Virus and Spyware Removal Guides, uninstall instructions

Gqlmcwnhh Ransomware

What kind of malware is Gqlmcwnhh?

Gqlmcwnhh is a ransomware variant from the Snatch family. It encrypts data, appends the ".gqlmcwnhh" extension to filenames, and drops the "HOW TO RESTORE YOUR FILES.TXT" file (a ransom note). Our malware researchers discovered Gqlmcwnhh while examining samples submitted to VirusTotal.

An example of how Gqlmcwnhh modifies filenames: it renames "1.jpg" to "1.jpg.gqlmcwnhh", "2.png" to "2.png.gqlmcwnhh", and so forth.

   
Titan Stealer

What kind of malware is Titan?

While investigating malware samples submitted to VirusTotal, our team discovered an information stealer called Titan. Malware of this type gathers sensitive data from the infected system and sends it to the attacker. Typically, cybercriminals behind information stealers are financially motivated.

   
Tab Session Adware

What is Tab Session?

While checking out deceptive websites, our researchers discovered the Tab Session browser extension. It is presented as a productivity improvement tool that promises easy access and navigation on browsers. However, Tab Session operates as adware. This browser extension runs intrusive ad campaigns and spies on users' browsing activity.

   
XStealer Malware

What is XStealer?

XStealer is a piece of malicious software designed to steal data. This stealer malware can exfiltrate browsing and user information. Therefore, XStealer infections endanger victims' privacy and safety.

   
Cipher Ransomware

What is Cipher ransomware?

While reviewing new submissions to VirusTotal, our research team found the Cipher ransomware. This malicious program is part of the MedusaLocker ransomware family.

After a sample of Cipher was executed on our testing system, it began encrypting files and appended a ".cipher" extension to their names. For example, a file originally titled "1.jpg" appeared as "1.jpg.cipher", "2.png" as "2.png.cipher", and so on for all of the affected files. Other variants of Cipher ransomware append the same extension with a digit added (e.g., ".cipher4", ".cipher7", ".cipher9", etc.).

Once the encryption process was completed, an HTML file named "!-Recovery_Instructions-!.html" was dropped onto the desktop. It contained the ransom note, which makes it evident that this ransomware targets companies rather than home users.

   
Reportyouridentity.site Ads

What kind of page is reportyouridentity[.]site?

While investigating reportyouridentity[.]site, we found that it is a deceptive page designed to trick visitors into believing that their computers are infected. Also, reportyouridentity[.]site asks for permission to show notifications. Our team discovered reportyouridentity[.]site while inspecting websites that use rogue advertising networks.

   
DHL Shipping Document/Invoice Receipt Email Scam

What kind of email is "DHL Shipping Document/Invoice Receipt"?

Our analysis of the "DHL Shipping Document/Invoice Receipt" email revealed that it is fake. This spam letter is presented as a notification from DHL - a legitimate logistics, courier, delivery, and express mail company. This mail attempts to trick recipients into disclosing their email account log-in credentials through a bogus invoice document.

   
TONEINS Trojan

What is TONEINS?

TONEINS is the name of a backdoor malware. This software is designed to open a "backdoor" for additional malicious components or programs into compromised systems.

TONEINS, alongside TONESHELL and PUBLOAD, has been observed being distributed in cyberespionage campaigns particularly active in Asia, namely Myanmar, the Philippines, Japan, Taiwan, and other countries.

These operations target a wide variety of spheres; most heavily affected are governmental and legal entities, but large-scale campaigns were also leveraged against education, academics, research, and various organizations associated or working with the Myanmar government.

The spam emails, and the infectious documents proliferated through them, held content associated with the targeted sphere, global topics, geopolitics, controversies, or even pornography. Specifically, TONEINS was heavily distributed in virulent archive files delivered via malspam.

This malicious activity is linked to the Earth Preta (aka Bronze President, Mustang Panda) group. In addition to the aforementioned malware, this group is known to employ Cobalt Strike and PlugX.

   
Uyit Ransomware

What kind of malware is Uyit?

Uyit is ransomware that encrypts files, appends the ".uyit" extension to filenames, and drops a ransom note (the "_readme.txt" file). Uyit is one of the Djvu ransomware variants. We discovered it while checking the VirusTotal page for recently submitted malware samples. It is common for Djvu ransomware to be distributed with information stealers like Vidar and RedLine.

An example of how Uyit renames files: it changes "1.jpg" to "1.jpg.uyit", "2.png" to "2.png.uyit", and so forth.

   
Timespace.top Ads

What kind of page is timespace[.]top?

Timespace[.]top is a rogue page that our researchers found while inspecting dubious websites. This webpage promotes spam browser notifications and can redirect visitors to other (likely deceptive/malicious) sites.

Most users access pages like timespace[.]top via redirects caused by sites using rogue advertising networks, spam notifications, intrusive ads, or installed adware.

   
