK does not provide a dedicated detection section for NanoCore, so validation should be driven by the related techniques. For Windows endpoints, assess telemetry and detections for Windows Command Shell execution, Visual Basic/.NET-related execution where observable, registry modification, Registry Run Keys or Startup Folder persistence, suspicious inbound tool transfer, keylogging behavior, audio or video capture, obfuscated files or payloads, encrypted C2-like traffic, and attempts to disable or modify security tools or firewall controls. IR playbooks should include credential exposure assessment, user-context review, persistence cleanup validation, and checks for loss of endpoint visibility caused by tool or firewall tampering.
Likely telemetry
- Windows process creation and command-line telemetry, especially cmd.exe and script/runtime execution context
- Windows Registry auditing for Run Keys, startup-related locations, and other suspicious modifications
- Endpoint file creation, modification, and quarantine events for .NET executables, obfuscated files, and transferred tools
- Network connection metadata and proxy/DNS/firewall logs for unusual outbound remote access or encrypted command-and-control-like patterns
- Security tool health telemetry, including stopped services, killed processes, configuration changes, update failures, or sensor degradation
Detection direction
- Because MITRE supplies no NanoCore-specific detection text, avoid relying on malware-name alerts alone; validate behavior-based coverage across the mapped techniques.
- Tune detections around unusual command shell use, registry persistence, and registry modification in user context, while accounting for legitimate administration and software installation activity.
- Correlate endpoint execution, persistence, network connections, and security-tool health changes; a RAT case may only become high-confidence when multiple weak signals align.
- Review blind spots around encrypted outbound traffic: symmetric cryptography may conceal content, so metadata, destination reputation, timing, process ownership, and host context become important.
- Validate whether microphone and camera access logging exists at all; many environments have limited telemetry for audio and video capture behaviors.
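The correlation idea above (a RAT case only reaching high confidence when several weak signals align) as an added example, not code from ATT&CK or Glexia: it maps constructed Sysmon-style events to the page's mapped behaviours (RunOnce persistence pointing at a VBS file, script-host execution from a user profile, a shell spawned by a script host, firewall rule changes, a stopped security service, script-host outbound traffic on an odd port) and raises a per-host finding only when two or more distinct signals fall inside one window. The event field names, the 15-minute window and the security service names are assumptions.

```python
# Added example (not ATT&CK or Glexia code): correlate weak, behaviour-based signals from
# constructed Sysmon-style events so a RAT case is raised only when several align on one host.

from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=15)  # assumption: tune to the environment's normal admin cadence
RUN_KEYS = ("\\currentversion\\run\\", "\\currentversion\\runonce\\")
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
SECURITY_SERVICES = {"edrsensor", "windefend"}  # assumption: this environment's security services

def signal(ev):
    """Map one event to a weak signal name, or None when it is uninteresting."""
    kind, img, cmd = ev["type"], ev.get("image", "").lower(), ev.get("cmdline", "").lower()
    if kind == "registry_set" and any(k in ev["key"].lower() for k in RUN_KEYS) and ".vbs" in ev["data"].lower():
        return "run_key_vbs_persistence"           # T1547.001: Run/RunOnce value pointing at a VBS file
    if kind == "process_create" and img.endswith(SCRIPT_HOSTS) and "\\users\\" in cmd and ".vbs" in cmd:
        return "user_profile_vbs_execution"         # T1059.005: script host running a VBS from a user profile
    if kind == "process_create" and img.endswith("cmd.exe") and ev.get("parent", "").lower().endswith(SCRIPT_HOSTS):
        return "shell_spawned_by_script_host"       # T1059.003: command shell whose parent is a script host
    if kind == "process_create" and img.endswith("netsh.exe") and "firewall" in cmd and " add rule" in cmd:
        return "firewall_rule_added"                # firewall modification (legitimate installers also do this)
    if kind == "service_state" and ev["state"] == "stopped" and ev["service"].lower() in SECURITY_SERVICES:
        return "security_tool_stopped"              # security tool tampering or loss of sensor health
    if kind == "network_connect" and img.endswith(SCRIPT_HOSTS) and ev["dst_port"] not in (80, 443):
        return "script_host_outbound_odd_port"      # encrypted C2-like traffic from a script host
    return None

def correlate(events):
    """Per host, count distinct signals inside a sliding window; return (host, level, signals)."""
    by_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        if s := signal(ev):
            by_host[ev["host"]].append((datetime.fromisoformat(ev["ts"]), s))
    findings = []
    for host, sigs in by_host.items():
        for i, (t0, _) in enumerate(sigs):
            names = {s for t, s in sigs[i:] if t - t0 <= WINDOW}
            if len(names) >= 2:  # a single weak signal never raises a case on its own
                findings.append((host, "high" if len(names) >= 3 else "medium", sorted(names)))
                break
    return findings

SAMPLE_EVENTS = [  # constructed telemetry: WS01 shows an aligned chain, WS02 a lone installer firewall rule
    {"ts": "2024-05-01T09:00:00", "host": "WS01", "type": "process_create", "image": "wscript.exe",
     "parent": "explorer.exe", "cmdline": "wscript.exe C:\\Users\\alice\\AppData\\Roaming\\upd.vbs"},
    {"ts": "2024-05-01T09:00:02", "host": "WS01", "type": "registry_set", "data": "C:\\Users\\alice\\AppData\\Roaming\\upd.vbs",
     "key": "HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\upd"},
    {"ts": "2024-05-01T09:00:05", "host": "WS01", "type": "network_connect", "image": "wscript.exe", "dst_port": 6060},
    {"ts": "2024-05-01T11:30:00", "host": "WS02", "type": "process_create", "image": "netsh.exe", "parent": "msiexec.exe",
     "cmdline": "netsh advfirewall firewall add rule name=BackupAgent dir=in action=allow"},
]
```

Calling `correlate(SAMPLE_EVENTS)` yields one high-confidence finding for WS01 (three aligned signals within seconds) and nothing for WS02, whose single firewall rule change stays a weak signal for analyst review rather than a case.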
Mitigation priorities
- Prioritize reliable Windows endpoint logging and EDR/AV health monitoring so defenders can see execution, persistence, registry, firewall, and security-tool tampering events.
- Harden common persistence paths by monitoring and controlling Registry Run Keys and Startup Folder changes, especially outside approved software deployment workflows.
- Apply least privilege and administrative control discipline to reduce the ability to modify security tools, firewall settings, and sensitive registry locations.
- Strengthen egress monitoring and firewall governance so unexpected remote access traffic and unauthorized rule changes are reviewable.
- Prepare IR procedures for RAT cases that include credential reset scoping, privacy-sensitive collection review, host isolation, persistence removal, and validation that defensive sensors remain trustworthy.
Analyst notes and limits
NanoCore is described by ATT&CK as a modular .NET remote access tool used since 2013 to spy on victims and steal information. Relationship data maps it to techniques spanning discovery, execution, command and control, persistence, credential access, collection, obfuscation, and defense impairment. ATT&CK also records use by Group5, APT33, Gorgon Group, and SilverTerrier; these relationships should guide intelligence enrichment and hunting hypotheses, not attribution conclusions.
The supplied ATT&CK object has no official detection guidance, no specified tactics on the malware object itself, no aliases, and no environment-specific indicators. Platforms should be treated as Windows for NanoCore based on the object field, even though several related techniques have broader platform coverage. Local telemetry quality, endpoint configuration, and business-approved administrative activity are required to determine actual exposure or detection coverage.
NanoCore
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1105 | Ingress Tool Transfer | NanoCore has the capability to download and activate additional modules for execution. (Citation: DigiTrust NanoCore Jan 2017) (Citation: PaloAlto NanoCore Feb 2016) |
| Enterprise | T1059.003 | Windows Command Shell (sub-technique) | |
| Enterprise | T1016 | System Network Configuration Discovery | NanoCore gathers the IP address from the victim's machine. (Citation: DigiTrust NanoCore Jan 2017) |
| Enterprise | T1125 | Video Capture | NanoCore can access the victim's webcam and capture data. (Citation: DigiTrust NanoCore Jan 2017) (Citation: PaloAlto NanoCore Feb 2016) |
| Enterprise | T1027 | Obfuscated Files or Information | NanoCore's plugins were obfuscated with Eazfuscater.NET 3.3. (Citation: PaloAlto NanoCore Feb 2016) |
| Enterprise | T1685 | Disable or Modify Tools | NanoCore can modify the victim's anti-virus. (Citation: DigiTrust NanoCore Jan 2017) (Citation: PaloAlto NanoCore Feb 2016) |
| Enterprise | T1123 | Audio Capture | NanoCore can capture audio feeds from the system. (Citation: DigiTrust NanoCore Jan 2017) (Citation: PaloAlto NanoCore Feb 2016) |
| Enterprise | T1686 | Disable or Modify System Firewall | NanoCore can modify the victim's firewall. (Citation: DigiTrust NanoCore Jan 2017) (Citation: PaloAlto NanoCore Feb 2016) |
| Enterprise | T1059.005 | Visual Basic (sub-technique) | NanoCore uses VBS files. (Citation: Cofense NanoCore Mar 2018) |
| Enterprise | T1056.001 | Keylogging (sub-technique) | NanoCore can perform keylogging on the victim's machine. (Citation: PaloAlto NanoCore Feb 2016) |
| Enterprise | T1112 | Modify Registry | NanoCore has the capability to edit the Registry. (Citation: DigiTrust NanoCore Jan 2017) (Citation: PaloAlto NanoCore Feb 2016) |
| Enterprise | T1573.001 | Symmetric Cryptography (sub-technique) | NanoCore uses DES to encrypt the C2 traffic. (Citation: PaloAlto NanoCore Feb 2016) |
| Enterprise | T1547.001 | Registry Run Keys / Startup Folder (sub-technique) | NanoCore creates a RunOnce key in the Registry to execute its VBS scripts each time the user logs on to the machine. (Citation: Cofense NanoCore Mar 2018) |
Groups, software, and campaigns
G0064: APT33
G0083: SilverTerrier
SilverTerrier is a Nigerian threat group that has been seen active since 2014. SilverTerrier mainly targets organizations in high technology, higher education, and manufacturing.[1][2]
G0078: Gorgon Group
Gorgon Group is a threat group consisting of members who are suspected to be Pakistan-based or have other connections to Pakistan. The group has performed a mix of criminal and targeted attacks, including campaigns against government organizations in the United Kingdom, Spain, Russia, and the United States. [1]
G0043: Group5
Group5 is a threat group with a suspected Iranian nexus, though this attribution is not definite. The group has targeted individuals connected to the Syrian opposition via spearphishing and watering holes, normally using Syrian and Iranian themes. Group5 has used two commonly available remote access tools (RATs), njRAT and NanoCore, as well as an Android RAT, DroidJack. [1]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.1 | | Current bundle | ddf0071721b3… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] DigiTrust NanoCore Jan 2017: The DigiTrust Group. (2017, January 01). NanoCore Is Not Your Average RAT. Retrieved November 9, 2018.
[2] Cofense NanoCore Mar 2018: Patel, K. (2018, March 02). The NanoCore RAT Has Resurfaced From the Sewers. Retrieved September 25, 2024.
[3] PaloAlto NanoCore Feb 2016: Kasza, A., Halfpop, T. (2016, February 09). NanoCoreRAT Behind an Increase in Tax-Themed Phishing E-mails. Retrieved November 9, 2018.
[4] Unit 42 Gorgon Group Aug 2018: Falcone, R., et al. (2018, August 02). The Gorgon Group: Slithering Between Nation State and Cybercrime. Retrieved August 7, 2018.
[5] NanoCore (object description citations): DigiTrust NanoCore Jan 2017; Cofense NanoCore Mar 2018; PaloAlto NanoCore Feb 2016; Unit 42 Gorgon Group Aug 2018.
[6] mitre-attack S0336: MITRE ATT&CK source record for this software object.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.