PseudoManuscrypt Spyware

The PseudoManuscrypt Spyware is a newly detected malware threat with advanced spying capabilities, including copying data from the clipboard, collecting VPN authentication credentials, logging keystrokes, and taking screenshots. Its name comes from its similarities to another malware named Manuscrypt, which is deployed by the Advanced Persistent Threat (APT) group Lazarus. At this point, however, researchers reject a possible link to the Lazarus APT.

The main targets of PseudoManuscrypt are Industrial Control Systems (ICS) in many different industries, as well as government organizations. Though the attackers do not demonstrate a preference for particular sectors, a large number of the attacked engineering computers are systems used for 3D and physical modeling, which suggests that industrial espionage may be one objective of the hacking group that operates PseudoManuscrypt.

Between January and November 2021, cyber security products detected and blocked the new malware on over 35,000 computers in 195 countries, with many of the targets being military-related enterprises and research laboratories. The initial infection with PseudoManuscrypt happens primarily through compromised installers for pirated ICS-specific software. These fake installers are likely being offered via Malware-as-a-Service platforms, while in other cases, the spyware was dropped through the Glupteba botnet.
