

The Molerats APT group, also dubbed TA402, has returned with a new campaign, reportedly for cyberespionage, that employs the NimbleMamba malware.

NimbleMamba Malware Leveraged in New Malicious Campaign

Proofpoint researchers recently published a report on a new email phishing campaign. According to them, various foreign-policy think tanks, Middle Eastern governments, and a state-affiliated airline are targeted.

This time the threat actors are using malware called NimbleMamba, described as a trojan that collects intelligence and is distributed by means of phishing lures. The experts also noticed the use of a secondary payload dubbed BrittleBush.

Three types of emails were employed in this malicious campaign, posing as emails from Dropbox, UGG boots, and Quora. The delivery timeframe indicates November 2021 and January 2022. In one of the malicious emails, the hackers made use of a Gmail account; however, they later shifted to Dropbox URLs to spread compromised .rar files containing the NimbleMamba malware.

NimbleMamba’s configuration is retrieved from a paste on the website JustPasteIt. NimbleMamba takes the current timestamp from an online real-time service to ensure that the timestamp matches the current time. Some computers may have modified time settings and this method ensures that the time is standardized across infections. (..) NimbleMamba has the traditional capabilities of an intelligence-gathering trojan and is likely designed to be the initial access. Functionalities include capturing screenshots and obtaining process information from the computer. Additionally, it can detect user interaction, such as looking for mouse movement.


The researchers also shared a diagram displaying the attack chain in the timeframe mentioned above.

NimbleMamba Malware attack chain illustration


NimbleMamba Similar to LastConn

Also worth mentioning is the reported similarity between NimbleMamba and LastConn, another threat initially reported during June of last year, according to Cyware.

Similarities between the two types of malware include that both are written in C# and both use base64 encoding within the C2 framework. In addition, both make use of a Dropbox API for C2 communication. The researchers also noticed a code overlap between them.
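The configuration fetch from JustPasteIt and the Dropbox API C2 channel described above suggest a simple hunting correlation over web proxy logs. The following is an added example, not code from Proofpoint or from this article: the log format, process allowlist, time window and sample lines are constructed assumptions, and the hostnames are the public ones for those services rather than indicators from the report.

```python
from datetime import datetime, timedelta

# Public hostnames of the services named in the article (assumption, not report IoCs).
PASTE_DOMAINS = ("justpaste.it",)
DROPBOX_API_DOMAINS = ("api.dropboxapi.com", "content.dropboxapi.com")
# Hypothetical allowlist of processes expected to reach these services.
ALLOWED_PROCESSES = {"chrome.exe", "firefox.exe", "msedge.exe", "dropbox.exe"}
WINDOW = timedelta(minutes=10)  # assumed, tunable correlation window

# Constructed sample: "timestamp host process destination", deliberately unsorted.
SAMPLE_LOG = """\
2022-01-10T09:00:01 ws-014 chrome.exe www.dropbox.com
2022-01-10T09:02:10 ws-022 invoice.exe justpaste.it
2022-01-10T09:02:12 ws-022 invoice.exe api.dropboxapi.com
2022-01-10T09:05:40 ws-031 firefox.exe justpaste.it
2022-01-10T11:30:00 ws-031 Dropbox.exe api.dropboxapi.com
2022-01-10T09:07:00 ws-040 update.exe justpaste.it
2022-01-10T10:45:00 ws-040 update.exe content.dropboxapi.com
"""

def parse(log):
    """Yield (timestamp, host, process, domain) tuples from the log text."""
    for line in log.splitlines():
        if line.strip():
            ts, host, proc, domain = line.split()
            yield datetime.fromisoformat(ts), host, proc.lower(), domain.lower()

def matches(domain, suffixes):
    """True if domain equals a listed name or is a subdomain of it."""
    return any(domain == s or domain.endswith("." + s) for s in suffixes)

def hunt(log, window=WINDOW):
    """Flag a non-allowlisted process that hits the paste site and then the
    Dropbox API from the same host within `window`."""
    last_paste, findings = {}, []
    for ts, host, proc, domain in sorted(parse(log)):
        if proc in ALLOWED_PROCESSES:
            continue
        key = (host, proc)
        if matches(domain, PASTE_DOMAINS):
            last_paste[key] = ts
        elif matches(domain, DROPBOX_API_DOMAINS) and key in last_paste:
            gap = ts - last_paste.pop(key)
            if gap <= window:
                findings.append((host, proc, int(gap.total_seconds())))
    return findings

if __name__ == "__main__":
    for host, proc, gap in hunt(SAMPLE_LOG):
        print(f"{host}: {proc} reached paste site then Dropbox API within {gap}s")
```

Both services see heavy legitimate use, so a hit is a lead for triage, not a verdict.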

How Can Heimdal™ Help?

Phishing campaigns are very popular nowadays, with hackers deploying all kinds of malware. That is why organizations need a powerful email security suite to cope efficiently with cyber threats. Use our Email Security, a product that encompasses a mix of Office 365 support with proprietary e-mail threat prevention to counter threats delivered via e-mail.


Author Profile

Andra Andrioaie

Security Enthusiast


Hi! My name is Andra and I am a passionate writer interested in a variety of topics. I am curious about the cybersecurity world and what I want to achieve through what I write is to keep you curious too!
