elf.nosedive

Nosedive

Actor(s): Flax Typhoon

According to Black Lotus Labs, Nosedive is a custom variant of the Mirai implant built for all major SOHO and IoT architectures (MIPS, ARM, SuperH, PowerPC and others). Nosedive implants are typically deployed from Tier 2 payload servers in the Raptor Train infrastructure through a unique URL encoding scheme and domain injection method: a Nosedive dropper requests the payload for a specific C2 by encoding the requested C2 domain and joining it with a unique "key" that identifies the bot and the target architecture of the compromised device (MIPS, ARM, and so on); that C2 domain is then injected into the Nosedive implant payload delivered to the Tier 1 node. Once deployed, Nosedive runs in memory only and lets the operators execute commands, upload and download files, and launch DDoS attacks from the compromised devices.

The malware and its associated droppers are memory-resident only and are deleted from disk. Together with the other anti-forensics techniques used on these devices, namely obfuscating the names of running processes, compromising devices through a multi-stage infection chain, and killing remote management processes, this makes detection and forensics much more difficult.
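The two traits just described, a binary that is unlinked after it starts and a process whose visible name does not match what it is actually running, both leave footprints in Linux /proc that a defender can enumerate. The script below is an added example written for this page, not code from Lumen, Malpedia or any Nosedive sample; it applies generic /proc checks (a "(deleted)" or memfd exe link, an executable in a tmpfs scratch path, and a comm or argv[0] that disagrees with the exe basename) to a set of constructed process records, and can also be pointed at a live /proc.

```python
#!/usr/bin/env python3
"""Flag processes whose on-disk backing is gone or whose visible name does not
match their executable.  Added example: generic Linux /proc heuristics, with
constructed sample records (not data from a real infection)."""
import os
from dataclasses import dataclass


@dataclass
class ProcRecord:
    pid: int
    exe: str    # target of the /proc/<pid>/exe symlink ("" if unreadable)
    comm: str   # contents of /proc/<pid>/comm (kernel task name, max 15 chars)
    argv0: str  # first NUL-separated field of /proc/<pid>/cmdline


def collect_from_proc(root="/proc"):
    """Read the fields above from a live /proc; entries that cannot be read
    (kernel threads, other users' processes without privilege) are skipped."""
    recs = []
    for name in os.listdir(root):
        if not name.isdigit():
            continue
        base = os.path.join(root, name)
        try:
            exe = os.readlink(os.path.join(base, "exe"))
            with open(os.path.join(base, "comm")) as f:
                comm = f.read().strip()
            with open(os.path.join(base, "cmdline"), "rb") as f:
                argv0 = f.read().split(b"\0", 1)[0].decode(errors="replace")
        except OSError:
            continue
        recs.append(ProcRecord(int(name), exe, comm, argv0))
    return recs


def classify(rec):
    """Return the list of indicators that apply to one process (empty = nothing odd).
    These are review indicators, not verdicts: see the benign case in SAMPLE."""
    hits = []
    # Binary unlinked after exec: the mapping survives, the path does not.
    if rec.exe.endswith(" (deleted)"):
        hits.append("exe-deleted")
    # Anonymous in-memory executable created with memfd_create(); never on disk.
    if rec.exe.startswith("/memfd:"):
        hits.append("exe-memfd")
    exe_path = rec.exe.replace(" (deleted)", "")
    # Executable in a writable scratch location rather than a system path.
    if exe_path.startswith(("/tmp/", "/dev/shm/", "/var/tmp/")):
        hits.append("exe-tmpfs")
    # comm is derived from the executed file name but can be rewritten with
    # prctl(PR_SET_NAME); argv[0] can be overwritten in place by the process.
    exe_base = os.path.basename(exe_path)
    if exe_base and rec.comm and exe_base[:15] != rec.comm:
        hits.append("comm-mismatch")
    if exe_base and rec.argv0 and os.path.basename(rec.argv0) != exe_base:
        hits.append("argv0-mismatch")
    return hits


def scan(records):
    """Map pid -> indicators for every record that raised at least one."""
    return {r.pid: h for r in records if (h := classify(r))}


# Constructed sample records (hypothetical pids, paths and names).
SAMPLE = [
    ProcRecord(412, "/usr/sbin/dropbear", "dropbear", "/usr/sbin/dropbear"),
    # Implant unlinked from a tmp path and masquerading as the SSH daemon.
    ProcRecord(981, "/tmp/.x/mipsel (deleted)", "dropbear", "/usr/sbin/dropbear"),
    # memfd-backed payload posing as a kernel worker thread.
    ProcRecord(1022, "/memfd:payload (deleted)", "kworker/0:1", ""),
    # Benign false positive: an interpreter reached through a symlink.
    ProcRecord(1337, "/usr/bin/python3.11", "python3", "python3"),
]

if __name__ == "__main__":
    records = collect_from_proc() if os.path.isdir("/proc") else SAMPLE
    for pid, hits in sorted(scan(records).items()):
        print(f"pid {pid}: {', '.join(hits)}")
```

The last sample record is there on purpose: an interpreter invoked through a symlink trips both name checks, and a package upgrade leaves every long-running daemon with a "(deleted)" exe until restart, so the output is a triage queue rather than an alert. The combination that matters for the behaviour described above is a deleted or memfd executable together with a name that claims to be something else.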

References
2024-09-18  Lumen Black Lotus Labs: Derailing The Raptor Train
2024-09-18  U.S. Department of Justice: Court-Authorized Operation Disrupts Worldwide Botnet Used by People’s Republic of China State-Sponsored Hackers
2024-09-18  Lumen Black Lotus Labs: Derailing the Raptor Train
2024-09-18  ASD, CNMF, CSE Canada, FBI, GCSB, NCSC UK, NSA: People’s Republic of China-Linked Actors Compromise Routers and IoT Devices for Botnet Operations
Yara Rules
[TLP:WHITE] elf_nosedive_auto (20260504 | Detects elf.nosedive.)
rule elf_nosedive_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects elf.nosedive."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/elf.nosedive"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    /* The comments beside each byte string give its x86-64 decoding
     * (Intel syntax, branch targets as rel8/rel32 displacements).
     */
    strings:
        $sequence_0 = { eb1c 8b1486 891487 48ffc0 4839c3 75f2 488d049d00000000 }
            // n = 7, score = 100
            //   eb1c                 | jmp                 short +0x1c
            //   8b1486               | mov                 edx, dword ptr [rsi + rax*4]
            //   891487               | mov                 dword ptr [rdi + rax*4], edx
            //   48ffc0               | inc                 rax
            //   4839c3               | cmp                 rbx, rax
            //   75f2                 | jne                 short -0xe
            //   488d049d00000000     | lea                 rax, [rbx*4]

        $sequence_1 = { 8b12 83fa7f 0f869a000000 c1ea07 81fa001c0000 750a 4889b42480000000 }
            // n = 7, score = 100
            //   8b12                 | mov                 edx, dword ptr [rdx]
            //   83fa7f               | cmp                 edx, 0x7f
            //   0f869a000000         | jbe                 +0x9a
            //   c1ea07               | shr                 edx, 7
            //   81fa001c0000         | cmp                 edx, 0x1c00
            //   750a                 | jne                 short +0xa
            //   4889b42480000000     | mov                 qword ptr [rsp + 0x80], rsi

        $sequence_2 = { 85c0 746a 488d0d2f6c0400 ba6b000000 488d35d0680400 488d3dd5680400 e8???????? }
            // n = 7, score = 100
            //   85c0                 | test                eax, eax
            //   746a                 | je                  short +0x6a
            //   488d0d2f6c0400       | lea                 rcx, [rip + 0x46c2f]
            //   ba6b000000           | mov                 edx, 0x6b
            //   488d35d0680400       | lea                 rsi, [rip + 0x468d0]
            //   488d3dd5680400       | lea                 rdi, [rip + 0x468d5]
            //   e8????????           | call                (wildcarded rel32)

        $sequence_3 = { e8???????? 488b7b10 e8???????? 48c7430801000000 ba08000000 48896b10 eb87 }
            // n = 7, score = 100
            //   e8????????           | call                (wildcarded rel32)
            //   488b7b10             | mov                 rdi, qword ptr [rbx + 0x10]
            //   e8????????           | call                (wildcarded rel32)
            //   48c7430801000000     | mov                 qword ptr [rbx + 8], 1
            //   ba08000000           | mov                 edx, 8
            //   48896b10             | mov                 qword ptr [rbx + 0x10], rbp
            //   eb87                 | jmp                 short -0x79

        $sequence_4 = { eb1a 761a 4883ff02 7502 31ff 488d15c20d0e00 488d72f8 }
            // n = 7, score = 100
            //   eb1a                 | jmp                 short +0x1a
            //   761a                 | jbe                 short +0x1a
            //   4883ff02             | cmp                 rdi, 2
            //   7502                 | jne                 short +2
            //   31ff                 | xor                 edi, edi
            //   488d15c20d0e00       | lea                 rdx, [rip + 0xe0dc2]
            //   488d72f8             | lea                 rsi, [rdx - 8]

        $sequence_5 = { 85c0 7460 4983c508 ebdf 4963ca 4889c7 4c89ce }
            // n = 7, score = 100
            //   85c0                 | test                eax, eax
            //   7460                 | je                  short +0x60
            //   4983c508             | add                 r13, 8
            //   ebdf                 | jmp                 short -0x21
            //   4963ca               | movsxd              rcx, r10d
            //   4889c7               | mov                 rdi, rax
            //   4c89ce               | mov                 rsi, r9

        $sequence_6 = { 84c9 0f85b7000000 4180fd01 7429 31c0 4c8d0525950f00 4c89e2 }
            // n = 7, score = 100
            //   84c9                 | test                cl, cl
            //   0f85b7000000         | jne                 +0xb7
            //   4180fd01             | cmp                 r13b, 1
            //   7429                 | je                  short +0x29
            //   31c0                 | xor                 eax, eax
            //   4c8d0525950f00       | lea                 r8, [rip + 0xf9525]
            //   4c89e2               | mov                 rdx, r12

        $sequence_7 = { e8???????? 85c0 0f85bc020000 488b542438 488b742448 4c89ef e8???????? }
            // n = 7, score = 100
            //   e8????????           | call                (wildcarded rel32)
            //   85c0                 | test                eax, eax
            //   0f85bc020000         | jne                 +0x2bc
            //   488b542438           | mov                 rdx, qword ptr [rsp + 0x38]
            //   488b742448           | mov                 rsi, qword ptr [rsp + 0x48]
            //   4c89ef               | mov                 rdi, r13
            //   e8????????           | call                (wildcarded rel32)

        $sequence_8 = { 8b0d???????? 0fbae109 7333 85d2 790d 0fbae21e 488d058cb20100 }
            // n = 7, score = 100
            //   8b0d????????         | mov                 ecx, dword ptr [rip + ?] (wildcarded disp32)
            //   0fbae109             | bt                  ecx, 9
            //   7333                 | jae                 short +0x33
            //   85d2                 | test                edx, edx
            //   790d                 | jns                 short +0xd
            //   0fbae21e             | bt                  edx, 0x1e
            //   488d058cb20100       | lea                 rax, [rip + 0x1b28c]

        $sequence_9 = { e9???????? 488d3d54b60b00 e8???????? 488d3dc4720c00 31c0 e8???????? 4c8d8c24b0010000 }
            // n = 7, score = 100
            //   e9????????           | jmp                 (wildcarded rel32)
            //   488d3d54b60b00       | lea                 rdi, [rip + 0xbb654]
            //   e8????????           | call                (wildcarded rel32)
            //   488d3dc4720c00       | lea                 rdi, [rip + 0xc72c4]
            //   31c0                 | xor                 eax, eax
            //   e8????????           | call                (wildcarded rel32)
            //   4c8d8c24b0010000     | lea                 r9, [rsp + 0x1b0]

    condition:
        7 of them and filesize < 3268608
}