[KB5935] Does ESET protect me from Nemucod emails?


  • Malicious email traffic containing the threat JS/TrojanDownloader.Nemucod is being tracked worldwide by ESET researchers
  • Your ESET product detects a TeslaCrypt or Locky infection after opening an email from an unfamiliar source or ZIP files from such an email


ESET researchers are tracking a worldwide malicious email campaign consisting of counterfeit invoices, legal communications and other official documents. Many of these emails are well written compared to the typically low-quality copy used in many scam emails.

When recipients open the attachments in these emails, JavaScript is used to install malware, for example TeslaCrypt or Locky, which encrypts data on the victim's computer and demands a ransom. While these are the most commonly seen infections, unprotected computers are vulnerable to a variety of threats from these emails.
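
For mail administrators, the delivery pattern described above (a ZIP attachment carrying a script file) can be checked before a message reaches the user. The following is an added example, not ESET code and not part of the original article; the extension list beyond `.js`, the function names and the sample message are assumptions constructed for illustration.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumption: only JavaScript is named in the article; the other script
# extensions are added here for broader coverage.
SCRIPT_EXTS = (".js", ".jse", ".wsf", ".vbs")

def script_members(zip_bytes):
    """Return names of script files inside a ZIP, or None if it is unreadable."""
    try:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
            return [n for n in zf.namelist() if n.lower().endswith(SCRIPT_EXTS)]
    except zipfile.BadZipFile:
        return None

def inspect_message(raw):
    """Map each ZIP attachment's filename to the script files it contains."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        data = part.get_payload(decode=True) or b""
        # Identify ZIPs by magic bytes, not by the declared name or MIME type.
        if data[:4] == b"PK\x03\x04":
            members = script_members(data)
            findings[name] = ["<unreadable archive>"] if members is None else members
    return findings

def build_sample():
    """Constructed sample: an 'invoice' mail whose ZIP holds a harmless .js file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice_scan.doc.js", "// harmless placeholder\n")
        zf.writestr("readme.txt", "constructed test data\n")
    msg = EmailMessage()
    msg["From"] = "billing@example.com"
    msg["To"] = "accounts@example.org"
    msg["Subject"] = "Invoice attached"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="octet-stream", filename="invoice.zip")
    return msg.as_bytes()

if __name__ == "__main__":
    for attachment, scripts in inspect_message(build_sample()).items():
        print(("QUARANTINE" if scripts else "ok") + f": {attachment} -> {scripts}")
```

A non-empty list for any attachment is a reasonable trigger to quarantine the message for review, since invoices and legal documents have no need to ship as scripts.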


ESET products can detect and block malware contained in Nemucod emails. We strongly recommend that you follow the suggestions below to ensure the highest level of security on your computer:

  • Make sure that ESET Live Grid is enabled in your ESET product.
  • Make sure that your ESET software is upgraded to the latest version and has the latest product modules.
  • Do not open attachments sent to you in emails from unknown senders.
  • Warn colleagues who frequently receive emails from external sources, for instance those in financial departments or Human Resources.
  • Regularly back up your data. In the event of infection, this will help you recover all data. To eliminate the risk of infecting your backups, do not leave external storage used for backups connected to your computer.
  • Make sure you are using the latest operating system updates. Users of older operating systems, for example Windows XP, are encouraged to upgrade for increased security.