According to security researchers, the TinyNuke banking malware (also known as Nukebot) has resurfaced in a new operation exclusively targeting French users and organizations with invoice-themed email lures.
The targets work in the manufacturing, technology, construction, and business services sectors.
What Is TinyNuke?
TinyNuke is a trojan-type application that gathers login information. When users visit banking websites, TinyNuke info-stealing malware hijacks their browsers and collects information.
TinyNuke malware was sold on several hacker sites after its first release in late 2016, but in early 2017, the malware’s entire source code was published, making it publicly accessible.
The banking malware reached its peak in 2018, dropped considerably in 2019, and nearly disappeared entirely in 2020. The reappearance of the malware in 2021 is not at all unexpected.
According to Proofpoint analysts who have been monitoring these operations, this re-emergence manifests as two distinct sets of activity, each with its own C2 infrastructure, payloads, and lure themes.
This could also mean that the trojan is being employed by two distinct cybercriminals, one connected to the original TinyNuke operators and the other tied to hackers who normally use commodity software.
To host the payload URL, the attacker hacks reputable French sites,