A threat cluster with ties to a hacking group called Tropic Trooper has been spotted using a previously undocumented malware coded in Nim language to strike targets as part of a newly discovered campaign.

The novel loader, dubbed Nimbda, is "bundled with a Chinese language greyware 'SMS Bomber' tool that is most likely illegally distributed in the Chinese-speaking web," Israeli cybersecurity company Check Point said in a report.

"Whoever crafted the Nim loader took special care to give it the same executable icon as the SMS Bomber that it drops and executes," the researchers said. "Therefore the entire bundle works as a trojanized binary."

SMS Bomber, as the name indicates, allows a user to input a phone number (not their own) so as to flood the victim's device with messages and potentially render it unusable in what's a denial-of-service (DoS) attack.The retrieved binary is an upgraded version of a trojan named Yahoyah that's designed to collect information about local wireless networks in the victim machine's vicinity as well as other system metadata and exfiltrate the details back to a command-and-control (C2) server.

Yahoyah, for its part, also acts as a conduit to fetch the final-stage malware, which is downloaded in the form of an image from the C2 server. The steganographically-encoded payload is a backdoor known as TClient and has been deployed by the group in previous campaigns.

"The observed activity cluster paints a picture of a focused, determined actor with a clear goal in mind," the researchers concluded.

"Usually, when third-party benign (or benign-appearing) tools are hand-picked to be inserted into an infection chain, they are chosen to be the least conspicuous possible; the choice of an 'SMS Bomber' tool for this purpose is unsettling, and tells a whole story the moment one dares to extrapolate a motive and an intended victim."