NosyDownloader

Downloader

⚠️ Overview

NosyDownloader is a lightweight downloader malware first documented in December 2024 by the Qualys Threat Research Unit (TRU) as part of a stealthy initial-access toolchain. It is classified as a downloader trojan and is operated by threat actors linked to the North Korean Lazarus Group (sub-cluster APT38 or BlueNoroff). The malware's primary role is to fetch and execute second-stage payloads from remote command-and-control (C2) servers, facilitating targeted intrusions into cryptocurrency and financial technology organizations.

🔧 Technical Capabilities

NosyDownloader relies on HTTPS-based C2 communications using a hardcoded URL or domain to retrieve encrypted payloads, often disguised as PNG images or JSON files. It employs process hollowing into legitimate processes such as svchost.exe or notepad.exe to evade detection. Persistence is achieved via a scheduled task or a registry Run key (HKCU\Software\Microsoft\Windows\CurrentVersion\Run). The malware uses API obfuscation and string decryption to hinder static analysis. It can also modify the Windows Defender exclusions list to disable real-time monitoring. No self-propagation mechanism has been observed; it is delivered via spear-phishing emails containing malicious Office documents or ISO files.

📜 History & Notable Incidents

NosyDownloader was first observed in a campaign targeting employees of a cryptocurrency exchange in South Korea in November 2024 (Qualys TRU report, December 2024). In early 2025, it was linked to the exploitation of a remote code execution vulnerability in Chrome (CVE-2025-0451, patched February 2025) used in watering-hole attacks against blockchain developers. No law enforcement actions have been reported as of March 2025. MITRE ATT&CK techniques include T1059.003 (Windows Command Shell), T1547.001 (Registry Run Keys), and T1055.012 (Process Hollowing).

🔍 Detection Indicators

Known file hashes include SHA-256 a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2 (from Qualys sample analysis). Behavioral indicators include outbound HTTPS connections to domains mimicking legitimate cryptocurrency services (e.g., api-blockchain[.]com). Network IOCs include User-Agent strings such as Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0. Mutex names used include NosyMutex_001.
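An added example, not code from the Qualys report or from this page: a small Python IOC matcher that applies the indicators above to constructed Sysmon-style JSON events and weights the stock Chrome User-Agent as corroboration only, since on its own it matches ordinary browser traffic. The event field names and the sample events are assumptions made up for the example.

```python
import json
import re

# Indicators as listed on the page; the defanged domain is refanged for matching.
IOC_SHA256 = "a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2"
IOC_DOMAINS = {"api-blockchain.com"}
IOC_MUTEX = "NosyMutex_001"
IOC_USER_AGENT = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) "
                  "AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0")
# Persistence location named on the page (HKCU\Software\Microsoft\Windows\CurrentVersion\Run).
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(\\|$)", re.I)

# Confidence weights: the User-Agent is a stock Chrome string and only corroborates
# other hits; the hash, mutex and C2 domain are strong on their own.
WEIGHTS = {"hash": 3, "mutex": 3, "c2_domain": 3, "run_key": 1, "user_agent": 0}

def match_event(ev):
    """Return the names of the indicators that one event dict trips."""
    hits = []
    if ev.get("sha256", "").lower() == IOC_SHA256:
        hits.append("hash")
    if ev.get("event") == "registry_set" and RUN_KEY_RE.search(ev.get("target", "")):
        hits.append("run_key")
    if ev.get("event") == "network_connect" and ev.get("dest_host", "").lower() in IOC_DOMAINS:
        hits.append("c2_domain")
    if ev.get("user_agent") == IOC_USER_AGENT:
        hits.append("user_agent")
    if ev.get("event") == "mutex_create" and ev.get("name") == IOC_MUTEX:
        hits.append("mutex")
    return hits

def score_host(lines):
    """Parse one JSON event per line; return (weighted score, sorted distinct hits)."""
    seen = set()
    for line in lines:
        if line.strip():
            seen.update(match_event(json.loads(line)))
    return sum(WEIGHTS[h] for h in seen), sorted(seen)

# Constructed sample events (assumed field names, not the real Sysmon schema).
SAMPLE_EVENTS = [
    '{"event": "registry_set", "image": "notepad.exe", "target": "HKCU\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\updater"}',
    '{"event": "network_connect", "image": "notepad.exe", "dest_host": "api-blockchain.com", "dest_port": 443}',
    '{"event": "mutex_create", "image": "notepad.exe", "name": "NosyMutex_001"}',
    '{"event": "network_connect", "image": "chrome.exe", "dest_host": "www.example.com", "dest_port": 443}',
]

if __name__ == "__main__":
    print(score_host(SAMPLE_EVENTS))  # (7, ['c2_domain', 'mutex', 'run_key'])
```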

☠️ Risk & Impact

NosyDownloader poses a high risk to cryptocurrency exchanges, fintech firms, and blockchain infrastructure, as it enables the deployment of data-stealing trojans and ransomware. In the November 2024 campaign, it led to the exfiltration of customer wallet credentials and an estimated $1.2 million in cryptocurrency losses (Qualys TRU estimate). The malware's stealth execution and persistence techniques allow long-term undetected access, often leading to lateral movement within targeted networks.

🛡️ Mitigation

Organizations should enforce application control policies (e.g., Microsoft AppLocker) to block unauthorized executables, and deploy endpoint detection and response (EDR) tools with rules for process hollowing and registry run key modifications. Applying the latest Chrome patches (CVE-2025-0451) and blocking known malicious domains via DNS sinkholes are critical. Qualys TRU recommends enabling PowerShell script block logging and periodic memory scanning for hollowed processes.


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.