Get in Touch

Contact us to learn more about our elite cybersecurity services and industry-leading technologies.

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.


Emergency Incident Assistance

Is your network under attack? Get in touch with a
BreachQuest Specialist right away with this form.

You can also reach us by calling our 24/7 hotline.

+1 888 409 5811

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

You can also reach us by calling our 24/7 hotline.

+1 888 409 5811

The RAT is out: The new Nerbian Rat on the Market

By: Abbey Mirelli

Nerbian Rat

Nerbian is the name of a recently discovered remote access trojan (RAT). A RAT is a type of malware that allows hackers to monitor and control your infected computer or network remotely, like legitimate remote access programs. The main difference is that RATs are installed without a user’s knowledge, using evasion detection mechanisms to ensure no specific symptoms are clearly visible on an infected machine. It is also important to note that Nerbian, just like any other RAT, has the capability to inject additional malware. What they mainly spread is ransomware.

Origin Story

Researchers at cybersecurity firm Proofpoint published a recent report on the new Nerbian RAT malware. Proofpoint researchers, the ones to first observe the email campaigns, named the malware based on a named function in the malware code.

Proofpoint identified an email distribution campaign that encouraged targeted users to click on a file attachment loaded with malware. The campaign contained COVID-19 information impersonating the World Health Organization (WHO). The campaign asks targeted users to open the attached Microsoft Word document (.doc) to see the ‘latest Health Advice.’ While users are distracted reading the document containing COVID-19 safety precautions, the macros embedded in the document deliver a specific payload behind the scenes. Threat actors continue to utilize COVID-19 themes to distract targeted users with their threatening campaigns. Although currently distributed through low-volume campaigns, authors can open up this campaign to a broader cybercrime community moving forward.


Nerbian is seen to include a rich set of features once the identified payload, ‘UpdateUAV.exe’, is initially downloaded. The RAT is seen to log keystrokes and capture screenshots recording the infected computer’s movement and activity. The screen captures could occur on a variety of different operating systems and could contain usernames, passwords, bank information, or sensitive photos.

How do we avoid Nerbian?

  • Do not download files from sources that are unknown or are not trusted. This includes opening attachments in emails from external addresses or unknown addresses.
  • Do not download games or software from unknown websites.
  • Keep browsers and operating systems up to date with security patches.
  • Install a specialized anti-malware program.

If you think you have been victim to a Nerbian Rat or any other business email compromise, please contact us at

Written by Abbey Mirelli from our Incident Response Team and our BEC specialist.

Share this article:

Sign up for our newsletter to get more industry news and insights.

Related Insights


BlackCat – The New Ransomware on the Block

Read more


Introducing…..Abbey Mirelli

Read more