{
	"id": "9add9087-e0ab-44f9-9a46-72ffc403de82",
	"created_at": "2026-04-06T00:12:32.440104Z",
	"updated_at": "2026-04-10T13:11:22.006216Z",
	"deleted_at": null,
	"sha1_hash": "629b67f5b259dd2eb0995050658755ddcf8bd3d4",
	"title": "PseudoManuscrypt: a mass-scale spyware attack campaign | Kaspersky ICS CERT EN",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 952492,
	"plain_text": "PseudoManuscrypt: a mass-scale spyware attack campaign |\r\nKaspersky ICS CERT EN\r\nBy Kaspersky ICS CERT Team\r\nPublished: 2021-12-16 · Archived: 2026-04-05 22:38:15 UTC\r\nTechnical details\r\nIdentifying the loader. General information\r\nSystem infection\r\nExecution flow\r\nVariant 1.\r\nVariant 2.\r\nSearching for other components of the malware\r\nMain component of the malware\r\nInstallation\r\nDestructive activity, version 1\r\nDestructive activity, version 2\r\nSending data to the threat actor\r\nVictims\r\nAbout the attackers\r\nConclusion\r\nRecommendations\r\nIndicators of compromise (IOC)\r\nChecksums (MD5)\r\nFile paths\r\nSecurity solution verdicts\r\nURL addresses\r\nIn June 2021, Kaspersky ICS CERT experts identified malware whose loader has some similarities to the\r\nManuscrypt malware, which is part of the Lazarus APT group’s arsenal. In 2020, the group used Manuscrypt in\r\nattacks on defense enterprises in different countries. These attacks are described in the report “Lazarus targets\r\ndefense industry with ThreatNeedle”.\r\nCuriously, the data exfiltration channel of the malware uses an implementation of the KCP protocol that has\r\npreviously been seen in the wild only as part of the APT41 group’s toolset.\r\nWe dubbed the newly-identified malware PseudoManuscrypt.\r\nThe PseudoManuscrypt loader makes its way onto user systems via a MaaS platform that distributes malware in\r\npirated software installer archives. One specific case of the PseudoManuscrypt downloader’s distribution is its\r\ninstallation via the Glupteba botnet (whose main installer is also distributed via the pirated software installer\r\nhttps://ics-cert.kaspersky.com/publications/reports/2021/12/16/pseudomanuscrypt-a-mass-scale-spyware-attack-campaign/\r\nPage 1 of 18\n\ndistribution platform). 
This means that the malware distribution tactics used by the threat actor behind\r\nPseudoManuscrypt demonstrate no particular targeting.\r\nDuring the period from January 20 to November 10, 2021, Kaspersky products blocked PseudoManuscrypt on\r\nmore than 35,000 computers in 195 countries of the world. Such a large number of attacked systems is not\r\ncharacteristic of the Lazarus group or APT attacks as a whole.\r\nTargets of PseudoManuscrypt attacks include a significant number of industrial and government organizations,\r\nincluding enterprises in the military-industrial complex and research laboratories.\r\nAccording to our telemetry, at least 7.2% of all computers attacked by the PseudoManuscrypt malware are part of\r\nindustrial control systems (ICS) used by organizations in various industries, including Engineering, Building\r\nAutomation, Energy, Manufacturing, Construction, Utilities, and Water Management.\r\nThe main PseudoManuscrypt module has extensive and varied spying functionality. It includes stealing VPN\r\nconnection data, logging keypresses, capturing screenshots and videos of the screen, recording sound with the\r\nmicrophone, stealing clipboard data and operating system event log data (which also makes stealing RDP\r\nauthentication data possible), and much more. Essentially, the functionality of PseudoManuscrypt provides the\r\nattackers with virtually full control of the infected system.\r\nThe full report is available on the Kaspersky Threat Intelligence portal.\r\nFor more information please contact: ics-cert@kaspersky.com.\r\nTechnical details\r\nIdentifying the loader. General information\r\nIn June 2021, Kaspersky ICS CERT experts uncovered a series of attacks targeting organizations across the globe,\r\nincluding government organizations and industrial enterprises.\r\nInitially, the malware was detected when it triggered antivirus solutions’ detection logic designed to detect the\r\nactivity of the Lazarus APT. 
However, the overall picture of what was going on was too unusual to link the\r\nmalicious activity to Lazarus. Specifically, the newly-identified malware had attacked at least 35,000 systems,\r\nwhich is uncharacteristic of a targeted attack.\r\nResearch has revealed that the malware used in the attack loads its payload from the system registry and decrypts\r\nit. The payload’s location in the registry is unique for each infected system.\r\nThe newly-identified malware loader has some similarities to the loader used by the Manuscrypt malware, which\r\nwas used by the Lazarus group in 2020 to attack defense enterprises in different countries. (More detailed\r\ninformation on the attack can be found in the following report: “Lazarus Targets Defense Industry with\r\nThreatNeedle”.)\r\nBoth malicious programs load a payload from the system registry and decrypt it; in both cases, a special value in\r\nthe CLSID format is used to determine the payload’s location in the registry. The executable files of both\r\nmalicious programs have virtually identical export tables:\r\nComparison of the two malicious programs’ export tables\r\nIn addition, the two malicious programs use similar executable file naming formats:\r\nExecutable file names\r\nTo emphasize the similarity of the newly-identified malware with Manuscrypt, while at the same time there was\r\nnothing else to link it to the Lazarus group, we decided to dub the Trojan PseudoManuscrypt.\r\nSystem infection\r\nThe PseudoManuscrypt loader makes its way onto a user system via complicated chains of numerous other\r\nmalicious files’ installations and the creation of many different processes. These chains are diverse, but they all\r\nbegin with fake pirated software installer archives. 
Examples of archive names, which contain references to\r\nsoftware of diverse types and purposes, are provided below:\r\nmicrosoft_office_365_july_keygen_by_keygensumo.zip\r\nwindows_10_pro_full_keygen_by_keygensumo.zip\r\nadobe_acrobat_v8_0_keygen_by_keygensumo.zip\r\ngarmin_1_serial_keygen.zip\r\ncall_of_duty_black_ops_keygen_by_keygensumo.zip\r\nkaspersky_antivirus_keys_july_keygen_by_keygensumo\r\nsolarwinds_broadband_engineers_keymaker.zip\r\nmodscan32_v8_a00_crack.zip\r\nIt is worth noting that these archives include fake installers of ICS-specific software, such as an application\r\ndesigned to create a MODBUS Master Device to receive data from a PLC, as well as more general-purpose\r\nsoftware, which is nevertheless used on OT networks, such as a key generator for a SolarWinds tool for network\r\nengineers and systems administrators.\r\nMalicious web pages with installers in search-engine results\r\nResources used to distribute such installers can be found in top positions on search engine results pages. 
This\r\nindicates that the attackers are actively performing search-engine optimization for these resources.\r\nExecution flow\r\nThere are numerous possible variants of the execution flow of a sequence of different malicious programs leading\r\nto PseudoManuscrypt installation.\r\nIn addition to the file analyzed in this paper, malware installers download and execute numerous other malicious\r\nprograms, including spyware, backdoors, cryptocurrency miners, and adware.\r\nAt each stage, we detected a large number of different droppers installed and modules downloaded, with the data\r\ntheft functionality duplicated in different modules and with each module using its own command-and-control\r\nservers. This could indicate that the installers are offered by threat actors via a MaaS platform, possibly to many\r\noperators of different malicious campaigns, one of which is apparently the PseudoManuscrypt distribution\r\ncampaign.\r\nThe examples and graph fragments shown below illustrate the process chains leading to PseudoManuscrypt\r\ninstallation.\r\nVariant 1.\r\nExecution flow, variant 1\r\nIn the first variant:\r\nthe file key.bat is extracted from a fake installer,\r\nkey.bat executes Keygen-step-4.exe (e41826b342686c7f879474c49c7eed98),\r\nKeygen-step-4.exe installs and executes flash player.exe (2aab0ec738374db4e872812a84a0bc11),\r\nflash player.exe installs and executes 2.exe (8b9f6b0c98c0afdd75c2322f1ca4d0e8).\r\nThe file 2.exe uses the link hxxps://google[.]diragame[.]com/userf/3002/gogonami.exe to download the main\r\nPseudoManuscrypt module – game.exe (0001759655eacb4e57bdf5e49c6e7585).\r\nVariant 2.\r\nExecution flow, variant 2\r\nIn the second variant:\r\nthe file main_setup_x86x64.exe 
(1fecb6eb98e8ee72bb5f006dd79c6f2f) is extracted from a fake installer,\r\nmain_setup_x86x64.exe installs and executes setup_installer.exe (5de2818ced29a1fedb9b24c1044ebd45),\r\nsetup_installer.exe installs and executes setup_install.exe (58efaf6fa04a8d7201ab19170785ce85).\r\nsetup_install.exe installs and executes the file metina_8.exe (839e9e4d6289eba53e40916283f73ca6).\r\nThe file metina_8.exe extracts and executes PseudoManuscrypt – crack.exe\r\n(89c8e5a1e24f05ede53b1cab721c53d8).\r\nThis variant involves the Glupteba infrastructure and malware installers (such as setup_installer.exe). The\r\nGlupteba botnet has been known to researchers since 2011. It is a multi-module platform that has at different times\r\ndownloaded adware, spyware, cryptocurrency miners, ransomware, spam modules, and other software\r\ntraditionally associated with cybercriminal activities. The Glupteba platform is quite complicated and includes\r\nnumerous different modules, such as exploits for various vulnerabilities, including exploits for routers, as well as\r\nrootkits. 
This is why rootkits, modules of the EternalBlue exploit, and other Glupteba modules are found on\r\ncomputers infected with PseudoManuscrypt via the Glupteba botnet.\r\nIn another variant, which was described by BitDefender, a PseudoManuscrypt installer\r\n(8acd95006ac6d1eabf37683d7ce31052) was downloaded using the link\r\nhxxps://jom[.]diregame[.]live/userf/2201/google-game.exe – according to our telemetry, at least on May 17, 2021.\r\nIt is worth noting that at different times the link could be used to download malware from different families.\r\nSearching for other components of the malware\r\nIn the course of searching for other components and versions of the malware, we were able to find over 100\r\ndifferent versions of the PseudoManuscrypt loader.\r\nAccording to our telemetry data, the mass distribution of the loader variant described in this paper began on May\r\n10, 2021. However, its early variants were first identified on March 27, 2021, long before the attack started.\r\nMost of the files identified in March were ‘test builds’. The developer removed parts of the malicious program’s\r\ncode one after another, apparently trying to find out which parts of the code trigger detection by antivirus\r\nsolutions.\r\nAround the same time, the developer of the malware added dynamic import of the VirtualAlloc function. The\r\nfunction is used to allocate the memory needed to store the payload, which is loaded from the system registry.\r\nCuriously, some test builds of the loader contained comments in the executable file’s metadata fields. 
These\r\ncomments were written in Chinese, which indicates that the malware developer may speak and write Chinese:\r\nMetadata in the executable file of the malware\r\nMain component of the malware\r\nFinally, we were able to identify the main module of PseudoManuscrypt, whose functionality includes installing\r\nthe malware on the system and which contains a payload that gives us an idea of the types of data that are of\r\ninterest to the threat actor.\r\nInstallation\r\nThe main module of the malware writes its code to a special registry value in the\r\nHKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID key. The value name (CLSID value) is unique for each\r\nsystem, since it is generated using the registry key\r\nHKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\MachineGuid, which contains the system’s\r\nunique identifier. The malicious program’s code is stored in the system registry in encrypted form.\r\nNext, the malware extracts, to the %TEMP% folder or the %WinDir% folder (depending on the malware\r\nmodification), the loader component, which is a DLL library and has a random file name in the [0-Z]{10}.tmp\r\nformat, e.g., I59RFRLY9J.tmp.\r\nTo ensure that the payload is automatically executed after system startup, the Trojan creates a service, which has\r\nthe loader component as its executable file. In the earliest malware samples found, the service created by the\r\nmalware had the name AppService.\r\nFinally, the malware adds itself to the exclusions list of the Windows Defender antivirus solution by modifying the\r\nregistry key HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths.\r\nAfter this and, subsequently, after system restarts, the malware loader is executed. 
Using the value of the\r\nMachineGuid key to determine the location of the payload in the system registry, the loader loads, decrypts and\r\nexecutes the main component of the malware.\r\nMalware installation and execution\r\nDestructive activity, version 1\r\nThe first variant of the PseudoManuscrypt main module to be identified includes several modules which have the\r\ncommon goal of stealing confidential information from the victim’s computer.\r\n1. Keylogger. Enables the malware to intercept the codes of keys pressed by the user on the keyboard. In\r\naddition to the key codes, the malware also records the name of the application window in which the data\r\nwas entered, as well as the date and time when the information was entered. The threat actor borrowed this\r\nmalicious component from other malware – Fabookie (Trojan.Win32.Fabookie), which has several\r\nmodules for stealing authentication credentials for various services and websites.\r\nThe authors of PseudoManuscrypt borrowed only the keylogger module from Fabookie, ignoring the\r\nmodules designed for monetizing the attack in the quickest possible way, e.g., the module for stealing bank\r\ndetails from web pages. This offers an insight, albeit indirect, into the goals of the attack.\r\n2. Stealing data from the clipboard. Enables the attackers to intercept information copied by the user who\r\nworks on an infected system.\r\n3. Stealing VPN connection data. 
The malware gets the contents of the Windows service files used to store\r\ndata on VPN connections configured on the infected system:\r\n%UserProfile%\\Application Data\\Microsoft\\Network\\Connections\\pbk\\rasphone.pbk\r\n%ProgramData%\\Microsoft\\Network\\Connections\\pbk\\rasphone.pbk\r\nThe Trojan attempts to extract the following data from the above files:\r\nAddress of the server to which to connect\r\nLogin and password, if they have been saved\r\nIt is worth emphasizing the fact that different components of the malware operate at the same time,\r\nproviding the attackers with information from different sources. The attackers can combine that\r\ninformation and use all of it together.\r\nFor example, the malware can get the VPN server address saved in connection parameters from the file\r\nrasphone.pbk. At the same time, the login and password required to connect can be intercepted by the\r\nkeylogger module. If the user copies the connection parameters using the clipboard, the data will be\r\nintercepted by the relevant module of the malware.\r\n4. In addition to stealing VPN connection data, PseudoManuscrypt functionality includes reading Windows\r\nApplication, System, and Security event logs. It cannot be said for sure what the threat actor uses the data\r\nfrom operating system log files for, but, in theory, it can be used (in conjunction with other bits of the\r\nPseudoManuscrypt functionality) to steal authentication data for RDP. This looks quite reasonable since the\r\nmalware has VPN credential-stealing capabilities.\r\n5. Recording sound from microphones connected to an infected system. This feature is activated upon\r\ncommand from the malware command-and-control server.\r\nDestructive activity, version 2\r\nA second variant of the malware was discovered in July 2021. The threat actor had added extended spying\r\nfunctionality to that variant. The following modules were added:\r\n1. Capturing videos from the computer’s screen. 
This feature works in conjunction with other modules\r\ndesigned to intercept information, such as the keylogger and the module that steals data from the clipboard.\r\nCapturing screen videos enables the attackers to see which fields the user filled in and in which windows,\r\nas well as to follow the cursor’s movement and see on what areas the user clicked with the mouse. The\r\nmodule’s features that are worth mentioning include transparent window support (the aero peek\r\ntechnology) and video compression using the GNU GPL XviD 1.3.0 codec.\r\n2. Stealing authentication credentials from QQ and WeChat messaging applications, which are popular in\r\nAsia.\r\n3. Collecting detailed system information: Windows version, build number, Service Pack, information on\r\ninstalled updates and the Windows edition, as well as the system’s role, e.g., whether the system performs\r\nthe domain controller function.\r\n4. Collecting network connection data. The malware collects the names of network adapters, as well as\r\nconnection type information (wired connection, Wi-Fi, fiber-optic connection, etc.).\r\n5. Disabling antivirus solutions. 
The malware attempts to gain the SeDebugPrivilege privileges and terminate\r\nthe following processes of security solutions:\r\nsepWscSvc.exe\r\nHipsTray.exe\r\nUnThreat.exe\r\nDF5Serve.exe\r\nDefenderDaemon.exe\r\nPowerRemind.exe\r\nSafeDogSiteIIS.exe\r\nSafeDogTray.exe\r\nSPIDer.exe\r\nf-secure.exe\r\navgwdsvc.exe\r\nBaiduSdSvc.exe\r\nServUDaemon.exe\r\n1433.exe\r\nvsserv.exe\r\nremupd.exe\r\nPSafeSysTray.exe\r\nAliIM.exe\r\nmssecess.exe\r\nMsMpEng.exe\r\nQUICK HEAL\r\nQUHLPSVC.EXE\r\nV3Svc.exe\r\npatray.exe\r\nAYAgent.aye\r\nMiner.exe\r\nTMBMSRV.exe\r\nknsdtray.exe\r\nK7TSecurity.exe\r\nQQPCTray.exe\r\nksafe.exe\r\nrtvscan.exe\r\nashDisp.exe\r\navcenter.exe\r\nkxetray.exe\r\negui.exe\r\nMcshield.exe\r\nRavMonD.exe\r\nKvMonXP.exe\r\n360sd.exe\r\n360tray.exe\r\nDR.WEB\r\ncfp.exe\r\nDUB.exe\r\navp.exe\r\nThe malware also deletes registry keys for services belonging to security solutions whose names include\r\nthe following substrings:\r\nSymantec\r\nUnThreat\r\nDefender\r\nPowerShadow\r\nQuickHeal\r\nF-Secure\r\nBitDefender\r\nWindows Defender\r\n1433\r\nNOD32\r\n6. Collecting information on processes that accept network connections on TCP and UDP ports.\r\n7. One of the PseudoManuscrypt functions removes a file named “TestDown”, which is located in the same\r\nfolder as the malicious program, then it clears the URL address htt[p]://sw.bos.baidu.com/sw-search-sp/software/df60f52e0e897/qqpcmgr_12.7.18996.207_1328_0.exe from the browser’s cache, downloads a\r\nfile from the above URL address again to replace the deleted file “TestDown” and sets the newly created\r\nfile’s attributes to “hidden” and “system”.\r\n8. Clearing Windows Application, Security, and System event logs.\r\n9. 
Writing data received from the malware command-and-control server to the system file\r\n%System32%\\drivers\\etc\\hosts, thereby enabling the attackers to redirect the user to malicious web\r\nresources or block access to selected sites.\r\n10. Exchanging text messages between the command-and-control server and the malware. The malware can\r\nopen a window with a chat of sorts.\r\nThe service of the new PseudoManuscrypt version is installed in the system under the name “iexplore” and\r\nhas the display name “System Remote Data Simulation Layeerr”. The new malware version’s feature set\r\nalso includes updating its executable file and removing itself from the system upon command from the\r\nmalware command-and-control server.\r\nCuriously, one of the malware samples uses the IP address 192.168.1.2 as a proxy server. This could\r\nindicate that in some cases the attackers prepare a malware sample based on the specific network\r\narchitecture used by the victim.\r\nIn the new version of PseudoManuscrypt, the threat actor has also added the functionality of writing the\r\ncodes of keys pressed by the user to a local log file:\r\n%System32%\\9cda11af69ab0a2b6a9167f7131e7b93.key.\r\nFinally, the new version of the Trojan sends the following HTTP headers when connecting to the malware\r\ncommand-and-control server:\r\nHTTP/1.1\r\nAccept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, ap\r\nAccept-Language: zh-cn\r\nAccept-Encoding: gzip, deflate\r\nUser-Agent:Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)\r\nConnection: Close\r\nCache-Control: no-cache\r\nIt can be seen that the malware tells the server that the preferred language of the reply is Chinese.\r\nSending data to the threat actor\r\nData collected by the malware is sent to the malware command-and-control server. 
In the course of our research,\r\nfour such servers were identified: email.yg9[.]me, google.vrthcobj[.]com, toa.mygametoa[.]com and\r\ntob.mygametob[.]com.\r\nThe KCP protocol is used to connect to the server. According to its developers, the protocol is 10%-20% faster\r\nthan TCP. The threat actor used a specific implementation of the KCP protocol.\r\nCuriously, according to a FireEye report, the KCP library used by PseudoManuscrypt malware had been used by\r\nthe APT41 group in its attacks on industrial organizations from various industries, including engineering and\r\ndefense industry enterprises. An analysis of malware collections that we were able to access yielded no instances\r\nof that library being used in malware other than the two cases mentioned above.\r\nSome of the malware samples identified also use a dedicated server, d.diragame.com, to send information on new\r\nsystem infections. We believe that this could be a MaaS platform’s statistics collection mechanism.\r\nVictims\r\nDuring the period from January 20 to November 10, 2021, Kaspersky products blocked PseudoManuscrypt on\r\nmore than 35,000 computers in 195 countries of the world.\r\nThe graph below shows day-to-day changes in the number of computers on which PseudoManuscrypt was\r\nblocked. 
The two obvious surges on the graph – on March 27 and May 15 – correspond to the dates of release /\r\ndistribution start of new PseudoManuscrypt versions.\r\nNumber of systems on which PseudoManuscrypt was detected, by day\r\nAt least 7.2% of all computers on which PseudoManuscrypt was blocked are ICS computers.\r\nShare of industrial systems in the overall set of computers attacked by PseudoManuscrypt\r\nAs shown in the diagram below, nearly a third (29.4%) of non-ICS computers are located in Russia (10.1%), India\r\n(10%), and Brazil (9.3%).\r\nPercentage of non-ICS computers attacked by PseudoManuscrypt in different countries\r\nThe distribution of non-ICS computers attacked by PseudoManuscrypt by country is similar to that for ICS\r\ncomputers. However, some countries, most of which are located in Asia and the Middle East, show significantly\r\nhigher percentages (by factors of 1.5 – 2) in the country ranking for ICS computers attacked than in the country\r\nranking for non-ICS computers attacked.\r\nPercentage of ICS computers attacked by PseudoManuscrypt, by country\r\nA significant proportion (31.5%) of industrial systems on which PseudoManuscrypt was blocked are apparently\r\nused for engineering, i.e., developing and launching the production of various industrial products, as well as for\r\nICS development and integration – in different industries, including the defense and energy industries. 
This\r\nincludes computers used for 3D modeling and physical simulations, as well as computers that have software for\r\ncreating ‘digital twins’ installed on them.\r\nIn addition, about 12.5% of computers on which PseudoManuscrypt was blocked belong to building automation\r\nsystems (including video surveillance, access control systems, notification systems, etc.), 1.8% in the energy\r\nsector, 2.1% in various manufacturing facilities, 0.7% in construction (structural engineering), 0.1% in public\r\nutility computers and 0.1% on computers used in water treatment systems.\r\nAbout 51.2% of industrial computers on which PseudoManuscrypt was blocked are general-purpose ICS, which\r\nwe cannot link to a specific industry with sufficient confidence.\r\nDistribution of industrial systems attacked by PseudoManuscrypt by industry\r\nIt was established in the course of the research that attack victims include, among others, enterprises connected\r\nwith the military-industrial complex (such as research labs).\r\nAnother curious fact is that, judging by information from public sources, some of the organizations attacked by\r\nPseudoManuscrypt have business and production ties with organizations that fell victim to the attack described in\r\nthe following Kaspersky report: “Lazarus Targets Defense Industry with ThreatNeedle”.\r\nAbout the attackers\r\nA set of clues we have found may potentially point at the origin of the adversary or its ties:\r\n1. Some malware samples contain comments in Chinese in executable file metadata.\r\n2. Data is sent to the attackers’ server using a library that has previously been used only in malware of the\r\nChinese group APT41.\r\n3. When connecting to the command-and-control server, the malware specifies Chinese as the preferred\r\nlanguage.\r\n4. The malicious file contains code for connecting to Baidu, a popular Chinese cloud storage for files.\r\n5. 
The time of day at which new versions of the PseudoManuscrypt loader were uploaded by the developer\r\nfalls within the 11 am to 7 pm interval in the GMT+8 time zone, in which several East Asian and Asia-Pacific countries are located.\r\nThreat actor malware testing activity times\r\nConclusion\r\nDespite collecting and analyzing a large amount of data, it seems to us that many of our findings remain\r\nunexplained and do not fit any known schemes.\r\nThus, we cannot say for certain whether the campaign is pursuing criminal mercenary goals or goals correlating\r\nwith some governments’ interests. Nevertheless, the fact that attacked systems include computers of high-profile\r\norganizations in different countries makes us assess the threat level as high.\r\nThe number of attacked systems is large and we see no clear focus on specific industrial organizations. 
However,\r\nthe fact that a large number of ICS computers across the globe (many hundreds according to our telemetry alone –\r\nand in reality very likely to be much more) have been attacked in this campaign certainly makes it a threat that\r\nmerits the very closest attention of specialists responsible for the security and safety of shop-floor systems and\r\ntheir continuous operation.\r\nThe large number of engineering computers attacked, including systems used for 3D and physical modeling, the\r\ndevelopment and use of digital twins raises the issue of industrial espionage as one of the possible objectives of\r\nthe campaign.\r\nWe are not wrapping up our investigation as yet and will release information on new findings as they appear.\r\nIf you have any questions or comments after reading this report or if you have any additional information that is\r\nrelevant to the malicious campaign described in it, please do not hesitate to get in touch with us by sending an\r\nemail to ics-cert@kaspersky.com.\r\nRecommendations\r\n1. Install endpoint protection software on all servers and workstations, be sure to enable centralized security\r\npolicy management for it (with no administration rights assigned to the end-user), and ensure that the\r\ndatabases and program modules of the security solution are kept up-to-date.\r\n2. Check that all endpoint protection components are enabled on all systems and that a policy is in place\r\nwhich requires the administrator password to be entered in the event of attempts to disable protection.\r\n3. Check that Active Directory policies include restrictions on user attempts to log in to systems. Users should\r\nonly be allowed to log in to those systems which they need to access to perform their job responsibilities.\r\n4. 
Restrict network connections, including VPN, between systems on the OT network; block connections on\r\nall those ports the use of which is not required for the continuity and safety of operations.\r\n5. Use smart cards (tokens) or one-time codes as the second authentication factor when establishing a VPN\r\nconnection. In cases where this is applicable, use the Access Control List (ACL) technology to restrict the\r\nlist of IP addresses from which a VPN connection can be initiated.\r\n6. Train employees of the enterprise in working with the internet, email and other communication channels\r\nsecurely and, specifically, explain the possible consequences of downloading and executing files from\r\nunverified sources.\r\n7. Use accounts with local administrator and domain administrator privileges only when this is necessary to\r\nperform the job responsibilities.\r\n8. Restrict the ability of programs to gain SeDebugPrivilege privileges (where possible).\r\n9. Enforce a password policy that has password complexity requirements and requires passwords to be\r\nchanged on a regular basis.\r\n10. Consider using Managed Detection and Response class services to gain quick access to high-level\r\nknowledge and expertise of security professionals.\r\n11. Use dedicated protection for shop-floor systems. Kaspersky Industrial CyberSecurity protects industrial\r\nendpoints and enables OT network monitoring to identify and block malicious activity.\r\nIndicators of compromise (IOC)\r\nChecksums (MD5)\r\nIn this section, we list MD5 hashes of those files which we believe were used in the attack but not those of test\r\nmalware samples.\r\nFile paths\r\n%WinDir%\\System32\\[0-Z]{10}.tmp e.g. I59RFRLY9J.tmp\r\n%TEMP%\\[0-Z]{10}.tmp e.g. 
I59RFRLY9J.tmp\r\nhttps://ics-cert.kaspersky.com/publications/reports/2021/12/16/pseudomanuscrypt-a-mass-scale-spyware-attack-campaign/\r\nPage 17 of 18\n\n%WinDir%\\System32\\9cda11af69ab0a2b6a9167f7131e7b93.key\r\nSecurity solution verdicts\r\nTrojan.Win64.Manuscrypt.do\r\nURL addresses\r\nhxxp://email.yg9[.]me\r\nhxxp://google.vrthcobj[.]com\r\nhxxp://d.diragame[.]com\r\ntoa.mygametoa[.]com\r\ntob.mygametob[.]com\r\nSource: https://ics-cert.kaspersky.com/publications/reports/2021/12/16/pseudomanuscrypt-a-mass-scale-spyware-attack-campaign/\r\nhttps://ics-cert.kaspersky.com/publications/reports/2021/12/16/pseudomanuscrypt-a-mass-scale-spyware-attack-campaign/\r\nPage 18 of 18",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://ics-cert.kaspersky.com/publications/reports/2021/12/16/pseudomanuscrypt-a-mass-scale-spyware-attack-campaign/"
	],
	"report_names": [
		"pseudomanuscrypt-a-mass-scale-spyware-attack-campaign"
	],
	"threat_actors": [
		{
			"id": "34eea331-d052-4096-ae03-a22f1d090bd4",
			"created_at": "2025-08-07T02:03:25.073494Z",
			"updated_at": "2026-04-10T02:00:03.709243Z",
			"deleted_at": null,
			"main_name": "NICKEL ACADEMY",
			"aliases": [
				"ATK3 ",
				"Black Artemis ",
				"COVELLITE ",
				"CTG-2460 ",
				"Citrine Sleet ",
				"Diamond Sleet ",
				"Guardians of Peace",
				"HIDDEN COBRA ",
				"High Anonymous",
				"Labyrinth Chollima ",
				"Lazarus Group ",
				"NNPT Group",
				"New Romanic Cyber Army Team",
				"Temp.Hermit ",
				"UNC577 ",
				"Who Am I?",
				"Whois Team",
				"ZINC "
			],
			"source_name": "Secureworks:NICKEL ACADEMY",
			"tools": [
				"Destover",
				"KorHigh",
				"Volgmer"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "4d5f939b-aea9-4a0e-8bff-003079a261ea",
			"created_at": "2023-01-06T13:46:39.04841Z",
			"updated_at": "2026-04-10T02:00:03.196806Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"WICKED PANDA",
				"BRONZE EXPORT",
				"Brass Typhoon",
				"TG-2633",
				"Leopard Typhoon",
				"G0096",
				"Grayfly",
				"BARIUM",
				"BRONZE ATLAS",
				"Red Kelpie",
				"G0044",
				"Earth Baku",
				"TA415",
				"WICKED SPIDER",
				"HOODOO",
				"Winnti",
				"Double Dragon"
			],
			"source_name": "MISPGALAXY:APT41",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e698860d-57e8-4780-b7c3-41e5a8314ec0",
			"created_at": "2022-10-25T15:50:23.287929Z",
			"updated_at": "2026-04-10T02:00:05.329769Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"APT41",
				"Wicked Panda",
				"Brass Typhoon",
				"BARIUM"
			],
			"source_name": "MITRE:APT41",
			"tools": [
				"ASPXSpy",
				"BITSAdmin",
				"PlugX",
				"Impacket",
				"gh0st RAT",
				"netstat",
				"PowerSploit",
				"ZxShell",
				"KEYPLUG",
				"LightSpy",
				"ipconfig",
				"sqlmap",
				"China Chopper",
				"ShadowPad",
				"MESSAGETAP",
				"Mimikatz",
				"certutil",
				"njRAT",
				"Cobalt Strike",
				"pwdump",
				"BLACKCOFFEE",
				"MOPSLED",
				"ROCKBOOT",
				"dsquery",
				"Winnti for Linux",
				"DUSTTRAP",
				"Derusbi",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "732597b1-40a8-474c-88cc-eb8a421c29f1",
			"created_at": "2025-08-07T02:03:25.087732Z",
			"updated_at": "2026-04-10T02:00:03.776007Z",
			"deleted_at": null,
			"main_name": "NICKEL GLADSTONE",
			"aliases": [
				"APT38 ",
				"ATK 117 ",
				"Alluring Pisces ",
				"Black Alicanto ",
				"Bluenoroff ",
				"CTG-6459 ",
				"Citrine Sleet ",
				"HIDDEN COBRA ",
				"Lazarus Group",
				"Sapphire Sleet ",
				"Selective Pisces ",
				"Stardust Chollima ",
				"T-APT-15 ",
				"TA444 ",
				"TAG-71 "
			],
			"source_name": "Secureworks:NICKEL GLADSTONE",
			"tools": [
				"AlphaNC",
				"Bankshot",
				"CCGC_Proxy",
				"Ratankba",
				"RustBucket",
				"SUGARLOADER",
				"SwiftLoader",
				"Wcry"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "2a24d664-6a72-4b4c-9f54-1553b64c453c",
			"created_at": "2025-08-07T02:03:24.553048Z",
			"updated_at": "2026-04-10T02:00:03.787296Z",
			"deleted_at": null,
			"main_name": "BRONZE ATLAS",
			"aliases": [
				"APT41 ",
				"BARIUM ",
				"Blackfly ",
				"Brass Typhoon",
				"CTG-2633",
				"Earth Baku ",
				"GREF",
				"Group 72 ",
				"Red Kelpie ",
				"TA415 ",
				"TG-2633 ",
				"Wicked Panda ",
				"Winnti"
			],
			"source_name": "Secureworks:BRONZE ATLAS",
			"tools": [
				"Acehash",
				"CCleaner v5.33 backdoor",
				"ChinaChopper",
				"Cobalt Strike",
				"DUSTPAN",
				"Dicey MSDN",
				"Dodgebox",
				"ForkPlayground",
				"HUC Proxy Malware (Htran)"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a2b92056-9378-4749-926b-7e10c4500dac",
			"created_at": "2023-01-06T13:46:38.430595Z",
			"updated_at": "2026-04-10T02:00:02.971571Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Operation DarkSeoul",
				"Bureau 121",
				"Group 77",
				"APT38",
				"NICKEL GLADSTONE",
				"G0082",
				"COPERNICIUM",
				"Moonstone Sleet",
				"Operation GhostSecret",
				"APT 38",
				"Appleworm",
				"Unit 121",
				"ATK3",
				"G0032",
				"ATK117",
				"NewRomanic Cyber Army Team",
				"Nickel Academy",
				"Sapphire Sleet",
				"Lazarus group",
				"Hastati Group",
				"Subgroup: Bluenoroff",
				"Operation Troy",
				"Black Artemis",
				"Dark Seoul",
				"Andariel",
				"Labyrinth Chollima",
				"Operation AppleJeus",
				"COVELLITE",
				"Citrine Sleet",
				"DEV-0139",
				"DEV-1222",
				"Hidden Cobra",
				"Bluenoroff",
				"Stardust Chollima",
				"Whois Hacking Team",
				"Diamond Sleet",
				"TA404",
				"BeagleBoyz",
				"APT-C-26"
			],
			"source_name": "MISPGALAXY:Lazarus Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "32a223a8-3c79-4146-87c5-8557d38662ae",
			"created_at": "2022-10-25T15:50:23.703698Z",
			"updated_at": "2026-04-10T02:00:05.261989Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Lazarus Group",
				"Labyrinth Chollima",
				"HIDDEN COBRA",
				"Guardians of Peace",
				"NICKEL ACADEMY",
				"Diamond Sleet"
			],
			"source_name": "MITRE:Lazarus Group",
			"tools": [
				"RawDisk",
				"Proxysvc",
				"BADCALL",
				"FALLCHILL",
				"WannaCry",
				"MagicRAT",
				"HOPLIGHT",
				"TYPEFRAME",
				"Dtrack",
				"HotCroissant",
				"HARDRAIN",
				"Dacls",
				"KEYMARBLE",
				"TAINTEDSCRIBE",
				"AuditCred",
				"netsh",
				"ECCENTRICBANDWAGON",
				"AppleJeus",
				"BLINDINGCAN",
				"ThreatNeedle",
				"Volgmer",
				"Cryptoistic",
				"RATANKBA",
				"Bankshot"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f32df445-9fb4-4234-99e0-3561f6498e4e",
			"created_at": "2022-10-25T16:07:23.756373Z",
			"updated_at": "2026-04-10T02:00:04.739611Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"APT-C-26",
				"ATK 3",
				"Appleworm",
				"Citrine Sleet",
				"DEV-0139",
				"Diamond Sleet",
				"G0032",
				"Gleaming Pisces",
				"Gods Apostles",
				"Gods Disciples",
				"Group 77",
				"Guardians of Peace",
				"Hastati Group",
				"Hidden Cobra",
				"ITG03",
				"Jade Sleet",
				"Labyrinth Chollima",
				"Lazarus Group",
				"NewRomanic Cyber Army Team",
				"Operation 99",
				"Operation AppleJeus",
				"Operation AppleJeus sequel",
				"Operation Blockbuster: Breach of Sony Pictures Entertainment",
				"Operation CryptoCore",
				"Operation Dream Job",
				"Operation Dream Magic",
				"Operation Flame",
				"Operation GhostSecret",
				"Operation In(ter)caption",
				"Operation LolZarus",
				"Operation Marstech Mayhem",
				"Operation No Pineapple!",
				"Operation North Star",
				"Operation Phantom Circuit",
				"Operation Sharpshooter",
				"Operation SyncHole",
				"Operation Ten Days of Rain / DarkSeoul",
				"Operation Troy",
				"SectorA01",
				"Slow Pisces",
				"TA404",
				"TraderTraitor",
				"UNC2970",
				"UNC4034",
				"UNC4736",
				"UNC4899",
				"UNC577",
				"Whois Hacking Team"
			],
			"source_name": "ETDA:Lazarus Group",
			"tools": [
				"3CX Backdoor",
				"3Rat Client",
				"3proxy",
				"AIRDRY",
				"ARTFULPIE",
				"ATMDtrack",
				"AlphaNC",
				"Alreay",
				"Andaratm",
				"AngryRebel",
				"AppleJeus",
				"Aryan",
				"AuditCred",
				"BADCALL",
				"BISTROMATH",
				"BLINDINGCAN",
				"BTC Changer",
				"BUFFETLINE",
				"BanSwift",
				"Bankshot",
				"Bitrep",
				"Bitsran",
				"BlindToad",
				"Bookcode",
				"BootWreck",
				"BottomLoader",
				"Brambul",
				"BravoNC",
				"Breut",
				"COLDCAT",
				"COPPERHEDGE",
				"CROWDEDFLOUNDER",
				"Castov",
				"CheeseTray",
				"CleanToad",
				"ClientTraficForwarder",
				"CollectionRAT",
				"Concealment Troy",
				"Contopee",
				"CookieTime",
				"Cyruslish",
				"DAVESHELL",
				"DBLL Dropper",
				"DLRAT",
				"DRATzarus",
				"DRATzarus RAT",
				"Dacls",
				"Dacls RAT",
				"DarkComet",
				"DarkKomet",
				"DeltaCharlie",
				"DeltaNC",
				"Dembr",
				"Destover",
				"DoublePulsar",
				"Dozer",
				"Dtrack",
				"Duuzer",
				"DyePack",
				"ECCENTRICBANDWAGON",
				"ELECTRICFISH",
				"Escad",
				"EternalBlue",
				"FALLCHILL",
				"FYNLOS",
				"FallChill RAT",
				"Farfli",
				"Fimlis",
				"FoggyBrass",
				"FudModule",
				"Fynloski",
				"Gh0st RAT",
				"Ghost RAT",
				"Gopuram",
				"HARDRAIN",
				"HIDDEN COBRA RAT/Worm",
				"HLOADER",
				"HOOKSHOT",
				"HOPLIGHT",
				"HOTCROISSANT",
				"HOTWAX",
				"HTTP Troy",
				"Hawup",
				"Hawup RAT",
				"Hermes",
				"HotCroissant",
				"HotelAlfa",
				"Hotwax",
				"HtDnDownLoader",
				"Http Dr0pper",
				"ICONICSTEALER",
				"Joanap",
				"Jokra",
				"KANDYKORN",
				"KEYMARBLE",
				"Kaos",
				"KillDisk",
				"KillMBR",
				"Koredos",
				"Krademok",
				"LIGHTSHIFT",
				"LIGHTSHOW",
				"LOLBAS",
				"LOLBins",
				"Lazarus",
				"LightlessCan",
				"Living off the Land",
				"MATA",
				"MBRkiller",
				"MagicRAT",
				"Manuscrypt",
				"Mimail",
				"Mimikatz",
				"Moudour",
				"Mydoom",
				"Mydoor",
				"Mytob",
				"NACHOCHEESE",
				"NachoCheese",
				"NestEgg",
				"NickelLoader",
				"NineRAT",
				"Novarg",
				"NukeSped",
				"OpBlockBuster",
				"PCRat",
				"PEBBLEDASH",
				"PLANKWALK",
				"POOLRAT",
				"PSLogger",
				"PhanDoor",
				"Plink",
				"PondRAT",
				"PowerBrace",
				"PowerRatankba",
				"PowerShell RAT",
				"PowerSpritz",
				"PowerTask",
				"Preft",
				"ProcDump",
				"Proxysvc",
				"PuTTY Link",
				"QUICKRIDE",
				"QUICKRIDE.POWER",
				"Quickcafe",
				"QuiteRAT",
				"R-C1",
				"ROptimizer",
				"Ratabanka",
				"RatabankaPOS",
				"Ratankba",
				"RatankbaPOS",
				"RawDisk",
				"RedShawl",
				"Rifdoor",
				"Rising Sun",
				"Romeo-CoreOne",
				"RomeoAlfa",
				"RomeoBravo",
				"RomeoCharlie",
				"RomeoCore",
				"RomeoDelta",
				"RomeoEcho",
				"RomeoFoxtrot",
				"RomeoGolf",
				"RomeoHotel",
				"RomeoMike",
				"RomeoNovember",
				"RomeoWhiskey",
				"Romeos",
				"RustBucket",
				"SHADYCAT",
				"SHARPKNOT",
				"SIGFLIP",
				"SIMPLESEA",
				"SLICKSHOES",
				"SORRYBRUTE",
				"SUDDENICON",
				"SUGARLOADER",
				"SheepRAT",
				"SierraAlfa",
				"SierraBravo",
				"SierraCharlie",
				"SierraJuliett-MikeOne",
				"SierraJuliett-MikeTwo",
				"SimpleTea",
				"SimplexTea",
				"SmallTiger",
				"Stunnel",
				"TAINTEDSCRIBE",
				"TAXHAUL",
				"TFlower",
				"TOUCHKEY",
				"TOUCHMOVE",
				"TOUCHSHIFT",
				"TOUCHSHOT",
				"TWOPENCE",
				"TYPEFRAME",
				"Tdrop",
				"Tdrop2",
				"ThreatNeedle",
				"Tiger RAT",
				"TigerRAT",
				"Trojan Manuscript",
				"Troy",
				"TroyRAT",
				"VEILEDSIGNAL",
				"VHD",
				"VHD Ransomware",
				"VIVACIOUSGIFT",
				"VSingle",
				"ValeforBeta",
				"Volgmer",
				"Vyveva",
				"W1_RAT",
				"Wana Decrypt0r",
				"WanaCry",
				"WanaCrypt",
				"WanaCrypt0r",
				"WannaCry",
				"WannaCrypt",
				"WannaCryptor",
				"WbBot",
				"Wcry",
				"Win32/KillDisk.NBB",
				"Win32/KillDisk.NBC",
				"Win32/KillDisk.NBD",
				"Win32/KillDisk.NBH",
				"Win32/KillDisk.NBI",
				"WinorDLL64",
				"Winsec",
				"WolfRAT",
				"Wormhole",
				"YamaBot",
				"Yort",
				"ZetaNile",
				"concealment_troy",
				"http_troy",
				"httpdr0pper",
				"httpdropper",
				"klovbot",
				"sRDI"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434352,
	"ts_updated_at": 1775826682,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/629b67f5b259dd2eb0995050658755ddcf8bd3d4.pdf",
		"text": "https://archive.orkl.eu/629b67f5b259dd2eb0995050658755ddcf8bd3d4.txt",
		"img": "https://archive.orkl.eu/629b67f5b259dd2eb0995050658755ddcf8bd3d4.jpg"
	}
}