A group of hackers has been using a sophisticated phishing campaign to distribute malware through Microsoft Word documents. The malware is written in the uncommon Nim programming language [1] [2] [4] [5], which presents a challenge for cybersecurity investigators who are unfamiliar with it [5]. Malware written in Nim has been observed in various campaigns, including ransomware families [5].


The attack chain begins with a phishing email that includes a Word document attachment [4] [5], which prompts the recipient to enable macros [1] [3] [4] [5]. Once activated [3] [5], the malware scans for analysis tools and establishes a connection with a remote server [5]. Because Nim is a statically compiled language, attackers can create a single malware variant that can be distributed across different platforms [5].
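
Since the chain depends on the recipient enabling macros, a mail gateway or triage script can flag macro-capable Word attachments before they reach a user. The following is an added example, not code from the cited reports: the function names and verdict labels are hypothetical, and the sample files are constructed in memory. It inspects the attachment's bytes rather than trusting its extension.

```python
import io
import zipfile

OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # legacy .doc compound-file header
MACRO_TYPES = (
    b"application/vnd.ms-word.document.macroEnabled.main+xml",  # .docm main part
    b"application/vnd.ms-office.vbaProject",                    # VBA storage part
)


def triage_word_attachment(data: bytes) -> dict:
    """Classify an attachment by its bytes, ignoring file name and extension."""
    result = {"container": "unknown", "indicators": [], "verdict": "no-macro-found"}
    if data.startswith(OLE_MAGIC):
        # Legacy binary Word files can carry VBA; confirming needs an OLE parser.
        result.update(container="ole", verdict="inspect")
        return result
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return result
    result["container"] = "ooxml-zip"
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        # The VBA project is stored as a binary part inside the package.
        result["indicators"] += [f"part:{n}" for n in names
                                 if n.lower().endswith("vbaproject.bin")]
        if "[Content_Types].xml" in names:
            types_xml = zf.read("[Content_Types].xml")
            result["indicators"] += [f"content-type:{t.decode()}"
                                     for t in MACRO_TYPES if t in types_xml]
    if result["indicators"]:
        result["verdict"] = "quarantine"
    return result


def build_sample(with_macro: bool) -> bytes:
    """Constructed zip shaped like a Word package; not a real document or macro."""
    main = ("application/vnd.ms-word.document.macroEnabled.main+xml" if with_macro else
            "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml",
                    f'<Types><Override PartName="/word/document.xml" ContentType="{main}"/></Types>')
        zf.writestr("word/document.xml", "<document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"placeholder bytes, not VBA")
    return buf.getvalue()


if __name__ == "__main__":
    for label, blob in (("macro", build_sample(True)), ("clean", build_sample(False))):
        print(label, triage_word_attachment(blob))
```

A "no-macro-found" result only means none of these markers were present; it is not a statement that the file is benign.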


This campaign underscores the importance of heightened vigilance in detecting and mitigating such attacks. The use of the Nim programming language poses difficulties for cybersecurity investigators, emphasizing the need for increased familiarity with this language. As hackers continue to evolve their tactics, it is crucial for cybersecurity professionals to stay updated and adapt their strategies accordingly.


[1] https://thehackernews.com/2023/12/decoy-microsoft-word-documents-used-to.html
[2] https://cyber.vumetric.com/security-news/2023/12/22/decoy-microsoft-word-documents-used-to-deliver-nim-based-malware/
[3] https://vulnera.com/newswire/nim-based-malware-delivered-via-phishing-campaign-using-decoy-microsoft-word-documents/
[4] https://mrhacker.co/vulnerabilities/decoy-microsoft-word-documents-used-to-deliver-nim-based-malware
[5] https://windows8.myblog.it/2023/12/22/risk-of-malware-fictitious-word-documents-used-to-disseminate-nim-threat/