The detection identifies potential Nanocore RAT activity through suspicious IOCs associated with command and control communication, indicating an adversary may be establishing persistent remote access. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect and mitigate advanced persistent threats before they exfiltrate data or move laterally within the network.
IOC Summary
Malware Family: Nanocore RAT
Total IOCs: 2
IOC Types: domain
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| domain | gzle.io | botnet_cc | 2026-05-24 | 75% |
| domain | dpalwallet.io | botnet_cc | 2026-05-24 | 75% |
```kusto
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - Nanocore RAT
let malicious_domains = dynamic(["gzle.io", "dpalwallet.io"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| DnsEvents | Ensure this data connector is enabled |
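To check the matching logic offline before enabling the hunt, the Python below applies the two IOCs from the table to DnsEvents-shaped records. This is an added example, not part of the Sentinel rule or ThreatFox; the sample records are constructed, and it matches by domain suffix (the IOC itself or a subdomain of it) rather than by substring, so a look-alike such as `notgzle.io` does not fire.

```python
from dataclasses import dataclass

# IOCs from the page (ThreatFox, Nanocore RAT, botnet_cc)
MALICIOUS_DOMAINS = {"gzle.io", "dpalwallet.io"}

@dataclass(frozen=True)
class DnsEvent:
    """Subset of the Sentinel DnsEvents columns projected by the hunt."""
    time_generated: str
    computer: str
    name: str
    ip_addresses: str
    query_type: str

def normalize(name):
    """Lower-case and strip the trailing root dot some resolvers log."""
    return name.strip().lower().rstrip(".")

def matching_ioc(name, iocs=MALICIOUS_DOMAINS):
    """Return the IOC that `name` equals or is a subdomain of, else None.
    Suffix matching, not substring: 'notgzle.io' must not fire."""
    labels = normalize(name).split(".")
    # Walk suffixes from the full name down to the apex: a.b.gzle.io -> gzle.io
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in iocs:
            return candidate
    return None

def hunt(events):
    """Python equivalent of the KQL hunt: hits with their IOC, newest first."""
    hits = [(e, m) for e in events if (m := matching_ioc(e.name))]
    return sorted(hits, key=lambda h: h[0].time_generated, reverse=True)

# Constructed sample records, not real telemetry
SAMPLE_EVENTS = [
    DnsEvent("2026-05-24T10:01:00Z", "WS01", "GZLE.IO.", "203.0.113.10", "A"),
    DnsEvent("2026-05-24T10:02:00Z", "WS02", "cdn.dpalwallet.io", "203.0.113.11", "A"),
    DnsEvent("2026-05-24T10:03:00Z", "WS03", "notgzle.io", "198.51.100.5", "A"),
    DnsEvent("2026-05-24T10:04:00Z", "WS04", "login.microsoftonline.com", "20.190.0.1", "A"),
]

if __name__ == "__main__":
    for event, ioc in hunt(SAMPLE_EVENTS):
        print(f"{event.time_generated} {event.computer} {event.name} -> {ioc}")
```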
Scenario: Legitimate scheduled job using nanocore.exe for system diagnostics
Description: A system administrator schedules a legitimate diagnostic tool named nanocore.exe to run daily for system health checks.
Filter/Exclusion: Exclude processes where the full path contains "C:\Windows\System32\nanocore.exe" or where the parent process is schtasks.exe.
Scenario: Software update using Nanocore as part of a third-party tool
Description: A legitimate software update process uses a tool named nanocore.exe as part of a third-party application’s update mechanism.
Filter/Exclusion: Exclude processes where the command line includes "--update" or where the parent process is msiexec.exe or setup.exe.
Scenario: Admin task using nanocore.exe for network monitoring
Description: A network administrator uses a custom tool named nanocore.exe to monitor internal network traffic as part of a security monitoring setup.
Filter/Exclusion: Exclude processes where the command line includes "--monitor" or where the user is a member of the Administrators group and the process is initiated via task scheduler.
Scenario: Legitimate file integrity monitoring tool with similar name
Description: A file integrity monitoring tool with a similar name to nanocore.exe is used to monitor system files for unauthorized changes.
Filter/Exclusion: Exclude processes where the full path contains "C:\Program Files\FileMonitor\nanocore.exe" or where the process is initiated by services.exe.
Scenario: False positive from a malware analysis tool during sandbox testing
Description: A malware analysis tool or sandbox environment generates a false positive by executing a file named nanocore.exe as part of its testing process.