The Nymaim trojan was initially detected in 2013 and, although its infection rates have varied over the past few years, its activity levels during the first half of 2016 have surpassed those in previous years. ESET researchers reported that Nymaim has caused 2.8 million infections, mainly targeting Poland, Germany, and the United States. After its initial infection, Nymaim’s main function is to funnel additional malware onto the infected system. This trojan is most known for infecting victims with ransomware, delivered through drive-by downloads and malicious links and email attachments. Nymaim has previously targeted individuals, hospitals, and the police. In 2013, Nymaim was discovered delivering ransomware distributed by the Blackhole exploit kit. In 2014, researchers discovered that machines infected with Nymaim were also infected with a range of other malware, including Vawtrak and Pony. Nymaim is one half of the joint Nymaim-Gozi trojan, GozNym, discovered in April of this year targeting North American financial institutions. In June, the trojan was discovered targeting Brazilian financial institutions in a phishing campaign with emails containing malicious macros in Word documents, eventually delivering ransomware to the victim.  


  • February 2016: Nymaim developments. (ProofPoint
  • June 2016: Nymaim phishing campaign targeting Brazilians. (InfoSecurity Magazine)
  • July 2016: Nymaim's increased activity in the first half of the year. (Softpedia)
  • October 2016: Nymaim Dropper Updates Delivery, Obfuscation Methods (Threatpost)
  • March 2017: A spam campaign targeting German users sends an email informing them that they have attempted to pay for something online but the payment was unsuccessful. The user must resubmit the payment or they will be contacted by a collection agency or law enforcement. While this type is scam is common, the attackers have designed their emails to include personal details about the target to make the request appear legitimate. The email is outfitted with a zipped attachment that, when opened, delivers the Nymaim trojan. (Graham Cluley)
  • April 2017: Nemucod trojan is delivering Nymaim to victims in a USPS-themed phishing campaign, allowing attackers to gain remote access and steal personal and financial information. (MalwareBytes)
  • August 2017: Palo Alto Networks researchers discover infrastructure behind Nymaim. (Palo Alto Networks)

Technical Details 

  • Softpedia provides technical details on the Nymaim trojan, available here.
Image Source: Softpedia

Image Source: Softpedia

Trojan VariantsNJCCICNymaim