{
  "family": "nanocore",
  "sample_count": 2400,
  "category": "rat",
  "description": "NanoCore is a commodity remote access trojan (RAT) widely sold on underground forums since 2013, offering keylogging, password theft, webcam capture, remote desktop, file management, and a plugin architecture for extended capabilities. Its low price and ease of use made NanoCore extremely popular with low-skilled threat actors. The author was convicted in US federal court in 2017, though leaked builders continue to circulate. NanoCore typically spreads through phishing with malicious attachments.",
  "cta": "If you suspect this malware on your system, do not attempt manual removal. Contact SystemHelpdesk expert MSP support at 855-783-7555 for professional incident response guidance.",
  "aliases": [
    "nanobot"
  ],
  "enrichment_level": "hand-curated",
  "faq": [
    {
      "@type": "Question",
      "name": "What is Nanocore?",
      "acceptedAnswer": {
        "@type": "Answer",
        "text": "NanoCore is a commodity remote access trojan (RAT) widely sold on underground forums since 2013, offering keylogging, password theft, webcam capture, remote desktop, file management, and a plugin architecture for extended capabilities. Its low price and ease of use made NanoCore extremely popular with low-skilled threat actors. The author was convicted in US federal court in 2017, though leaked builders continue to circulate. NanoCore typically spreads through phishing with malicious attachments."
      }
    },
    {
      "@type": "Question",
      "name": "How does Nanocore spread?",
      "acceptedAnswer": {
        "@type": "Answer",
        "text": "NanoCore is sold as a commercial remote administration tool on underground forums and delivered through phishing emails with malicious Office documents, ISO archives, and weaponized PDF attachments."
      }
    },
    {
      "@type": "Question",
      "name": "What are the signs of a Nanocore infection?",
      "acceptedAnswer": {
        "@type": "Answer",
        "text": "Unsigned NanoCore.exe processes, persistence via Run registry keys or scheduled tasks, encrypted outbound traffic to attacker-controlled C2, and AV detections for NanoCore are diagnostic."
      }
    },
    {
      "@type": "Question",
      "name": "What should I do if I think I have Nanocore on my system?",
      "acceptedAnswer": {
        "@type": "Answer",
        "text": "If you suspect this malware on your system, do not attempt manual removal. Contact SystemHelpdesk expert MSP support at 855-783-7555 for professional incident response guidance."
      }
    }
  ],
  "faq_count": 4,
  "mitre_attack": [
    "T1566.001",
    "T1056.001",
    "T1547.001"
  ],
  "cisa_advisory": null,
  "last_updated": "2026-05-27"
}