Nimbus RAT: How Threat Actors Are Abusing Microsoft Teams and Google Drive to Deploy a Java RAT
Nimbus RAT is a Java-based remote access Trojan observed in April 2026 in a campaign against the legal industry that began with Microsoft Teams voice phishing. Victims were first email-bombed, then contacted on Teams by an attacker posing as the internal IT helpdesk, who talked them into granting remote access through Quick Assist. The RAT uses Google Drive and Google Sheets for command-and-control, so its traffic blends into ordinary cloud-service usage. It ships with its own Java runtime (the host does not need Java installed), implements two credential-theft methods, and can load a second stage directly into memory. Post-compromise activity targeted Signal Desktop attachments and Outlook mailboxes. Many of the suspicious Teams messages came from throwaway Microsoft tenants with IT-themed names. Because the intrusion relies on social engineering rather than a software vulnerability, there is no patch or vendor advisory to apply; defence is hardening and detection.
AI Analysis
Technical Summary
Nimbus RAT is a Java-based remote access Trojan that the threat actors delivered by social engineering over Microsoft Teams and Quick Assist. The attack opened with an email bombing campaign, followed by a Teams contact from a fake IT helpdesk that led the victim to start a Quick Assist session and hand the attacker interactive access. The malware uses Google Drive and Google Sheets as its command-and-control infrastructure, so its network traffic is TLS to Google endpoints that look legitimate. It bundles its own Java runtime, implements two credential-theft mechanisms, and can execute second-stage code in memory. Analysis of the campaign revealed a high volume of suspicious Teams messages originating from throwaway onmicrosoft.com tenants. Post-compromise activity targeted Signal Desktop and Outlook mailboxes. Only this campaign has been reported so far, and since no software vulnerability is involved there is no patch to apply and no vendor remediation guidance.
Potential Impact
The intrusion gives the attacker an interactive remote session through Quick Assist, obtained by social engineering rather than by exploiting any software vulnerability, and the RAT is installed from that session. The RAT then steals credentials and runs additional code in memory, leaving little of the second stage on disk. Because command-and-control rides on Google Drive and Google Sheets, the traffic is TLS to Google endpoints that most networks permit and rarely inspect, so it blends into normal activity. Post-compromise access to Signal Desktop attachments and Outlook mailboxes exposes privileged communications (a particular concern for law firms) and supplies material for further phishing, data exfiltration or lateral movement. Only the described campaign has been reported.
Mitigation Recommendations
There is no patch for Nimbus RAT because nothing in this campaign exploits a software flaw; mitigation is hardening and detection. Train users to treat unsolicited IT helpdesk contact over Teams, especially one that arrives right after a burst of spam, as suspect, and to verify through a known internal channel before starting any remote session. Restrict Teams external access (federation) to an allowlist of trusted domains, or at least alert on first-contact messages from unfamiliar onmicrosoft.com tenants; an organization cannot stop attackers from creating throwaway tenants with IT-themed names, but it can refuse to accept chat from them. Remove or block Quick Assist where it is not needed and log its use where it is. Multi-factor authentication limits the value of stolen credentials but does not stop an attacker who already holds an interactive session, so it complements rather than replaces those controls. Because the RAT bundles its own Java runtime, "Java is not installed here" is not a defence; hunt instead for java.exe or javaw.exe launched from user-writable directories. On the network, baseline which processes talk to Google Drive and Sheets endpoints and alert on non-browser processes doing so, then block the domains and search for the hashes listed below.
Indicators of Compromise
- domain: helpdock.top
- domain: scanseq.top
- domain: serviceprohub.top
- domain: system-clean.top
- domain: info-secure.top
- domain: scan-security.top
- domain: updt-scansecurity.top
- hash (MD5): 44f6101dd8171133f53317bfd752300e
- hash (SHA-1): fab69acd743f4111b749e3268690825c38822e62
- hash (SHA-256): 91e523a46f3bb860ac2e5800b7e1ec89d75a2408410b9cd25eebc17c8d7a92bc
- hash (SHA-256): 99813f3d0625e880158c68039c0e2fbf488db0be3db77cd1ce6d382644193f0e
- hash (SHA-256): 9e5b1e10ad6904d3f5b48d38470cd57263974640a27d13cf793ef026d3d6b886
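The mitigation guidance above and the indicator list turn into a small triage routine. The following is an added example, not code from eSentire or AlienVault: it takes constructed Teams-message, process-network and process-creation records (the field names and sample values are this example's own, not a real product schema), flags the three behaviours the report describes (first-contact chat from IT-themed onmicrosoft.com tenants, non-browser processes such as a bundled java.exe reaching Google Drive/Sheets, and a Java runtime running from a user-writable path), and matches the listed domains and hashes. The Google hostnames and the IT-themed keyword list are assumptions; the pulse names neither.

```python
import re

# Indicators from the pulse above, lowercased for matching.
IOC_DOMAINS = {
    "helpdock.top", "scanseq.top", "serviceprohub.top", "system-clean.top",
    "info-secure.top", "scan-security.top", "updt-scansecurity.top",
}
IOC_HASHES = {
    "44f6101dd8171133f53317bfd752300e",                                  # MD5
    "fab69acd743f4111b749e3268690825c38822e62",                          # SHA-1
    "91e523a46f3bb860ac2e5800b7e1ec89d75a2408410b9cd25eebc17c8d7a92bc",  # SHA-256
    "99813f3d0625e880158c68039c0e2fbf488db0be3db77cd1ce6d382644193f0e",  # SHA-256
    "9e5b1e10ad6904d3f5b48d38470cd57263974640a27d13cf793ef026d3d6b886",  # SHA-256
}

# Assumed Google endpoints a Drive/Sheets C2 channel would reach; the pulse
# does not name them. A browser talking to these is normal, java.exe is not.
GOOGLE_API_HOSTS = {
    "docs.google.com", "drive.google.com", "sheets.googleapis.com",
    "www.googleapis.com", "oauth2.googleapis.com",
}
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe"}
JAVA = {"java.exe", "javaw.exe"}

# This example's own guess at what "IT-themed" tenant or display names look like.
IT_THEMED = re.compile(r"help|support|desk|\bit\b|service|secur|scan|clean|admin|updat|updt", re.I)
USER_WRITABLE = re.compile(r"^[a-z]:\\users\\[^\\]+\\(appdata|downloads|desktop|documents)\\", re.I)


def hash_kind(value):
    """Classify a hex digest by length; None if it is not a plausible digest."""
    v = value.strip().lower()
    if not re.fullmatch(r"[0-9a-f]+", v):
        return None
    return {32: "md5", 40: "sha1", 64: "sha256"}.get(len(v))


def teams_sender_reasons(event, trusted_domains):
    """Teams message: external first contact from a throwaway onmicrosoft.com
    tenant, worse when the sender domain or display name is IT-themed."""
    domain = event["sender"].split("@")[-1].lower()
    reasons = []
    if domain in trusted_domains:
        return reasons
    if domain.endswith(".onmicrosoft.com"):
        reasons.append("sender in unverified onmicrosoft.com tenant")
    if IT_THEMED.search(domain) or IT_THEMED.search(event.get("display_name", "")):
        reasons.append("IT-themed sender identity")
    if event.get("first_contact"):
        reasons.append("first message from this tenant")
    return reasons


def network_reasons(event):
    """Process network event: non-browser use of Google Drive/Sheets, a Java
    runtime launched from a user-writable directory, or a known C2 domain."""
    reasons = []
    image = event["image"].lower()
    exe = image.rsplit("\\", 1)[-1]
    host = event["dest_host"].lower()
    if host in GOOGLE_API_HOSTS and exe not in BROWSERS:
        reasons.append(f"{exe} contacted {host} (non-browser Google API use)")
    if exe in JAVA and USER_WRITABLE.match(image):
        reasons.append("java runtime running from user-writable path")
    if host in IOC_DOMAINS:
        reasons.append(f"known Nimbus RAT domain {host}")
    return reasons


def ioc_hash_reasons(event):
    """Process/file-creation event carrying one or more digests of the image."""
    reasons = []
    for h in event.get("hashes", []):
        kind = hash_kind(h)
        if kind and h.lower() in IOC_HASHES:
            reasons.append(f"{kind} hash matches Nimbus RAT indicator")
    return reasons


def triage(events, trusted_domains):
    """Return [(event_id, reasons)] for every event that raised at least one reason."""
    handlers = {"teams_message": lambda e: teams_sender_reasons(e, trusted_domains),
                "network": network_reasons, "process": ioc_hash_reasons}
    findings = []
    for ev in events:
        reasons = handlers.get(ev["type"], lambda e: [])(ev)
        if reasons:
            findings.append((ev["id"], reasons))
    return findings


# Constructed sample telemetry for this example; not real logs from the campaign.
TRUSTED = {"example-law.com", "example-law.onmicrosoft.com"}
SAMPLE_EVENTS = [
    {"id": 1, "type": "teams_message", "sender": "support@itservicedesk01.onmicrosoft.com",
     "display_name": "IT Help Desk", "first_contact": True},
    {"id": 2, "type": "teams_message", "sender": "partner@example-law.com",
     "display_name": "Jane Partner", "first_contact": False},
    {"id": 3, "type": "network", "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "dest_host": "docs.google.com"},
    {"id": 4, "type": "network", "image": r"C:\Users\alice\AppData\Local\Temp\jre\bin\java.exe",
     "dest_host": "sheets.googleapis.com"},
    {"id": 5, "type": "process", "image": r"C:\Users\alice\Downloads\update.jar",
     "hashes": ["91E523A46F3BB860AC2E5800B7E1EC89D75A2408410B9CD25EEBC17C8D7A92BC"]},
]

if __name__ == "__main__":
    for event_id, reasons in triage(SAMPLE_EVENTS, TRUSTED):
        print(event_id, "; ".join(reasons))
```

Run against the sample set, events 1, 4 and 5 are flagged and events 2 and 3 are not: the same Google endpoint is benign from chrome.exe and suspicious from a java.exe under AppData, which is the distinction a plain domain blocklist cannot make. The Teams check is deliberately sensitive to first contact; in production it would be fed by the tenant's external-access allowlist so trusted partner tenants never trigger it.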
Technical Details
- Author: AlienVault
- TLP: white
- References: https://www.esentire.com/blog/nimbus-rat-how-threat-actors-are-abusing-microsoft-teams-and-google-drive-to-deploy-a-java-rat
- Adversary: not specified
- Pulse Id: 6a1ac91f182b86c3c2bcfc15
- Threat Score: not specified
Threat ID: 6a1ea6fae29bf47b50ba292c
Added to database: 6/2/2026, 9:48:42 AM
Last enriched: 6/2/2026, 10:03:33 AM
Last updated: 6/2/2026, 5:45:39 PM