A new spyware, dubbed PseudoManuscrypt, has been targeting thousands of devices around the world, including several ICS systems. The malware name comes from its similarities with the Manuscrypt backdoor malware used by Lazarus APT.

What has happened?

According to Kaspersky experts, around 7.2% of targeted systems are part of ICS used in engineering, manufacturing, construction, building automation, utilities, water management, and energy industries.
  • Between January and November, the malware targeted around 35,000 systems across 195 countries. This is an uncommon phenomenon observed in targeted attacks by nation-state actors.
  • PseudoManuscrypt spreads using a malware-as-a-service platform that delivers the malicious code inside pirated software installers. Additionally, it spreads via the Glupteba botnet.
  • Around 29.4% of computers were non-ICS and the targeted entities were mostly based in Russia (10.1%), India (10%), and Brazil (9.3%), while targeted ICS were mostly based in India, Russia, and Vietnam.

Spyware features and capabilities

The spyware uses KCP protocol for communication with the C2 servers. Earlier, the KCP protocol was seen in attacks by the APT41 group aimed at industrial organizations.
  • The spyware supports multiple capabilities, such as logging keypresses, capturing screenshots and videos of the screen, stealing VPN connection data, and recording sound.
  • The malware contains comments written in Chinese and connects to Baidu cloud storage service.
  • Despite many insights on the threat, researchers still think that many of the findings remained unexplained.


The threat group behind the PseudoManuscrypt malware has attacked systems of high-profile organizations in different countries, which leads to the conclusion that the attackers are very much focused and dangerous. In order to stay protected, organizations should focus on intelligence sharing and protecting their intellectual property and operational technology networks.

Cyware Publisher