NimImplant
Implant/backdoor written in the Nim programming language. It is compiled with MinGW-W64 GCC and makes Windows API calls through the winim library. It performs thread injection with SetThreadContext, uses BCryptGenRandom (Windows CNG) for its encrypted communication, and runs an overlapped TCP C2 channel via WSAID_CONNECTEX. Its anti-analysis measures include an unusual 20-section PE structure. Nim has become the language of choice for this family's authors as a means of evading AV detection.
Threat Profile
Type: Backdoor
Programming Language: Nim
C2 Protocol: TCP
First Seen: 2023
Targets: Corporate/Global
Purpose / Capabilities
- Backdoor/Process Injection/Encrypted C2
No C2 servers have been identified for this family yet.
Research Reports (1)
NimImplant 11ddebd9 -- Nim MinGW GCC x64 SetThreadContext BCryptGenRandom WSAID_CONNECTEX 20-section winim Process-Injection CNG | Severity: High
NimImplant 11ddebd9: Nim + MinGW-W64 GCC 11.1. SetThreadContext thread injection. BCryptGenRandom (CNG). WSAID_CONNECTEX overlapped TCP. 20 PE sections. winim assembly. TLS-callback anti-debug.