{
  "name": "Nimbus RAT: How Threat Actors Are Abusing Microsoft Teams and Google Drive to Deploy a Java RAT",
  "slug": "nimbus-rat-how-threat-actors-are-abusing-microsoft-teams-and-google-drive-to-deploy-a-java-rat",
  "description": "In April 2026, threat actors deployed Nimbus RAT against a legal industry target using Microsoft Teams voice phishing. The attack began with email bombing (282 emails in 90 minutes), followed by a fake IT helpdesk contact via Teams who convinced the victim to grant Quick Assist remote access. Within 20 minutes, a Java-based RAT was deployed that uses Google Drive and Google Sheets for command-and-control, making network traffic appear benign. Analysis of 1,540 suspicious Teams messages across 172 customer environments over 12 months revealed 65% originated from throwaway onmicrosoft.com tenants with IT-themed names. The malware bundles its own Java runtime, implements two credential theft mechanisms, and allows in-memory second-stage code execution. Post-compromise targeting included Signal Desktop attachments and Outlook mailboxes.",
  "published": "2026-05-30T09:25:19+00:00",
  "created_at": "2026-05-30T09:25:19+00:00",
  "modified_at": "2026-06-02T08:00:04+00:00",
  "created_at_opencti": "2026-05-30T09:25:19+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2026-05-30",
    "email bombing",
    "google drive c2",
    "java rat",
    "microsoft teams",
    "nimbus rat",
    "quick assist",
    "social engineering",
    "vishing"
  ],
  "related_entities": {
    "observables": [
      {
        "id": "",
        "name": "99813f3d0625e880158c68039c0e2fbf488db0be3db77cd1ce6d382644193f0e"
      },
      {
        "id": "",
        "name": "9e5b1e10ad6904d3f5b48d38470cd57263974640a27d13cf793ef026d3d6b886"
      },
      {
        "id": "",
        "name": "91e523a46f3bb860ac2e5800b7e1ec89d75a2408410b9cd25eebc17c8d7a92bc"
      }
    ],
    "malware": [
      {
        "id": "legacy:malware:0858861c72550760",
        "name": "Nimbus RAT",
        "slug": "nimbus-rat"
      }
    ],
    "attack_patterns": [
      {
        "id": "c473a756-355a-42ad-a0df-cd3a8fa006d1",
        "name": "T1057"
      },
      {
        "id": "5fbd38af-69a3-49b9-9ff4-e7ab3e59bd12",
        "name": "T1534"
      },
      {
        "id": "25792a4b-d837-4423-bb77-e15f98c9b0f9",
        "name": "T1114.001"
      },
      {
        "id": "c3af9fd7-d307-4df4-9220-cc627938fb85",
        "name": "T1055"
      },
      {
        "id": "8ed8c69f-39b7-445c-8efb-6d3470064374",
        "name": "T1010"
      },
      {
        "id": "c9ee9b30-ba84-4c24-95e9-e8242d42af3f",
        "name": "T1071.001"
      },
      {
        "id": "a72b6e11-a5d5-4f5a-8f0d-8861e90c34f7",
        "name": "T1555"
      },
      {
        "id": "dc17cbbd-40d8-43cf-b3cf-50d1276db2c7",
        "name": "T1016"
      },
      {
        "id": "196f2a64-c55b-47a6-8e38-beb76ba700b6",
        "name": "T1204.002"
      },
      {
        "id": "09124a92-c11f-4571-b35b-ab0bce6dd081",
        "name": "T1112"
      },
      {
        "id": "6b2e0999-c7e8-4662-94ac-19aa8520ee46",
        "name": "T1059.003"
      },
      {
        "id": "60972cf6-e90b-4600-af3c-13c468391d9c",
        "name": "T1106"
      },
      {
        "id": "97d377d8-89c7-48f8-a79f-0f48bd60df74",
        "name": "T1005"
      },
      {
        "id": "0c836307-129e-4ff7-a532-180c633cacba",
        "name": "T1027"
      },
      {
        "id": "1584b551-72fb-4f60-ba7a-bdac106e6f9b",
        "name": "T1560.001"
      },
      {
        "id": "c12e0e03-aab0-4646-a929-e921a3d27f02",
        "name": "T1219"
      },
      {
        "id": "de38dd3a-41d7-4621-8a00-a32d7f0ff420",
        "name": "T1102.002"
      },
      {
        "id": "6efb8bea-11d7-418d-a429-9f4a3e6c50f6",
        "name": "T1087"
      },
      {
        "id": "5999052b-e9ae-49e8-9235-d9bf975c22af",
        "name": "T1547.001"
      },
      {
        "id": "52b92395-d3d3-4e05-976a-0fccccfce8d2",
        "name": "T1566.002"
      },
      {
        "id": "6f00068c-812c-4e2b-9100-2cfa86b3aed9",
        "name": "T1132.001"
      },
      {
        "id": "5b7c66d1-0466-4ba7-af6f-eb82c2f9d05b",
        "name": "T1033"
      },
      {
        "id": "14660ccf-ca6b-42f6-8bca-e1b7a04650b3",
        "name": "T1573.001"
      },
      {
        "id": "0156fcda-e385-4662-b388-086c3e16feec",
        "name": "T1140"
      },
      {
        "id": "ce39cd5d-9e4c-4138-b546-abd68e57f8c2",
        "name": "T1071.004"
      },
      {
        "id": "45082a8e-9c79-470e-ad1b-decac7188e8f",
        "name": "T1083"
      },
      {
        "id": "8e0fea81-4d54-4e88-a7dd-3aa8b26558ed",
        "name": "T1113"
      },
      {
        "id": "70616b2f-4019-4963-b758-5d9f6f20e201",
        "name": "T1082"
      },
      {
        "id": "64e548d5-24de-4894-9c90-c6e17b3b3bee",
        "name": "T1056.002"
      },
      {
        "id": "fa3b8b48-d97c-4242-83a6-07d435a5a79e",
        "name": "T1041"
      }
    ],
    "others": [
      {
        "id": "",
        "name": "Legal consulting"
      },
      {
        "id": "",
        "name": "scanseq.top"
      },
      {
        "id": "",
        "name": "helpdock.top"
      },
      {
        "id": "",
        "name": "updt-scansecurity.top"
      },
      {
        "id": "",
        "name": "system-clean.top"
      },
      {
        "id": "",
        "name": "serviceprohub.top"
      },
      {
        "id": "",
        "name": "info-secure.top"
      },
      {
        "id": "",
        "name": "scan-security.top"
      }
    ]
  },
  "external_refs": [
    "https://www.esentire.com/blog/nimbus-rat-how-threat-actors-are-abusing-microsoft-teams-and-google-drive-to-deploy-a-java-rat",
    "https://otx.alienvault.com/pulse/6a1ac91f182b86c3c2bcfc15"
  ]
}