NukeSped

NukeSped is a remote access trojan/backdoor widely associated with the North Korea-linked Lazarus Group and its subordinate clusters including BlueNoroff/TA444 and Andariel. Public reporting also notes overlap with the name Manuscrypt, and some sources explicitly prefer NukeSped as the public AV-recognized name. It has been observed against Windows and macOS targets, and reporting also describes broader NukeSped lineage malware and variants used by Lazarus since at least 2020.

Capabilities directly described in the source material include remote command execution, file operations, directory listing, drive enumeration, process execution, shell command execution, screenshot capture, keylogging, host reconnaissance, browser history retrieval, process snooping, SOCKS tunneling/port forwarding, configuration updates, and long-term surveillance/data theft. Specific modules named for some variants include ModuleUpdate, ModuleShell, ModuleFileManager, ModuleKeyLogger, ModuleSocksTunnel, ModuleScreenCapture, ModuleInformation, ModulePortForwarder, ModuleUsbDump, and ModuleWebCamera; USB dumping and webcam access were noted as newly observed features in one Log4Shell-related campaign. In one macOS AppleJeus-related case, the backdoor used libcurl APIs for C2 communications, established persistence via a LaunchAgent, and supported reconnaissance, arbitrary shell command execution, and file operations. In another Lazarus cryptocurrency campaign, a macOS updater downloaded encrypted payloads for in-memory execution using mmap and Apple APIs.

Infection and delivery vectors in the content include trojanized cryptocurrency trading applications and fake crypto tools, supply-chain compromises, exploitation of CVE-2021-44228 (Log4Shell) on unpatched VMware Horizon servers, vulnerable MS-SQL servers, and South Korean software distribution abuse. ASEC reported Lazarus distributing NukeSped in 2022 by exploiting Log4Shell on VMware Horizon, where PowerShell executed under ws_tomcatservice.exe to install the malware. ESET reported Lazarus supply-chain activity in South Korea in which multiple delivered tools were flagged as NukeSped. Reporting also tied a 2026 Axios npm compromise to a cross-platform RAT chain whose macOS component was detected as NukeSped/OSX/NukeSped-CB.

Targeting described in the content includes cryptocurrency companies, blockchain/Web3 and financial-sector victims, South Korean organizations, and broader espionage targets. Specific examples include a Brazilian cryptocurrency company, blockchain and cryptocurrency companies targeted with trojanized apps, and Korean targets compromised through VMware Horizon and software supply-chain abuse. The malware is repeatedly linked to Lazarus operations spanning espionage, financial theft, recon, data theft, and persistence.

Technical details from directly cited variants include C++ implementations with encrypted strings and encrypted C2 communications. One Lazarus-used variant used DES to decrypt internal strings and RC4 for C2 traffic; another described type used RC4 for strings, C2 lists, and communications. That campaign documented RC4 keys for string decryption (7B CA D5 7E 1B AE 26 D8 60 1B 61 DA 83 80 11 72 01 6C 54 D8 8A E8 DE 7B 1A 0A) and C2 communications (CD 80 5D D6 6C 1C 63 78 AF 13 7F 67 5B E9 B1 F4 87 27 EE 91 F3 5F 17 EE 9B 6A 28 61 8C F4). The same reporting described a C2 verification step mimicking SSL/HTTP traffic, including requests such as /index.php?member=sbi2009 and /member.php and expected HTTP 200 OK / SSL2.1-style responses, after which the malware sent the victim MAC address encrypted with RC4.

Indicators and infrastructure explicitly mentioned for NukeSped-related activity include the download URL hxxp://185.29.8[.]18/htroy.exe and C2 endpoints 185.29.8[.]18:8888, 84.38.133[.]145:443, 84.38.133[.]16:8443, and mail.usengineergroup[.]com:8443. In a macOS cryptocurrency lure campaign, NukeSped was reported beaconing to www.vinoymas.ch, sche-eg.org, and infodigitalnew.com. The malware has also been referenced by AV detections including Backdoor/OSX.Nukesped, OSX/TrojanDownloader.NukeSped.B, Trojan:MacOS/NukeSped.C!MTB, and OSX/NukeSped-CB.