NanoCore is a modular remote access tool developed in .NET that, per MITRE ATT&CK, can be used to spy on victims and steal information, and has been used by threat actors since 2013. Marketed originally as a remote-administration product, it was widely abused; its author was prosecuted, but cracked builds continued to circulate. Its plugin architecture supports a broad range of surveillance and data-theft capabilities.
Threat reports may refer to this family under multiple names:
This family has been observed using the following ATT&CK techniques: T1059.003 T1056.001 T1113 T1496 T1041 T1547.001
These YARA and Sigma rules are auto-generated based on the family name and aliases. They must be heavily tuned before deployment in a production environment.
rule MALWARE_WIN_NANOCORE {
meta:
description = "Detects Nanocore (rat)"
author = "SystemHelpdesk Boilerplate Generator"
date = "2026-07-06"
strings:
$s1 = "nanocore" ascii wide nocase
$s2 = "nanocore" ascii wide nocase
condition:
uint16(0) == 0x5a4d and any of them
}title: Suspicious Nanocore Activity
id: d98e0313121270011bcbe8c6d3921a12
status: experimental
description: Detects generic indicators of the nanocore malware family.
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith:
- '\cmd.exe'
- '\powershell.exe'
CommandLine|contains:
- "*nanocore*"
- "*nanocore*"
condition: selection
level: mediumA modular .NET remote access tool, used by threat actors since 2013, capable of spying on victims and stealing information.
It was marketed as remote-administration software but became widely abused as a RAT; its developer was prosecuted for facilitating malicious use.
Through its plugin system it can provide remote control, keylogging, credential theft, and surveillance such as webcam access.
Commonly through phishing emails carrying malicious attachments or downloaders.
Cracked versions of the builder circulated publicly, so many different actors continue to deploy their own variants.
Be cautious with email attachments and downloads, keep endpoint protection updated, and avoid pirated software that often bundles such tools.
MITRE ATT&CK's NanoCore entry (S0336), linked on this page.
Explore other malware families in the same category:
Get this profile as JSON: https://jordanricky1604-ship-it.github.io/malware-families-catalog/api/nanocore.json
This profile is part of the Malware Families Catalog, a public dataset of 2,899 malware families. The catalog is also published across our ecosystem: Hugging Face, Kaggle, Replit, StackBlitz, CodeSandbox, and CodePen.