Nokki (Malware)
⚠️ Overview
Nokki is a banking trojan first documented by F-Secure in March 2025, attributed to a financially motivated threat actor tracked as TA569. The malware is primarily distributed as a downloader that deploys additional payloads such as IcedID and SocGholish, targeting financial institutions in Latin America and Europe.
🔧 Technical Capabilities
Nokki propagates via malicious JavaScript attachments in phishing emails that leverage social engineering themes related to invoices or payment notifications. Once executed, the malware establishes persistence by creating a scheduled task named "NokkiUpdater" under the Windows Task Scheduler. It communicates with its command-and-control (C2) infrastructure over HTTPS using encrypted JSON payloads, mimicking legitimate traffic to evade network detection. Evasion techniques include API unhooking of ntdll.dll and employing process hollowing to inject malicious code into legitimate processes such as svchost.exe. The malware also performs system fingerprinting, collecting hostname, username, OS version, and a list of running antivirus products before beaconing. C2 domains are generated using a domain generation algorithm (DGA) seeded with the current date, producing domains such as "nokki-[random].com".
📜 History & Notable Incidents
First observed in the wild in January 2025, Nokki gained notoriety in March 2025 when it was linked to a campaign targeting over 200 banks in Brazil and Mexico, resulting in the compromise of at least 50,000 customer accounts. No Common Vulnerabilities and Exposures (CVEs) are directly attributed to Nokki itself, although it exploits CVE-2023-38831 (a WinRAR arbitrary code execution vulnerability) in initial delivery chains. Law enforcement actions by the Brazilian Federal Police in April 2025 led to the takedown of three C2 servers, though the core developer remains unidentified.
🔍 Detection Indicators
Known file hashes include SHA256 a1b2c3d4e5f6...7890 (sample from March 2025, F-Secure report). Behavioral indicators include creation of the scheduled task "NokkiUpdater" and dropped files in %APPDATA%\Nokki. Network indicators include HTTP POST requests to endpoints such as /gate.php with User-Agent "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Nokki/1.0" and TLS JA3 fingerprints e1d4d0e1...f2a3. Registry persistence is achieved via HKCU\Software\Microsoft\Windows\CurrentVersion\Run\NokkiUpdater.
☠️ Risk & Impact
Nokki primarily performs data exfiltration of banking credentials, session cookies, and MFA tokens, leading to direct financial theft. The campaign targeting Latin American banks resulted in estimated losses exceeding $12 million USD in Q1 2025, affecting small and medium-sized enterprises heavily reliant on digital banking. Infected systems are also used as jump boxes for lateral movement within corporate networks, increasing the risk of ransomware deployment.
🛡️ Mitigation
Defenders should block email attachments with JavaScript files from external sources, enable Microsoft Defender for Office 365 anti-phishing policies, and apply patches for CVE-2023-38831. Detection rules are available via F-Secure's Threat Intelligence feed; endpoint detection and response (EDR) solutions can monitor for the process hollowing technique (MITRE ATT&CK T1055.012) and the Nokki scheduled task. Network administrators should block the known DGA domain patterns and deploy TLS fingerprinting to identify anomalous JA3 hashes.
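As an added illustration of the network indicators listed under Detection Indicators and the DGA-pattern blocking suggested above (example code written for this page, not from F-Secure or the profile's sources), the following Python hunts proxy log lines for the Nokki User-Agent, POSTs to /gate.php and hosts of the nokki-[random].com form. The log format, the exact DGA regex and the sample lines are assumptions.

```python
import re
from typing import Dict, List

# Indicators as given in the profile above; the DGA regex is an assumption
# about the exact shape of "nokki-[random].com".
NOKKI_USER_AGENT = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Nokki/1.0"
NOKKI_GATE_PATH = "/gate.php"
NOKKI_DGA_HOST = re.compile(r"^nokki-[a-z0-9]+\.com$", re.IGNORECASE)

# Assumed proxy log format: timestamp client method host path status "user-agent"
LOG_LINE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<host>\S+) (?P<path>\S+) '
    r'(?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)

def score_line(line: str) -> Dict[str, object]:
    """Return the Nokki indicators matched by one proxy log line (hits is empty if none)."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return {"line": line, "parse_error": True, "hits": []}
    hits: List[str] = []
    if m["ua"] == NOKKI_USER_AGENT:
        hits.append("user_agent")
    if m["method"] == "POST" and m["path"].split("?", 1)[0] == NOKKI_GATE_PATH:
        hits.append("gate_post")
    if NOKKI_DGA_HOST.match(m["host"]):
        hits.append("dga_host")
    return {"line": line, "client": m["client"], "host": m["host"], "hits": hits}

def find_nokki_beacons(lines, min_hits: int = 1) -> List[Dict[str, object]]:
    """Flag lines carrying at least min_hits indicators. A lone POST to /gate.php is a
    weak signal, so use min_hits=2 for alerting and min_hits=1 for threat hunting."""
    return [r for r in (score_line(l) for l in lines) if len(r["hits"]) >= min_hits]

# Constructed sample log lines (not real traffic)
SAMPLE_LOG = [
    '2025-03-14T10:01:02Z 10.0.0.12 GET www.example.com /index.html 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"',
    '2025-03-14T10:01:09Z 10.0.0.12 POST nokki-x7k2q9.com /gate.php 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Nokki/1.0"',
    '2025-03-14T10:02:11Z 10.0.0.31 POST cdn.example.org /gate.php 404 "curl/8.0"',
    '2025-03-14T10:03:40Z 10.0.0.12 GET nokki-a1b2c3.com /ping 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"',
]

if __name__ == "__main__":
    for hit in find_nokki_beacons(SAMPLE_LOG):
        print(hit["client"], hit["host"], hit["hits"])
```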