Thursday, May 8, 2025

NanoCore RAT Attacks Windows Using Task Scheduler to Capture Keystrokes and Screenshots


NanoCore, a notorious Remote Access Trojan (RAT), continues to pose a significant threat to Windows systems.

This malware, known for its espionage capabilities and modular design, is being leveraged by cybercriminals to exfiltrate sensitive data, control infected systems, and maintain persistence using advanced techniques.

A recent analysis of a NanoCore sample (MD5 hash: 18B476D37244CB0B435D7B06912E9193) sheds light on its sophisticated behavior and attack mechanisms.


Behavioral Analysis

NanoCore RAT employs multiple methods to ensure its persistence on compromised systems.

Upon execution, it copies itself into hidden directories and modifies the Windows registry.

Specifically, it creates an entry under HKCU\Software\Microsoft\Windows\CurrentVersion\Run to execute its payload (saasmon.exe) during startup.

Additionally, it uses the Windows Task Scheduler (schtasks.exe) to create scheduled tasks, further solidifying its foothold on the system.

Figure: NanoCore RAT static analysis

The malware also creates directories at C:\Program Files (x86)\SAAS Monitor and C:\Users\User\AppData\Roaming\81E42A3A-6BA0-4784-B7EC-E653E9E1A8ED (the User account name comes from the analysis machine; on a victim host the second path sits under that user's %APPDATA%).

According to the analysis, these directories hold the RAT's components along with keylog files and other collected data staged for exfiltration.

Data Exfiltration

NanoCore’s primary objective is data theft and espionage.

It captures keystrokes, screenshots, and clipboard content, storing them locally before sending them to a Command-and-Control (C2) server.

During dynamic analysis, the malware was observed communicating with simpletest.ddns.net over port 9632.

Figure: NanoCore RAT Wireshark analysis

It also uses Google DNS (8.8.8.8) for connectivity checks. The RAT’s modular plugin system enhances its spying capabilities.

For instance, the “SurveillanceEx” plugin enables attackers to monitor victims more effectively by recording user activity in real time.

To evade detection and hinder analysis, the NanoCore .NET assembly is obfuscated with Eazfuscator.NET, a commercial .NET obfuscator.

Analysts used the .NET deobfuscator de4dot to strip that layer, revealing the malware's internal logic and class structure.

String analysis uncovered commands related to task scheduling and C2 communication, further confirming its malicious intent.

Indicators of Compromise (IOCs)

  • File Hash (MD5): 18B476D37244CB0B435D7B06912E9193
  • Registry Key: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\saasmon.exe
  • File System Changes:
      • C:\Program Files (x86)\SAAS Monitor\saasmon.exe
      • C:\Users\User\AppData\Roaming\81E42A3A-6BA0-4784-B7EC-E653E9E1A8ED
  • Network Indicators:
      • C2 Domain: simpletest.ddns.net
      • Port: 9632
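As an added detection example (not code from the article or from the analysis it reports), the script below runs a handful of rules over constructed Sysmon-style event records that reproduce the persistence behaviour described under Behavioral Analysis (the Run key and the schtasks.exe task) and the file and network indicators listed above. The "Key=Value | Key=Value" log layout, the benign events, the task name SAASMon, the dropper name invoice.exe and the C2 address 203.0.113.7 are assumptions made for illustration; one rule goes slightly beyond the article by also flagging any scheduled-task action under AppData.

```python
"""Rule-based triage of Sysmon-style events for the NanoCore persistence and
C2 behaviour described in the article. Added example, not code from the
article or the analysis it reports. SAMPLE_LOG is constructed: one event per
line in a simplified "Key=Value | Key=Value" layout modelled loosely on
Sysmon (EventID 1 process create, 3 network, 11 file create, 13 registry
set, 22 DNS). Benign events, task name, dropper name and C2 IP are assumed."""
from collections import namedtuple

# Indicators taken from the article's IOC list.
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
PAYLOAD_NAME = "saasmon.exe"
C2_DOMAIN = "simpletest.ddns.net"
C2_PORT = 9632
DROP_DIRS = (
    r"C:\Program Files (x86)\SAAS Monitor",
    r"C:\Users\User\AppData\Roaming\81E42A3A-6BA0-4784-B7EC-E653E9E1A8ED",
)
Finding = namedtuple("Finding", "rule event")

# Constructed sample log (not a real capture).
SAMPLE_LOG = r"""
EventID=1 | Image="C:\Windows\System32\schtasks.exe" | CommandLine="schtasks /create /sc onlogon /tn SAASMon /tr "C:\Program Files (x86)\SAAS Monitor\saasmon.exe""
EventID=1 | Image="C:\Windows\System32\schtasks.exe" | CommandLine="schtasks /query /tn \Microsoft\Windows\Defrag\ScheduledDefrag"
EventID=11 | Image="C:\Users\User\Downloads\invoice.exe" | TargetFilename="C:\Users\User\AppData\Roaming\81E42A3A-6BA0-4784-B7EC-E653E9E1A8ED\run.dat"
EventID=13 | TargetObject="HKCU\Software\Microsoft\Windows\CurrentVersion\Run\saasmon.exe" | Details="C:\Program Files (x86)\SAAS Monitor\saasmon.exe"
EventID=13 | TargetObject="HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive" | Details="C:\Users\User\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"
EventID=22 | Image="C:\Program Files (x86)\SAAS Monitor\saasmon.exe" | QueryName="simpletest.ddns.net"
EventID=3 | Image="C:\Program Files (x86)\SAAS Monitor\saasmon.exe" | DestinationIp="8.8.8.8" | DestinationPort=53
EventID=3 | Image="C:\Program Files (x86)\SAAS Monitor\saasmon.exe" | DestinationIp="203.0.113.7" | DestinationPort=9632
"""

def parse_event(line):
    """Split one record into a dict, stripping one pair of surrounding quotes
    per value so embedded quotes (as in the schtasks command line) survive."""
    event = {}
    for chunk in line.split(" | "):
        key, sep, value = chunk.partition("=")
        if not sep:
            continue
        value = value.strip()
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        event[key.strip()] = value
    return event

def _in_drop_dir(path):
    return any(path.lower().startswith(d.lower()) for d in DROP_DIRS)

def rule_run_key(ev):
    """Run-key value naming the payload (MITRE ATT&CK T1547.001)."""
    target = ev.get("TargetObject", "").lower()
    return (ev.get("EventID") == "13" and target.startswith(RUN_KEY.lower())
            and PAYLOAD_NAME in target + ev.get("Details", "").lower())

def rule_schtasks_create(ev):
    """schtasks /create whose action lives in a known drop directory or anywhere
    under AppData (T1053.005); the AppData clause goes beyond the article's IOCs."""
    cmd = ev.get("CommandLine", "").lower()
    return (ev.get("EventID") == "1"
            and ev.get("Image", "").lower().endswith("\\schtasks.exe")
            and "/create" in cmd
            and (any(d.lower() in cmd for d in DROP_DIRS) or "\\appdata\\" in cmd))

def rule_drop_dir_write(ev):
    """File written into one of the directories the sample creates."""
    return ev.get("EventID") == "11" and _in_drop_dir(ev.get("TargetFilename", ""))

def rule_c2_dns(ev):
    """Resolution of the dynamic-DNS C2 hostname."""
    return ev.get("EventID") == "22" and ev.get("QueryName", "").lower() == C2_DOMAIN

def rule_c2_connect(ev):
    """Connection to the C2 port, or any outbound connection by a binary running
    from a drop directory (this also catches the 8.8.8.8 reachability check)."""
    return ev.get("EventID") == "3" and (
        ev.get("DestinationPort") == str(C2_PORT) or _in_drop_dir(ev.get("Image", "")))

RULES = (rule_run_key, rule_schtasks_create, rule_drop_dir_write, rule_c2_dns, rule_c2_connect)

def triage(log_text):
    """Return one Finding per (rule, event) match, in log order."""
    findings = []
    for line in log_text.strip().splitlines():
        ev = parse_event(line)
        findings += [Finding(r.__name__[5:], ev) for r in RULES if r(ev)]
    return findings

def summarize(findings):
    """Hits per rule; a host tripping persistence and C2 rules together is the one to isolate first."""
    counts = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts

if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for f in hits:
        print(f"[{f.rule}] EventID={f.event['EventID']} {f.event.get('Image') or f.event.get('TargetObject')}")
    print(summarize(hits))
```

Run as a script it prints each hit and a per-rule tally; the two benign events (the /query invocation and the OneDrive Run value) produce nothing. When reusing this against other NanoCore builds, treat the hash and the dynamic-DNS hostname as the most fragile indicators, since both change between campaigns; the behavioural rules (a schtasks /create whose action lives under %APPDATA% or a freshly created Program Files (x86) subfolder, and a process from such a folder making outbound connections) are the part worth keeping. Replace parse_event with your SIEM's own query and keep the rule bodies.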

NanoCore RAT remains a potent threat due to its adaptability and extensive feature set.

Its use of Windows Task Scheduler for persistence, combined with advanced espionage capabilities, makes it a preferred tool for cybercriminals targeting sensitive data.

Organizations are advised to monitor network traffic for unusual activity, deploy robust endpoint protection, and educate users about phishing, the primary delivery vector for NanoCore.

By staying vigilant and leveraging proactive security measures, defenders can mitigate the risks posed by this persistent malware family.


Aman Mishra
Aman Mishra is a security and privacy reporter covering data breaches, cyber crime, malware, and vulnerabilities.
