VERY IMPORTANT

First documented in 2013, Nymaim was originally identified as both a first-stage downloader and second-stage locking malware. Primarily distributed via the Blackhole exploit kit, most users found out they were infected because of the screen lock that demanded varying ransoms. In 2016, we documented distribution of the Ursnif banking Trojan via email campaigns and the presence of webinjects within Nymaim itself. More recently, Nymaim has evolved into an even more robust downloader that includes a range of information stealing and system profiling capabilities. This incarnation of Nymaim has appeared in both global campaigns as well as attacks targeting North America, Germany, Italy, and Poland. In this respect, Nymaim is following global malware trends, with a focus on persistent, non-destructive infection to collect information long-term and flexibly download additional malware of the threat actor’s choosing.