Nimplant
NimPlant is a publicly released lightweight first-stage command-and-control implant and server framework associated with red team and post-exploitation use. The provided content describes it as written in Nim, with supporting server components in Rust and Python, and primarily supporting x64 Windows implants; separate references also describe Nimplant/NimPlant as a Nim-based implant used on Linux and Windows and as a basis for modified Nim backdoors observed in the wild. Documented payload formats include .exe, self-deleting .exe, .dll, and .bin shellcode. Traffic is encrypted and compressed by default, and static strings in implant artifacts are obfuscated.
Capabilities directly mentioned in the content include local enumeration, file management, registry management, web interactions, execution of Beacon Object Files, shellcode injection, PowerShell execution in a custom runspace, and in-memory .NET assembly execution. Related command support described for the implant includes file retrieval and copy operations, directory changes and listing, process listing and termination, environment variable retrieval, shell command execution, file download, job listing, and callback termination. Configuration options mentioned include sleep time, jitter, kill date, user-agent, listener paths, HTTP/HTTPS listener settings, risky command enablement, and an Ekko sleep mask option for regular executable implants. The framework includes a web GUI, console interface, logging, and SQLite-backed state recovery.
The content explicitly states the project was released for transparency and educational purposes and warns that antivirus/EDR evasion is not an out-of-the-box goal. It also notes that the web frontend and API do not support authentication and should not be exposed to untrusted networks without a secured reverse proxy. One source states the Nimplant agent is deprecated because it is only compatible with Mythic 2.1 and the developer can no longer maintain updates needed for newer Mythic versions.
Threat reporting in the content links NimPlant-derived tooling to exploitation of Cisco Catalyst SD-WAN vulnerabilities in 2026. Cisco Talos observed an activity cluster it tracks as Cluster 8 deploying a Nim-based backdoor likely based on NimPlant/Nimplant, including a modified implant named "agent1." Reported capabilities of that backdoor include file operations, executing files using bash, and collecting system information. Associated infrastructure and indicators directly mentioned include C2 at hxxp://13[.]62[.]52[.]206:5004 and delivery from a replit[.]dev-hosted URL. The same cluster also used a renamed KScan asset mapping tool called "QScan."
Vulnerabilities exploited
4 CVEs Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.
Cluster 8 (Active since at least March 10, 2026), which deploys the KScan asset mapping tool and Nim-based backdoor that's likely based on NimPlant and comes with capabilities to perform file operations, execute files using bash, and collect system information
CVE-2026-20182 carries a CVSSv3.1 score of 10.0 (Critical) and is classified under CWE-287: Improper Authentication. The flaw affects the Cisco Catalyst SD-WAN Controller (formerly vSmart)... The peering authentication mechanism is not functioning correctly, allowing an unauthenticated, remote attacker to bypass authentication and obtain administrative privileges on the affected system.
Techniques & procedures
24 distinct techniques documented for this family, organized by ATT&CK tactic.
Execution (4 techniques)
shell [command]: Run a shell command, which translates to a process being spawned with the command line cmd.exe /r[command]
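The documented `shell` behaviour (a child process spawned as `cmd.exe /r[command]`) and the reported C2 endpoint give a defender two concrete things to look for. The following is an added detection example, not code from the page, from Mallory or from the NimPlant project; it assumes simplified Sysmon-like process-creation and network-connection events as Python dicts, and the sample events are constructed.

```python
import re
from typing import Iterable, List, Optional

# From the page: NimPlant's `shell` command spawns a process with the command
# line `cmd.exe /r[command]`. Case-insensitive; tolerates a quoted full path.
CMD_R_SPAWN = re.compile(r'(?i)cmd(?:\.exe)?"?\s+/r')

# From the page: reported C2 for the Cluster 8 NimPlant-derived backdoor
# (printed defanged there as hxxp://13[.]62[.]52[.]206:5004).
KNOWN_C2 = {("13.62.52.206", 5004)}

# Constructed sample events (simplified Sysmon-like fields); not real telemetry.
SAMPLE_EVENTS = [
    {"type": "process", "parent_image": r"C:\Users\u\AppData\Local\Temp\update.exe",
     "image": r"C:\Windows\System32\cmd.exe", "command_line": "cmd.exe /rwhoami"},
    {"type": "process", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe", "command_line": "cmd.exe /c dir"},
    {"type": "network", "image": r"C:\Users\u\AppData\Local\Temp\update.exe",
     "dest_ip": "13.62.52.206", "dest_port": 5004},
    {"type": "network", "image": r"C:\Program Files\Browser\browser.exe",
     "dest_ip": "203.0.113.10", "dest_port": 443},
]

def flag_process(ev: dict) -> Optional[str]:
    """Return a reason if a process-creation event matches the `shell` spawn pattern."""
    if ev.get("type") != "process":
        return None
    if CMD_R_SPAWN.search(ev.get("command_line", "")):
        return f"cmd.exe /r spawn, parent {ev.get('parent_image')}"
    return None

def flag_network(ev: dict) -> Optional[str]:
    """Return a reason if a network event targets the reported C2 endpoint."""
    if ev.get("type") != "network":
        return None
    if (ev.get("dest_ip"), ev.get("dest_port")) in KNOWN_C2:
        return f"connection to reported NimPlant C2 from {ev.get('image')}"
    return None

def scan(events: Iterable[dict]) -> List[str]:
    """Run both checks over an event stream and collect the reason for each hit."""
    hits = []
    for ev in events:
        reason = flag_process(ev) or flag_network(ev)
        if reason:
            hits.append(reason)
    return hits

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit)
```

The `/r` switch is a legitimate cmd.exe option, so the process check is a triage signal to pair with parent-process context rather than a standalone alert.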
Persistence (1 technique)
Privilege Escalation (1 technique)
Stealth (4 techniques)
shinject [targetpid] [localfilepath] (GUI): Load raw shellcode from a file and inject it into the specified process's memory space using dynamic invocation.
cp [source] [destination]: Copy a file from source to destination...
mv [source] [destination]: Move a file from source to destination...
rm [path]: Remove a file specified by [path]
Defense Impairment (1 technique)
Discovery (8 techniques)
ipconfig: List IP address information of the currently selected NimPlant.
getenv: Get all of the current environment variables.
Command and Control (4 techniques)
The filename was "systemd-resolved" and the agent's command and control (C2) is "194[.]163[.]175[.]135:4445" ... The Sliver sample's C2 is "mtls://23.27.143[.]170:443" ... an RSA public key to be used by the agent to communicate with the C2 hosted on "hxxp://13[.]62[.]52[.]206:5004".
Exfiltration (1 technique)
IOCs tracked for this family
7 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
Recent activity
5 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A Nim-based backdoor, or likely derivative, used for file operations, bash execution, and system information collection on compromised devices.
A Nim-based backdoor used in post-exploitation against Cisco Catalyst SD-WAN targets.
An open-source Nim-based implant/backdoor referenced as the likely basis for a modified post-compromise implant with expanded file, execution, and system reconnaissance capabilities.