Nanocore

Category: rat · Aliases: NanoCore · Sample count (EMBER 2018): 2,400 · Enrichment: curated_sourced · Updated: 2026-06-09

Overview

NanoCore is a modular remote access tool developed in .NET that, per MITRE ATT&CK, can be used to spy on victims and steal information, and has been used by threat actors since 2013. Marketed originally as a remote-administration product, it was widely abused; its author was prosecuted, but cracked builds continued to circulate. Its plugin architecture supports a broad range of surveillance and data-theft capabilities.

Known aliases

Threat reports may refer to this family under multiple names:

MITRE ATT&CK Techniques

This family has been observed using the following ATT&CK techniques: T1059.003 T1056.001 T1113 T1496 T1041 T1547.001

Generated Detections (Boilerplate)

These YARA and Sigma rules are auto-generated based on the family name and aliases. They must be heavily tuned before deployment in a production environment.

YARA Rule

rule MALWARE_WIN_NANOCORE {
    meta:
        description = "Detects Nanocore (rat)"
        author = "SystemHelpdesk Boilerplate Generator"
        date = "2026-07-06"
    strings:
        $s1 = "nanocore" ascii wide nocase
        $s2 = "nanocore" ascii wide nocase
    condition:
        uint16(0) == 0x5a4d and any of them
}

Sigma Rule

title: Suspicious Nanocore Activity
id: d98e0313121270011bcbe8c6d3921a12
status: experimental
description: Detects generic indicators of the nanocore malware family.
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
        CommandLine|contains:
            - "*nanocore*"
            - "*nanocore*"
    condition: selection
level: medium

References & External Analysis

Frequently Asked Questions

What is NanoCore?

A modular .NET remote access tool, used by threat actors since 2013, capable of spying on victims and stealing information.

Is NanoCore legitimate software?

It was marketed as remote-administration software but became widely abused as a RAT; its developer was prosecuted for facilitating malicious use.

What can NanoCore do once installed?

Through its plugin system it can provide remote control, keylogging, credential theft, and surveillance such as webcam access.

How is NanoCore delivered?

Commonly through phishing emails carrying malicious attachments or downloaders.

Why does NanoCore keep appearing despite the prosecution?

Cracked versions of the builder circulated publicly, so many different actors continue to deploy their own variants.

How do I reduce the risk of RATs like NanoCore?

Be cautious with email attachments and downloads, keep endpoint protection updated, and avoid pirated software that often bundles such tools.

Where is the authoritative reference?

MITRE ATT&CK's NanoCore entry (S0336), linked on this page.

Related Families (Category: rat)

Explore other malware families in the same category:

Need help with an active incident? Published by the SystemHelpdesk team.

Machine-readable

Get this profile as JSON: https://jordanricky1604-ship-it.github.io/malware-families-catalog/api/nanocore.json

Ecosystem & Interactive Environments

This profile is part of the Malware Families Catalog, a public dataset of 2,899 malware families. The catalog is also published across our ecosystem: Hugging Face, Kaggle, Replit, StackBlitz, CodeSandbox, and CodePen.