This hunt identifies potential Nanocore RAT activity by matching DNS queries against command-and-control domains published as indicators of compromise. SOC teams should run it proactively in Azure Sentinel: a query for one of these domains is an early sign of a NanoCore implant attempting to reach its C2 infrastructure, and catching it at the DNS stage lets the host be contained before data is exfiltrated.
IOC Summary
Malware Family: Nanocore RAT
Total IOCs: 3
IOC Types: domain
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| domain | souljaboynft.io | botnet_cc | 2026-06-08 | 75% |
| domain | 88aavn.one | botnet_cc | 2026-06-08 | 75% |
| domain | hexbear.io | botnet_cc | 2026-06-08 | 75% |
```kusto
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - Nanocore RAT
// has_any matches on whole terms, so besides the exact names it also matches
// subdomains such as cdn.hexbear.io. An empty IPAddresses value means the name
// did not resolve (the domain may be sinkholed or taken down); the query attempt
// is still worth triage, since it shows the implant tried to beacon.
let malicious_domains = dynamic(["souljaboynft.io", "88aavn.one", "hexbear.io"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| DnsEvents | Populated by the Sentinel DNS data connector; ensure it is enabled and that your DNS servers are forwarding query logs before relying on this hunt |
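The following is an added example, not code from the original page: it applies the same match logic as the KQL query above to a handful of constructed DnsEvents rows, so the behaviour can be checked offline before the hunt is scheduled. It mirrors the term-based semantics of `has_any` (exact name or a subdomain of it, but not a longer name that merely ends in the same characters) and normalises letter case and trailing dots, which some resolvers log. Hostnames, timestamps and IP addresses are invented for illustration; the `Resolved` column is an assumption added here to separate queries that received an answer from those that did not.

```python
"""Apply the DNS IOC hunt above to sample DnsEvents rows.

Added example (not from the original page): the same match logic as the KQL
query, with explicit handling of subdomains, trailing dots and letter case.
"""

# Indicators from the IOC table above (ThreatFox, botnet_cc).
MALICIOUS_DOMAINS = ("souljaboynft.io", "88aavn.one", "hexbear.io")

# Constructed sample rows using the DnsEvents columns the query projects.
# Hosts, timestamps and IPs are invented for illustration only.
SAMPLE_DNS_EVENTS = [
    {"TimeGenerated": "2026-06-09T08:12:03Z", "Computer": "WS-0142",
     "Name": "hexbear.io", "IPAddresses": "203.0.113.10", "QueryType": "A"},
    {"TimeGenerated": "2026-06-09T08:12:05Z", "Computer": "WS-0142",
     "Name": "cdn.souljaboynft.io", "IPAddresses": "203.0.113.11", "QueryType": "A"},
    {"TimeGenerated": "2026-06-09T08:13:00Z", "Computer": "WS-0207",
     "Name": "www.microsoft.com", "IPAddresses": "198.51.100.5", "QueryType": "A"},
    # Different registrable domain that merely ends with the IOC string: must not match.
    {"TimeGenerated": "2026-06-09T08:14:10Z", "Computer": "WS-0207",
     "Name": "notsouljaboynft.io", "IPAddresses": "198.51.100.9", "QueryType": "A"},
    # Uppercase with a trailing dot, as some resolvers log it; no answer was returned.
    {"TimeGenerated": "2026-06-09T08:15:30Z", "Computer": "SRV-DB-03",
     "Name": "88AAVN.ONE.", "IPAddresses": "", "QueryType": "A"},
]

PROJECTED = ("TimeGenerated", "Computer", "Name", "IPAddresses", "QueryType")


def normalize_name(name):
    """Lower-case the queried name and drop whitespace and the root trailing dot."""
    return name.strip().rstrip(".").lower()


def matched_ioc(name, iocs=MALICIOUS_DOMAINS):
    """Return the IOC that `name` equals or is a subdomain of, else None.

    Matching on '.' + ioc keeps notsouljaboynft.io from matching souljaboynft.io,
    which is also how KQL's term-based has_any behaves.
    """
    n = normalize_name(name)
    for ioc in iocs:
        if n == ioc or n.endswith("." + ioc):
            return ioc
    return None


def hunt_dns_events(events, iocs=MALICIOUS_DOMAINS):
    """Equivalent of the KQL hunt: filter, project, annotate, order by time desc."""
    hits = []
    for event in events:
        ioc = matched_ioc(event["Name"], iocs)
        if ioc is None:
            continue
        row = {col: event[col] for col in PROJECTED}
        row["MatchedIOC"] = ioc
        # Assumed helper column: an empty IPAddresses means the query got no answer
        # (sinkholed or dead domain); the beacon attempt is still worth triage.
        row["Resolved"] = bool(event["IPAddresses"])
        hits.append(row)
    # ISO-8601 UTC timestamps sort correctly as strings.
    hits.sort(key=lambda r: r["TimeGenerated"], reverse=True)
    return hits


if __name__ == "__main__":
    for row in hunt_dns_events(SAMPLE_DNS_EVENTS):
        print(row)
```

Running the block prints three hits (the two workstation queries and the unresolved database-server query) and skips both the legitimate Microsoft lookup and the look-alike `notsouljaboynft.io` name; the unresolved hit from SRV-DB-03 is the one to escalate first, since a database server has no business querying any of these names.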
False Positive Scenarios
The exclusions below are written against process-creation telemetry (Elastic/ECS field names such as process.name and process.parent.name), not against the DNS query above. They do not apply to the DNS hunt: a query for one of the listed C2 domains has no benign explanation, regardless of which process or pipeline issued it. NanoCore is a commercial remote-access trojan, not a build, diagnostic or networking utility, so a process named nanocore is suspect wherever it runs; treat each scenario as a candidate to verify, not an exclusion to deploy as written. The filters must also be translated to KQL against a process-event table before they can be used in Sentinel.
Scenario: Legitimate scheduled job using nanocore in a DevOps pipeline
Description: A CI/CD pipeline or automation tool (e.g., Jenkins, GitLab CI) may execute nanocore only if the job is a deliberate malware-analysis or detonation workload. A build or test job has no reason to run it, and a nanocore process under a runner is more likely to indicate a compromised build agent or a poisoned dependency than a test fixture.
Filter/Exclusion: Before excluding, confirm the job is a known analysis workload, and scope the exclusion to that runner host and job rather than to every child of the runner process. The filter below keys only on the parent process name and is therefore too broad on its own:
(process.name:"nanocore" and process.parent.name:"jenkins.exe") or (process.name:"nanocore" and process.parent.name:"gitlab-runner.exe")
Scenario: System administration task using nanocore for diagnostics
Description: There is no legitimate diagnostic utility called nanocore. A nanocore process spawned from powershell.exe or cmd.exe under an administrator account is consistent with an operator, or a phishing payload, launching the RAT, and should be investigated rather than excluded.
Filter/Exclusion: Do not exclude processes merely because they were started by taskmgr.exe, powershell.exe or cmd.exe; those are the most common launch paths for the RAT itself, so the filter below would suppress true positives. If an exclusion is unavoidable, key it on a verified file hash or code-signing identity on a specific host, not on the parent process name:
(process.name:"nanocore" and process.parent.name:"taskmgr.exe") or (process.name:"nanocore" and process.parent.name:"powershell.exe")
Scenario: Legitimate software using nanocore as a component
Description: A legitimate enterprise application (e.g., a custom internal tool) is unlikely to embed a RAT. If an internal binary named nanocore is found, confirm its file hash and signature against the software inventory and the vendor or development team before treating it as a component.
Filter/Exclusion: Filter only on a verified internal application, identified by hash or signed image path rather than by parent process name alone. Use a filter like:
(process.name:"nanocore" and process.parent.name:"myinternalapp.exe") or
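The following is an added example, not code from the original page, contrasting the parent-name-only exclusion pattern used in the filters above with a tighter exclusion keyed on host, parent and file hash. It runs both over four constructed process-creation events (hostnames, hashes and process names are invented) and shows that the broad filter suppresses a PowerShell-launched nanocore on a workstation, while the scoped filter keeps that alert and still excludes the one approved detonation job; `ANALYSIS_ALLOWLIST` is a hypothetical inventory entry, not a real field or table.

```python
"""Compare a parent-name-only exclusion with a host+parent+hash-scoped one.

Added example, not from the original page. Events use the ECS-style field
names of the filters above; all values are constructed for illustration.
"""

# Constructed process-creation events. Hashes are placeholders, not real samples.
PROCESS_EVENTS = [
    # 1: RAT launched from PowerShell on a user workstation (must stay visible).
    {"host": "WS-0142", "process.name": "nanocore",
     "process.parent.name": "powershell.exe", "process.hash.sha256": "sha256-A"},
    # 2: deliberate detonation job on an approved analysis runner (the one true exclusion).
    {"host": "SANDBOX-CI-01", "process.name": "nanocore",
     "process.parent.name": "gitlab-runner.exe", "process.hash.sha256": "sha256-B"},
    # 3: same binary appearing on a production build runner (must stay visible).
    {"host": "BUILD-07", "process.name": "nanocore",
     "process.parent.name": "gitlab-runner.exe", "process.hash.sha256": "sha256-B"},
    # 4: unrelated benign activity.
    {"host": "WS-0142", "process.name": "notepad.exe",
     "process.parent.name": "explorer.exe", "process.hash.sha256": "sha256-C"},
]

# Parents named in the page's filters; listing powershell.exe here is what makes
# the broad exclusion dangerous.
BROAD_PARENT_EXCLUSIONS = {"jenkins.exe", "gitlab-runner.exe",
                           "taskmgr.exe", "powershell.exe"}

# Hypothetical inventory of approved analysis jobs: (host, parent, sha256).
ANALYSIS_ALLOWLIST = {("SANDBOX-CI-01", "gitlab-runner.exe", "sha256-B")}


def is_nanocore_process(event):
    """Match condition shared by every filter above: process.name is nanocore."""
    return event["process.name"].lower() == "nanocore"


def broad_exclusion(event):
    """Parent-name-only exclusion, as written in the filters above."""
    return event["process.parent.name"].lower() in BROAD_PARENT_EXCLUSIONS


def scoped_exclusion(event):
    """Exclude only an approved (host, parent, hash) tuple."""
    key = (event["host"], event["process.parent.name"].lower(),
           event["process.hash.sha256"])
    return key in ANALYSIS_ALLOWLIST


def alerts(events, exclusion):
    """Return the hosts that would still alert under the given exclusion."""
    return [e["host"] for e in events
            if is_nanocore_process(e) and not exclusion(e)]


if __name__ == "__main__":
    print("broad  :", alerts(PROCESS_EVENTS, broad_exclusion))
    print("scoped :", alerts(PROCESS_EVENTS, scoped_exclusion))
```

With the broad exclusion every nanocore event is silenced, including the workstation infection; with the scoped exclusion only the approved SANDBOX-CI-01 job drops out and both WS-0142 and BUILD-07 still alert. The same principle applies when the filters are translated to KQL: join the exclusion on host, parent and hash, never on parent name alone.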