Nemucod (JS.Nemucod) - What it is, how it spreads, and how to remove it safely

Nemucod (JS.Nemucod)

What it is

Nemucod is a trojan downloader/dropper that arrives as JavaScript or PHP and then pulls in ransomware or other malware. It’s commonly spread by email attachments and malicious links. Technical details and IOCs are in our Nemucod overview for defenders.

How it spreads – quick tour

  • Phishing emails with .js, .zip, or fake invoice attachments

  • Links to pages that serve malicious JS/PHP

  • Compromised sites that auto-download the script

What you may notice

  • Windows prompts to run “script host” or open a .js file

  • Sudden browser redirects or silent downloads

  • A second-stage payload appears - often ransomware or a stealer

Remove it now

  1. Disconnect from the internet to stop the next-stage download.

  2. Run a full anti-malware scan, reboot, then scan again.

  3. Delete suspicious .js/.vbs/.ps1 files and unknown scheduled tasks.

  4. Reset browsers and remove unknown extensions and proxy settings.

  5. From a clean device, change passwords and enable MFA.
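A read-only way to build the review list for step 3, written for this page as an added example (it is not a vendor removal tool). The folder list, the 14-day window and the match pattern are assumptions to adjust; the script only reports recently written script files and scheduled tasks that launch a script host, so each hit can be checked before anything is deleted.

```powershell
# Added example: read-only triage for step 3. It lists candidates and deletes nothing.
$Days = 14   # assumed look-back window; set it to cover when the suspicious email arrived
$since = (Get-Date).AddDays(-$Days)
$scriptExt = '.js', '.jse', '.vbs', '.vbe', '.wsf', '.ps1'

# User-writable folders where attachments and downloads usually land (assumed list).
$roots = @(
    (Join-Path $env:USERPROFILE 'Downloads'),
    (Join-Path $env:USERPROFILE 'Desktop'),
    $env:TEMP,
    $env:APPDATA,
    [Environment]::GetFolderPath('Startup')
) | Where-Object { $_ -and (Test-Path -LiteralPath $_) }

# Recently written script files, with their Authenticode status for context.
$files = Get-ChildItem -LiteralPath $roots -Recurse -File -Force -ErrorAction SilentlyContinue |
    Where-Object { $scriptExt -contains $_.Extension.ToLower() -and $_.LastWriteTime -ge $since } |
    Sort-Object LastWriteTime -Descending |
    Select-Object FullName, LastWriteTime, Length,
        @{ Name = 'Signature'; Expression = { (Get-AuthenticodeSignature -LiteralPath $_.FullName).Status } }

# Scheduled tasks whose action runs a script host or points at a script file.
# A match is a candidate for review, not a verdict: Windows and legitimate
# software also register tasks that call PowerShell.
$pattern = 'wscript|cscript|mshta|powershell|\.(jse?|vb[se]|wsf|ps1)(\s|"|$)'
$tasks = foreach ($task in Get-ScheduledTask) {
    foreach ($action in $task.Actions) {
        $command = "$($action.Execute) $($action.Arguments)".Trim()
        if ($command -match $pattern) {
            [pscustomobject]@{
                Task    = $task.TaskPath + $task.TaskName
                Author  = $task.Author
                State   = $task.State
                Command = $command
            }
        }
    }
}

Write-Host "Script files written in the last $Days days:"
$files | Format-Table -AutoSize -Wrap
Write-Host 'Scheduled tasks that launch a script host or script file:'
$tasks | Format-List
```

Run it from an elevated PowerShell window so tasks registered by other accounts are included.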

Prevent it

  • Do not open script attachments - verify invoices out of band.

  • Keep Windows, browsers, and Office updated; block macros by default.

  • Use email and web filtering plus DNS filtering for known-bad hosts.

  • Show file extensions in Explorer so scripts are not disguised.

  • Limit script engines - prefer signed PowerShell and disable WSH if not needed.
