Hacker Group Magnet Goblin is Using One-Day Exploits to Install Nerbian RAT

One-day security vulnerabilities are being quickly adopted by Magnet Goblin, a financially driven threat actor, into its toolkit to opportunistically attack edge devices and public-facing services and implant malware on affected hosts.

Magnet Goblin is a threat actor organization known for its ability to quickly take advantage of freshly discovered vulnerabilities; it focuses mostly on edge devices and servers that are visible to the public. In certain instances, the exploits are released just one day after a [proof-of-concept] is released, thus escalating the danger this actor poses. stated Check Point.

The adversary has launched attacks using unpatched Magento, Qlik Sense, Ivanti Connect Secure VPN, and maybe Apache ActiveMQ servers as an initial infection vector to obtain unauthorized access. At least January 2022 is claimed to have seen activity from the group.

The deployment of a cross-platform Remote Access Trojan (RAT) known as Nerbian RAT, which was initially made public by Proofpoint in May 2022, along with its condensed version known as MiniNerbian, occurs after a successful exploitation. Darktrace previously brought attention to the use of the Linux version of Nerbian RAT.


Both strains can execute random commands that are sent from a Command-and-Control (C2) server and exfiltrate the data that is backed up to the server. Magnet Goblin also uses legal remote desktop services like AnyDesk and ScreenConnect, the Go-based tunneling program Ligolo, and the WARPWIRE JavaScript credential stealer.

Magnet Goblin has been quick to use 1-day vulnerabilities to distribute their proprietary Linux malware, Nerbian RAT, and MiniNerbian. Their campaigns seem to be driven by financial gain. Since those tools are primarily found on edge devices, they have functioned covertly. Threat actors have been targeting unsecured regions for some time, and this is part of their ongoing trend, according to the company.