NETWIRE
NetWire is a publicly available remote access trojan (RAT)/backdoor, identified in ATT&CK as S0198, with cross-platform support including Windows and macOS. Reported capabilities include command-and-control over web protocols and web services, encrypted communications using symmetric cryptography, keylogging, screen capture, reverse shell access, system and process discovery, file and directory discovery, system information collection, CPU usage monitoring, archive/staging of collected data, and credential theft from multiple sources. Specifically, the content states that NetWire can retrieve passwords from messaging and mail client applications and steal credentials from web browsers including Internet Explorer, Opera, Yandex, and Chrome; decoded strings also showed targeting of Outlook profile data, Windows Vault, Mozilla login storage, Chromium-based browsers, Comodo Dragon, and Internet Explorer IntelliForms. FireEye reporting cited additional capabilities including mouse and keyboard event recording, session logon capture, and creation of a fake HTTP proxy.
Persistence mechanisms directly mentioned include Windows Registry Run keys, scheduled tasks, and on macOS LaunchAgents; ATT&CK-style mappings also note XDG autostart entries, login items, and cron. The content specifically notes creation of HKCU\SOFTWARE\NetWire and an autorun entry under HKCU\Software\Microsoft\Windows\CurrentVersion\Run, as well as use of scheduled tasks for persistence. NetWire has also been observed using process injection/process hollowing, including injection into notepad.exe, svchost.exe, and vbc.exe. In one documented 2019 campaign, a phishing-delivered VBScript/PowerShell/.NET fileless chain loaded a .NET assembly in memory and hollowed a suspended InstallUtil.exe process to execute the final NetWire payload without writing PE files to disk.
Initial access and delivery vectors mentioned include phishing emails with malicious attachments, malicious documents, phishing links, and malicious files. The content states NetWire has been spread via email campaigns utilizing malicious attachments and executed by luring victims into opening malicious documents. GuLoader has also been observed distributing NetWire. A documented campaign targeted airline industry victims using a malicious VBS hosted on Google Drive, with subsequent stages fetched from paste.ee, persistence established via a scheduled task running every 15 minutes, and the payload executed in memory.
Threat actor and campaign associations directly mentioned in the content include Bahamut, which used NetWire alongside Revenge RAT for remote control; Nigerian BEC actors tracked as SilverTerrier, for whom NetWire was one of the top RAT families used; and the Nigerian BEC group TMT, which used NetWire along with AgentTesla, Lokibot, AzoRult, and Pony to steal credentials and compromise mailboxes. The content also notes NetWire use in malware-assisted BEC activity and references shared infrastructure analysis in which C2 IP 34.41.139.193 was associated with NetWire RAT along with other malware families, though this is infrastructure co-occurrence rather than exclusive attribution.
Known indicators and artifacts explicitly mentioned in the content include Registry key HKCU\SOFTWARE\NetWire; C2 IP/domain pairs 178.239.21.62:1919 / kingshakes.linkpc.net and 105.112.35.72:3575 / homi.myddns.rocks; a LOGS directory used to store encrypted collected data; the malicious VBS hash dac4ed7c1c56de7d74eb238c566637aa from the 2019 campaign; and import hash ad9d11227a86b863e31ddf6019cc7ab5, which has been associated with NetWire distribution in past MalwareBazaar reporting, though the source explicitly warns that this hash is not definitive for NetWire.
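As an added hunting example (not code from the original page or any vendor), the following Python scanner matches constructed key=value telemetry lines against the persistence and network artifacts listed above; the log format, host names and the benign sample values are assumptions, and the import hash is deliberately scored low because the profile states it is not definitive.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Artifacts as stated in the NetWire profile; nothing further is asserted about them.
NETWIRE_REG_KEY = r"hkcu\software\netwire"
RUN_KEY = r"hkcu\software\microsoft\windows\currentversion\run"
NETWIRE_C2 = {("178.239.21.62", "1919"), ("105.112.35.72", "3575")}
NETWIRE_DOMAINS = {"kingshakes.linkpc.net", "homi.myddns.rocks"}
NETWIRE_MD5 = {"dac4ed7c1c56de7d74eb238c566637aa"}   # 2019 campaign VBS
WEAK_IMPHASH = {"ad9d11227a86b863e31ddf6019cc7ab5"}  # profile: not definitive on its own

@dataclass
class Finding:
    severity: str  # "high" = documented NetWire artifact; "medium"/"low" = needs review
    reason: str
    line: str

_KV = re.compile(r"(\w+)=(\S+)")  # assumed format: space-separated key=value, no spaces in values

def scan_event(line: str) -> Optional[Finding]:
    """Match one telemetry line against the documented artifacts (case-insensitive)."""
    f = {k.lower(): v for k, v in _KV.findall(line)}
    key = f.get("key", "").lower()
    if key == NETWIRE_REG_KEY:
        return Finding("high", "NetWire configuration key created", line)
    if key == RUN_KEY and "value" in f:
        return Finding("medium", "new HKCU Run autorun entry; review the referenced binary", line)
    if (f.get("dst"), f.get("dport")) in NETWIRE_C2:
        return Finding("high", "connection to documented NetWire C2 IP:port", line)
    if f.get("query", "").lower() in NETWIRE_DOMAINS:
        return Finding("high", "DNS lookup of documented NetWire C2 domain", line)
    if f.get("md5", "").lower() in NETWIRE_MD5:
        return Finding("high", "MD5 of the 2019 campaign VBS dropper", line)
    if f.get("imphash", "").lower() in WEAK_IMPHASH:
        return Finding("low", "imphash seen with NetWire distribution; not definitive", line)
    return None

def scan_log(lines: list) -> list:
    return [hit for hit in (scan_event(l) for l in lines) if hit]

# Constructed sample telemetry (not real captures); the Run-key path and 192.0.2.10 are made up.
SAMPLE_LOG = [
    r"type=registry host=ws01 key=HKCU\SOFTWARE\NetWire",
    r"type=registry host=ws01 key=HKCU\Software\Microsoft\Windows\CurrentVersion\Run value=Updater data=C:\Users\alice\AppData\Roaming\updater.exe",
    r"type=network host=ws01 dst=178.239.21.62 dport=1919",
    r"type=dns host=ws01 query=homi.myddns.rocks",
    r"type=file host=ws01 md5=dac4ed7c1c56de7d74eb238c566637aa",
    r"type=file host=ws01 imphash=ad9d11227a86b863e31ddf6019cc7ab5",
    r"type=network host=ws01 dst=192.0.2.10 dport=443",
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"[{hit.severity}] {hit.reason}: {hit.line}")
```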
Groups observed using it
4 distinct threat actors attributed by public researchers.
Bahamut utilized the publicly available, cross-platform remote administration tools (RATs) NETWIRE and Revenge RAT for remote control.
The top 10 of the RATs used in Nigerian BEC scams is formed by NetWire, DarkComet, NanoCore, LuminosityLink, Remcos, ImminentMonitor, NJRat, Quasar, Adwind, and Hworm.
The group relied exclusively on a variety of publicly available spyware and Remote Access Trojans (RATs), including AgentTesla, Lokibot, AzoRult, Pony, and NetWire.
"...identified at least 5 different malware families used as final payload—all of them InfoStealer or RAT malware: ... Netwire"
Techniques & procedures
28 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access (1 technique)
The content repeatedly describes threat actors and malware being delivered through phishing or spearphishing emails containing malicious attachments such as Microsoft Office documents, PDFs, RAR/ZIP archives, CHM, ISO, IMG, HTA, LNK, and executable files disguised as documents.
Execution (6 techniques)
During the 2022 Ukraine Electric Power Attack, Sandworm Team leveraged Scheduled Tasks through a Group Policy Object (GPO) to execute CaddyWiper at a predetermined time.
The content repeatedly describes threat actors and malware using PowerShell scripts/commands for execution, download, staging, reconnaissance, persistence, credential access, lateral movement, and defense evasion; e.g., "Sandworm Team used PowerShell scripts to run a credential harvesting tool in memory to evade defenses."
During the 2016 Ukraine Electric Power Attack, Sandworm Team used the xp_cmdshell command in MS-SQL. During the 2025 Poland Wiper Attacks, the adversaries leveraged PsExec to run cmd.exe commands on multiple victim machines. Numerous malware families and groups are described as using cmd.exe, cmd /c, Windows command shell, or command-line interfaces to execute commands, payloads, reconnaissance, persistence, cleanup, and ransomware actions.
Command and Scripting Interpreter: Visual Basic is documented for Lokibot, NanoCore, and NETWIRE.
The content repeatedly describes victims being lured into opening malicious attachments, enabling macros, launching installers, clicking embedded files/links, or otherwise directly executing malicious content.
Examples include: "Sandworm Team leveraged Microsoft Office attachments which contained malicious macros..."; "Bumblebee has relied upon a user opening an ISO file to enable execution of malicious shortcut files and DLLs"; "Lumma Stealer has gained initial execution through victims opening malicious executable files embedded in zip archives, and MSI files within RAR files."
Persistence (4 techniques)
During the 2022 Ukraine Electric Power Attack, Sandworm Team leveraged Scheduled Tasks through a Group Policy Object (GPO) to execute CaddyWiper at a predetermined time.
Many malware families store configuration, payloads, encryption keys, C2 addresses, or other operational data in Registry keys, such as QakBot storing configuration in a randomly named subkey under HKCU\Software\Microsoft and PolyglotDuke writing encrypted JSON configuration files to the Registry.
The content repeatedly describes threat actors and malware modifying, creating, deleting, or storing data in Windows Registry keys and values for persistence, configuration storage, defense evasion, credential access, privilege escalation, and execution.
Bundlore can persist via a LaunchAgent. Calisto adds a .plist file to the /Library/LaunchAgents folder to maintain persistence. CoinTicker creates user launch agents named .espl.plist and com.apple.[random string].plist to establish persistence.
The content repeatedly describes malware and threat actors establishing persistence by adding values under HKCU/HKLM\Software\Microsoft\Windows\CurrentVersion\Run or RunOnce, and by placing executables, scripts, .lnk files, or .bat files in the Windows Startup folder.
Privilege Escalation (4 techniques)
During the 2022 Ukraine Electric Power Attack, Sandworm Team leveraged Scheduled Tasks through a Group Policy Object (GPO) to execute CaddyWiper at a predetermined time.
The content repeatedly describes adversaries and malware injecting code, shellcode, DLLs, or payloads into legitimate processes such as svchost.exe, explorer.exe, iexplore.exe, wuauclt.exe, lsass.exe, and browser processes.
Bundlore can persist via a LaunchAgent. Calisto adds a .plist file to the /Library/LaunchAgents folder to maintain persistence. CoinTicker creates user launch agents named .espl.plist and com.apple.[random string].plist to establish persistence.
The content repeatedly describes malware and threat actors establishing persistence by adding values under HKCU/HKLM\Software\Microsoft\Windows\CurrentVersion\Run or RunOnce, and by placing executables, scripts, .lnk files, or .bat files in the Windows Startup folder.
Stealth (3 techniques)
The content repeatedly describes malware and threat actors using obfuscated code, encrypted strings, Base64/XOR/RC4/AES encoding, VMProtect/ConfuserEx/SmartAssembly, stack strings, control-flow flattening, opaque predicates, and hidden payloads to evade analysis and detection.
During the 2016 Ukraine Electric Power Attack, DLLs and EXEs with filenames associated with common electric power sector protocols were used to masquerade files.
Defense Impairment (1 technique)
Many malware families store configuration, payloads, encryption keys, C2 addresses, or other operational data in Registry keys, such as QakBot storing configuration in a randomly named subkey under HKCU\Software\Microsoft and PolyglotDuke writing encrypted JSON configuration files to the Registry.
The content repeatedly describes threat actors and malware modifying, creating, deleting, or storing data in Windows Registry keys and values for persistence, configuration storage, defense evasion, credential access, privilege escalation, and execution.
Credential Access (4 techniques)
Input Capture: Keylogging is documented for Agent Tesla, DarkComet, Lokibot, NanoCore, and NETWIRE.
Agent Tesla has the ability to steal credentials from FTP clients and wireless profiles... APT33 has used a variety of publicly available tools like LaZagne to gather credentials... Mimikatz performs credential dumping to obtain account and password information useful in gaining access to additional systems and enterprise network resources. It contains functionality to acquire information about credentials in many ways, including from the credential vault and DPAPI.
The content repeatedly describes threat actors and malware stealing usernames, passwords, cookies, session tokens, and other saved credentials from web browsers such as Chrome, Firefox, Internet Explorer, Edge, Opera, Safari, and Yandex.
Evilnum can collect email credentials from victims... Malteiro has obtained credentials from mail clients via NirSoft MailPassView... MgBot includes modules for stealing stored credentials from Outlook and Foxmail email client software... PLEAD has the ability to steal saved passwords from Microsoft Outlook.
Discovery (4 techniques)
The content repeatedly describes actors and malware using commands and APIs such as ipconfig /all, ifconfig, arp -a, route print, netsh interface show, GetAdaptersInfo, and GetIpNetTable to gather IP addresses, MAC addresses, DNS, DHCP, gateways, routing tables, ARP cache, proxy settings, and network adapter/interface details.
The content repeatedly describes malware and threat actors obtaining lists of running processes, using utilities such as tasklist, ps, WMI, Get-Process, CreateToolhelp32Snapshot, EnumProcesses, and similar APIs/commands to enumerate active processes on victim systems.
The content repeatedly describes malware and threat actors collecting host details such as OS version, hostname, architecture, CPU, memory, BIOS, domain, language, and other configuration data; e.g., "APT41 uses multiple built-in commands such as systeminfo and net config Workstation to enumerate victim system basic configuration information."
File and Directory Discovery is documented for Lokibot and NETWIRE.
Collection (3 techniques)
Input Capture: Keylogging is documented for Agent Tesla, DarkComet, Lokibot, NanoCore, and NETWIRE.
The content repeatedly describes adversaries and malware storing collected data, command output, credentials, archives, or files in local temporary folders, working directories, hidden directories, registry locations, recycle bins, or specific files prior to exfiltration.
Archive Collected Data is documented for Agent Tesla and NETWIRE.
Command and Control (4 techniques)
The content repeatedly describes threat actors, malware, and campaigns using HTTP and/or HTTPS for command and control, including examples such as BlackEnergy communicating with C2 over HTTP POST requests and many other families using HTTP/S for C2.
This detail "suggests that Nigerian actors are moving away from legacy information stealers in favor of remote administration tools which provide greater capabilities to achieve their goals," the researchers say.
Encrypted Channel is documented for NanoCore and NETWIRE.
Encrypted Channel: Symmetric Cryptography is documented for NanoCore and NETWIRE.
Impact (1 technique)
Scammers running business email compromise (BEC) fraud have grown in number, attack more often, and turn to remote access trojans as the preferred malware type to accompany their raids.
IOCs tracked for this family
7 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
Recent activity
90 sources tracked across advisories, community write-ups, and news.
NetWire RAT is identified as another malware family associated with the same shared IP infrastructure, with OTX linking it to ports 5202 and 8081 during Nov 2025-Feb 2026.
NetWire is a remote access trojan that provides attackers with persistent access and control over infected systems.
Remote access trojan used by the TMT gang as part of phishing campaigns to gain access to victim systems and steal credentials.
Cross-platform remote administration tool used by Bahamut for remote control of compromised systems.