Nanobot

Category: rat · Aliases: None known · Sample count (EMBER 2018): 306 · Enrichment: expert-seo · Updated: 2026-06-09

Overview

Backdoor:Win32/Nanobot is a modular, highly customizable Remote Access Trojan (RAT) and botnet agent known for its small footprint, evasive network communications, and plugin-based architecture.

Understanding Nanobot
To a layman, Nanobot is a silent observer that grants a hacker total access to their files and webcam. For cybersecurity experts, Nanobot is a dangerous, flexible threat. Unlike monolithic RATs, Nanobot consists of a tiny core executable that establishes a secure connection to the C2 server. The attacker can then push down specific 'plugins' on demand—such as a keylogger module, a cryptominer, or a DDoS attack engine—minimizing the malware's footprint on the disk and evading static analysis.

Execution and Evasion Strategies
Nanobot is frequently deployed as a second-stage payload by initial access brokers or exploit kits. Upon execution, the core module injects itself into legitimate Windows processes (like explorer.exe or svchost.exe). It heavily utilizes encrypted communications, often communicating over port 443 (HTTPS) to blend in with normal web traffic. Threat hunters will rarely find the full suite of hacking tools on the disk; instead, they must analyze the memory of the injected process to find the dynamically loaded plugins.

Indicators of Compromise & Impact
The impact of a Nanobot infection is total system compromise. The attacker can exfiltrate sensitive data, monitor the user in real-time, or pivot to attack other machines on the network. Incident responders should look for anomalous, persistent HTTPS connections originating from system processes to unknown IP addresses. Memory forensics is critical to extract the RC4 or AES decryption keys used by Nanobot to communicate with its C2 infrastructure.

MITRE ATT&CK Techniques

Observed techniques used by this family, mapped to the MITRE ATT&CK framework:

TechniqueNameTactic
T1055Process InjectionDefense Evasion
T1105Ingress Tool TransferCommand and Control
T1056.001Input Capture: KeyloggingCollection
T1125Video CaptureCollection
T1573.001Encrypted Channel: Symmetric CryptographyCommand and Control

Generated Detections (Boilerplate)

These YARA and Sigma rules are auto-generated based on the family name and aliases. They must be heavily tuned before deployment in a production environment.

YARA Rule

rule MALWARE_WIN_NANOBOT {
    meta:
        description = "Detects Nanobot (rat)"
        author = "SystemHelpdesk Boilerplate Generator"
        date = "2026-07-06"
    strings:
        $s1 = "nanobot" ascii wide nocase
    condition:
        uint16(0) == 0x5a4d and any of them
}

Sigma Rule

title: Suspicious Nanobot Activity
id: e19499496fbf486bc0dbe4546fb06f0a
status: experimental
description: Detects generic indicators of the nanobot malware family.
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
        CommandLine|contains:
            - "*nanobot*"
    condition: selection
level: medium

Containment & Response Steps

Ordered checklist for responders. Adapt to your environment and engage professional support for active incidents.

  1. Immediately sever the network connection; Nanobot provides the attacker with a live, interactive shell on the endpoint.
  2. Capture a full forensic memory image of the machine to extract the dynamically loaded plugins and the C2 encryption keys.
  3. Analyze firewall logs to identify the C2 IP address and block it across the enterprise perimeter.
  4. Rebuild the operating system from a known-good image, as Nanobot's deep process injection and modularity make it difficult to guarantee full eradication.

What to Avoid

Common mistakes during response to this family that can destroy evidence, spread the infection, or worsen recovery.

  1. Do not leave the machine powered on and connected to the network; the attacker can quickly deploy a ransomware module if they detect an investigation.
  2. Avoid assuming a simple AV scan will remove the threat; the core module is often highly obfuscated and the plugins exist only in memory.

References & External Analysis

Related Families (Category: rat)

Explore other malware families in the same category:

Need help with an active incident? Published by the SystemHelpdesk team.

Machine-readable

Get this profile as JSON: https://jordanricky1604-ship-it.github.io/malware-families-catalog/api/nanobot.json

Ecosystem & Interactive Environments

This profile is part of the Malware Families Catalog, a public dataset of 2,899 malware families. The catalog is also published across our ecosystem: Hugging Face, Kaggle, Replit, StackBlitz, CodeSandbox, and CodePen.