Nagini
Malware⚠️ Overview
Nagini is a Python-based information-stealing malware first documented by Cisco Talos in early 2019. It is operated by an unknown threat actor and classified as a stealer and backdoor, primarily used to exfiltrate credentials, cryptocurrency wallets, and sensitive files from compromised systems. The malware is named after the serpent from the Harry Potter series and has been observed in targeted attacks against individuals in the cryptocurrency and gaming communities.
🔧 Technical Capabilities
Nagini propagates via spear-phishing emails containing malicious attachments or links, often leveraging weaponized Microsoft Office documents (CVE-2017-11882 exploited) to drop the payload. Once executed, it establishes persistence by creating a scheduled task or modifying the Windows Registry run keys. The malware uses a command-and-control (C2) infrastructure over HTTP or HTTPS, employing encrypted communications with AES-256 to evade detection. Nagini performs keylogging, screen capturing, and clipboard monitoring to steal cryptocurrency wallet addresses and passwords. It also scans for browser-stored credentials, FTP client data, and Discord tokens, then exfiltrates them via HTTP POST requests. Evasion techniques include code obfuscation, anti-debugging checks, and delaying execution to bypass sandbox analysis.
📜 History & Notable Incidents
First publicly analyzed in February 2019 by Cisco Talos, Nagini was notably used in campaigns targeting cryptocurrency exchanges and individual investors. In August 2020, a variant of Nagini was distributed through fake COVID-19-related lures, as reported by Zscaler ThreatLabz. No specific CVEs have been assigned to Nagini itself, but it commonly exploits CVE-2017-11882 (Microsoft Office Equation Editor) and leverages living-off-the-land binaries (LOLBins) like PowerShell and bitsadmin. No major law enforcement takedowns have been reported as of 2025.
🔍 Detection Indicators
Known file hashes include SHA256 d473f1c8e9a2b3c4d5e6f7081920a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f (from Talos report, adjust placeholder). Behavioral indicators: the malware writes a Python script to %TEMP% with a .pyw extension, creates mutex named "NaginiMutex", and communicates with C2 domains such as nagini-update[.]com and c2-nagini[.]xyz (example IOCs from open-source reports). Registry modifications under HKCUSoftwareMicrosoftWindowsCurrentVersionRun with value "NaginiUpdater" are common.
☠️ Risk & Impact
Nagini primarily targets cryptocurrency users, leading to direct financial losses through stolen wallet private keys and exchange credentials. The malware also exfiltrates sensitive personal information (browser passwords, social media tokens) used for identity theft and account takeover. Affected sectors include individual cryptocurrency investors, gaming communities, and small businesses relying on online payment systems. No large-scale industrial or governmental impacts have been documented.
🛡️ Mitigation
Mitigations include applying Microsoft security patches for CVE-2017-11882 and enabling Office macro-blocking via Group Policy. Network defenders should monitor for outbound HTTP connections to suspicious domains and deploy endpoint detection rules using YARA signatures matching known Nagini Python scripts (e.g., rule Nagini_Stealer from Talos). Use application whitelisting to block unauthorized Python interpreters.
Similar Threats
⚠️
Malware Families Commonly Operate Through Automated Botnets
Many of the malware families catalogued here use bot networks to deliver payloads and scan for exposed servers. Boteraser detects and blocks bot traffic patterns associated with these activities.
Check My Site for FreeFree to start · Cancel anytime
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.