Mass PseudoManuscrypt campaign affects 35k computers in 2021 alone

Spyware targetting organizations in an untargeted wave of attacks

Full spyware capabilities similar to LazarusNew spyware discovered to already affect 35 000 devices.

New malware named PseudoManuscrypt targets industrial and government organizations, enterprises, the military-industrial complex, and research laboratories. The infection affected around 35 000 Windows OS-based machines this year alone.[1] The malware is similar to the well-known Lazarus APT[2] and Manuscrypt malware that is part of this APT group toolsets. Researchers state that the advanced persistent threat group managed to target devices in at least 195 different countries this year.[3]

During the period from January 20 to November 10, 2021, Kaspersky products blocked PseudoManuscrypt on more than 35,000 computers in 195 countries of the world.

The particular malware is characterized as the mass-scale spyware attack campaign because it managed to affect this huge number of targets even though the first intrusion was detected in January 2021. Kaspersky's research team noticed these activities that took place between January 20th and November 10th. At least 7.2 percent of these affected devices are part of ICS.

Fake pirated software installers used to download spyware

PseudoManuscrypt analysis and research showed that fake pirated software installers got used to spreading the malware when the packer and archives got downloaded on the particularly targeted machines. These fake installers are commonly used to spread various malware.

The particular campaign spreading the spyware used the fake file for ICS-specific software.[4] These applications are created for the development of the MODBUS Master Device to receive data from a PLC. Also installer for ofter software like key generators for SolarWinds tools, for network engineers and system administrators.

The malware-as-a-service platforms got used for the distribution of the particular fake installers delivering PseudoManuscrypt. Operators of various malicious campaigns could access these files on the platform. The research shows that malware samples found include major spyware capabilities.

Both module variants discovered are described as full tool kits for spying with these functionalities:

  • stealing VPN connection data;
  • logging keystrokes;
  • screengrabbing;
  • taking screen videos;
  • using the microphone to eavesdrop and record sound;
  • collect clipboard data;
  • steal OS log information;
  • stealing Remote Desktop Protocol authentication data.

Similarities to other major spyware

Such tools like Manuscyprt or NukeSped get used as vectors in various espionage campaigns. Lazarus APT group is famous for such attacks and major targets. February marked reports about spear-phishing[5] campaign related to Lazarus North Korean threat actors. During the attack, Manuscrypt-related ThreatNeedle malware was used to target particular defense companies.

Multiple analyses and searches for these PseudoManuscrypt malware versions revealed 100 versions. The earliest release of them dates back to march, and it seems that those speculations on what relations to other threat actor groups and malware are real. The threat showed that components got borrowed by other trojans like commodity malware Fabookie. Also, the KCP protocol library got employed by the Chinese APT41 group. For the particular procedure of sending data back to attackers' command-and-control servers.

Another discovery showed links to China further. Comments written in Chinese were found specifying Chinese as the perfect language when the connection to the c2 server was initiated. However, there is no particular proof or major clues to make assumptions or direct links to any group or attacker. Particular goals of the campaign are not clear too, so it is not determined if the purpose is financial gains or if the campaigns are state-backed.

About the author
Jake Doevan
Jake Doevan - Computer technology expert

Jake Doevan is one of News Editors for He graduated from the Washington and Jefferson College , Communication and Journalism studies.

Contact Jake Doevan
About the company Esolutions