General News

Microsoft Word Documents as Decoys in Delivering Nim-Language Backdoor Malware

A new phishing campaign uses Microsoft Word documents as bait to distribute a backdoor developed in the Nim programming language. Netskope researchers note that this poses a challenge because the security community is less familiar with uncommon languages such as Nim. Although Nim-based malware is rare, its use is gradually increasing, as seen in loaders such as NimzaLoader, Nimbda and IceXLoader, and in ransomware such as Dark Power and Kanti.

The attack begins with a phishing email, posing as being from a Nepali government official, that carries a Word document; once opened, the document prompts the user to enable macros, which triggers deployment of the Nim malware. The malware then checks the host for analysis tools and terminates itself if any are detected. Otherwise it connects to a remote server disguised as a Nepali government domain, such as that of the National Information Technology Center (NITC), and waits for further instructions. These command-and-control servers are currently inaccessible. Nim's cross-compilation feature is particularly advantageous for attackers, allowing them to target different platforms with a single malware variant.

This disclosure coincides with Cyble's report of a social-media-based social engineering campaign delivering the Python-based Editbot Stealer malware.

Phishing campaigns are also distributing known malware such as DarkGate and NetSupport RAT through email and compromised websites. Proofpoint reported more than 20 DarkGate malware campaigns from September to November 2023, after which the actors switched to NetSupport RAT. One notable attack used dual traffic delivery systems (TDSs) to exploit CVE-2023-36025, a severe Windows SmartScreen security bypass, even before Microsoft publicly disclosed it. DarkGate is known for stealing information and downloading additional malware, while NetSupport RAT, originally a legitimate tool, has evolved into a powerful weapon for remote system control.

Proofpoint's analysis reveals a variety of social engineering techniques and TDS tools employed by cybercriminals to deliver this malware. Furthermore, threat actors such as TA571 and TA577 have been using DarkGate alongside other malware such as AsyncRAT, IcedID, PikaBot and QakBot in extensive email campaigns, underscoring the diverse and evolving nature of these cyber threats.
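The backdoor above beacons to a server whose name imitates a Nepali government domain. One way a defender can surface that kind of traffic is to run outbound DNS logs against an allowlist of the organisation's real domains and flag lookalikes. The script below is an added example written for this page, not code from Netskope or from the campaign; the log lines, the allowlist (including the use of `nitc.gov.np`) and the public-suffix list are constructed for illustration, and no real indicators from the campaign are used.

```python
"""Flag DNS queries for hostnames that imitate a trusted organisation's domain.

Added example for this page. Every domain and log line below is constructed;
none of them is an indicator from the campaign described in the article.
"""
import difflib
import re
from collections import namedtuple

# Public suffixes that span two labels, so 'nitc.gov.np' is one registration
# while 'nitc-gov.np' is a different one (constructed, deliberately minimal list).
MULTI_LABEL_SUFFIXES = {"gov.np", "com.np", "co.uk"}

# Domains the organisation really uses (constructed allowlist; assumption).
LEGIT_DOMAINS = ["nitc.gov.np", "mail.nitc.gov.np"]

# Constructed DNS log lines in a simple key=value format.
SAMPLE_LOG = """\
2023-12-01T10:00:01Z src=10.0.0.5 query=mail.nitc.gov.np type=A
2023-12-01T10:00:02Z src=10.0.0.5 query=nitc-gov.np type=A
2023-12-01T10:00:03Z src=10.0.0.7 query=nitc.gov.np.example.com type=A
2023-12-01T10:00:04Z src=10.0.0.9 query=nltc.gov.np type=A
2023-12-01T10:00:05Z src=10.0.0.9 query=example.com type=A
2023-12-01T10:00:06Z src=10.0.0.5 query=google.com type=AAAA
"""

Finding = namedtuple("Finding", "query matched reason")
QUERY_RE = re.compile(r"\bquery=(\S+)")


def registrable_domain(host):
    """Registrable part of a hostname: 'nitc.gov.np', 'nitc-gov.np', 'example.com'."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def squash(name):
    """Drop dots and hyphens so 'nitc-gov.np' and 'nitc.gov.np' compare equal."""
    return re.sub(r"[^a-z0-9]", "", name.lower())


def classify(query, legit_domains):
    """Return a Finding when query imitates one of legit_domains, else None."""
    q_reg = registrable_domain(query)
    legit_regs = {registrable_domain(d) for d in legit_domains}
    if q_reg in legit_regs:
        return None  # genuinely inside a trusted registration
    q_org = q_reg.split(".")[0]
    for l_reg in sorted(legit_regs):
        l_org = l_reg.split(".")[0]
        # Trusted name copied into an untrusted registration, with punctuation
        # squashed: 'nitc-gov.np' or 'nitc.gov.np.example.com'.
        if squash(l_reg) in squash(query):
            return Finding(query, l_reg, "trusted domain embedded in untrusted registration")
        # Near-miss spelling of the organisation label: 'nltc' for 'nitc'.
        # Short labels are skipped because the ratio is noisy for them.
        if len(l_org) >= 4 and q_org != l_org:
            ratio = difflib.SequenceMatcher(None, q_org, l_org).ratio()
            if ratio >= 0.75:
                return Finding(query, l_reg, "near-miss spelling of organisation label")
    return None


def find_lookalikes(log_lines, legit_domains):
    """Scan log lines in order and return a Finding for each suspicious query."""
    findings = []
    for line in log_lines:
        m = QUERY_RE.search(line)
        if not m:
            continue
        f = classify(m.group(1), legit_domains)
        if f is not None:
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in find_lookalikes(SAMPLE_LOG.splitlines(), LEGIT_DOMAINS):
        print(f"{f.query:32} imitates {f.matched:14} ({f.reason})")
```

The two heuristics are intentionally loose: the squashed-substring check catches names that embed the trusted domain anywhere in the hostname, and the similarity check catches single-character swaps. Both will produce some false positives on unrelated domains, so the output is meant as a triage list for an analyst, not an automatic block list; tune the 0.75 threshold and the allowlist to the environment.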

Source