win.nestegg

NESTEGG

Actor(s): Lazarus Group


NESTEGG is a memory-only backdoor that can proxy commands to other
infected systems using a custom routing scheme. It accepts commands to
upload and download files, list and delete files, list and terminate processes, and
start processes. NESTEGG also creates Windows Firewall rules that allow the
backdoor to bind to a specified port number and accept inbound traffic.

References
2018-10-08 · Youtube Video · Saher Naumaan
BSides Belfast 2018: Lazarus On The Rise: Insights From SWIFT Bank Attacks
NESTEGG
2018-10-01 · Youtube (FireEye Inc.) · Christopher DiGiamo, Jacqueline O’Leary, Nalani Fraser
CDS 2018 | Unmasking APT X
NESTEGG
2018-06-08 · United States District Court (California) · Nathan P. Shields, Rozella A. Oliver
Complaint against Jin Hyok Park
NESTEGG
2018-03-01 · Kaspersky Labs · Analysis Team, Kaspersky Lab Global Research
Lazarus under the Hood
NESTEGG
2018-01-01 · FireEye · FireEye
APT38
Bitsran BLINDTOAD BOOTWRECK Contopee DarkComet DYEPACK HOTWAX NESTEGG PowerRatankba REDSHAWL WORMHOLE Lazarus Group
2017-04-03 · Kaspersky Labs · GReAT
Lazarus under the Hood
Alreay DYEPACK HOTWAX NESTEGG RatankbaPOS REDSHAWL WORMHOLE Lazarus Group
Yara Rules
[TLP:WHITE] win_nestegg_auto (20260504 | Detects win.nestegg.)
rule win_nestegg_auto {

    // Autogenerated (yara-signator) code-pattern rule for the NESTEGG backdoor.
    // Each $sequence_N is a short run of 32-bit x86 instruction bytes taken from
    // the disassembly of a dumped/unpacked sample; the "n" in each comment is the
    // instruction count and "score" is the generator's ranking of that sequence.
    // The "??" bytes are wildcards covering call/jump targets and data references
    // (see signator_config), which differ between builds and load addresses, so
    // the blank right-hand column in those comment lines is expected.
    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.nestegg."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.nestegg"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Masks a call result with 0x800001ff and tests the sign bit; the jns
        // skips exactly 8 bytes, which is consistent with the compiler idiom for
        // a signed remainder modulo 0x200 — confirm against the sample.
        $sequence_0 = { c784242804000000000000 ffd6 8bf8 81e7ff010080 7908 }
            // n = 5, score = 200
            //   c784242804000000000000     | mov    dword ptr [esp + 0x428], 0
            //   ffd6                 | call                esi
            //   8bf8                 | mov                 edi, eax
            //   81e7ff010080         | and                 edi, 0x800001ff
            //   7908                 | jns                 0xa

        // Stores 0x94 (148) into the first dword of a stack buffer and pushes
        // that buffer's address to an imported function; looks like a
        // size-prefixed Windows struct being passed — which API is not visible here.
        $sequence_1 = { 8d54244c c744244c94000000 52 ff15???????? }
            // n = 4, score = 200
            //   8d54244c             | lea                 edx, [esp + 0x4c]
            //   c744244c94000000     | mov                 dword ptr [esp + 0x4c], 0x94
            //   52                   | push                edx
            //   ff15????????         |                     

        // Two consecutive calls that each push 8 and a stack-buffer address with
        // ecx = esi (presumably thiscall-style member calls on the same object).
        $sequence_2 = { 8d44241c 6a08 50 8bce e8???????? 8d4c2424 6a08 }
            // n = 7, score = 200
            //   8d44241c             | lea                 eax, [esp + 0x1c]
            //   6a08                 | push                8
            //   50                   | push                eax
            //   8bce                 | mov                 ecx, esi
            //   e8????????           |                     
            //   8d4c2424             | lea                 ecx, [esp + 0x24]
            //   6a08                 | push                8

        // Reads two dwords from the object in eax, calls with a stack buffer in
        // ecx, then starts a loop/counter setup (edi = 0, ebx = esi + 1).
        $sequence_3 = { 8b08 8b7004 51 8d4c241c e8???????? 33ff 8d5e01 }
            // n = 7, score = 200
            //   8b08                 | mov                 ecx, dword ptr [eax]
            //   8b7004               | mov                 esi, dword ptr [eax + 4]
            //   51                   | push                ecx
            //   8d4c241c             | lea                 ecx, [esp + 0x1c]
            //   e8????????           |                     
            //   33ff                 | xor                 edi, edi
            //   8d5e01               | lea                 ebx, [esi + 1]

        // Function epilogue returning -1 (or eax, 0xffffffff; ret 8) immediately
        // followed by the prologue of the next function in the image.
        $sequence_4 = { 5f 83c8ff 5b c20800 8b7b08 55 56 }
            // n = 7, score = 200
            //   5f                   | pop                 edi
            //   83c8ff               | or                  eax, 0xffffffff
            //   5b                   | pop                 ebx
            //   c20800               | ret                 8
            //   8b7b08               | mov                 edi, dword ptr [ebx + 8]
            //   55                   | push                ebp
            //   56                   | push                esi

        // Stores 0x104 (260, i.e. MAX_PATH) into a stack dword right before the
        // call — presumably a path buffer length; the callee is not visible.
        $sequence_5 = { 8d542410 51 52 8bce c744241004010000 e8???????? 85c0 }
            // n = 7, score = 200
            //   8d542410             | lea                 edx, [esp + 0x10]
            //   51                   | push                ecx
            //   52                   | push                edx
            //   8bce                 | mov                 ecx, esi
            //   c744241004010000     | mov                 dword ptr [esp + 0x10], 0x104
            //   e8????????           |                     
            //   85c0                 | test                eax, eax

        // Short call fragment (ecx = esi again) followed by taking the address
        // of a stack buffer at esp + 0x7c.
        $sequence_6 = { 52 8bce e8???????? 8d44247c }
            // n = 4, score = 200
            //   52                   | push                edx
            //   8bce                 | mov                 ecx, esi
            //   e8????????           |                     
            //   8d44247c             | lea                 eax, [esp + 0x7c]

        // Saves the return value of an imported call into a local, then sets up
        // two stack-buffer addresses for the next call.
        $sequence_7 = { ff15???????? 8944242c 8d442424 8d4c241c 50 }
            // n = 5, score = 200
            //   ff15????????         |                     
            //   8944242c             | mov                 dword ptr [esp + 0x2c], eax
            //   8d442424             | lea                 eax, [esp + 0x24]
            //   8d4c241c             | lea                 ecx, [esp + 0x1c]
            //   50                   | push                eax

        // Stack-built string: writes the bytes 0x6f 'o', 0x65 'e', 0x61 'a' and
        // two register values byte-by-byte into a stack buffer, the usual sign of
        // a string assembled at runtime rather than stored in plain form. The full
        // string cannot be recovered from this fragment alone.
        $sequence_8 = { 8844243e 885c243f c64424506f 88442451 c644245265 c644245361 }
            // n = 6, score = 200
            //   8844243e             | mov                 byte ptr [esp + 0x3e], al
            //   885c243f             | mov                 byte ptr [esp + 0x3f], bl
            //   c64424506f           | mov                 byte ptr [esp + 0x50], 0x6f
            //   88442451             | mov                 byte ptr [esp + 0x51], al
            //   c644245265           | mov                 byte ptr [esp + 0x52], 0x65
            //   c644245361           | mov                 byte ptr [esp + 0x53], 0x61

        // Large stack frame (locals at esp + 0x4134 / 0x412c, i.e. >16 KiB);
        // stores -1 into a local before a call and reloads a neighbouring local.
        $sequence_9 = { ff15???????? e9???????? 8d4c2418 c7842434410000ffffffff e8???????? 8b8c242c410000 }
            // n = 6, score = 200
            //   ff15????????         |                     
            //   e9????????           |                     
            //   8d4c2418             | lea                 ecx, [esp + 0x18]
            //   c7842434410000ffffffff     | mov    dword ptr [esp + 0x4134], 0xffffffff
            //   e8????????           |                     
            //   8b8c242c410000       | mov                 ecx, dword ptr [esp + 0x412c]

    condition:
        // At least 7 of the 10 code sequences must be present, and the scanned
        // object must be smaller than 221184 bytes (0x36000). The size bound is
        // derived from the documented sample(s); since NESTEGG is described as a
        // memory-only backdoor, apply the rule to dumped/unpacked images and check
        // how filesize is evaluated in your scanning mode before relying on it.
        7 of them and filesize < 221184
}