NICECURL

NICECURL is a VBScript-based backdoor used by APT42 to download additional modules.[1]

ID: S1192
Type: MALWARE
Platforms: Windows
Version: 1.0
Created: 08 January 2025
Last Modified: 08 January 2025

Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | NICECURL has used HTTPS for C2 communications.[1] |
| Enterprise | T1059 | Command and Scripting Interpreter | NICECURL has provided an arbitrary command execution interface.[1] |
| Enterprise | T1573.002 | Encrypted Channel: Asymmetric Cryptography | NICECURL has used HTTPS for C2 communications.[1] |
| Enterprise | T1070.004 | Indicator Removal: File Deletion | NICECURL has a function to remove artifacts.[1] |
| Enterprise | T1105 | Ingress Tool Transfer | NICECURL has the ability to download additional content onto an infected machine, e.g. by using curl.[1] |

Groups That Use This Software

| ID | Name | References |
|---|---|---|
| G1044 | APT42 | [1] |

References