The Nanobot backdoor updates its folder names, placing the files to exfiltrate inside the folder “F**theworld”, to avoid detection. The first stage contacts a Russian domain to find out the public IP address and geolocation. The second stage exfiltrates the collected data. Earlier samples communicated over HTTP, but since the release of the PTSecurity rules, they have moved to HTTPS and to a different domain.
Exposure of sensitive information