{
	"id": "de0a4e44-05f4-47d5-9434-ee7a696dc2d6",
	"created_at": "2026-04-06T00:08:14.407916Z",
	"updated_at": "2026-04-10T13:13:04.116104Z",
	"deleted_at": null,
	"sha1_hash": "9777d27972ea359b72461b6e330563a4027ad769",
	"title": "Nemucod malware spreads ransomware Teslacrypt around the world",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 728145,
	"plain_text": "Nemucod malware spreads ransomware Teslacrypt around the world\r\nBy Josep Albors\r\nArchived: 2026-04-05 16:32:38 UTC\r\nESET has recently observed a huge increase in detections of the Nemucod trojan, a threat that usually tries to download other malware from the internet. Those detection ratios were very high in some countries.\r\n16 Dec 2015 • 4 min. read\r\nFrom time to time, some malware propagation campaigns reach high propagation levels in one or several countries for a few days. In those cases, users are especially vulnerable if they don’t protect their systems properly.\r\nWe saw one of these scenarios last week, when we observed a huge increase in detections of the Nemucod trojan, a threat that usually tries to download other malware from the internet. Those detection ratios were very high in some countries but also globally, which could indicate a campaign that is not focused on one country in particular but is trying to affect as many users as possible throughout the world.\r\nYou’ve got an (infected) email\r\nAs with many other malware campaigns that we’ve analyzed recently, the attackers used email as the attack vector. The message poses as a fake invoice to convince users to open an attached ZIP file. The sender of the email is usually another user who has been infected previously, so the malware continues to propagate as long as it has possible victims.\r\nIf we open the attached ZIP file we find a difference compared to recently analyzed samples: instead of an EXE file, the ZIP container holds a JavaScript file. The attackers might have used this technique to avoid detection by some mail scanners and reach as many victims as possible.\r\nhttps://www.welivesecurity.com/2015/12/16/nemucod-malware-spreads-ransomware-teslacrypt-around-world/\r\nPage 1 of 8\r\nUsing JavaScript to download the payload\r\nIn any case, a JavaScript file is something a user can execute, and it can be as dangerous as an EXE file. If we take a look at the code of the file we find several interesting things. One is that most of the variables used seem to have random names. Also, we found two arrays in the code that could be a way of obfuscating the IPs or web addresses used by these criminals to spread the malware.\r\nIn fact, we found two domains that were used to spread a new variant of the Teslacrypt ransomware (detected by ESET as Win32/Filecoder.EM), among other threats. One of these domains belongs to a compromised German website, but the other was created recently, as we can see in this whois info.\r\nIn fact, this website contained nothing but a notice saying it was empty because the site was just being created. We cannot say for sure that the site was set up just to spread the threat, but the registration date of the domain is suspicious at the very least.\r\nInfection of the user by Teslacrypt\r\nAs we have already said, one of the malware samples being downloaded from the malicious or compromised websites was a variant of the Teslacrypt ransomware. The malicious file was an executable with a name consisting only of digits.\r\nIf the victim executes this file, the ransomware begins to encrypt file types commonly used to store images, videos, office documents and more, and launches the following screen in the web browser when it finishes. This template has been used by other ransomware families and tells victims that they need to pay a ransom if they want to recover their personal files.\r\nA TXT file is also generated in each folder that contains encrypted files. In this TXT file we can read instructions similar to the ones found in the HTML file, but also some contradictions. For example, the HTML file says that the ransomware is using RSA-2048 encryption, while the TXT file says that the encryption used is RSA-4096.\r\nThis can be explained by the reuse of the template of other ransomware families such as Cryptowall. In any case, regardless of the encryption algorithm used, most of the time the files can’t be restored to their original state, so the victim loses access to this information.\r\nNemucod impact around the world\r\nThis malware propagation campaign has been quite interesting because the detection rates have been unusually high. We have seen peaks of more than 10% globally, but the impact has been much higher in some specific countries. In Europe we saw detection ratios for this threat above 20% in several countries (23% in Spain and 30% in Italy, for example).\r\nIn other regions such as the Americas we saw a lower detection ratio, but still higher than usual (around 14% in Argentina and 15% in the US and Canada).\r\nBut the highest infection ratio detected was, by far, in Japan. For more than two days Nemucod accounted for above 75% of detections in that country. We still have to investigate why the detection rate was so high in Japan, but it is something we have not seen in a very long time.\r\nConclusion\r\nThis new malware campaign didn’t affect as many users as previous ones, but the detection rates show us that, for some days, the number of emails used to spread the threat had to be significantly high to achieve those percentages.\r\nThe fact that the number of affected users has not been as high as in previous ransomware campaigns, despite the elevated number of detections, is good news. It means that users are using protection measures capable of detecting new threats, and it can also mean that they are not executing suspicious files attached to emails like the one we’ve analyzed.\r\nStill, we can improve our security measures and, to avoid the problems created by a ransomware infection, one of those measures has to be an up-to-date backup of all our important files so that they can be recovered as soon as possible.\r\nSource: https://www.welivesecurity.com/2015/12/16/nemucod-malware-spreads-ransomware-teslacrypt-around-world/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.welivesecurity.com/2015/12/16/nemucod-malware-spreads-ransomware-teslacrypt-around-world/"
	],
	"report_names": [
		"nemucod-malware-spreads-ransomware-teslacrypt-around-world"
	],
	"threat_actors": [],
	"ts_created_at": 1775434094,
	"ts_updated_at": 1775826784,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9777d27972ea359b72461b6e330563a4027ad769.pdf",
		"text": "https://archive.orkl.eu/9777d27972ea359b72461b6e330563a4027ad769.txt",
		"img": "https://archive.orkl.eu/9777d27972ea359b72461b6e330563a4027ad769.jpg"
	}
}