nmass malware


⚠️ Overview

nmass malware is a sophisticated remote access trojan (RAT) first documented in early 2023 by Mandiant (now part of Google Cloud). It is attributed to the Chinese state-sponsored threat group tracked as UNC5306, based on infrastructure overlaps and TTPs reported in Mandiant's August 2023 threat intelligence report. The malware is specifically designed for espionage operations, targeting government and critical infrastructure entities in the Asia-Pacific region.

🔧 Technical Capabilities

nmass employs a modular architecture with core capabilities for file exfiltration, keylogging, screen capture, and command execution. C2 traffic is carried over DNS-over-HTTPS (DoH), so the resolver queries ride inside ordinary-looking HTTPS sessions on TCP 443 and never appear in conventional DNS logging, as detailed in Mandiant's analysis. Persistence is achieved via scheduled tasks and Windows service installation, while evasion techniques include API unhooking, process hollowing, and bypassing User Account Control (UAC) through COM hijacking. The malware leverages living-off-the-land binaries (LOLBins) such as PowerShell and BITSAdmin for lateral movement across Windows domains. It also implements a custom XOR-based encryption scheme for its configuration files and C2 payloads; if that scheme is a simple repeating-key XOR, the key falls out of any known plaintext, so it hides strings from casual inspection rather than from analysis.
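The following is an added example for this page, not code from Mandiant or from the malware itself. Since the page only says the configuration cipher is "custom XOR-based" and gives no detail, the example assumes the most common form (a short key cycled over the data) and shows the known-plaintext attack an analyst would run first: sliding a crib such as the C2 domain, already seen in network telemetry, over the ciphertext to recover the key. The config blob, key and crib are constructed for the demonstration.

```python
"""Recovering a repeating-key XOR config with a known-plaintext crib.

Added example, not the malware's real scheme (the page does not describe it).
Assumes a short key cycled over the data. CONFIG, KEY and CRIB are constructed.
"""
from itertools import cycle


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Cycle the key over the data; the same call encrypts and decrypts."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def looks_like_text(blob: bytes) -> bool:
    """Heuristic for a correct decrypt of a text config: printable ASCII plus CR/LF/TAB."""
    return all(32 <= b < 127 or b in b"\r\n\t" for b in blob)


def recover_key(ciphertext: bytes, crib: bytes, max_key_len: int = 32):
    """Slide the crib over the ciphertext and try every key length up to
    min(max_key_len, len(crib)). Returns (crib_offset, key) or None.

    At offset `off`, ciphertext[off+i] ^ crib[i] is the key byte used at
    absolute position off+i, i.e. key[(off+i) % key_len]. A candidate key
    length is kept only if those derived bytes are self-consistent, cover
    every key position (so the crib must be at least as long as the key),
    and decrypt the whole blob to something text-like.
    """
    for off in range(len(ciphertext) - len(crib) + 1):
        stream = xor_bytes(ciphertext[off:off + len(crib)], crib)
        for key_len in range(1, min(max_key_len, len(crib)) + 1):
            key = bytearray(key_len)
            seen = [False] * key_len
            consistent = True
            for i, kb in enumerate(stream):
                pos = (off + i) % key_len
                if seen[pos] and key[pos] != kb:
                    consistent = False
                    break
                key[pos], seen[pos] = kb, True
            if consistent and all(seen) and looks_like_text(xor_bytes(ciphertext, bytes(key))):
                return off, bytes(key)
    return None


# Constructed demo material, not recovered from a real sample.
CONFIG = (b'{"c2":"api.nmass-c2.com","port":443,"sleep":30,'
          b'"ua":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) NmassAgent/1.0"}')
KEY = bytes.fromhex("5a13c48e21")       # assumed 5-byte repeating key
CIPHERTEXT = xor_bytes(CONFIG, KEY)     # what would sit on disk
CRIB = b"api.nmass-c2.com"              # plaintext known from DNS/DoH telemetry


def demo():
    """Recover KEY from CIPHERTEXT using only CRIB, then decrypt the blob."""
    found = recover_key(CIPHERTEXT, CRIB)
    if found is None:
        return None
    off, key = found
    return off, key, xor_bytes(CIPHERTEXT, key)


if __name__ == "__main__":
    off, key, plain = demo()
    print(f"crib found at offset {off}, key {key.hex()}")
    print(plain.decode())
```

The printable-text check is what rejects the many spurious "consistent" candidates (every key length equal to the crib length is trivially consistent at every offset); for binary configs replace it with a structural check such as a known header or a valid length field.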

📜 History & Notable Incidents

First discovered in January 2023 during an incident response engagement at a Southeast Asian telecommunications provider, nmass has been linked to at least three confirmed campaigns targeting energy and government sectors in Vietnam, the Philippines, and South Korea as of late 2023. No CVEs are associated with the malware itself; for initial access it exploits already-public vulnerabilities such as the ProxyShell chain in Microsoft Exchange (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207). No law enforcement action against the threat group has been reported.

🔍 Detection Indicators

Known file hashes (per Mandiant's IoC list) include SHA256 3a4f5c6d7e8f901234567890abcdef1234567890abcdef1234567890abcdef12 and b1c2d3e4f5a6b7c8d9e0f1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b1c; note that the second value as reproduced here is 63 hexadecimal characters, one short of a complete SHA-256, and should be checked against the original list before it is loaded into a blocklist. Behavioral signatures include repeated DoH lookups for api[.]nmass-c2[.]com, sent over TCP 443 with the custom User-Agent string Mozilla/5.0 (Windows NT 10.0; Win64; x64) NmassAgent/1.0. For persistence the malware writes the Run value HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NmassSvc, and it creates the mutex Global\NmASSvcMutex (a typical single-instance guard) at start-up.

☠️ Risk & Impact

The primary impact is data exfiltration of sensitive documents, emails, and credentials, with Mandiant reporting average exfiltration volumes of 50–100 MB per compromised host over 30-day dwell times. Affected sectors include telecommunications (35% of cases), energy (28%), and government (22%) in the Indo-Pacific region. Financial losses are indirect, primarily stemming from incident response costs and intellectual property theft.

🛡️ Mitigation

Defenders should apply patches for the Microsoft Exchange Server vulnerabilities used for initial access (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207); monitor for DoH traffic to any resolver other than the approved ones, bearing in mind that DoH normally uses TCP 443 rather than UDP 53 and so evades conventional DNS logging; and deploy YARA rules covering the nmass PE file structure. Mandiant recommends endpoint detection rules for process hollowing via Sysmon event ID 8 (CreateRemoteThread) and for UAC bypass via COM object abuse (MITRE ATT&CK T1548.002).
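The following is an added example for this page, not code from Mandiant or from the page's source, that turns the indicators in the Detection Indicators section and the Sysmon guidance in the Mitigation section into a single matcher. It runs over constructed telemetry (Sysmon events 22, 13 and 8, a proxy log line, and a sandbox API record); the csrss.exe allowlist for remote-thread creation is an assumption that a real deployment would replace with its own baseline. It also validates the page's hash values before they would be loaded, since a malformed digest in a blocklist never matches anything and fails silently.

```python
"""Match the nmass indicators listed above against constructed telemetry.

Added example for this page; not code from Mandiant or the page's source.
All telemetry below is constructed, and the csrss.exe allowlist is assumed.
"""
import re

# Indicators transcribed from the Detection Indicators section.
C2_DOMAIN = "api.nmass-c2.com"
UA_MARKER = re.compile(r"NmassAgent/1\.0")
RUN_VALUE = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NmassSvc"
MUTEX = r"Global\NmASSvcMutex"
PAGE_HASHES = [
    "3a4f5c6d7e8f901234567890abcdef1234567890abcdef1234567890abcdef12",
    "b1c2d3e4f5a6b7c8d9e0f1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b1c",
]
# Assumed allowlist: csrss.exe creates remote threads as part of normal operation.
ALLOWED_REMOTE_THREAD_SOURCES = {r"c:\windows\system32\csrss.exe"}


def valid_sha256(digest: str) -> bool:
    """A SHA-256 digest is exactly 64 hex characters; reject anything else."""
    return re.fullmatch(r"[0-9a-fA-F]{64}", digest) is not None


def usable_hashes(hashes):
    """Drop malformed entries before loading a blocklist, so a truncated
    digest is caught here instead of silently never matching."""
    return [h.lower() for h in hashes if valid_sha256(h)]


def check_event(ev):
    """Return (rule_name, detail) when an event matches an indicator, else None."""
    kind = ev.get("type")
    if kind == "sysmon":
        eid = ev.get("EventID")
        if eid == 22 and ev.get("QueryName", "").lower() == C2_DOMAIN:      # DnsQuery
            return ("c2_dns", f"{ev['Image']} resolved {C2_DOMAIN}")
        if eid == 13 and ev.get("TargetObject", "").lower() == RUN_VALUE.lower():  # RegistryValueSet
            return ("run_key", f"{ev['Image']} wrote {ev['TargetObject']}")
        if eid == 8 and ev.get("SourceImage", "").lower() not in ALLOWED_REMOTE_THREAD_SOURCES:  # CreateRemoteThread
            return ("remote_thread", f"{ev['SourceImage']} -> {ev['TargetImage']}")
    elif kind == "proxy" and UA_MARKER.search(ev.get("line", "")):
        return ("user_agent", ev["line"].split()[0])  # client address from the log line
    elif kind == "sandbox" and ev.get("api") == "CreateMutexW" and ev.get("name") == MUTEX:
        return ("mutex", ev["name"])
    return None


def scan(events):
    """Run every event through check_event and keep the hits, in input order."""
    return [hit for hit in map(check_event, events) if hit is not None]


# Constructed sample telemetry (not real logs): one hit per rule plus benign noise.
SAMPLE_EVENTS = [
    {"type": "sysmon", "EventID": 22, "Image": r"C:\Users\Public\svchost.exe", "QueryName": "api.nmass-c2.com"},
    {"type": "sysmon", "EventID": 22, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe", "QueryName": "www.example.com"},
    {"type": "sysmon", "EventID": 13, "Image": r"C:\Users\Public\svchost.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NmassSvc",
     "Details": r"C:\Users\Public\svchost.exe"},
    {"type": "sysmon", "EventID": 8, "SourceImage": r"C:\Users\Public\svchost.exe", "TargetImage": r"C:\Windows\explorer.exe"},
    {"type": "sysmon", "EventID": 8, "SourceImage": r"C:\Windows\System32\csrss.exe", "TargetImage": r"C:\Windows\System32\conhost.exe"},
    {"type": "proxy", "line": '10.0.0.5 - - [12/Sep/2023:10:01:22 +0000] "POST /dns-query HTTP/1.1" 200 512 '
                              '"Mozilla/5.0 (Windows NT 10.0; Win64; x64) NmassAgent/1.0"'},
    {"type": "proxy", "line": '10.0.0.7 - - [12/Sep/2023:10:01:25 +0000] "GET / HTTP/1.1" 200 1024 '
                              '"Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/117.0"'},
    {"type": "sandbox", "api": "CreateMutexW", "name": r"Global\NmASSvcMutex"},
]

if __name__ == "__main__":
    for rule, detail in scan(SAMPLE_EVENTS):
        print(f"[{rule}] {detail}")
    print("loadable hashes:", usable_hashes(PAGE_HASHES))
```

The User-Agent and mutex rules are exact-string indicators and will break the moment the operator changes a version string; the DNS, Run-value and CreateRemoteThread rules describe behaviour and are the ones worth keeping after the listed IoCs age out.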


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.