NimzaLoader – TA800’s New Malware

Researchers have observed a new malware family called NimzaLoader. One notable difference is that it is written in the Nim programming language, an uncommon choice that malware developers make to complicate analysis and to evade detection tooling tuned for binaries built with more common languages.

Researchers associate it with TA800, a threat group that targets many industries in North America and infects victims with banking trojans and malware loaders. The group has mainly used BazaLoader since April 2020, but in February 2021 it distributed a new malware called NimzaLoader.


Consistent with previous campaigns, this one personalizes the lure with details about the recipient: in earlier campaigns TA800 sent malicious emails that included the recipient’s name, job title and employer. The email body contains a link that purportedly points to a PDF preview page.


The “PDF” is actually an executable file, hosted by the , that uses a fake Adobe icon to deceive the user into running it.


C2 commands in NimzaLoader:

  • cmd – execute a cmd.exe command
  •  – execute a powershell.exe command
  • handshake – redo the C2 handshake
  • shellcode – inject shellcode into a process as a new thread; the command arguments are a JSON object containing:
      • sc – hex-encoded and compressed shellcode
      • prog – the program to inject the shellcode into
  • heartbeat – update the malware’s in-memory expiration date; the command arguments are a JSON object containing:
      • heartbeat – the new expiration time
      • sig – used in a signature check against an encrypted string
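As an added example (not code from the researchers’ report, and not the malware’s own code), the following Python models the task format described above the way an analyst might when building a sandbox stub or a unit test for a detection: it decodes one task, enforces the in-memory expiry that the heartbeat command extends, and unpacks the hex-encoded, compressed shellcode argument. The JSON framing (`{"command": ..., "args": {...}}`), the argument key `line` for `cmd`, zlib as the compression algorithm, and the rule that an expired loader refuses further tasks are all assumptions that the page does not specify; the `sig` field is recorded but not verified because the page does not describe the signature scheme. Nothing is executed or injected.

```python
import json
import zlib
from dataclasses import dataclass


@dataclass
class LoaderState:
    """In-memory state the heartbeat command updates (assumed model)."""
    expires_at: float          # epoch seconds after which tasking is refused
    handshake_done: bool = False


def make_task(command: str, args: dict) -> bytes:
    """Build a task in the assumed wire format: {"command": ..., "args": {...}}."""
    return json.dumps({"command": command, "args": args}).encode()


def make_shellcode_task(shellcode: bytes, prog: str) -> bytes:
    """Pack shellcode the way the article describes the 'sc' field:
    compressed (zlib is an assumption) and then hex-encoded."""
    return make_task("shellcode", {"sc": zlib.compress(shellcode).hex(), "prog": prog})


def decode_task(raw: bytes, state: LoaderState, now: float) -> dict:
    """Decode one C2 task into a neutral action record and update state.

    Returns a dict with an "action" key; nothing is run or injected, so the
    same function can drive a sandbox stub or a test for a detection rule.
    """
    try:
        task = json.loads(raw)
        command = task["command"]
        args = task.get("args", {})
    except (ValueError, KeyError, TypeError) as exc:
        return {"action": "error", "reason": f"malformed task: {exc}"}
    if not isinstance(args, dict):
        return {"action": "error", "reason": "args is not a JSON object"}

    # Assumption: once the in-memory expiry passes, the loader stops acting on
    # tasks; only a heartbeat received before expiry can push the date out.
    if now > state.expires_at:
        return {"action": "expired", "command": command}

    if command == "cmd":
        # The key "line" for the command string is an assumption.
        return {"action": "exec", "program": "cmd.exe", "line": args.get("line", "")}

    if command == "handshake":
        state.handshake_done = True
        return {"action": "handshake"}

    if command == "shellcode":
        # Reverse the packing described for "sc": hex decode, then decompress.
        try:
            blob = zlib.decompress(bytes.fromhex(args["sc"]))
        except (KeyError, ValueError, zlib.error) as exc:
            return {"action": "error", "reason": f"bad shellcode payload: {exc}"}
        return {"action": "inject", "prog": args.get("prog", ""), "shellcode": blob}

    if command == "heartbeat":
        # "sig" is described only as a signature check against an encrypted
        # string; the algorithm is not on the page, so it is noted, not verified.
        try:
            state.expires_at = float(args["heartbeat"])
        except (KeyError, ValueError, TypeError) as exc:
            return {"action": "error", "reason": f"bad heartbeat: {exc}"}
        return {"action": "heartbeat", "expires_at": state.expires_at,
                "sig_present": "sig" in args}

    return {"action": "unknown", "command": command}


if __name__ == "__main__":
    # Constructed sample tasks; timestamps are injected so runs are deterministic.
    st = LoaderState(expires_at=2000.0)
    print(decode_task(make_shellcode_task(b"\x90\x90\xcc", "explorer.exe"), st, now=1000.0))
    print(decode_task(make_task("heartbeat", {"heartbeat": 5000, "sig": "opaque"}), st, now=1500.0))
    print(decode_task(make_task("cmd", {"line": "whoami"}), st, now=6000.0))
```

The point of the expiry logic is that a sample run in a sandbox whose clock is past the embedded expiration date will look inert unless a heartbeat with a later time is replayed to it; injecting `now` rather than reading the wall clock keeps that behaviour testable.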