NanoCore is a commodity remote access trojan (RAT) widely sold on underground forums since 2013, offering keylogging, password theft, webcam capture, remote desktop, file management, and a plugin architecture for extended capabilities. Its low price and ease of use made NanoCore extremely popular with low-skilled threat actors. The author was convicted in US federal court in 2017, though leaked builders continue to circulate. NanoCore typically spreads through phishing with malicious attachments.
This family has been observed using the following ATT&CK techniques: T1566.001, T1056.001, T1547.001.
NanoCore is sold as a commercial remote administration tool on underground forums and delivered through phishing emails with malicious Office documents, ISO archives, and weaponized PDF attachments.
The following are diagnostic of a NanoCore infection: unsigned NanoCore.exe processes, persistence via Run registry keys or scheduled tasks, encrypted outbound traffic to attacker-controlled C2, and AV detections for NanoCore.
If you suspect this malware on your system, do not attempt manual removal. Contact SystemHelpdesk expert MSP support at 855-783-7555 for professional incident response guidance.
Get this profile as JSON: https://jordanricky1604-ship-it.github.io/malware-families-catalog/api/nanocore.json
This profile is part of the Malware Families Catalog, a public dataset of 2,899 malware families extracted from the EMBER 2018 benchmark. The catalog is also published on Hugging Face and Kaggle.