Nymaim (also known as nymain) is a Windows trojan downloader. As documented by Malpedia (Fraunhofer FKIE), it downloads and runs other malware on affected systems and was one of the primary malware families hosted on the Avalanche infrastructure. A distinguishing feature is that Nymaim displays a localized lockscreen on the victim's machine while it downloads additional malware in the background. According to Malpedia, Nymaim is usually delivered through exploit kits and malvertising.
This family has been observed using the following ATT&CK techniques: T1547.001 T1071.001
These YARA and Sigma rules are auto-generated based on the family name and aliases. They must be heavily tuned before deployment in a production environment.
rule MALWARE_WIN_NYMAIM {
meta:
description = "Detects Nymaim (downloader)"
author = "SystemHelpdesk Boilerplate Generator"
date = "2026-07-06"
strings:
$s1 = "nymaim" ascii wide nocase
condition:
uint16(0) == 0x5a4d and any of them
}title: Suspicious Nymaim Activity
id: 6e680be7a47bed29c2657b2bd819671a
status: experimental
description: Detects generic indicators of the nymaim malware family.
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith:
- '\cmd.exe'
- '\powershell.exe'
CommandLine|contains:
- "*nymaim*"
condition: selection
level: mediumNymaim (also known as nymain) is a Windows trojan downloader. According to Malpedia, its main role is to download and run other malware on infected systems, acting as a delivery mechanism for additional threats.
Per Malpedia, Nymaim is usually delivered through exploit kits and malvertising (malicious online advertising). It was also one of the primary malware families hosted on the Avalanche infrastructure, a large criminal hosting network.
Malpedia notes that Nymaim is distinctive in that it displays a localized lockscreen to the victim while it downloads additional malware in the background. The lockscreen behavior overlaps with ransomware-style tactics, even though its core function is as a downloader.
According to Malpedia, Nymaim was one of the primary malware families hosted on Avalanche, a large bulletproof-hosting and malware-distribution network. Avalanche was the subject of a major international law-enforcement takedown.
Explore other malware families in the same category:
Get this profile as JSON: https://jordanricky1604-ship-it.github.io/malware-families-catalog/api/nymaim.json
This profile is part of the Malware Families Catalog, a public dataset of 2,899 malware families. The catalog is also published across our ecosystem: Hugging Face, Kaggle, Replit, StackBlitz, CodeSandbox, and CodePen.