win.nightshade_c2

NightshadeC2

aka: CastleRAT

According to eSentire, NightshadeC2 demonstrates an extensive capability set, including: reverse shell via Command Prompt/PowerShell; download and execute DLL or EXE; self-deletion; remote control; screen capture; hidden web browsers; keylogging; clipboard content capturing. Certain variants have been found with stealer capabilities that enable the extraction of browser passwords and cookies from victim systems for both Gecko- and Chromium-based browsers.

References
2026-01-07 — MalBeacon — MalBeacon
[Op Report] CastleRAT Campaign leads to Hands-on-Keyboard ATO Operations
NightshadeC2
2025-12-09 — Recorded Future — Insikt Group
GrayBravo’s CastleLoader Activity Clusters Target Multiple Industries
CASTLELOADER Matanbuchus NightshadeC2 GrayBravo
2025-09-04 — eSentire — eSentire Threat Response Unit (TRU)
New Botnet Emerges from the Shadows: NightshadeC2
NightshadeC2 NightshadeC2
2025-09-04 — Recorded Future — Insikt Group
From CastleLoader to CastleRAT: TAG-150 Advances Operations with Multi-Tiered Infrastructure
NightshadeC2 GrayBravo
2025-08-06 — IBM X-Force — Golo Mühr
Dissecting the CastleBot Malware-as-a-Service operation
CASTLELOADER NightshadeC2
Yara Rules
[TLP:WHITE] win_nightshade_c2_auto (20260504 | Detects win.nightshade_c2.)
rule win_nightshade_c2_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.nightshade_c2."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.nightshade_c2"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* REVIEW NOTE on the per-byte annotations below
     * YARA matches only the hex byte sequences; the "| mnemonic" column to the
     * right of each byte group is a generator annotation and does NOT decode
     * those bytes correctly in this rule. For example: 85c0 is `test eax, eax`
     * (not `dec eax`); 742a / 7415 / 7479 are short `je` jumps; 4883ec28 is
     * `sub rsp, 0x28`; 90 is `nop`; f3aa is `rep stosb`; 33c0 is
     * `xor eax, eax`; b954040000 is `mov ecx, 0x454`. The REX prefixes
     * (48.., 4c..) show this is 64-bit code, and the annotation column looks
     * like a mis-aligned 32-bit decode -- treat it as untrusted and
     * re-disassemble the bytes before relying on any mnemonic when triaging
     * a hit.
     * The masked operands (e8????????, ff15????????) are call targets /
     * indirect-call displacements whose bytes change between builds and load
     * addresses, which is why the generator wildcards them.
     */

    strings:
        $sequence_0 = { 85c0 742a 488d1503a00200 488d4c2420 e8???????? 85c0 7415 }
            // n = 7, score = 100
            //   85c0                 | dec                 eax
            //   742a                 | mov                 dword ptr [esp + 0x90], eax
            //   488d1503a00200       | mov                 eax, 8
            //   488d4c2420           | mov                 eax, 8
            //   e8????????           |                     
            //   85c0                 | dec                 eax
            //   7415                 | imul                eax, eax, 0

        $sequence_1 = { 7502 eb3c 837c244000 7402 eb33 448b442450 488b542468 }
            // n = 7, score = 100
            //   7502                 | mov                 dword ptr [esp + 0x20], eax
            //   eb3c                 | dec                 esp
            //   837c244000           | mov                 ecx, dword ptr [esp + 0x58]
            //   7402                 | dec                 esp
            //   eb33                 | mov                 eax, dword ptr [esp + 0x70]
            //   448b442450           | mov                 eax, dword ptr [esp + 0x3c]
            //   488b542468           | inc                 eax

        $sequence_2 = { 4883ec28 488b442430 488b4c2430 8b09 8b4008 2bc1 f30f2ac0 }
            // n = 7, score = 100
            //   4883ec28             | dec                 eax
            //   488b442430           | mov                 ecx, dword ptr [esp + 0x2a0]
            //   488b4c2430           | dec                 eax
            //   8b09                 | mov                 eax, dword ptr [ecx + eax + 8]
            //   8b4008               | dec                 eax
            //   2bc1                 | mov                 dword ptr [esp + 0x60], eax
            //   f30f2ac0             | jmp                 0x1426

        $sequence_3 = { ff15???????? 90 ebcc ba02000000 488b4c2440 ff15???????? }
            // n = 6, score = 100
            //   ff15????????         |                     
            //   90                   | lea                 eax, [esp + 0x70]
            //   ebcc                 | dec                 eax
            //   ba02000000           | mov                 edi, eax
            //   488b4c2440           | xor                 eax, eax
            //   ff15????????         |                     

        $sequence_4 = { b954040000 f3aa 488d842460020000 488bf8 33c0 b918040000 f3aa }
            // n = 7, score = 100
            //   b954040000           | sub                 esp, 0x20
            //   f3aa                 | dec                 eax
            //   488d842460020000     | mov                 esi, dword ptr [ecx]
            //   488bf8               | dec                 eax
            //   33c0                 | mov                 eax, dword ptr [esp + 0x28]
            //   b918040000           | movzx               eax, byte ptr [eax]
            //   f3aa                 | cmp                 eax, 3

        $sequence_5 = { eb0b 8b442440 83c002 89442440 8b8424d8000000 39442440 0f83b9030000 }
            // n = 7, score = 100
            //   eb0b                 | mov                 edx, dword ptr [esp + 0x40]
            //   8b442440             | movzx               eax, al
            //   83c002               | mov                 dword ptr [esp + 0x28], eax
            //   89442440             | mov                 eax, dword ptr [esp + 0x20]
            //   8b8424d8000000       | inc                 eax
            //   39442440             | mov                 eax, eax
            //   0f83b9030000         | dec                 eax

        $sequence_6 = { 488b8c24a0000000 483bc8 732b 4863442450 48634c2450 488d1588ca0200 4c8b442440 }
            // n = 7, score = 100
            //   488b8c24a0000000     | dec                 eax
            //   483bc8               | mov                 dword ptr [esp + 0x70], 0
            //   732b                 | mov                 dword ptr [esp + 0x60], 0
            //   4863442450           | dec                 eax
            //   48634c2450           | mov                 dword ptr [esp + 0x68], 0
            //   488d1588ca0200       | dec                 eax
            //   4c8b442440           | mov                 dword ptr [esp + 0x50], 0

        $sequence_7 = { 85c0 7479 488b542438 488d0d0ce50100 e8???????? 85c0 }
            // n = 6, score = 100
            //   85c0                 | mov                 byte ptr [ecx + eax], 0
            //   7479                 | movzx               edx, byte ptr [esp + 0x24]
            //   488b542438           | mov                 byte ptr [ecx + eax], dl
            //   488d0d0ce50100       | jmp                 0x4a
            //   e8????????           |                     
            //   85c0                 | mov                 dword ptr [esp + 0x20], 0

        $sequence_8 = { 85c0 7552 e8???????? e8???????? 85c0 740c 488d0d46060000 }
            // n = 7, score = 100
            //   85c0                 | mov                 ecx, dword ptr [esp + 0x310]
            //   7552                 | dec                 eax
            //   e8????????           |                     
            //   e8????????           |                     
            //   85c0                 | mov                 eax, dword ptr [ecx + eax]
            //   740c                 | dec                 eax
            //   488d0d46060000       | mov                 dword ptr [esp + 0xd0], eax

        $sequence_9 = { 0fb78c24a6000000 8bc1 99 83e207 03c2 c1f803 8b8c2488000000 }
            // n = 7, score = 100
            //   0fb78c24a6000000     | mov                 dword ptr [esp + 0x50], 0
            //   8bc1                 | mov                 dword ptr [esp + 0x60], 0
            //   99                   | dec                 eax
            //   83e207               | mov                 eax, dword ptr [ecx + eax]
            //   03c2                 | dec                 eax
            //   c1f803               | mov                 dword ptr [esp + 0x70], eax
            //   8b8c2488000000       | mov                 eax, 8

    condition:
        // Any 7 of the 10 sequences must be present. 458752 bytes = 0x70000
        // (448 KiB) bounds the scan to small files / dumps. Per the disclaimer
        // the sequences were taken from unpacked code, so a still-packed sample
        // is unlikely to match in place -- scan memory dumps or unpacked files.
        7 of them and filesize < 458752
}