win.nimbo_c2 (Back to overview)

Nimbo-C2


According to the author, Nimbo-C2 is yet another (simple and lightweight) C2 framework. The agent currently supports Windows x64 and Linux. It is written in Nim, with some use of .NET (by dynamically loading the CLR into the process).

References
2024-02-06 | Knownsec | K&XWS@Knownsec 404
APT-K-47 Organization Launches Espionage Attacks Using a New Trojan Tool
Nimbo-C2 ORPCBackdoor
2024-02-06 | Knownsec | Knownsec 404 Team
APT-K-47 Organization Launches Espionage Attacks Using a New Trojan Tool
Nimbo-C2 ORPCBackdoor
2022-10-08 | Github (itaymigdal) | Itay Migdal
Nimbo-C2 - A new C2 Framework
Nimbo-C2 Nimbo-C2
Yara Rules
[TLP:WHITE] win_nimbo_c2_auto (20260504 | Detects win.nimbo_c2.)
rule win_nimbo_c2_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.nimbo_c2."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.nimbo_c2"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* REVIEW NOTES
     * - Each $sequence_N is a run of x86-64 instruction bytes; the hex strings
     *   are the authoritative matching data. "e8????????" entries are CALL
     *   instructions whose 4-byte relative target is wildcarded, so the
     *   pattern is independent of where the callee was linked.
     * - The per-instruction annotations originally emitted next to each
     *   pattern were 32-bit decodings that did not line up with the 64-bit
     *   opcode bytes (e.g. "c3" was labelled "dec eax" although it encodes
     *   "ret"). The annotations below were re-derived by hand from the hex
     *   bytes as x86-64; they are comments only and do not affect matching.
     *   Branch targets are shown as signed displacements from the end of
     *   the branch instruction.
     * - "n" is the number of instructions in the sequence (it matches the
     *   number of byte groups). "score" is a value carried over from the
     *   generator output; its meaning is not documented on this page.
     */


    strings:
        $sequence_0 = { c3 4883ec38 4c8b4928 498b00 4d8b4008 4d85c9 7517 }
            // n = 7, score = 500
            //   c3                   | ret
            //   4883ec38             | sub                 rsp, 0x38
            //   4c8b4928             | mov                 r9, qword ptr [rcx + 0x28]
            //   498b00               | mov                 rax, qword ptr [r8]
            //   4d8b4008             | mov                 r8, qword ptr [r8 + 8]
            //   4d85c9               | test                r9, r9
            //   7517                 | jne                 +0x17

        $sequence_1 = { 6683bd90feffff0d 488b4d10 742a e8???????? 488d8dc0feffff 4889c2 e8???????? }
            // n = 7, score = 500
            //   6683bd90feffff0d     | cmp                 word ptr [rbp - 0x170], 0xd
            //   488b4d10             | mov                 rcx, qword ptr [rbp + 0x10]
            //   742a                 | je                  +0x2a
            //   e8????????           | call                <wildcarded rel32>
            //   488d8dc0feffff       | lea                 rcx, [rbp - 0x140]
            //   4889c2               | mov                 rdx, rax
            //   e8????????           | call                <wildcarded rel32>

        $sequence_2 = { 4983c704 4d39fc 75bd 49be1111111111111111 31ed 49bd2222222222222222 49bc4444444444444444 }
            // n = 7, score = 500
            //   4983c704             | add                 r15, 4
            //   4d39fc               | cmp                 r12, r15
            //   75bd                 | jne                 -0x43
            //   49be1111111111111111     | movabs  r14, 0x1111111111111111
            //   31ed                 | xor                 ebp, ebp
            //   49bd2222222222222222     | movabs  r13, 0x2222222222222222
            //   49bc4444444444444444     | movabs  r12, 0x4444444444444444

        $sequence_3 = { c3 4155 4154 4883ec48 4989cc 488b09 4c8d442438 }
            // n = 7, score = 500
            //   c3                   | ret
            //   4155                 | push                r13
            //   4154                 | push                r12
            //   4883ec48             | sub                 rsp, 0x48
            //   4989cc               | mov                 r12, rcx
            //   488b09               | mov                 rcx, qword ptr [rcx]
            //   4c8d442438           | lea                 r8, [rsp + 0x38]

        $sequence_4 = { 410f9fc0 4901c0 31c0 4885c9 7412 488b01 eb0d }
            // n = 7, score = 500
            //   410f9fc0             | setg                r8b
            //   4901c0               | add                 r8, rax
            //   31c0                 | xor                 eax, eax
            //   4885c9               | test                rcx, rcx
            //   7412                 | je                  +0x12
            //   488b01               | mov                 rax, qword ptr [rcx]
            //   eb0d                 | jmp                 +0xd

        $sequence_5 = { 741a 49837d0000 7e13 4c89e1 e8???????? 4c89ea }
            // n = 6, score = 500
            //   741a                 | je                  +0x1a
            //   49837d0000           | cmp                 qword ptr [r13 + 0], 0
            //   7e13                 | jle                 +0x13
            //   4c89e1               | mov                 rcx, r12
            //   e8????????           | call                <wildcarded rel32>
            //   4c89ea               | mov                 rdx, r13

        $sequence_6 = { 6605bb01 488b4c2450 0fb7d0 41b901000000 41b806000000 e8???????? 4889d9 }
            // n = 7, score = 500
            //   6605bb01             | add                 ax, 0x1bb
            //   488b4c2450           | mov                 rcx, qword ptr [rsp + 0x50]
            //   0fb7d0               | movzx               edx, ax
            //   41b901000000         | mov                 r9d, 1
            //   41b806000000         | mov                 r8d, 6
            //   e8????????           | call                <wildcarded rel32>
            //   4889d9               | mov                 rcx, rbx

        $sequence_7 = { c3 4157 b848800000 4156 4155 4154 55 }
            // n = 7, score = 500
            //   c3                   | ret
            //   4157                 | push                r15
            //   b848800000           | mov                 eax, 0x8048
            //   4156                 | push                r14
            //   4155                 | push                r13
            //   4154                 | push                r12
            //   55                   | push                rbp

        $sequence_8 = { e8???????? 0fb65310 4c89e1 e8???????? 0fb65318 4c89e1 e8???????? }
            // n = 7, score = 500
            //   e8????????           | call                <wildcarded rel32>
            //   0fb65310             | movzx               edx, byte ptr [rbx + 0x10]
            //   4c89e1               | mov                 rcx, r12
            //   e8????????           | call                <wildcarded rel32>
            //   0fb65318             | movzx               edx, byte ptr [rbx + 0x18]
            //   4c89e1               | mov                 rcx, r12
            //   e8????????           | call                <wildcarded rel32>

        $sequence_9 = { 4885c9 7407 e8???????? eb18 49634c2418 83f904 7e0e }
            // n = 7, score = 500
            //   4885c9               | test                rcx, rcx
            //   7407                 | je                  +0x7
            //   e8????????           | call                <wildcarded rel32>
            //   eb18                 | jmp                 +0x18
            //   49634c2418           | movsxd              rcx, dword ptr [r12 + 0x18]
            //   83f904               | cmp                 ecx, 4
            //   7e0e                 | jle                 +0xe

    condition:
        // Match when at least 7 of the 10 byte sequences are present and the
        // scanned file is smaller than 1141760 bytes (the size bound comes from
        // the generator and limits the rule to binaries of the documented
        // sample's scale).
        7 of them and filesize < 1141760
}