Also known as: JS.Nemucod, TrojanDownloader:JS/Nemucod, Nemucod!, Trojan.JS.NEMUCOD, W32/Nemucod

Category: Malware

Type: Trojan, ransomware

Platform: Windows

Variants: NemucodAES, Nemucod-7z, NemucodHTA

Damage potential: Malware infection, file corruption and loss, unauthorized access, data theft


Nemucod is a trojan downloader and dropper for ransomware and other malware. It spreads via malicious JavaScript and PHP files or email attachments. Once on the system, Nemucod downloads and installs malicious software.

Possible symptoms

Since Nemucod is a downloader for other malware, it doesn’t present many infection symptoms by itself. The most obvious symptoms will result from the secondary infection and will depend on the type of malware Nemucod has installed.

Look out for:

  • Files with strange extensions (.crypted).

  • Unfamiliar processes in the Task Manager.

  • Increased outbound network traffic, because Nemucod connects to remote servers to download payloads.

  • Malicious email activity. Since Nemucod often spreads through malicious email attachments, an infected machine might also send out spam or malicious emails to contacts.

  • Ransomware infection symptoms: encrypted personal files you can’t access, ransom notes, disabled security software.

  • Blocked security websites. Some malware aims to prevent you from accessing remediation tools online or information on how to remove it.

  • Unwanted pop-ups. Nemucod’s payload may include adware.

Sources of infection

  • Email. Nemucod primarily spreads through malicious email attachments disguised as invoices, shipping notifications, or other documents. When you open the attachment — often a .js (JavaScript) file — it executes the malicious code.

  • Downloads. When you visit a malicious website, it may try to inject Nemucod into your system using unpatched vulnerabilities or social engineering techniques. If you download software from unofficial sources, it may contain all kinds of malware — including Nemucod.

  • Removable media. Sometimes, malware propagates through infected USB sticks or other removable media.

  • Compromised browser extensions. A less common source of infection lets Nemucod download malware via extension vulnerabilities.
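
A mail-gateway style check for the email vector described above, as an added example that is not part of the original page: it flags attachments with script extensions, including ones packed inside a ZIP. The extension list beyond .js, the function names, and the sample message are assumptions constructed for illustration.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumed blocklist of script types Windows runs on double-click; the page names .js.
SCRIPT_EXTS = (".js", ".jse", ".hta", ".wsf", ".vbs")

def risky_names(filename, payload):
    """Return script file names found in one attachment, looking inside ZIPs."""
    name = filename.lower().rstrip(". ")  # Windows ignores trailing dots and spaces
    if name.endswith(SCRIPT_EXTS):
        return [filename]
    if name.endswith(".zip"):
        try:
            with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                return [f"{filename}!{n}" for n in zf.namelist()
                        if n.lower().rstrip(". ").endswith(SCRIPT_EXTS)]
        except zipfile.BadZipFile:
            return [f"{filename} (unreadable archive)"]
    return []

def scan_message(raw_bytes):
    """Parse a raw email and list the attachments that should be quarantined."""
    msg = message_from_bytes(raw_bytes, policy=policy.default)
    hits = []
    for part in msg.iter_attachments():
        fn = part.get_filename()
        if fn:
            hits += risky_names(fn, part.get_payload(decode=True) or b"")
    return hits

def build_sample():
    """Constructed sample: a fake invoice mail with an inert .js inside a ZIP."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice_2041.pdf.js", "// inert placeholder\n")
    msg = EmailMessage()
    msg["From"] = "billing@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "Invoice"
    msg.set_content("Please see attached.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="invoice.zip")
    msg.add_attachment("notes", filename="readme.txt")
    return msg.as_bytes()

if __name__ == "__main__":
    print(scan_message(build_sample()))
```

The double extension in the sample (.pdf.js) mirrors the "disguised as invoices" lure: only the final extension decides how Windows opens the file.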


Protection

  • Be wary of email attachments. Do not open email attachments if you do not know or trust the sender. Even if you do, if the email seems suspicious, contact the sender through another channel to make sure it is legitimate.

  • Use NordVPN’s Threat Protection. This feature scans your downloads for malicious software and blocks them if there’s a hit. Plus, it automatically blocks your access to known malicious websites.

  • Keep your software up to date. This is one of the most fundamental cybersecurity practices. Updates usually patch newly found vulnerabilities — install them as soon as possible!

  • Browse with caution. Do not click on suspicious links or download content from untrusted sources. If prompted to install or execute a file while browsing, make sure it’s safe before accepting.

  • Only download apps from trusted sources. Go to official app stores and websites to download apps or programs. Official platforms will take measures to ensure the downloads are safe and malware free.

  • Use an antivirus. Use trusted antivirus software, keep it updated, and frequently scan your system for infections.

  • Back up. Back up your most sensitive data on an external drive or a secure cloud service.
