The detection identifies potential Nanocore RAT activity through known IOCs, indicating an adversary may be establishing persistence and remote control over compromised systems. SOC teams should proactively hunt for this behavior to detect and mitigate advanced persistent threats leveraging Nanocore RAT in their Azure Sentinel environment.
IOC Summary

Malware Family: Nanocore RAT
Total IOCs: 3
IOC Types: url
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| url | hxxps://menangmulu.jp.net/ | botnet_cc | 2026-05-10 | 50% |
| url | hxxps://www.menangmulu.jp.net/ | botnet_cc | 2026-05-10 | 50% |
| url | hxxps://playgamesonline.in.net:54984 | botnet_cc | 2026-05-10 | 50% |
```kql
// Hunt for access to known malicious URLs
// Source: ThreatFox - Nanocore RAT
// The IOC table above is defanged (hxxps); the values here are refanged so they match live telemetry
let malicious_urls = dynamic(["https://menangmulu.jp.net/", "https://www.menangmulu.jp.net/", "https://playgamesonline.in.net:54984"]);
UrlClickEvents
| where Url has_any (malicious_urls)
| project Timestamp, AccountUpn, Url, ActionType, IsClickedThrough
| order by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| UrlClickEvents | Ensure this data connector is enabled |
Scenario: Legitimate scheduled job using nanocore.exe for backup purposes
Description: A system administrator schedules a backup task using a tool named nanocore.exe, which is a legitimate backup utility in the organization.
Filter/Exclusion: Exclude processes where the full path contains C:\Tools\Backup\ or where the parent process is schtasks.exe.

Scenario: Admin using nanocore.exe for network monitoring
Description: A network administrator uses a tool named nanocore.exe as part of a network monitoring solution that captures traffic for analysis.
Filter/Exclusion: Exclude processes where the command line includes --monitor or where the parent process is nsm.exe (network security monitor).

Scenario: Legitimate software update using nanocore.dll
Description: A software update process includes nanocore.dll as part of a legitimate application update, which is signed and trusted by the enterprise.
Filter/Exclusion: Exclude processes where the file hash matches a known trusted hash or where the parent process is msiexec.exe.

Scenario: System cleanup task using nanocore.exe
Description: A system cleanup task, such as a disk cleanup utility, uses nanocore.exe as part of its process to remove temporary files.
Filter/Exclusion: Exclude processes where the command line includes --clean or where the parent process is cleanmgr.exe.

Scenario: Development environment using nanocore.exe for testing
Description: A developer uses nanocore.exe in a sandboxed development environment to test a custom application that interacts with network services.
Filter/Exclusion: Exclude processes running from a virtual machine or container, or where the user account is a development
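The hunt query above only covers URL clicks in mail and Office clients, while the false-positive scenarios all describe process-level exclusions. The following KQL is an added example, not part of the original detection content, showing how to carry the same IOC list into endpoint network telemetry with initiating-process context so that an exclusion such as the "scheduled backup" scenario can be expressed as a combined condition. It assumes the Microsoft 365 Defender connector is enabled so that DeviceNetworkEvents is available in Sentinel; the backup path and schtasks.exe parent are taken from the scenario and are hypothetical.

```kql
// Added example; not part of the original detection content.
// Extends the URL-click hunt to DeviceNetworkEvents (assumed available via the
// Microsoft 365 Defender connector) and adds initiating-process context.
let malicious_urls = dynamic([
    "https://menangmulu.jp.net/",
    "https://www.menangmulu.jp.net/",
    "https://playgamesonline.in.net:54984"
]);
// Reduce each IOC to its host so that scheme, port, path and query-string
// variations of the same C2 host still match
let malicious_hosts = toscalar(
    print u = malicious_urls
    | mv-expand u to typeof(string)
    | extend h = tostring(parse_url(u).Host)
    | summarize make_set(h)
);
// Hypothetical exclusion modelled on the "scheduled backup" scenario above.
// InitiatingProcessFolderPath carries no trailing backslash, so the prefix is
// given without one. Folder AND parent are required together, so a file name
// alone cannot satisfy the exclusion.
let trusted_backup_folder = @"C:\Tools\Backup";
DeviceNetworkEvents
| where isnotempty(RemoteUrl)
| where RemoteUrl has_any (malicious_hosts)
| where not(InitiatingProcessFolderPath startswith trusted_backup_folder
            and InitiatingProcessParentFileName =~ "schtasks.exe")
| project Timestamp, DeviceName, RemoteUrl, RemoteIP, RemotePort,
          InitiatingProcessFileName, InitiatingProcessFolderPath,
          InitiatingProcessCommandLine, InitiatingProcessParentFileName
| order by Timestamp desc
```

Matching on the parsed host rather than the full URL means the www variant and any path under the host are caught by one entry, and the port on the third IOC no longer has to appear verbatim in the event. The exclusion is deliberately written as a conjunction: an "or" across folder path and parent process, as the scenario text phrases it, would let either condition alone suppress a true positive.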