NKAbuse is a Go-based multi-platform malware family and backdoor/RAT that abuses the NKN (New Kind of Network) decentralized peer-to-peer blockchain protocol for command-and-control and data exchange, making its communications more resilient and harder to monitor or block. It was reported by Kaspersky in late 2023 as the first known malware to abuse NKN technology. The malware primarily targets Linux desktops, but reported support includes MIPS, ARM, and 386 architectures, and it can also compromise IoT devices. Observed activity has included infections in Mexico, Colombia, and Vietnam, and one reported intrusion involved exploitation of Apache Struts CVE-2017-5638 against a financial company.
NKAbuse supports both botnet and backdoor functionality. Reported capabilities include launching DDoS attacks using HTTP, TCP, UDP, PING, ICMP, and SSL flooding commands; executing shell commands on infected systems; exfiltrating data; capturing screenshots; and sending command output back to the operator. It can maintain multiple concurrent communication channels via NKN, and one observed variant used external services such as ifconfig.me to determine the victim host's IP address.
In 2026, researchers observed a previously undocumented NKAbuse variant deployed through exploitation of Marimo Notebook pre-authentication RCE CVE-2026-39987. In that campaign, payloads were hosted on Hugging Face Spaces, including a typosquatted Space named vsccode-modetx and a malware binary named kagent. Sysdig identified the payload as a stripped Go ELF binary packed with UPX and linked it to NKAbuse based on strings and behavior, including references to NKN client protocol, WebRTC, ICE, STUN, proxy management, heartbeat telemetry, shell output handling, and structured command handling. The observed Marimo exploitation campaign paired NKAbuse deployment with credential theft and lateral movement into PostgreSQL and Redis.
Known hashes from the 2026 campaign include install-linux.sh SHA256 25e4b2c4bb37f125b693a9c57b0e743eab2a3d98234f7519cd389e788252fd13, packed kagent SHA256 27c62a041cc3c88df60dfceb50aa5f2217e1ac2ef9e796d7369e9e1be52ebb64, and unpacked payload SHA256 f2960805f89990cb28898e892bbdc5a2f86b6089c68f4ab7f2f5e456a8d0c21d.
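As an added defender-side triage example (not code from this page or from any of the cited vendors), the following Python script applies the identification heuristics described above to a file image: the ELF magic, the UPX marker, the Go buildinfo marker, NKAbuse-associated strings, and the campaign SHA-256 values. The `nknorg` import-path marker and the constructed sample images are assumptions, not observed artefacts.

```python
import hashlib

# SHA-256 values quoted above for the 2026 campaign, keyed to the file they identify.
KNOWN_SHA256 = {
    "25e4b2c4bb37f125b693a9c57b0e743eab2a3d98234f7519cd389e788252fd13": "install-linux.sh",
    "27c62a041cc3c88df60dfceb50aa5f2217e1ac2ef9e796d7369e9e1be52ebb64": "kagent (UPX-packed)",
    "f2960805f89990cb28898e892bbdc5a2f86b6089c68f4ab7f2f5e456a8d0c21d": "kagent (unpacked)",
}

# Lower-cased substrings reflecting the features Sysdig reported (NKN client code, WebRTC,
# STUN, heartbeat telemetry). "nknorg" assumes the NKN Go SDK import path (an assumption).
NKABUSE_MARKERS = (b"nknorg", b"webrtc", b"stun", b"heartbeat")


def triage_elf(data: bytes) -> dict:
    """Apply the write-up's identification heuristics to an in-memory file image."""
    sha256 = hashlib.sha256(data).hexdigest()
    lowered = data.lower()
    return {
        "sha256": sha256,
        "known_sample": KNOWN_SHA256.get(sha256),
        "is_elf": data[:4] == b"\x7fELF",
        "upx_packed": b"UPX!" in data,            # UPX writes this magic into packed files
        "go_binary": b"Go buildinf:" in data,     # Go toolchain buildinfo blob; hidden while packed
        "stripped": b".symtab" not in data,       # section name absent once symbols are stripped
        "nkabuse_markers": sorted(m.decode() for m in NKABUSE_MARKERS if m in lowered),
    }


def verdict(findings: dict) -> str:
    """Turn triage findings into a short analyst action."""
    if findings["known_sample"]:
        return "known NKAbuse sample: " + findings["known_sample"]
    if findings["is_elf"] and findings["upx_packed"]:
        return "packed ELF: unpack with 'upx -d' and re-triage the result"
    if findings["is_elf"] and findings["go_binary"] and findings["nkabuse_markers"]:
        return "Go ELF with NKAbuse-related strings: " + ", ".join(findings["nkabuse_markers"])
    return "no NKAbuse indicators"


# Constructed sample images (not real malware): minimal headers plus the strings of interest.
PACKED_SAMPLE = b"\x7fELF" + b"\x00" * 60 + b"UPX!" + b"\x00" * 32
UNPACKED_SAMPLE = (b"\x7fELF" + b"\x00" * 60 + b"\xff Go buildinf:" + b"\x00" * 16
                   + b"github.com/nknorg/nkn-sdk-go\x00webrtc\x00heartbeat\x00")
BENIGN_SAMPLE = b"#!/bin/sh\necho hello\n"

if __name__ == "__main__":
    for name, image in (("packed", PACKED_SAMPLE), ("unpacked", UNPACKED_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(name, "->", verdict(triage_elf(image)))
```

On a real packed sample the UPX branch fires first; the Go and string checks only become meaningful after unpacking, which is exactly why the packed and unpacked hashes are tracked separately above.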
2 CVEs Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.
Root in One Request: Pre-Auth RCE in Marimo (CVE-2026-39987) ... a critical pre-authentication remote code execution flaw in Marimo ... exploited in the wild within hours of public disclosure and was added to the CISA Known Exploited Vulnerabilities catalog on April 23, 2026. | Researchers have tracked a campaign that uses the flaw to deploy an NKAbuse backdoor variant hosted on Hugging Face Spaces, pairing pre-auth RCE with credential theft, lateral movement into PostgreSQL and Redis, and a blockchain-based (NKN) command-and-control channel that is hard to monitor or block.
A new Go-based multi-platform malware identified as 'NKAbuse' is the first malware abusing NKN (New Kind of Network) technology for data exchange, making it a stealthy threat. | One NKAbuse infection spotted by Kaspersky involves the exploitation of an old Apache Struts flaw (CVE-2017-5638) to attack a financial company.
24 distinct techniques documented for this family, organized by ATT&CK tactic.
Successful exploitation can result in: ... Persistence through cron jobs or startup scripts.
...the server accepts it with no credentials, allocates a PTY and a shell, and the attacker runs arbitrary commands as the Marimo process...
It directly launches a pseudo-terminal (PTY) session using pty.fork()... Once connected, attackers gain interactive shell access and can execute arbitrary commands on the host system.
CVE-2026-39987 is a critical pre-authentication remote code execution flaw in Marimo... A remote, unauthenticated attacker only has to complete a single WebSocket handshake to an exposed instance to obtain a full interactive shell as the user running the Marimo process.
The payload (kagent) is a stripped Go ELF binary packed with UPX (4.3 MB → 15.5 MB).
The content repeatedly describes malware and threat actors obtaining lists of running processes, using utilities such as tasklist, ps, WMI, Get-Process, CreateToolhelp32Snapshot, EnumProcesses, and similar APIs/commands to enumerate active processes on victim systems.
The content repeatedly describes malware and threat actors collecting host details such as OS version, hostname, architecture, CPU, memory, BIOS, domain, language, and other configuration data; e.g., "APT41 uses multiple built-in commands such as systeminfo and net config Workstation to enumerate victim system basic configuration information."
...a blockchain-based (NKN) command-and-control channel that is hard to monitor or block.
The binary references NKN Client Protocol, WebRTC/ICE/STUN for NAT traversal, proxy management, and structured command handling.
11 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
11 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A backdoor variant deployed after exploitation of CVE-2026-39987. It is used for credential theft and lateral movement into PostgreSQL and Redis, and it relies on NKN blockchain-based command-and-control.
NKAbuse is being deployed after exploitation of the Marimo pre-auth RCE vulnerability, indicating it is used as a post-exploitation payload to compromise exposed systems.
A malware family originally described as DDoS-focused that abuses the NKN decentralized peer-to-peer network for communications. In the newly observed variant, it functions as a remote access trojan capable of executing shell commands on infected systems, returning output to the operator, and using WebRTC/ICE/STUN and proxy features for connectivity and NAT traversal.
NKAbuse is the malware explicitly mentioned as being delivered via exploitation of the Marimo pre-auth RCE vulnerability.