The story behind the creator, Gosya, is one of the sketchiest legitimate viruses seen on the dark web in a while. In the beginning, Gosya would lurk on dark web forums trying to sell his trojan.
According to various users on the forums, the virus itself can be verified by the forum hosting the vendor (which it wasn’t) – and to make matters worse, Gosya also raised suspicions by acting “defensive and nervous”.
Gosya took a further dive down the hole of crazy after his first failed attempt at selling NukeBot. The trojan was reposted to the same forums . . . but under different names.
Criminals are devious. Some are considered “stupid”, but most are smart enough to know half of what they’re doing. After Gosya started vending under different names, the criminal community grew even more suspicious that he was trying to sell a product he didn’t have.
This led to the eventual release of the trojan’s source code at the end of 2016. Since then, Gosya has at least gotten some credibility back.
“NukeBot, also known as Nuclear Bot, first surfaced on underground marketplaces back in December. Researchers with Arbor Networks were among the first to dissect the Trojan and claimed it was replete with commands, a man-in-the-browser functionality, and the ability to download webinjects from its command and control server.”
“When X-Force analyzed NukeBot, also in December, researchers said the malware could be considered an “HTTP bot” that can steal login data on the fly.”
Although cyber security experts can’t be sure that NukeBot is a colossal threat, they do confirm that the source code has caused a bit of rift raft in the banking world.