NOKKI is a modular remote access tool. The earliest observed attack using NOKKI was in January 2018. NOKKI has significant code overlap with the KONNI malware family. There is some evidence potentially linking NOKKI to APT37.[1][2]

ID: S0353
Platforms: Windows
Version: 1.0
Created: 30 January 2019
Last Modified: 31 January 2019

Techniques Used

Domain ID Name Use
Enterprise T1074 Data Staged

NOKKI can collect data from the victim and stage it in %LOCALAPPDATA%\MicroSoft Updatea\uplog.tmp.[1]

Enterprise T1140 Deobfuscate/Decode Files or Information

NOKKI uses a unique, custom de-obfuscation technique.[1]

Enterprise T1107 File Deletion

NOKKI can delete files to cover tracks.[1]

Enterprise T1179 Hooking

NOKKI uses the Windows API call SetWindowsHookEx to inject itself into every GUI process running on the victim's machine.[1]

Enterprise T1036 Masquerading

NOKKI is written to %LOCALAPPDATA%\MicroSoft Updatea\svServiceUpdate.exe prior to being executed in a new process, in an apparent attempt to masquerade as a legitimate folder and file.[1]

Enterprise T1027 Obfuscated Files or Information

NOKKI uses Base64 encoding for strings.[1]

Enterprise T1060 Registry Run Keys / Startup Folder

NOKKI has established persistence by writing the payload to the Registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Run.[1]

Enterprise T1105 Remote File Copy

NOKKI has downloaded a remote module for execution.[1]

Enterprise T1085 Rundll32

NOKKI has used rundll32 for execution.[1]

Enterprise T1071 Standard Application Layer Protocol

NOKKI has used FTP and HTTP for C2 communications.[1]

Enterprise T1082 System Information Discovery

NOKKI can gather information on drives and the operating system on the victim’s machine.[1]

Enterprise T1016 System Network Configuration Discovery

NOKKI can gather information on the victim's IP address.[1]

Enterprise T1033 System Owner/User Discovery

NOKKI can collect the username from the victim’s machine.[1]

Enterprise T1124 System Time Discovery

NOKKI can collect the current timestamp of the victim's machine.[1]
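As an added defender-side example (not part of the ATT&CK entry or the research it cites), the following PowerShell hunt checks a single Windows host for the file paths and the HKCU Run key named in the table above. The folder, file and key names come from this entry; the output layout and the length threshold used to flag an oversized Run value are assumptions.

```powershell
# Hunt for the NOKKI host artifacts listed in ATT&CK S0353 (added example).
# Paths and the Run key are taken from the entry; everything else is assumed.

$SuspectFolder = Join-Path $env:LOCALAPPDATA 'MicroSoft Updatea'
$Artifacts = @(
    (Join-Path $SuspectFolder 'svServiceUpdate.exe'),   # masquerading executable (T1036)
    (Join-Path $SuspectFolder 'uplog.tmp')              # staged collection data (T1074)
)
$RunKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'   # persistence (T1060)
$MaxSaneRunValueLength = 512   # assumed: a Run value far longer than a command line deserves a look

$findings = @()

# 1. Files on disk at the masquerade / staging locations, hashed for triage.
foreach ($path in $Artifacts) {
    if (Test-Path -LiteralPath $path) {
        $fi   = Get-Item -LiteralPath $path
        $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        $findings += [pscustomobject]@{
            Type   = 'File'
            Where  = $path
            Detail = "sha256=$hash size=$($fi.Length) modified=$($fi.LastWriteTimeUtc.ToString('u'))"
        }
    }
}

# 2. Run-key values that reference the suspect folder, or that are large enough
#    to be a payload written into the key rather than a command line.
if (Test-Path -LiteralPath $RunKey) {
    $props = Get-ItemProperty -LiteralPath $RunKey
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip the provider's metadata properties
        $value = "$($p.Value)"
        if ($value -like '*MicroSoft Updatea*' -or $value.Length -gt $MaxSaneRunValueLength) {
            $findings += [pscustomobject]@{
                Type   = 'RunKey'
                Where  = "$RunKey\$($p.Name)"
                Detail = $value.Substring(0, [Math]::Min($value.Length, 200))
            }
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No NOKKI file or Run-key artifacts found at the paths listed in this entry.'
} else {
    $findings | Format-Table -AutoSize
}
```

Run it in the context of each interactive user, since both the folder and the Run key are per-user (HKCU, %LOCALAPPDATA%).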