Bangladesh e-Government Computer Incident Response Team (BGD e-GOV CIRT) has reported the detection of widespread malware activity linked to the Nymaim, or Avalanche-Nymaim, loader, indicating a significant number of potentially compromised systems across networks in Bangladesh.

In a recent advisory, the agency said it had identified more than 27,000 malware-related events within the country, based on threat monitoring and telemetry data. These events indicate that infected devices are trying to connect with known botnet control servers.

Legacy malware resurfaces in local networks

Nymaim, also known as the Gozi ISFB loader, is a multi-stage malware framework historically used to distribute a range of secondary threats, including banking trojans, ransomware and credential-stealing programmes. It has previously been associated with the Avalanche botnet, a large-scale cybercriminal ecosystem disrupted during the international Operation Avalanche.

Despite that disruption, CIRT says older infections and related activity are still being detected worldwide, including in Bangladesh. This suggests that some systems may still be infected or that new versions of the malware are spreading.

Evidence of compromised systems

CIRT found signs of malicious activity across at least 20 network providers. Infected systems were seen trying to communicate with known command servers, confirming that some devices in Bangladesh remain compromised.

The malware works in stages. After infecting a device, it can download additional harmful software. This allows attackers to change what the malware does over time, making it harder to detect. Nymaim is designed to steal sensitive information such as banking details, card data and system information. This data can be used for fraud, account hacking and identity theft.

According to CIRT, sectors such as banking, government, retail and healthcare are often targeted, though ordinary users may also be affected.

[Figure: Detected Nymaim/Avalanche-Nymaim malware communications from Bangladeshi IP addresses. Image: CIRT]

The malware usually spreads through malicious ads, infected email attachments and compromised websites. In some cases, users can become infected simply by visiting a harmful webpage.
Once inside a system, it hides itself by modifying system settings and placing files in common folders. It also uses techniques to avoid detection by security software.

Monitoring and response measures

CIRT has advised organisations to strengthen network monitoring, particularly for unusual outbound connections, suspicious domain activity and unauthorised executable files. It also recommended blocking known malicious domains and IP addresses, deploying endpoint detection tools and conducting regular forensic analysis of systems.
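The monitoring advice above (watch for unusual outbound connections and suspicious domains, block known-bad destinations) can be turned into a simple check over existing proxy or firewall logs. The script below is an added example, not code from CIRT or the advisory: it parses a constructed log excerpt, matches destinations against a blocklist, and flags internal hosts that contact the same external address at a near-constant interval, the machine-like "beaconing" that loader infections typically produce in telemetry. The log format, blocklist entries, domains and IP addresses are all placeholders (RFC 5737 documentation ranges and `.invalid`/`.example` names), not indicators from the advisory.

```python
"""
Added example (not part of the CIRT advisory): an outbound-connection
monitor that applies two of the recommended checks to log lines:
  1. blocklist matching of destination domains and IPs, and
  2. beaconing detection (repeated connections at a steady interval).
Every log line, blocklist entry, IP and domain here is a constructed
placeholder, not a real indicator.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed blocklist; in practice this is fed from the agency's published
# indicators or a threat-intelligence feed.
BLOCKED_DOMAINS = {"c2-example.invalid"}
BLOCKED_IPS = {"203.0.113.77"}  # RFC 5737 documentation range, placeholder

# Constructed log excerpt: "timestamp src_ip dst_host dst_ip bytes".
SAMPLE_LOG = """\
2024-05-01T10:00:00 10.0.0.5 updates.example.org 198.51.100.10 8421
2024-05-01T10:00:02 10.0.0.8 c2-example.invalid 203.0.113.77 512
2024-05-01T10:00:30 10.0.0.9 cdn.example.net 198.51.100.20 120044
2024-05-01T10:05:02 10.0.0.8 c2-example.invalid 203.0.113.77 498
2024-05-01T10:07:00 10.0.0.5 mail.example.org 198.51.100.30 2048
2024-05-01T10:10:01 10.0.0.8 c2-example.invalid 203.0.113.77 530
2024-05-01T10:15:03 10.0.0.8 c2-example.invalid 203.0.113.77 505
2024-05-01T10:20:00 10.0.0.12 beacon-host.example 198.51.100.40 300
2024-05-01T10:25:00 10.0.0.12 beacon-host.example 198.51.100.40 300
2024-05-01T10:30:00 10.0.0.12 beacon-host.example 198.51.100.40 300
2024-05-01T10:35:00 10.0.0.12 beacon-host.example 198.51.100.40 300
"""


def parse_log(text):
    """Parse the constructed log format into dicts; skip blank or malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, src, host, dst, size = parts
        events.append({
            "ts": datetime.fromisoformat(ts),
            "src": src,
            "host": host.lower(),
            "dst": dst,
            "bytes": int(size),
        })
    return events


def blocklist_hits(events):
    """Return (src, host, dst) for every event touching a blocked domain or IP."""
    return [
        (e["src"], e["host"], e["dst"])
        for e in events
        if e["host"] in BLOCKED_DOMAINS or e["dst"] in BLOCKED_IPS
    ]


def beaconing_pairs(events, min_connections=4, max_jitter_ratio=0.1):
    """Flag (src, dst) pairs that reconnect at a near-constant interval.

    Jitter is stdev/mean of the gaps between consecutive connections; a low
    ratio means scheduled, machine-like traffic rather than human browsing.
    Returns {(src, dst): mean_interval_seconds} for flagged pairs.
    """
    by_pair = defaultdict(list)
    for e in events:
        by_pair[(e["src"], e["dst"])].append(e["ts"])
    flagged = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_connections:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter_ratio:
            flagged[pair] = round(avg)
    return flagged


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for hit in blocklist_hits(evs):
        print("BLOCKLIST HIT:", hit)
    for (src, dst), interval in beaconing_pairs(evs).items():
        print(f"BEACON-LIKE: {src} -> {dst} every ~{interval}s")
```

Two things the sample shows that a blocklist alone does not: host 10.0.0.8 is caught both ways, while 10.0.0.12 talks to a destination on no list yet is still flagged because its five-minute cadence is too regular for a person. The jitter threshold is deliberately loose; tune `min_connections` and `max_jitter_ratio` against your own baseline, and treat a beaconing hit as a lead for the forensic analysis the advisory recommends, not as proof of infection.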

In cases where infection is suspected, organisations are urged to isolate affected devices, reset compromised credentials and restore systems from secure backups. The agency has encouraged reporting of suspected incidents to its official contact channels as part of broader efforts to contain potential threats.
