The Nemucod trojan is targeting victims using a phishing campaign in which emails contain fake invoices, attempting to lure victims into opening an attached ZIP file. The sender of the malicious email is typically another user infected by Nemucod, as this trojan, unlike many others, self-propagates. The ZIP file contains a ZIP container with a JavaScript file inside. This may help to avoid detection in some mail scanners. The JavaScript file contains arrays in the code that may obfuscate the IPs or web addresses used by the attackers. Nemucod is compatible with Windows XP, Vista, 7, and 8 and serves as a backdoor to push additional malware to the victim. In December 2015, two domains were found spreading a new variant of ransomware, called TeslaCrypt, one of which was downloaded from a compromised website. If a victim executes this malicious file, it begins to encrypt some file types, and then demands a monetary payment from the victim in order to recover the encrypted data. In March 2016, Nemucod was found distributing another ransomware variant via a JavaScript attachment, similar to the distribution tactics of TeslaCrypt. This new variant, however, appends .CRYPTED to the names of encrypted files. Nemucod detection rates have been as high as 10 percent globally but are higher in certain regions, with the United States and Canada detection rate at 15 percent.
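The nested delivery described above (a ZIP holding a ZIP holding a JavaScript file) is missed by a scanner that lists only the outer archive. The following is an added example, not taken from any vendor report: a mail-gateway style check that descends into nested ZIPs and reports script members. The extension list, depth limit, size limit and sample file names are assumptions.

```python
import io
import zipfile

# Extensions run by Windows Script Host on double-click (assumed list).
SCRIPT_EXTS = (".js", ".jse", ".wsf", ".vbs")
MAX_DEPTH = 3                          # archive layers to inspect
MAX_MEMBER_BYTES = 10 * 1024 * 1024    # skip members declared larger than this


def find_scripts(data, depth=0, prefix=""):
    """Return (path, depth) for every script file in a ZIP, including nested ZIPs."""
    hits = []
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return hits                    # not an archive: nothing to descend into
    with archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            path = prefix + info.filename
            if info.filename.lower().endswith(SCRIPT_EXTS):
                hits.append((path, depth))
                continue
            if depth + 1 >= MAX_DEPTH or info.file_size > MAX_MEMBER_BYTES:
                continue
            try:
                blob = archive.read(info)
            except Exception:
                continue               # encrypted, corrupt or unsupported member
            # Recurse on content, not on the ".zip" name, so renamed inner
            # archives are still opened.
            hits.extend(find_scripts(blob, depth + 1, path + "!/"))
    return hits


def build_sample():
    """Constructed sample: outer ZIP -> inner ZIP -> harmless .js placeholder."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("invoice_scan.js", "// constructed placeholder, not malware")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("invoice.zip", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    for path, depth in find_scripts(build_sample()):
        print(f"script at archive depth {depth}: {path}")
```

A hit at depth 1 or deeper matches the ZIP-in-ZIP pattern and is a reasonable trigger for quarantine or for stripping the attachment.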


  • December 2015: Nemucod was observed delivering the latest version of TeslaCrypt to victims. (Softpedia)
  • March 2016: Nemucod was found delivering a new variant of ransomware to victims that appends .CRYPTED to the names of encrypted files. (Softpedia)
  • February 2017: Nemucod is distributing Cerber via a Ransomware-as-a-Service platform. (Cyren)
  • April 2017: A USPS-themed spam campaign is using the Nemucod trojan to download additional trojans – Nymaim, Kovter, and Boaxxe – onto the victim’s device. These trojans allow an attacker to gain remote access to the targeted device and steal personal and financial information. (MalwareBytes)
  • May 2017: Threat actors are utilizing malicious Microsoft Office macros using Visual Basic for Applications (VBA) code to infect victims and using obfuscated JavaScript payloads to pad their code in an effort to evade signature-based antivirus detection. (Palo Alto Networks)

Technical Details

  • McAfee Labs provides technical details on the Nemucod trojan, available here. (McAfee)