NukeSped RAT

The North Korean hacking group called Lazarus is back in the news. It is one of the most prominent APTs (Advanced Persistent Threats) in the world and has carried out numerous successful attacks globally. The group is also known under the alias Hidden Cobra. It has long been speculated that Lazarus is funded by the North Korean government and operates on behalf of Kim Jong-Un's regime. Malware researchers have reported that the North Korean hacking groups cooperate closely and likely share members and infrastructure, which makes them even more threatening to anyone who stands against the interests of the North Korean government.

How the NukeSped RAT Functions

One of their latest threats is the NukeSped RAT (Remote Access Trojan). The RAT is built for 32-bit Windows systems. Its authors have obfuscated the binary to make it harder for security researchers to dissect and study the threat. NukeSped gains persistence on the infiltrated system in one of two ways: it is installed as a Windows service, or its payload is registered under a Run registry key so that it launches at logon. The static import table of the sample is short and lists only generic DLLs (Dynamic Link Libraries) and functions; the Windows API functions the RAT actually needs are resolved dynamically at run time through a small set of loader APIs (Application Programming Interfaces). This hides its real capabilities from a quick look at the imports, and it is itself a useful triage indicator: a small, generic import table that still contains the loader APIs is characteristic of a binary that resolves the rest at run time.
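The short-import-table trait described above can be checked mechanically. The Python below is an added example, not code from the original article and not Lazarus or NukeSped code: it walks the import directory of a PE32 file and flags a binary that imports few functions overall but still pulls in LoadLibrary/GetProcAddress. The PE bytes it parses are constructed inline by build_sample_pe() for the demo (with one section mapped so that RVA equals file offset, which real files are not obliged to do), and the threshold of 20 imports in looks_like_dynamic_resolver() is this example's own assumption rather than a published indicator.

```python
"""Added example, not code from the original article or from the NukeSped authors.
Triage heuristic for the trait described above: a 32-bit PE whose static import
table is short and generic but still imports the loader APIs it needs to resolve
everything else at run time. The PE bytes come from build_sample_pe() (constructed
for the demo); the threshold in looks_like_dynamic_resolver() is an assumption.
"""
import struct

# APIs that let a binary look up any other function at run time.
LOADER_APIS = {"LoadLibraryA", "LoadLibraryW", "LoadLibraryExA",
               "LoadLibraryExW", "GetProcAddress"}

def _rva_to_offset(rva, sections):
    """Map a relative virtual address to a file offset via the section table."""
    for va, raw_size, raw_ptr in sections:
        if va <= rva < va + raw_size:
            return rva - va + raw_ptr
    raise ValueError("RVA 0x%x is not backed by any section" % rva)

def _cstring(data, off):
    return data[off:data.index(b"\x00", off)].decode("ascii")

def parse_imports(data):
    """Walk the import directory of a PE32 file: {dll: [func or '#ordinal', ...]}."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("bad PE signature")
    fh = e_lfanew + 4                                  # IMAGE_FILE_HEADER
    num_sections, opt_size = struct.unpack_from("<H12xH", data, fh + 2)
    opt = fh + 20                                      # IMAGE_OPTIONAL_HEADER
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 (32-bit) images handled here")
    import_rva = struct.unpack_from("<I", data, opt + 104)[0]   # DataDirectory[1].VirtualAddress
    # IMAGE_SECTION_HEADER: VirtualAddress, SizeOfRawData, PointerToRawData sit at +12
    sections = [struct.unpack_from("<III", data, opt + opt_size + 40 * i + 12)
                for i in range(num_sections)]
    imports = {}
    if import_rva == 0:
        return imports
    desc = _rva_to_offset(import_rva, sections)
    while True:                                        # IMAGE_IMPORT_DESCRIPTOR array
        oft, _ts, _fwd, name_rva, ft = struct.unpack_from("<IIIII", data, desc)
        if oft == 0 and name_rva == 0 and ft == 0:     # all-zero terminator
            break
        dll = _cstring(data, _rva_to_offset(name_rva, sections))
        thunk, funcs = _rva_to_offset(oft or ft, sections), []
        while True:                                    # zero-terminated 32-bit thunk array
            entry = struct.unpack_from("<I", data, thunk)[0]
            if entry == 0:
                break
            if entry & 0x80000000:                     # import by ordinal
                funcs.append("#%d" % (entry & 0xFFFF))
            else:                                      # IMAGE_IMPORT_BY_NAME: WORD hint, then name
                funcs.append(_cstring(data, _rva_to_offset(entry, sections) + 2))
            thunk += 4
        imports[dll] = funcs
        desc += 20
    return imports

def looks_like_dynamic_resolver(imports, max_imports=20):
    """Few static imports overall, yet the loader APIs are present: worth a closer look."""
    total = sum(len(funcs) for funcs in imports.values())
    names = {f for funcs in imports.values() for f in funcs}
    return total <= max_imports and bool(names & LOADER_APIS)

def build_sample_pe(imports):
    """Constructed sample: the smallest PE32 layout the parser above needs.
    Its one section is placed so RVA == file offset (0x1000), which keeps the demo short."""
    base = 0x1000
    descs, blob = bytearray(), bytearray()
    blob_start = base + 20 * (len(imports) + 1)        # strings/thunks follow the descriptors
    for dll, funcs in imports.items():
        name_rva = blob_start + len(blob)
        blob += dll.encode() + b"\x00"
        by_name = []
        for f in funcs:
            blob += b"\x00" * (len(blob) % 2)          # IMAGE_IMPORT_BY_NAME is WORD-aligned
            by_name.append(blob_start + len(blob))
            blob += struct.pack("<H", 0) + f.encode() + b"\x00"
        blob += b"\x00" * (-len(blob) % 4)
        oft = blob_start + len(blob)
        blob += b"".join(struct.pack("<I", r) for r in by_name) + b"\x00" * 4
        descs += struct.pack("<IIIII", oft, 0, 0, name_rva, oft)   # demo: IAT shares the array
    section = bytes(descs + b"\x00" * 20 + blob)
    dos = b"MZ".ljust(0x3C, b"\x00") + struct.pack("<I", 64)                 # e_lfanew = 64
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)       # i386, one section
    opt = (struct.pack("<H", 0x10B).ljust(104, b"\x00")                     # PE32 magic ...
           + struct.pack("<II", base, len(descs) + 20)).ljust(224, b"\x00")  # ... import dir RVA/size
    sec_hdr = struct.pack("<8sIIII", b".rdata", len(section), base, len(section), base)
    header = dos + b"PE\x00\x00" + file_hdr + opt + sec_hdr.ljust(40, b"\x00")
    return header.ljust(base, b"\x00") + section
```

Running parse_imports() on a real sample means reading the file bytes and passing them in; build_sample_pe() exists only so the example works offline. The heuristic is deliberately loose: legitimate packers and some runtime-linked plugins trip it too, so treat a hit as a reason to look at the strings and the run-time API resolution routine, not as a verdict.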


At its core, the NukeSped RAT gives its operators remote control of the compromised host, including the ability to execute commands on the system. The RAT also can:

  • Create a process.
  • Kill a process.
  • Read files.
  • Write files.
  • Move files.
  • Collect data regarding the installed disks – type, size and remaining space.
  • Run a set of processes and modules repeatedly.
  • Remove itself from the host.

The NukeSped RAT connects to the attackers' C&C (Command & Control) server, to which it exfiltrates the gathered information and from which it can receive additional payloads to be planted on the infiltrated system.
