January 23, 2022


Thinking Security ! Always

PseudoManucrypt ICS Spyware

Infinite number of devices around the world, including many industrial control systems (ICS) and government computers, have been targeted in what appears to be an espionage campaign that involves a new piece of malware dubbed PseudoManuscrypt. Approximately seven percent of the targets were ICS, with the engineering and building automation sectors being most impacted. Attacks were also aimed at military industrial enterprises and research laboratories.

The attackers targeted engineering computers, including devices used for 3D and physical modelling, which led to believe that the goal may be industrial espionage. Nearly one-third of the non-ICS devices targeted in this campaign were in Russia, India, and Brazil. As for ICS, the highest percentage of targets was observed in India, Vietnam, and Russia.


Due to similarities with Manuscrypt malware used by the North Korea-linked Lazarus group in attacks on the defense industry, this has been dubbed PseudoManuscrypt. The malware uses the KCP protocol to connect to its C&C server. The KCP protocol, whose use by malware is uncommon, has also been leveraged by the China-linked threat group APT41 in its attacks on industrial organizations.

The malware samples also contain comments written in Chinese, the malware connects to a cloud storage service offered by Chinese company Baidu, and the threat specifies Chinese as the preferred language when connecting to its C&C server.

The malware can steal VPN credentials, log keystrokes, capture the content of the screen, record sound captured by the microphone, and steal clipboard and OS event log data.

PseudoManuscrypt has been distributed using pirated software installer archives including ones related to ICS software likely delivered by a malware-as-a-service platform. In some cases, the malware was delivered by the Glupteba botnet.


Despite collecting and analysing more data researchers cannot come to a conclusion about the primary goal of the malware campaign whether it’s a industrial espionage and credential stealer or mining

Indicators of Compromise

MD5 hash1fecb6eb98e8ee72bb5f006dd79c6f2f
MD5 hash4da2c2abcf1df9749b64b34160bd3ebf
MD5 hash5dc7fbf2141f7dfe5215c94895bf959c
MD5 hash70e9416833b2f933b765042f8e1ea0bc
MD5 hash8074f73f7742309b033676cd03eb0928
MD5 hash8ae40c8418b2c36b58d2a43153544ddd
FilePath%WinDir%\System32\[0-Z]{10}.tmp e.g. I59RFRLY9J.tmp
FilePath%TEMP%\[0-Z]{10}.tmp e.g. I59RFRLY9J.tmp
%d bloggers like this: