Virus and Spyware Removal Guides, uninstall instructions

MacropusRufus Malicious Extension

What kind of application is MacropusRufus?

During our analysis of a suspicious installer downloaded from an untrustworthy website, we encountered the MacropusRufus browser extension. Our investigation uncovered concerning characteristics of this software, including its ability to enable the "Managed by your organization" feature in the Chrome browser, gather user data, and monitor various browser components.

   
Ttwq Ransomware

What kind of malware is Ttwq?

While analyzing malware samples submitted to the VirusTotal platform, we encountered a ransomware variant named Ttwq. Ttwq encrypts files and modifies their filenames by adding the ".ttwq" extension. Furthermore, Ttwq is designed to create a text file called "_readme.txt", which contains a message outlining the ransom demands.

It is important to mention that Ttwq belongs to the Djvu ransomware family. Notably, Djvu ransomware is often distributed alongside information stealers such as RedLine or Vidar by malicious actors. As an illustration of Ttwq's filename changes, it transforms "1.jpg" into "1.jpg.ttwq", "2.png" into "2.png.ttwq" and so on.

   
PerfectSave Adware (Mac)

What kind of application is PerfectSave?

Our researchers discovered PerfectSave during a routine investigation of new file submissions to the VirusTotal platform. After examining this piece of software, we determined that it is adware belonging to the AdLoad malware family. PerfectSave operates by feeding users undesirable and deceptive advertisements.

   
OverallHelpDesk Adware (Mac)

What kind of application is OverallHelpDesk?

Our research team discovered the OverallHelpDesk application while reviewing new submissions to the VirusTotal website. This app is advertising-supported software (adware) that is part of the AdLoad malware family. OverallHelpDesk delivers intrusive advertisement campaigns and may have other harmful abilities.

   
Lapsus$ Group Ransomware

What kind of malware is Lapsus$ Group?

Our researchers discovered the Lapsus$ Group ransomware while investigating new malicious file submissions to the VirusTotal website. It operates by encrypting files to demand ransoms for their decryption.

After launching an executable of this malware on our testing system, we learned that the names of encrypted files are appended with a ".locked" extension. For example, an original filename like "1.jpg" appeared as "1.jpg.locked", "2.png" as "2.png.locked", and so on.

Once the encryption process was completed, a ransom-demanding message was displayed in a pop-up window. The note was in French, and it made claims regarding data theft (double-extortion tactics).

It is worth noting that this ransomware has nothing to do with the Lapsus$ cybercriminal group. It is likely that the developers of this ransomware use the name for greater exposure or in an attempt to create the impression of a high-level attack.

   
PositiveConnectivity Adware (Mac)

What kind of application is PositiveConnectivity?

While inspecting new submissions to the VirusTotal platform, our research team discovered the PositiveConnectivity adware-type app. It is part of the AdLoad malware family. This application is designed to generate revenue for its developers by feeding users with unwanted and deceptive adverts. It may also have other harmful capabilities.

   
SULINFORMATICA Ransomware

What kind of malware is SULINFORMATICA?

SULINFORMATICA is a ransomware-type program discovered by our researchers during a routine investigation of new submissions to the VirusTotal website. This malicious program is designed to encrypt data and demand payment for its decryption.

After we executed a sample of SULINFORMATICA on our test machine, it encrypted files and appended their filenames with a ".aes" extension. For example, a file initially titled "1.jpg" appeared as "1.jpg.aes", "2.png" as "2.png.aes", and so forth.

Once the encryption process was finished, a ransom-demanding message named "Instruction.txt" was created. Based on the text therein, it is evident that this ransomware targets companies rather than home users. SULINFORMATICA also uses double extortion tactics.

   
SysUpdate Backdoor

What kind of malware is SysUpdate?

SysUpdate is the name of a malware that is classified as a backdoor. Programs within this class are designed to infiltrate systems stealthily and may open a "backdoor" for further infection.

While SysUpdate has been around since at least 2020, it has continued to undergo improvements. Historically, the program has been Windows-based, but in 2023 a Linux version emerged (which we reported on at the time).

An entirely new variant was discovered in August of 2023 when it was implemented in two attacks. The campaigns targeted a telecommunications organization based in the Middle East and a governmental body in Asia.

SysUpdate is a custom malware currently used exclusively by APT27, a Chinese Advanced Persistent Threat (APT) group also known as Bronze Union, Budworm, Emissary Panda, Iron Tiger, LuckyMouse, and TG-3390. APT27 has been observed targeting various entities in the Middle East, Southeast Asia, and the USA.

   
BunnyLoader Malware

What kind of malware is BunnyLoader?

BunnyLoader is the name of malware available for purchase (for $250) by cybercriminals across multiple online forums. It is presented as a Malware-as-a-Service (MaaS) and provides a range of features, such as downloading and executing a second-stage payload and harvesting browser credentials and system information.

   
ProgressivePhase Adware (Mac)

What kind of application is ProgressivePhase?

Our researchers found the ProgressivePhase app during a routine inspection of new submissions to the VirusTotal website. After examining this piece of software, we learned that it is adware belonging to the AdLoad malware family. ProgressivePhase is designed to feed users with unwanted and deceptive advertisements.

   

Page 185 of 2138

About PCrisk

PCrisk is a cyber security portal, informing Internet users about the latest digital threats. Our content is provided by security experts and professional malware researchers. Read more about us.
