The relatively new PseudoManuscrypt botnet has evolved to ensnare more devices worldwide. According to the latest research, operators behind the botnet have made changes to the Command and Control (C2) infrastructure that enabled them to infect nearly 500,000 systems across 40 countries in the past eight months.

Latest observations

Researchers at BitSight sinkholed many unknown domains generated using a Domain Generation Algorithm (DGA). These domains garnered huge traffic and were available on multiple search engines, including the Google search page.
  • A large volume of traffic was diverted to multiple domains, which made it challenging to find the exact origin of the domain. While running the sandbox, the researchers detected uncommon UDP traffic on port 53.
  • Further analysis revealed that hardcoded URLs were used to deploy the PseudoManuscrypt botnet. The hardcoded URLs enabled threat actors to bypass security checks while continuing their infection process. 
  • The new version of the botnet is infecting around 7,000 systems daily, compared with the previous version, which infected around 16,000 systems every day.

Previously, Kaspersky had reported a similar technique being used by different malware families such as Socelars, SmokeLoader, and RedLine. 

Other facts

  • The PseudoManuscrypt botnet has also been observed being dropped by a newly spotted malware dropper named NullMixer, which is often distributed via cracked software hosted on fraudulent websites.
  • The botnet was also associated with a campaign that was aimed at devices in South Korea. Here, the botnet had disguised itself as an installer that was distributed via various malicious sites.


Although PseudoManuscrypt seems to be recent, it has emerged as a fairly large botnet. While the operators continue to evolve their tactics, organizations should frequently check the IOCs to understand the emerging tactics and techniques of the botnet and apply necessary mitigation measures.
Cyware Publisher