
PSA: Malware detected from member's upload

By the way, this might sound pretty crazy to some, but one of the games on the list, namely — RJ01524136, was initially infected with a cryptominer (libegl.dll, cacheapp, etc.) and sold with it on DLsite.
How could this have happened? Who knows, most likely the developer was infected too, and the infected files "migrated" to their game. But that's just my theory. On one of the content sharing forums, a user posted a screenshot of this game purchased from them, and it was the game they bought that infected them.



In that case, I find it strange if all ddl hentai game sites are not infected.
I downloaded the same thing from ryuugames and scanned libEGL.dll with virustotal, but Huorong did not detect it as
TrojanDropper/CoinMiner.d.
I cannot say for sure as I have not performed dynamic analysis, but since there is antivm, I cannot scan it without a sub-PC.
 
Add [RJ01524403] to this list, it was also most likely distributed by the well-known jekson5865/hentaigamer**
But I can't vouch for the game uploaded here. It was originally posted on a popular anime tracker similar to nyaa, and this torrent is also indexed by TokyoToshokan. (A hint to the site, because I'm not sure if it's allowed to mention/write website names)

If you read the article published by Huorong and uploaded the infected files (if you had any, for example), you'd realize that currently only two antivirus programs detect them: Huorong and Rising, and nothing else. I got infected myself, and the first thing I did was, as an experiment, scan my computer for viruses using AV scanners (KVRT, Cureit, Minersearch), and they found nothing. The most CureIT could find was a modified line in REGEDIT, and that was it. As for the miner itself, it wasn't found.
My Kaspersky Premium found it perfectly, 3 days ago, when I tried to run the game. Database update, several times every day, for all antivirus. Your old database can't find it, okay, that's normal. Second, you need to activate the full check, not a light check, inside the config of your antivirus. And, I don't remember, I write it help immediately 100%, if you find, when I write it, give me. Or, you think, I need search load and check my self, virus <-> against antivirus.
-
When I check again (Reg) right now, I find only a link to C:Users\''YourUsedName''\AppData\Local\Scacheapp
nothing more, no file, no other changes. Kaspersky deleted the virus body and folder, but Windows (Reg) automatically creates a link in Last used folder anyway.
-
Windows Reg creates a big amount of garbage, need to clean, and clean. Every month.
 
My computer has a "syscacheapp" folder, but the folder is empty and there is no SHELL in the registry, which makes me very confused as to whether I have been infected or not.
 
Late to know during the holidays. Seems it's just a miner and doesn't encrypt your important files, but cannot guarantee next time... I've been away from .exe for a long time (I mainly download doujin voice works). In general security terms, if malware is too new to be detected (e.g. on the VirusTotal website), some things may help day to day:
1. Process auditing: learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/component-updates/command-line-process-auditing
2. Other handy tools: www.nirsoft.net/utils/executed_programs_list.html
 
Hey everyone, just a quick note regarding the recent CryptoMiner report affecting some uploads on Nyaa / Anime-Sharing. That's seriously worrying, and I'm really sorry this happened to people.

This is exactly why we started the DLsite Archive Project: we verify files by comparing hashes + file size against the official DLsite API. When a release matches the official reference, we can be far more confident it hasn't been tampered with.

Please stay cautious, and we'll keep doing our part to help the community verify what's safe.
 
This is exactly why we started the DLsite Archive Project: we verify files by comparing hashes + file size against the official DLsite API. When a release matches the official reference, we can be far more confident it hasn't been tampered with.
There's a problem with that: uploaders and contributors usually mix the original files a bit to prevent getting a watermark tracker against their account. Unless every main file is hashed, the archive hash may not tell anything.
 
I only really play hentai games on Steam, I wonder if my downloaded RPG Maker games are infected. Gaben, please give me strength.
 
There's a problem with that: uploaders and contributors usually mix the original files a bit to prevent getting a watermark tracker against their account. Unless every main file is hashed, the archive hash may not tell anything.
True, if uploaders modify files to avoid watermark tracking, a hash won't work. No system is 100% perfect. But that's also the point: a verified hash DB gives a baseline. Match = strong integrity signal, no match = user knows it's altered and can decide what to do. We're building this as a reference/source of truth as coverage grows, even if the DLsite API is messy.
 
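The per-file baseline discussed in the posts above, as an added example that is not part of the thread or of the DLsite Archive Project's code: it hashes every file in an extracted release and classifies each one against a reference manifest, so a repacked archive still shows exactly which files match, changed, or were added. The manifest layout, file names and file contents are constructed for illustration; a real reference manifest would have to come from a trusted source.

```python
import hashlib
import tempfile
from pathlib import Path


def file_digest(path: Path) -> tuple[int, str]:
    """Return (size, sha256 hex) for one file, read in chunks."""
    h = hashlib.sha256()
    size = 0
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
            size += len(chunk)
    return size, h.hexdigest()


def build_manifest(root: Path) -> dict[str, tuple[int, str]]:
    """Map each file's relative path (posix style) to (size, sha256)."""
    return {p.relative_to(root).as_posix(): file_digest(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare(reference: dict, root: Path) -> dict[str, list[str]]:
    """Classify files under `root` against a per-file reference manifest."""
    local = build_manifest(root)
    return {
        "match": sorted(k for k in local if reference.get(k) == local[k]),
        "modified": sorted(k for k in local if k in reference and reference[k] != local[k]),
        "extra": sorted(k for k in local if k not in reference),
        "missing": sorted(k for k in reference if k not in local),
    }


def demo() -> dict[str, list[str]]:
    """Constructed sample: a clean tree, then a copy with one DLL swapped."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, copy = Path(tmp, "clean"), Path(tmp, "copy")
        files = {"Game.exe": b"MZ-constructed", "libEGL.dll": b"original dll",
                 "www/data/Map001.json": b"{}"}
        for base in (clean, copy):
            for name, data in files.items():
                (base / name).parent.mkdir(parents=True, exist_ok=True)
                (base / name).write_bytes(data)
        reference = build_manifest(clean)  # stands in for a trusted reference
        # Same length as the original, so a size check alone would pass.
        (copy / "libEGL.dll").write_bytes(b"replaced dll")
        (copy / "readme_uploader.txt").write_bytes(b"hi")  # file added by a repacker
        return compare(reference, copy)


if __name__ == "__main__":
    for status, names in demo().items():
        print(f"{status:9}{names}")
```

A changed or added text file is a different risk from a changed DLL or EXE, so the `modified` and `extra` lists are where manual review should start.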
My Kaspersky Premium found it perfectly, 3 days ago, when I tried to run the game.
Well, if Kaspersky is detecting this miner now, then that's good, because when I discovered the syscacheapp folder itself and started scanning the computer using KVRT and Cureit, as I always do, they didn't find anything suspicious in this folder and the files inside.
 
Luckily for me I only got one on the list, being:
性教育の実技教師 ~貞操逆転世界で初潮を迎えた女の子に種付けするお仕事~ - RJ01523403,
that I DLed from ryuu.

Seems clean so far but not sure if I trust if it's safe though.
 
My Kaspersky Premium found it perfectly, 3 days ago, when I tried to run the game. Database update, several times every day, for all antivirus. Your old database can't find it, okay, that's normal. Second, you need to activate the full check, not a light check, inside the config of your antivirus. And, I don't remember, I write it help immediately 100%, if you find, when I write it, give me. Or, you think, I need search load and check my self, virus <-> against antivirus.
-
When I check again (Reg) right now, I find only a link to C:Users\''YourUsedName''\AppData\Local\Scacheapp
nothing more, no file, no other changes. Kaspersky deleted the virus body and folder, but Windows (Reg) automatically creates a link in Last used folder anyway.
-
Windows Reg creates a big amount of garbage, need to clean, and clean. Every month.
As he said, Kaspersky is detecting the miner, but it is the behavior engine, so that means it only detects it when the game is running and the miner engages. In my case the antivirus did the job and deleted the game and the cryptominer and restored the registry.
For those who have Windows Pro and a good machine, you can play the game using Windows Sandbox. But for Unity and Unreal games, it is very slow because of the virtual machine.
 
Man, I got a game from Shine and it was on the list. Seems like Shine reuploaded from the user. I've now deleted the contents from the syscacheapp and /shell in the registry, will keep coming back to check if any new payload gets discovered.

Would it be possible to add something like update: on the banner if any new info gets revealed? Don't wanna have to read the thread everyday.

Would also appreciate getting a tag if any new stuff needs deleting/checking.

Also doing a fullscan with huorong antivirus, will post results when it finishes.

Edit: full scan with Huorong showed no threat detected, seems like you're fine after deleting syscacheapp and the registry entry.
 
Thankfully, every day I download resources exclusively from the author ✨Shine✨.

Not quite, Shine also reuploads content from the particular member. If you have downloaded the infected release from anyone at this point, check for malware. Only safe if you only download from girlcelly.

I feel like I didn't stress this enough, CHECK IF YOU HAD DOWNLOADED DLSITE GAME RELEASE.
 
The miner monitors the Task Manager process, so it will terminate if the Task Manager is running.
As someone who always has Task Manager open but got infected, it's very likely then that it never ran on my system? (am still clearing out everything related to it).

Edit: Checked my task manager and found a "Windows Command Processor" task eating up 3gb of ram. Assuming this was it and also ended task asap.
 
Seems like the only one I downloaded was the FGORPG ecstasy RJ01501066
I'm guessing I downloaded it from either Shine/ramori/Otokonoko/zhonyk as those are the only ones I usually download from

I think the malware had VM detection or something as I always run games on sandboxie and I don't have that folder created inside the sandboxed environment
 
Hello, I just want to ask: is it safe now to download those games that have been uploaded here, since other upload sites probably still have the infected version, or is it best to wait? I still see posts of the game still being available to download from other uploaders.
 
推しのVtuber箱に10憶投げ銭したら俺だけの中出しハーレムを手に入れた件 - RJ01473444 [2025/12/03]
FGORPG ~ecstasy~ - RJ01501066 [2025/11/15]

I downloaded both of these and ran them for less than an hour.

Today I checked that I had the [syscacheapp] folder the same time I played the latter (both downloaded from ryuugames, around Dec. 17). I deleted all of my games downloaded around Dec. 28 to make space, not yet knowing about this issue. I don't see any [Shell] or [cacheapp64.exe] in both locations. Should I still check both of these locations at a later date to see if I'm infected, or is it safe to assume that it's clear of any malware?

 
I dodged several bullets because I've become picky with my storage and all of these either look like AI slop, low effort games and are not in English. I was glazing at rj281539 and decided not to download and wait because it's not in English.

What can we do to protect ourselves? This has happened several times in the last 4 months with multiple known sites re-uploading the game from the same source unknowingly.
 
I got infected, so I deleted the registry entries and folders, but they weren't regenerated.
I'm not sure if this solved the problem, but I'll refrain from downloading things going forward.
 
That's why I RECOMMEND you install Sandbox (or any virtual space on your PC), and use it for any type of exe, bat, command-line programs/commands to avoid something like this. People laugh and make fun of this, but this is an effective method to exclude everything from your system and REG. Right now, because AI has advanced significantly, it is easy to create exploit programs that can harm your PC. Be safe and always use a virtual space to decrease the chance of being hacked. Thanks for the info, Checkmate.
 
His personal information should be kept; people may only remember image details such as his avatar and post format!
 
lol, luckily I don't like the games on this list. Who exactly is the audience for these AI-generated, low-quality-art games nowadays?