The detection identifies potential Nanocore RAT activity through known IOCs, indicating an adversary may be establishing persistence and command-and-control communication. SOC teams should proactively hunt for this behavior to detect and mitigate advanced persistent threats leveraging Nanocore RAT in their Azure Sentinel environment.
IOC Summary

- Malware Family: Nanocore RAT
- Total IOCs: 3
- IOC Types: domain
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| domain | jnxetp.sa.com | botnet_cc | 2026-05-11 | 75% |
| domain | seriesblog.tv | botnet_cc | 2026-05-11 | 75% |
| domain | u888n.info | botnet_cc | 2026-05-11 | 75% |
```kql
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - Nanocore RAT
let malicious_domains = dynamic(["jnxetp.sa.com", "seriesblog.tv", "u888n.info"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| DnsEvents | Ensure this data connector is enabled |
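The query above filters DnsEvents on the three IOC domains. The Python below is an added example, not code from the original page: it replays that filter offline over constructed DnsEvents rows and matches on label boundaries (the IOC domain itself or any subdomain of it), which is the behaviour a defender wants so that look-alike names containing an IOC as a substring do not fire.

```python
"""Offline replay of the hunt over constructed DnsEvents rows (added example)."""
from typing import Iterable

# IOC list from the page's ThreatFox-derived table (Nanocore RAT, botnet_cc).
MALICIOUS_DOMAINS = ("jnxetp.sa.com", "seriesblog.tv", "u888n.info")

# Constructed sample rows; a subset of the columns the query projects.
SAMPLE_DNS_EVENTS = [
    {"TimeGenerated": "2026-05-12T08:01:00Z", "Computer": "ws01", "Name": "jnxetp.sa.com", "QueryType": "A"},
    {"TimeGenerated": "2026-05-12T08:02:00Z", "Computer": "ws02", "Name": "cdn.seriesblog.tv", "QueryType": "A"},
    {"TimeGenerated": "2026-05-12T08:03:00Z", "Computer": "ws03", "Name": "notseriesblog.tv", "QueryType": "A"},
    {"TimeGenerated": "2026-05-12T08:04:00Z", "Computer": "ws04", "Name": "U888N.INFO.", "QueryType": "AAAA"},
    {"TimeGenerated": "2026-05-12T08:05:00Z", "Computer": "ws05", "Name": "example.com", "QueryType": "A"},
]


def normalize(name: str) -> str:
    """Lower-case the name and strip the trailing dot some resolvers log."""
    return name.strip().lower().rstrip(".")


def matches_ioc(name: str, iocs: Iterable[str] = MALICIOUS_DOMAINS) -> bool:
    """True when the queried name is an IOC domain or a subdomain of one.

    Matching on a label boundary ("." + ioc) avoids the substring false
    positive a plain contains-check would give, e.g. notseriesblog.tv.
    """
    n = normalize(name)
    for ioc in iocs:
        i = normalize(ioc)
        if n == i or n.endswith("." + i):
            return True
    return False


def hunt(events, iocs=MALICIOUS_DOMAINS):
    """Mirror the query: filter on Name, project columns, order by time desc."""
    hits = [
        {k: e[k] for k in ("TimeGenerated", "Computer", "Name", "QueryType")}
        for e in events
        if matches_ioc(e["Name"], iocs)
    ]
    return sorted(hits, key=lambda h: h["TimeGenerated"], reverse=True)


if __name__ == "__main__":
    for hit in hunt(SAMPLE_DNS_EVENTS):
        print(hit)
```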
Scenario: Legitimate scheduled job using nanocore.exe

- Description: A scheduled task runs a legitimate utility named nanocore.exe (e.g., a backup tool or system diagnostic tool) that happens to share the same name as the malicious RAT.
- Filter/Exclusion: process.name != "nanocore.exe" OR check for process.parent_process that is a known system or enterprise service (e.g., task scheduler or services.exe).

Scenario: Admin using nanocore.exe for legitimate network monitoring

- Description: A system administrator uses a tool named nanocore.exe (e.g., a network monitoring or packet capture tool) that is unrelated to the RAT but shares the same name.
- Filter/Exclusion: process.user != "admin_user" OR check for process.command_line containing known legitimate tool arguments (e.g., -monitor or -capture).

Scenario: Legitimate software update using nanocore.exe

- Description: A software update process from a trusted vendor includes an executable named nanocore.exe as part of its installation package.
- Filter/Exclusion: process.file_path contains known enterprise software directories (e.g., C:\Program Files\Vendor\) OR check for process.parent_process being a known update manager (e.g., Windows Update or msiexec.exe).

Scenario: False positive from a third-party security tool

- Description: A third-party security tool or endpoint protection product includes nanocore.exe in its own binaries or as part of its analysis process.
- Filter/Exclusion: process.file_path contains known third-party tool directories (e.g., C:\Program Files\ThirdPartyTool\) OR check for `process.parent_process