A new malware botnet known as PseudoManuscrypt has emerged, targeting industrial and government organizations, particularly within military-industrial entities and research laboratories. Reports indicate that this malware strain has compromised approximately 35,000 Windows systems throughout the current year.
The name PseudoManuscrypt reflects its resemblance to the well-known Manuscrypt malware, which is associated with the Lazarus advanced persistent threat (APT) group. Kaspersky researchers have termed this activity a “mass-scale spyware attack campaign,” noting that the first signs of intrusion were detected in June 2021.
Preliminary findings suggest that 7.2% of the infected machines are part of industrial control systems (ICS), utilized in sectors like energy, manufacturing, and utilities. Most of these affected systems are located in India, Vietnam, and Russia. Non-ICS targets are notably concentrated in Russia (10.1%), India (10%), and Brazil (9.3%).
The PseudoManuscrypt loader reaches victims through malware-as-a-service (MaaS) platforms, primarily bundled inside infected software installer archives. One notable distribution channel is the Glupteba botnet. Google’s recent crackdown, which dismantled Glupteba’s infrastructure and initiated litigation against two Russian nationals associated with the botnet, highlights the ongoing difficulty of combating such threats.
Investigations reveal that the botnet is propagated through a range of cracked installers for software products, including Windows 10, Microsoft Office, and Kaspersky antivirus. Attackers employ a tactic known as search poisoning, which manipulates search engine results so that malicious websites rank prominently among legitimate offerings.
Once activated, PseudoManuscrypt grants attackers extensive control over the infected systems. This includes disabling antivirus measures, capturing sensitive data from VPN connections, logging keystrokes, and recording screen activity, among other intrusive capabilities.
Kaspersky has identified over 100 variants of the PseudoManuscrypt loader, with the earliest iterations traced back to March 2021. The trojan borrows elements from various commodity malware families, and it references a KCP protocol library that has also been used by the China-based APT41 group.
Although the malware’s code contains comments in Chinese and specifies Mandarin as the language for communication with its command-and-control servers, this evidence has yet to support definitive conclusions about the operators’ identities. The overarching objectives of the campaign remain ambiguous, leaving open the question of whether it is driven by financial gain or state-sponsored espionage.
The scale of the attack, particularly against engineering systems employed in 3D modeling and digital twin technologies, raises concerns about potential industrial espionage as a significant motive behind the campaign. As the cybersecurity landscape continues to evolve, vigilance remains crucial for organizations facing these emerging threats.