Thursday November 27, 2025

Advisory ID:   ngCERT-2025-110003

SUMMARY

ngCERT is issuing an alert on the infiltration of Pseudomanuscrypt malware, a sophisticated spyware campaign primarily impacting Windows OS. Notably, this mass-scale operation has infected over 35,000 systems globally, focusing mainly on industrial control systems (ICS) and government entities. In particular, a Pseudomanuscrypt infiltration can lead to the theft of sensitive credentials and data, potentially enabling follow-on ransomware attacks, financial fraud, and sabotage of critical infrastructure across various sectors. This underscores the need for individuals and organisations to take proactive steps to safeguard against Pseudomanuscrypt infiltration.

Damage:      Critical

Probability:  High

Platform(s): Microsoft Windows (OS)

DESCRIPTION

Attackers spread Pseudomanuscrypt mainly through fake pirated software installers and cracks downloaded from malicious sites, often sourced from Malware-as-a-Service platforms or delivered through botnets such as Glupteba. Once downloaded, a 7z self-extracting archive drops loaders (install.dll and install.dat) into the %TEMP% folder, decodes shellcode, and launches the main payload while establishing persistence through registry keys and scheduled tasks. The malware then sets up resilient command-and-control communication using the KCP protocol or DNS tunnelling, backed by a Domain Generation Algorithm (DGA) to evade blocking. After gaining a foothold, it performs extensive reconnaissance, including logging keystrokes, capturing screenshots and video, stealing credentials and clipboard data, monitoring VPN connections, and mapping the network. It also pulls down additional modules for deeper espionage or secondary infections, such as cryptocurrency miners.
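The DNS tunnelling and DGA traffic described above leaves traits in resolver logs that a defender can score without any malware-specific signature: very long query names, many labels, high-entropy or vowel-free subdomains. The following PowerShell script is an added example and is not part of the ngCERT advisory or any published Pseudomanuscrypt indicator; the log format, the thresholds and the sample lines are constructed assumptions for illustration, and the thresholds would need tuning against a real environment's baseline.

```powershell
# Added example (not from the ngCERT advisory): heuristic scoring of DNS query names
# for DGA-like labels and DNS-tunnelling traits. Log format and thresholds are assumptions.

# Constructed sample log: "date time client query". Lines 3-4 mimic tunnelling (data in
# labels), line 5 mimics a DGA-generated registrable domain. The rest are benign.
$SampleDnsLog = @'
2025-11-27 09:14:02 10.0.5.21 www.example.com
2025-11-27 09:14:05 10.0.5.21 mail.example.org
2025-11-27 09:14:09 10.0.5.44 3a9f1c77e2b04d5f8e6a1b2c3d4e5f60.7b8c9d0e1f2a3b4c.update-svc.example.net
2025-11-27 09:14:10 10.0.5.44 4b0a2d88f3c15e6091b2c3d4e5f60718.8c9d0e1f2a3b4c5d.update-svc.example.net
2025-11-27 09:14:12 10.0.5.44 qzkxvbwpmtrjsndg.example.com
'@

function Get-ShannonEntropy {
    param([Parameter(Mandatory)][string]$Text)
    if ($Text.Length -eq 0) { return 0.0 }
    $counts = @{}
    foreach ($ch in $Text.ToCharArray()) { $counts[$ch] = 1 + [int]$counts[$ch] }
    $entropy = 0.0
    foreach ($n in $counts.Values) {
        $p = $n / $Text.Length
        $entropy -= $p * [Math]::Log($p, 2)
    }
    return [Math]::Round($entropy, 2)
}

function Test-SuspiciousQueryName {
    param(
        [Parameter(Mandatory)][string]$Name,
        [double]$EntropyThreshold = 3.5,   # assumption: tune per environment
        [int]$LengthThreshold = 50,        # long names suggest data carried in labels
        [int]$LabelThreshold = 5
    )
    $labels = $Name.TrimEnd('.').Split('.')
    # Ignore the registrable domain (last two labels) and examine the subdomain part.
    $sub = ($labels | Select-Object -First ([Math]::Max(0, $labels.Count - 2))) -join ''
    $reasons = @()
    if ($Name.Length -ge $LengthThreshold) { $reasons += "length=$($Name.Length)" }
    if ($labels.Count -ge $LabelThreshold) { $reasons += "labels=$($labels.Count)" }
    $e = Get-ShannonEntropy -Text $sub
    if ($sub.Length -ge 12 -and $e -ge $EntropyThreshold) { $reasons += "entropy=$e" }
    # Long hex/base32-looking labels with no vowels are a common tunnelling/DGA trait.
    if ($sub.Length -ge 16 -and $sub -notmatch '[aeiou]') { $reasons += 'no-vowels' }
    # Two independent traits are required before a name is flagged, to limit noise.
    [pscustomobject]@{ Name = $Name; Score = $reasons.Count; Suspicious = ($reasons.Count -ge 2); Reasons = ($reasons -join ',') }
}

function Find-SuspiciousDnsQueries {
    param([Parameter(Mandatory)][string]$LogText)
    foreach ($line in ($LogText -split "`r?`n")) {
        if ([string]::IsNullOrWhiteSpace($line)) { continue }
        $fields = $line -split '\s+'
        if ($fields.Count -lt 4) { continue }
        $result = Test-SuspiciousQueryName -Name $fields[3]
        if ($result.Suspicious) {
            [pscustomobject]@{ Time = "$($fields[0]) $($fields[1])"; Client = $fields[2]; Query = $fields[3]; Score = $result.Score; Reasons = $result.Reasons }
        }
    }
}

Find-SuspiciousDnsQueries -LogText $SampleDnsLog | Format-Table -AutoSize -Wrap
```

On the constructed sample the two long multi-label names and the sixteen-character vowel-free domain are flagged while the two benign names are not. In practice the useful signal is a client issuing many such names in a short window, so the per-query score is best aggregated per source address before alerting.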

CONSEQUENCES

A successful Pseudomanuscrypt malware infection can lead to:

    1. Theft of sensitive credentials, intellectual property, and operational data.
    2. Financial losses through fraud.
    3. Ransomware attacks.
    4. Sabotage and disruption of critical services and infrastructure.
    5. Reputational damage.

SOLUTION/MITIGATION

ngCERT recommends the following prioritised actions:

    1. Patch and update all systems, especially Windows and ICS software, disable unnecessary services and enforce least-privilege access.
    2. Deploy reputable antivirus solutions with behavioural detection configured for real-time scanning. Enable application whitelisting to block unauthorised executables.
    3. Avoid downloading cracked or pirated software; verify sources and use official channels. Educate users on phishing and malicious archives through regular awareness training.
    4. Implement EDR tools to detect anomalous behaviours like unusual C2 traffic. Segment ICS networks and monitor for persistence artifacts in %TEMP% and registry hives.
    5. If infected, isolate affected systems, scan with reputable tools, and reset credentials. Report incidents to ngCERT for coordinated response.
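Item 4 above asks for monitoring of persistence artifacts in %TEMP% and the registry hives, and the DESCRIPTION names the concrete locations: the loader files install.dll and install.dat in %TEMP%, Run-key entries and scheduled tasks. The read-only triage script below is an added example and is not ngCERT's tooling; the registry paths and the "executes from a temp directory or loads a DLL via rundll32/regsvr32" rule are the author's assumptions about what such persistence looks like, and a hit is a lead for an analyst rather than a confirmed infection, since the file names alone are not unique.

```powershell
# Added example (not from the ngCERT advisory): read-only triage of the artifact
# locations the advisory names. Run from an elevated prompt so HKLM and the
# system temp directory are readable. Matching rules are assumptions, not IoCs.

$LoaderNames = @('install.dll', 'install.dat')   # file names from the advisory
$TempDirs = @($env:TEMP, "$env:SystemRoot\Temp") |
    Where-Object { $_ -and (Test-Path $_) } | Select-Object -Unique

# Assumption: persistence that runs out of a temp directory, or that loads a
# .dll/.dat through rundll32/regsvr32, is unusual enough to surface for review.
$SuspiciousCommand = '\\temp\\|\b(rundll32|regsvr32)\b.*\.(dll|dat)\b'

function Find-LoaderArtifacts {
    param([string[]]$Directories = $TempDirs, [string[]]$Names = $LoaderNames)
    foreach ($dir in $Directories) {
        Get-ChildItem -Path $dir -Recurse -Force -File -ErrorAction SilentlyContinue |
            Where-Object { $Names -contains $_.Name.ToLower() } |
            ForEach-Object {
                # Hash the file so it can be cross-checked against threat intel later.
                $hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
                [pscustomobject]@{ Kind = 'File'; Location = $_.FullName
                                   Detail = "size=$($_.Length) sha256=$hash created=$($_.CreationTime)" }
            }
    }
}

function Find-RunKeyArtifacts {
    $keys = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $keys) {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip provider metadata (PSPath etc.)
            $cmd = [string]$p.Value
            if ($cmd -match $SuspiciousCommand) {
                [pscustomobject]@{ Kind = 'RunKey'; Location = "$key\$($p.Name)"; Detail = $cmd }
            }
        }
    }
}

function Find-ScheduledTaskArtifacts {
    Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            # Non-exec actions (COM handlers) have no Execute/Arguments and yield an empty string.
            $cmd = "$($action.Execute) $($action.Arguments)"
            if ($cmd -match $SuspiciousCommand) {
                [pscustomobject]@{ Kind = 'Task'; Location = "$($task.TaskPath)$($task.TaskName)"; Detail = $cmd }
            }
        }
    }
}

$findings = @(Find-LoaderArtifacts) + @(Find-RunKeyArtifacts) + @(Find-ScheduledTaskArtifacts)
if ($findings.Count -eq 0) {
    Write-Host 'No Pseudomanuscrypt-style persistence artifacts found in the checked locations.'
} else {
    $findings | Format-Table -AutoSize -Wrap
}
```

The script only reads; it does not delete files or registry values, so it can be run on a suspect host before isolation without destroying evidence. On 64-bit systems the WOW6432Node Run keys and per-user hives of other logged-on accounts are additional locations worth adding to the list.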

HYPERLINK