NanoCore RAT, which first appeared in 2013, is still actively used in 2020 for its highly functional and user-friendly interace. Around Feburary to March in 2020, NanoCore RAT was used in the malspam campaign on COVID-19. We managed to sinkhole the NanoCore C&C domain and have monitored the liveliness of NanoCore C&C servers. We also experimented luring NanoCore operators into our mimetic enterprise network and succeeded in monitoring the actual behavior of live NanoCore operators.