The ‘TA800’ Group Is Using a New Initial Access Tool Called ‘NimzaLoader’

Last updated June 23, 2021
Written by:
Bill Toulas
Bill Toulas
Infosec Writer

The threat group tracked as "TA800" has apparently shifted from using BazaLoader to a new malware called "NimzaLoader." The naming suggests that this initial access tool was written in Nim, a general-purpose programming language that is rarely used by malware authors.

According to the detailed report compiled by researchers at Proofpoint, who were the first to sample the new tool, the unusual choice of Nim could be an attempt to help TA800 fly under the radar and raise the effectiveness of its latest campaign.

NimzaLoader has been used in a new campaign that appears to have started on February 3, 2021, and is ongoing. The actors are attempting to trick their victims by sending them emails containing personalized details like real employee and colleague names that one can easily find on LinkedIn.

These emails supposedly carry a PDF preview link - which, if clicked, takes the victim to a NimzaLoader download page. The actors are using an Adobe icon for the downloaded executable so as not to raise any suspicions.

Source: Proofpoint

Apart from the fact that NimzaLoader is written in Nim, the researchers have noticed the following differences compared to BazaLoader:

The researchers were able to analyze a sample through reverse-engineering, but by the time they got to that point, the C&C server was down, so not much about the infrastructure could be determined this time. They were still able to discern a handshake system based on the exchange of an X2551 key between the server and the malware, so all back and forth communications are encrypted.

Source: Proofpoint

As for the commands supported by NimzaLoader, these are the following:

Source: Proofpoint

Finally, as for which tool is the secondary payload fetched by NimzaLoader, Cobalt Strike had the lion’s share in that regard. Still, Proofpoint doesn’t have an extensive dataset with which to determine the entire possible spectrum for the second stage just yet.



For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: