PSA: Malware detected from member's upload

[Checkmate]

Hello I just want to ask does it safe now to dowload those game that has been upload here since other uploade site probably still has the infected version or is the best to wait? Since I still see post of the game still being able to dowload from other uploader.

Unless it has the mark "Own Bought" from a reputable uploader (either carrying Uploader or Contributor status here), I'd not bother but it doesn't hurt to try to download it, scan it with Huorong and then run it on a decomissioned laptop and see what gives.

As an added precaution, unless you're some mastery homelab enthusiast and properly split subnets/vlan your local network, don't connect that laptop to your LAN, isolated it (or enable WIFI guest network, block it from connecting to other LAN devices)

I use simple word, so atleast you understand I'm talking about.

 

[grj1234]

I prepared the hash lists for the contents of some works that was listed as infected works. (Hash algorithm: MD5, SHA-1, SHA-256, and SHA-512)
The list is created using own-bought files, so no worries about cryptominer.
I don't know whether the hash list is useful for cryptominer detection or not, but I post just in case.

[RJ01443794] 魔法少女アスターリクス・監獄回廊からの脱出 (v1.02) : MD5, SHA-1, SHA-256, SHA-512
[RJ01477834] 浣腸変身エネマリア : MD5, SHA-1, SHA-256, SHA-512
[RJ01523403] 性教育の実技教師 ～貞操逆転世界で初潮を迎えた女の子に種付けするお仕事～ : MD5, SHA-1, SHA-256, SHA-512

I'll prepare the links of own-bought file itself within a day.

 

[wyseman]

Is it safe to download a title game listed on a malware-infected list uploaded by someone else?
人妻剣士サツキの寝取られ売春記 - RJ01507389
I want this.

 

[Checkmate]

Is it safe to download a title game listed on a malware-infected list uploaded by someone else?

NO, I don't think so but you can download and scan carefully.

Unless it carries the "Own Bought" tag from Uploader and Contributor user rank here.

 

[grj1234]

Unless it carries the "Own Bought" tag from Uploader and Contributor user rank here.

I have a question about the "Own Bought" tag.
Should I always use "Own Bought" tag when it's own bought?
In fact, I rarely have used "Own Bought" tag before, even if it's own bought...

 

[Checkmate]

Should I always use "Own Bought" tag when it's own bought?

Usually not but after this incident, probably better to include it. I may make a new own bought prefix to make it even more significant. It means the files are more or less straight from source, low chance of malware since the staff often ask for proof of purchase from Uploaders and Contributors.

It's getting harder to get the coveted Contributor rank.

 

[MosMoss]

Unless it has the mark "Own Bought" from a reputable uploader (either carrying Uploader or Contributor status here), I'd not bother but it doesn't hurt to try to download it, scan it with Huorong and then run it on a decomissioned laptop and see what gives.

As an added precaution, unless you're some mastery homelab enthusiast and properly split subnets/vlan your local network, don't connect that laptop to your LAN, isolated it (or enable WIFI guest network, block it from connecting to other LAN devices)

I use simple word, so atleast you understand I'm talking about.

I see, thank you guess the best way rightnow is to wait for a new upload on those game.

 

[Shine]

Is it safe to download a title game listed on a malware-infected list uploaded by someone else?
人妻剣士サツキの寝取られ売春記 - RJ01507389
I want this.

Some contributors re-upload it from "trusted source", you can consider to download it here.

 

[grj1234]

I'll prepare the links of own-bought file itself within a day.

Upload done. I checked there's no spywares (e.g. cryptominer) in the archive, but I recommend to scan carefully on your end.

[RJ01443794] 魔法少女アスターリクス・監獄回廊からの脱出 (v1.02) : https://www.anime-sharing.com/threads/1850753/
[RJ01477834] 浣腸変身エネマリア : https://www.anime-sharing.com/threads/1850754/
[RJ01523403] 性教育の実技教師 ～貞操逆転世界で初潮を迎えた女の子に種付けするお仕事～ : https://www.anime-sharing.com/threads/1850757/

 

[Checkmate]

We are receiving a large DDOS attack. Someone is hating us :/

 

[forestimp]

What a way to start the year for one of my favorite sites.
First an uploader with malware, now a DDOS attack. Timing is very sus, could also be coincidental, who knows.

Stay strong, admins. I notice we've got Cloudflare verification now (was it there before...) so hopefully it does its job.

 

[Checkmate]

it's like 1 million request per seconds or so from all over the world. Real botnet.

I expect them to come back.

 

[Arisara]

We are receiving a large DDOS attack. Someone is hating us :/

At first Malware detected and next Ddos. I wonder its same ppl? hmm coincidence

 

[xvis]

到时候希望公布一下DDOS的攻击源 来自哪个地区 但愿不要有臭名远扬的那几个地方 :/

 

[MrBoombastik]

I have a question regarding the steps for checking if the machine is infected or not.

Am I safe 'If' I did not see any of the folder/regkey are created on my machine?
syscacheapp and shell from regkey

 

[MrBoombastik]

I have a question regarding the steps for checking if the machine is infected or not.

Am I safe 'If' I did not see any of the folder/regkey are created on my machine?
syscacheapp and shell from regkey

 

[Shadow Word: Porn]

I have a question regarding the steps for checking if the machine is infected or not.

Am I safe 'If' I did not see any of the folder/regkey are created on my machine?
syscacheapp and shell from regkey

Very probably yes. No one can say with 100% certainty, but based on the behavior of the malware we've seen so far, it seems to always create that folder/regkey.

 

[kiev]

This is shocking news at the end of the year.

If you have downloaded any of the games on the list, check "C:\Users\(username)\AppData\Local" and if the "syscacheapp" folder exists, you are infected. Empty the contents of the "syscacheapp" folder. (If the folder is already empty, no minors have been copied and no special measures are required. To be on the safe side, we recommend deleting the games listed.)

You can identify infected games by monitoring the "syscacheapp" folder and checking if cacheapp64.exe is generated immediately after launching the game.

Additionally, the paths to "cacheapp64.exe" and "explorer.exe" will be added to the registry at "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell", so delete the string "explorer.exe, C:\Users\(username)\AppData\Local\cacheapp64.exe". If \Shell is empty, you can delete /Shell itself.

In my case, I was infected by "カーテンのむこう NTR", "NTRギャル -オタクに優しいギャルは寝取られる-" and "人妻剣士サツキの寝取られ売春記".

We recommend monitoring the "syscacheapp" folder for a while to check if any suspicious files have been created.

Please note that these recommendations are merely personal recommendations and are not binding. Please read the Huorong report and use at your own discretion.

Hi, I went by your method and there is the syscacheapp folder with the exe there with a whooping size of 1gb, dated 23/12/2025 which i have deleted, but I tried to go into regedit but the shell folder was not present in

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\

what does this mean? Is there any other possible place that the miner will create a registry at?

 

[kiev]

The registry only handles the automatic execution of exe files, so deleting an exe file does not require any registry changes. Modifying the registry will simply undo the changes made by the miner. If you are still unsure, try searching the registry for "cacheapp64.exe." If "cacheapp64.exe" exists, it is possible that the miner has made changes to the registry.

thank you for your swift reply, I've run a search on the registry and seems like its not there, however its weird that the exe itself present in the cacheapp64 folder, but does not exist in the registry. Sorry Im not too good with these stuff so I'm confused, anyhow the registry so far is healthy and the exe itself is also not present after I've ran another search, problem is I need to identify which is the game which carries the miner as I do not want to run them one by one and check, I'll probably delete all the stuff I've downloaded for the past 2 weeks later at night..

Also one more question, I've seen people posting that the .dll is the issue? So one way we can check is if the dll is of different size then it's suspicious? for example , I'm guessing the first one is sus since its downloaded after 10/12 and size is different too, but I have not ran that game exe before..

 

[kiev]

The size of libEGL.dll seems to vary depending on the game, so if you want to compare it, you need to compare it with the official game.
In the F95 thread, I saw someone comparing the size of the dll included in the trial version.

noted, will try that too, have all the infected games been taken down in AS? Including the one that some uploaders reupload from jekson. You mentioned that only self bought game and girlcelly are safe for now? Meaning those games out there in AS are still infected?

 

[bymka]

Also one more question, I've seen people posting that the .dll is the issue? So one way we can check is if the dll is of different size then it's suspicious? for example , I'm guessing the first one is sus since its downloaded after 10/12 and size is different too, but I have not ran that game exe before..

The first file, 525 KB, is 100% junk that creates a folder with a miner. I had exactly the same one. The rest probably aren't, but you can also upload them to VirusTotal to check. There, you can immediately see when a miner is created in AppData\Local when the game starts.

 

[Checkmate]

I didn't try (because I didn't download these games) but if you "remove" the infected libEGL with a clean one, does the game still work? If we have any brave heroes

 

[Checkmate]

到时候希望公布一下DDOS的攻击源 来自哪个地区 但愿不要有臭名远扬的那几个地方 :/

All I will share:
Normal Day:

Happy Day:

The attack size is about 12M botnets. This was a very large DDOS wave. Did I stole someone's bride or something?

 

[xvis]

All I will share:
Normal Day:

Happy Day:


The attack size is about 12M botnets. This was a very large DDOS wave. Did I stole someone's bride or something?

在中国有句话 '断人财路,如杀人父母' ,这件事揭露后. 肯定各个地方被转.财路给断了 肯定气炸.

而且某国还没过春节,一些由政府资助隐秘组织年底不刷一波业绩.写一部分年终报告.怎么好讨年终奖金和过节费. 现在早已世风日下,道德败坏.

 

[Cag]

Whoa, I also have one game from the list above, but I downloaded it from a Ryuugames.
I don't remember whether I extracted it or not, but I am certain that I have never opened the .exe file.
I also searched for the 'syscacheapp' folder, but I couldn't find it either in AppData or in the Registry.
Even so, am I still safe if I only extracted the files?