Nymaim

Category: downloader · Aliases: None known · Sample count (EMBER 2018): 756 · Enrichment: curated_sourced · Updated: 2026-06-10

Overview

Nymaim (also known as nymain) is a Windows trojan downloader. As documented by Malpedia (Fraunhofer FKIE), it downloads and runs other malware on affected systems and was one of the primary malware families hosted on the Avalanche infrastructure. A distinguishing feature is that Nymaim displays a localized lockscreen on the victim's machine while it downloads additional malware in the background. According to Malpedia, Nymaim is usually delivered through exploit kits and malvertising.

MITRE ATT&CK Techniques

This family has been observed using the following ATT&CK techniques: T1547.001 T1071.001

Generated Detections (Boilerplate)

These YARA and Sigma rules are auto-generated based on the family name and aliases. They must be heavily tuned before deployment in a production environment.

YARA Rule

rule MALWARE_WIN_NYMAIM {
    meta:
        description = "Detects Nymaim (downloader)"
        author = "SystemHelpdesk Boilerplate Generator"
        date = "2026-07-06"
    strings:
        $s1 = "nymaim" ascii wide nocase
    condition:
        uint16(0) == 0x5a4d and any of them
}

Sigma Rule

title: Suspicious Nymaim Activity
id: 6e680be7a47bed29c2657b2bd819671a
status: experimental
description: Detects generic indicators of the nymaim malware family.
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
        CommandLine|contains:
            - "*nymaim*"
    condition: selection
level: medium

References & External Analysis

Frequently Asked Questions

What is Nymaim?

Nymaim (also known as nymain) is a Windows trojan downloader. According to Malpedia, its main role is to download and run other malware on infected systems, acting as a delivery mechanism for additional threats.

How does Nymaim spread?

Per Malpedia, Nymaim is usually delivered through exploit kits and malvertising (malicious online advertising). It was also one of the primary malware families hosted on the Avalanche infrastructure, a large criminal hosting network.

What makes Nymaim distinctive?

Malpedia notes that Nymaim is distinctive in that it displays a localized lockscreen to the victim while it downloads additional malware in the background. The lockscreen behavior overlaps with ransomware-style tactics, even though its core function is as a downloader.

What was Nymaim's connection to Avalanche?

According to Malpedia, Nymaim was one of the primary malware families hosted on Avalanche, a large bulletproof-hosting and malware-distribution network. Avalanche was the subject of a major international law-enforcement takedown.

Related Families (Category: downloader)

Explore other malware families in the same category:

Need help with an active incident? Published by the SystemHelpdesk team.

Machine-readable

Get this profile as JSON: https://jordanricky1604-ship-it.github.io/malware-families-catalog/api/nymaim.json

Ecosystem & Interactive Environments

This profile is part of the Malware Families Catalog, a public dataset of 2,899 malware families. The catalog is also published across our ecosystem: Hugging Face, Kaggle, Replit, StackBlitz, CodeSandbox, and CodePen.