Nemucod is a downloader Trojan that targets users through malware spam campaigns. It downloads additional malware onto a victim’s computer, then executes it without the user’s consent. It usually spreads through malicious spam emails with .zip extensions.

Most recently, however, it was seen spreading through Facebook messages as an SVG image.  These images are typically used for vectors, but criminals were able to embed malicious code into the photo. Upon clicking the photo, the victim would be redirected to another website and prompted to download a browser extension. This would allow the malware to access the victim's Facebook account to message their friends with the same SVG image, propagating the malware further. There were also reports of infection leading to the download of Locky ransomware onto the victim’s computer.

ThreatSTOP customers are protected from Nemucod if they have TSCrit targets enabled in their policies.