Skip to content


NOKKI is a modular remote access tool. The earliest observed attack using NOKKI was in January 2018. NOKKI has significant code overlap with the KONNI malware family. There is some evidence potentially linking NOKKI to APT37.12

Item Value
ID S0353
Associated Names
Version 1.1
Created 30 January 2019
Last Modified 18 March 2020
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1071 Application Layer Protocol -
enterprise T1071.001 Web Protocols NOKKI has used HTTP for C2 communications.1
enterprise T1071.002 File Transfer Protocols NOKKI has used FTP for C2 communications.1
enterprise T1547 Boot or Logon Autostart Execution -
enterprise T1547.001 Registry Run Keys / Startup Folder NOKKI has established persistence by writing the payload to the Registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Run.1
enterprise T1074 Data Staged -
enterprise T1074.001 Local Data Staging NOKKI can collect data from the victim and stage it in LOCALAPPDATA%\MicroSoft Updatea\uplog.tmp.1
enterprise T1140 Deobfuscate/Decode Files or Information NOKKI uses a unique, custom de-obfuscation technique.1
enterprise T1070 Indicator Removal -
enterprise T1070.004 File Deletion NOKKI can delete files to cover tracks.1
enterprise T1105 Ingress Tool Transfer NOKKI has downloaded a remote module for execution.1
enterprise T1056 Input Capture -
enterprise T1056.004 Credential API Hooking NOKKI uses the Windows call SetWindowsHookEx and begins injecting it into every GUI process running on the victim’s machine.1
enterprise T1036 Masquerading -
enterprise T1036.005 Match Legitimate Name or Location NOKKI is written to %LOCALAPPDATA%\MicroSoft Updatea\svServiceUpdate.exe prior being executed in a new process in an apparent attempt to masquerade as a legitimate folder and file.1
enterprise T1027 Obfuscated Files or Information NOKKI uses Base64 encoding for strings.1
enterprise T1218 System Binary Proxy Execution -
enterprise T1218.011 Rundll32 NOKKI has used rundll32 for execution.1
enterprise T1082 System Information Discovery NOKKI can gather information on drives and the operating system on the victim’s machine.1
enterprise T1016 System Network Configuration Discovery NOKKI can gather information on the victim IP address.1
enterprise T1033 System Owner/User Discovery NOKKI can collect the username from the victim’s machine.1
enterprise T1124 System Time Discovery NOKKI can collect the current timestamp of the victim’s machine.1

Groups That Use This Software

ID Name References
G0094 Kimsuky 3