A recent phishing campaign is employing decoy Microsoft Word documents to deliver a backdoor written in the Nim programming language. Nim-based malware is less common, putting security experts at a disadvantage due to their unfamiliarity with the language. The attack begins with a phishing email containing a Word document attachment that prompts the recipient to enable macros, initiating the deployment of the Nim malware. The backdoor then connects to a remote server mimicking a government domain from Nepal. Nim’s cross-compilation features allow attackers to create one malware variant that can be cross-compiled to target different platforms. This disclosure coincides with the revelation of a social engineering campaign distributing a new Python-based stealer malware called Editbot Stealer via social media platforms. Meanwhile, phishing campaigns continue to distribute known malware like DarkGate and NetSupport RAT, using various attack chains and social engineering techniques. The use of both email and fake update lures demonstrates cybercriminals’ creativity in attempting to install the final payload.
