New PseudoManuscrypt malware has infected 35,000 systems this year

A new malware botnet named PseudoManyscrypt has infected roughly 35,000 Windows computers this year, security firm Kaspersky said today.

First spotted in January 2021, the botnet is currently distributed via pirated software installers and application cracks advertised on several internet sites.

Kaspersky said it discovered the new malware after it infected systems running industrial control systems monitored by its ICS division.

A deep dive into the malware's code found that PseudoManyscrypt is akin to a malware Frankenstein, being assembled by copying features and code from a variety of other malware strains, ranging from regular commodity malware like Fabookie to some portions being borrowed from malware developed by Chinese (APT41) and North Korean (Lazarus Group) cyber-espionage groups.

Kaspersky also found code comments written in Chinese, but these clues were inconclusive to make an assessment about the malware's creator.

Most of the malware's victims were found in Russia, India, and Brazil. Of the 35,000 systems infected this year, Kaspersky said that 7.2% (roughly 2,500) were computers on ICS-specific networks.


The Russian security firms said this happened because the PseudoManuscrypt group often used cracks for ICS-specific software to hide their malware.

This included cracked installers for an application designed to create a MODBUS Master Device to receive data from a PLC and a key generator for a SolarWinds tool used by network engineers and systems administrators.

Other lures used to distribute the malware included cracked or pirated versions of Call of Duty, Windows 10, Microsoft Office, Adobe tools, and even Kaspersky's own antivirus.

While the group might have intentionally targeted industrial companies through some of the installers it distributed, it's currently unclear if ICS companies were their primary target or if the group targeted any network of value, hoping to monetize access to these networks later on.

"We cannot say for certain whether the campaign is pursuing criminal mercenary goals or goals correlating with some governments' interests. Nevertheless, the fact that attacked systems include computers of high-profile organizations in different countries makes us assess the threat level as high," the Kaspersky team said.

Kaspersky said that one thing was sure from its analysis of the PseudoManuscrypt code, namely that the malware was meant to collect data about infected networks, such as credentials, VPN connection details, clipboard data, and keystrokes, making it a very potent and intrusive spyware.

Get more insights with the
Recorded Future
Intelligence Cloud.
Learn more.
No previous article
No new articles

Catalin Cimpanu

Catalin Cimpanu is a cybersecurity reporter for The Record. He previously worked at ZDNet and Bleeping Computer, where he became a well-known name in the industry for his constant scoops on new vulnerabilities, cyberattacks, and law enforcement actions against hackers.