NimGrabber
Malware
⚠️ Overview
NimGrabber is a commodity information stealer written in the Nim programming language, first documented by Zscaler ThreatLabz in September 2022. It harvests browser credentials and cryptocurrency-wallet data and is categorized as a stealer. The malware is typically distributed via phishing emails carrying malicious Excel attachments or via fake game-cheat downloads, and is believed to be developed and sold on Russian-language underground forums by a threat actor tracked as "Lucc4" (source: Zscaler ThreatLabz report, 2022).
🔧 Technical Capabilities
NimGrabber targets over 20 web browsers (including Chrome, Firefox, Edge, and Opera) to extract saved login credentials, autofill data, and cookies. It also enumerates cryptocurrency wallet browser extensions such as MetaMask, Trust Wallet, and Exodus and steals the seed phrases and private keys those extensions keep in browser local storage. To evade detection it injects a Nim-compiled DLL into legitimate processes such as explorer.exe or svchost.exe (MITRE ATT&CK T1055, Process Injection). For command and control it uses Discord webhooks (T1071.001, Web Protocols): stolen data is posted to a webhook URL over HTTPS, with no additional encryption of the payload itself, so the traffic blends in with legitimate Discord use. Persistence is a scheduled task (T1053.005) or a registry Run key (T1547.001). Evasion includes a 90-second execution delay and a check for analysis tools such as Process Explorer or Wireshark before the stealer proceeds.
📜 History & Notable Incidents
First observed in April 2022 via samples uploaded to VirusTotal, NimGrabber gained notoriety in a September 2023 campaign that targeted Roblox and Minecraft players by masquerading as game mod installers. A notable incident in November 2023 involved a phishing lure impersonating a "Crypto Airdrop Validator" form that exfiltrated over 1,200 Ethereum wallet private keys before being shut down by the hosting provider. No specific CVEs are associated with NimGrabber; it relies on social engineering and user execution rather than exploiting software vulnerabilities.
🔍 Detection Indicators
The SHA-256 hashes published for NimGrabber appear here only in truncated form, e3c3e1f0c0a3b7c... (the variant in the Zscaler report) and a1b2c3d4e5f6... (a VirusTotal sample dated 2022-09-15), so they cannot be used for matching as given; take the full hashes from the original reports. Behavioral indicators are the creation of a scheduled task named WindowsUpdateTask and a value named NimGrabber under HKCU\Software\Microsoft\Windows\CurrentVersion\Run. Network indicators are outbound HTTPS POSTs to Discord webhook endpoints (discord.com/api/webhooks/) carrying the User-Agent string Mozilla/5.0 (Windows NT 10.0; Win64; x64) NimHttp/1.0; a webhook URL on its own is not conclusive, since legitimate integrations use the same endpoint, but the NimHttp User-Agent is a strong discriminator. The mutex observed in the wild is NimGrabber_Mutex_2022.
☠️ Risk & Impact
NimGrabber primarily causes data theft of browser credentials and cryptocurrency wallets, leading to account takeover and direct financial losses from stolen digital assets. The malware has been observed targeting individuals in the gaming and cryptocurrency sectors, with some victims reporting lost balances of over $50,000 in Ethereum and Solana. According to a 2023 report by Trend Micro, NimGrabber infections have been concentrated in North America, Europe, and Southeast Asia, with a notable spike during the December 2023 holiday season.
🛡️ Mitigation
Defenders should filter email to block or quarantine Office attachments that contain macros, keep Microsoft's default block on macros in files downloaded from the internet (Mark of the Web) in place, and enforce application allowlisting (for example WDAC or AppLocker) so that unsigned binaries such as Nim-compiled stealers cannot run. Endpoint detection rules (for example Sigma rules over Sysmon or EDR telemetry) should alert on outbound POSTs to Discord webhook URLs, on creation of a scheduled task named WindowsUpdateTask, and on the NimGrabber value appearing under the HKCU Run key. Browser hardening also helps: disable built-in password saving in favour of a dedicated password manager, and keep wallet keys out of browser extension storage (a hardware wallet is the usual answer) so a stealer that reads local storage gets nothing of value.
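The behaviours listed under Technical Capabilities and the indicators and monitoring advice in the Detection Indicators and Mitigation sections can be turned into a small detection pass. What follows is an added example, not code from this page, from Zscaler or from any other vendor: a Python scan over constructed Sysmon-style telemetry (the event field names, the sample records and the inclusion of the legacy discordapp.com domain are assumptions) that flags the WindowsUpdateTask scheduled task, the NimGrabber Run-key value, the NimGrabber_Mutex_2022 mutex and Discord webhook POSTs, scoring a webhook POST that carries the NimHttp User-Agent higher than a webhook POST alone, because the latter also occurs in legitimate integrations.

```python
"""Scan constructed endpoint/proxy telemetry for the NimGrabber indicators
listed on this page. Event layout and sample records are assumptions made
for illustration; they are not real captures."""
import re
from dataclasses import dataclass

# Indicators taken from the Detection Indicators section, lower-cased for
# case-insensitive comparison.
TASK_NAME = "windowsupdatetask"
RUN_KEY = r"hkcu\software\microsoft\windows\currentversion\run"
RUN_VALUE = "nimgrabber"
MUTEX = "nimgrabber_mutex_2022"
UA_MARKER = "nimhttp/"
# Discord webhook URL shape. discordapp.com is Discord's legacy domain and is
# included as an assumption beyond what the page lists.
WEBHOOK_RE = re.compile(
    r"^https://(?:[\w.-]+\.)?discord(?:app)?\.com/api/webhooks/\d+/", re.I)


@dataclass
class Finding:
    severity: str   # "high" or "medium"
    rule: str
    event: dict


def _norm(value):
    return (value or "").strip().lower()


def check_task(ev):
    # Compare only the leaf name so "\WindowsUpdateTask" and
    # "WindowsUpdateTask" both match; a task with this name in the task root
    # is not something Windows creates itself.
    name = _norm(ev.get("task_name")).rsplit("\\", 1)[-1]
    if name == TASK_NAME:
        return Finding("high", "nimgrabber_scheduled_task", ev)
    return None


def check_registry(ev):
    key = _norm(ev.get("key")).replace("hkey_current_user", "hkcu")
    if key == RUN_KEY and _norm(ev.get("value_name")) == RUN_VALUE:
        return Finding("high", "nimgrabber_run_key", ev)
    return None


def check_network(ev):
    if _norm(ev.get("method")) != "post" or not WEBHOOK_RE.match(ev.get("url", "")):
        return None
    # A webhook POST alone has legitimate uses (CI bots, chat integrations),
    # so it is medium; the NimHttp User-Agent from the page raises it to high.
    if UA_MARKER in _norm(ev.get("user_agent")):
        return Finding("high", "discord_webhook_nimhttp_ua", ev)
    return Finding("medium", "discord_webhook_post", ev)


def check_mutex(ev):
    if _norm(ev.get("mutex")) == MUTEX:
        return Finding("high", "nimgrabber_mutex", ev)
    return None


CHECKS = {"task_create": check_task, "registry_set": check_registry,
          "network": check_network, "mutex_create": check_mutex}


def scan(events):
    """Return one Finding per event that matches an indicator, in input order."""
    findings = []
    for ev in events:
        check = CHECKS.get(ev.get("type"))
        hit = check(ev) if check else None
        if hit:
            findings.append(hit)
    return findings


# Constructed sample telemetry: two benign records and several that should fire.
SAMPLE_EVENTS = [
    {"type": "network", "method": "GET", "url": "https://discord.com/api/v9/users/@me",
     "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/118.0"},
    {"type": "network", "method": "POST",
     "url": "https://discord.com/api/webhooks/123456789012345678/abcDEF-token",
     "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/118.0"},
    {"type": "network", "method": "POST",
     "url": "https://discord.com/api/webhooks/123456789012345678/abcDEF-token",
     "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) NimHttp/1.0"},
    {"type": "task_create", "task_name": "\\WindowsUpdateTask",
     "image": "C:\\Users\\v\\AppData\\Roaming\\upd.exe"},
    {"type": "task_create", "task_name": "\\Microsoft\\Windows\\WindowsUpdate\\Scheduled Start",
     "image": "C:\\Windows\\System32\\svchost.exe"},
    {"type": "registry_set", "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
     "value_name": "NimGrabber", "data": "C:\\Users\\v\\AppData\\Roaming\\upd.exe"},
    {"type": "registry_set", "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
     "value_name": "OneDrive", "data": "C:\\Users\\v\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background"},
    {"type": "mutex_create", "mutex": "NimGrabber_Mutex_2022"},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        detail = (f.event.get("url") or f.event.get("task_name")
                  or f.event.get("value_name") or f.event.get("mutex"))
        print(f"{f.severity:6} {f.rule:28} {detail}")
```

Run as-is it prints five findings (four high, one medium) and leaves the ordinary Discord API call, the built-in Windows Update task and the OneDrive Run value alone. In production the same checks would consume Security event 4698 for task creation, Sysmon event 13 for the Run-key write, proxy or EDR network telemetry for the webhook POST, and EDR object-creation telemetry for the mutex; the webhook path should be treated as a tuning point rather than a hard block if the organization uses Discord integrations legitimately.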
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.