PSA: Malware detected from member's upload

My PC is overheating and I've downloaded a bunch of files here over the years. I'm gonna run an anti-virus. Maybe I've been cryptomining this whole time, hence slow performance, that would be really annoying.
 
from otokonoko = libEGL.dll 537600
from shine = libEGL.dll 386560
from ryzen111 = libEGL.dll 386560

It seems the file from otokonoko was the old version because the modified date was also different.
 

from otokonoko = libEGL.dll 537600
from shine = libEGL.dll 386560
from ryzen111 = libEGL.dll 386560

It seems the file from otokonoko was the old version because the modified date was also different.
Thanks for the investigation! @Checkmate

So, otokonoko is faking up on the post for the new update, but in fact it's still old game files/version, and with virus on it.
 
I think Otokonoko didn't lie intentionally. Perhaps the source website faked up on the old files as the new update.
 
Ouch, my bad. I mistakenly forgot to paste the new links while copying the post format from the old post. They were the same old links uploaded from 2025.12, not the new version (2026.01.14).

I'm very sorry again, hoping nobody got it
 
New things I notice from Reeffress (https://www.tokyotosho.info/search.php?username=Reeffress): new file releases starting (2026-02-04 16:14).
The files now have much larger size differences.
RJ01546134 = HameDocu.exe (5909920 bytes) size is much larger than trial (666624 bytes)
= Using DIE (Detect It Easy) to check the .exe, there is an additional "Overlay: Binary".
= It is not only the .exe; it was also on some other files like .resS, with different overlay data.

RJ01533449 = atrx088.exe (120318176) size is much larger than normal (bought it to check since there was nothing to compare) (104589312)
RJ01558451 = Game.exe (7382928) size is much larger than normal RPG maker mz Game.exe (2139648)
RJ01556989 = icudtl.dat (15414128) size is much larger than normal RPG maker mv icudtl.dat (10171248)
RJ01555596 = icudtl.dat (25899888) size is much larger than normal RPG maker mv icudtl.dat (10171248)
RJ01550686 = vk_swiftshader.dll (10577600) size is much larger than normal tyrano w/ vulkan (5334528)

In case any of these RJ codes is posted here, double-check it. No idea if the extra size does anything (because now the difference is much larger) or, just like before, does nothing.
 
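The size-versus-reference comparison and the "Overlay" reading from Detect It Easy described in the post above can be reproduced with a short script. This is an added example, not code from any poster: it parses the PE section table to measure data appended after the last section, and `make_sample_pe` builds a constructed, harmless stand-in file (all function names are this example's own).

```python
import struct

def pe_overlay(data):
    """Return (end_of_image, overlay_size) for a PE file, or None if not a PE."""
    try:
        if data[:2] != b"MZ":
            return None
        pe_off, = struct.unpack_from("<I", data, 0x3C)      # e_lfanew
        if data[pe_off:pe_off + 4] != b"PE\0\0":
            return None
        nsec, = struct.unpack_from("<H", data, pe_off + 6)
        opt_size, = struct.unpack_from("<H", data, pe_off + 20)
        table = pe_off + 24 + opt_size          # first 40-byte section header
        end = table + 40 * nsec                 # headers count as image data
        for i in range(nsec):
            raw_size, raw_ptr = struct.unpack_from("<II", data, table + 40 * i + 16)
            if raw_size:
                end = max(end, raw_ptr + raw_size)
    except struct.error:                        # truncated or malformed headers
        return None
    return end, max(0, len(data) - end)

def compare_to_reference(suspect, reference):
    """Summarise how a suspect PE differs in size from a known-good copy."""
    s, r = pe_overlay(suspect), pe_overlay(reference)
    delta = len(suspect) - len(reference)
    return {
        "size_delta": delta,
        "suspect_overlay": s[1] if s else None,
        "reference_overlay": r[1] if r else None,
        # True when the whole size difference is appended data, not changed sections
        "delta_is_overlay": bool(s and r and s[1] - r[1] == delta),
    }

def make_sample_pe(overlay=b""):
    """Constructed minimal PE: DOS header, COFF header, one 16-byte section."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0)
    sect = b".text\0\0\0" + struct.pack("<IIII", 0x10, 0x1000, 0x10, 0x200) + b"\0" * 16
    return (dos + coff + sect).ljust(0x200, b"\0") + b"\x90" * 0x10 + overlay

if __name__ == "__main__":
    clean = make_sample_pe()
    padded = make_sample_pe(overlay=b"A" * 4096)   # stands in for appended data
    print(pe_overlay(padded), compare_to_reference(padded, clean))
```

A non-zero overlay is not proof of malice on its own: Authenticode signatures and self-extracting installers also store data past the last section, which is why the comparison against a known-good copy matters.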
New things I notice from Reeffress (https://www.tokyotosho.info/search.php?username=Reeffress): new file releases starting (2026-02-04 16:14).
The files now have much larger size differences.
RJ01546134 = HameDocu.exe (5909920 bytes) size is much larger than trial (666624 bytes)
RJ01533449 = atrx088.exe (120318176) size is much larger than normal (bought it to check since there was nothing to compare) (104589312)
RJ01558451 = Game.exe (7382928) size is much larger than normal RPG maker mz Game.exe (2139648)
RJ01556989 = icudtl.dat (15414128) size is much larger than normal RPG maker mv icudtl.dat (10171248)
RJ01555596 = icudtl.dat (25899888) size is much larger than normal RPG maker mv icudtl.dat (10171248)
RJ01550686 = vk_swiftshader.dll (10577600) size is much larger than normal tyrano w/ vulkan (5334528)

In case any of these RJ codes is posted here, double-check it. No idea if the extra size does anything (because now the difference is much larger) or, just like before, does nothing.
Can you virus-scan them? Or see what Virustotal says.
Honestly, any MZ/MV games downloaded from here or other sites should have their nw.js runtime swapped with the official one before playing, as you can no longer trust the source.
 
Can you virus-scan them? Or see what Virustotal says.
Honestly, any MZ/MV games downloaded from here or other sites should have their nw.js runtime swapped with the official one before playing, as you can no longer trust the source.

Nothing really found on VirusTotal.
RJ01550686 vk_swiftshader.dll = https://www.virustotal.com/gui/file/833a8df5e70d4d0b2bf94fb782065268073ba59a1daf3d2e940d1d45de1e6739
RJ01558451 Game.exe = https://www.virustotal.com/gui/file/d03d0102996cb15c846334b379dc8e77f35080c4b642157809e0af816554fd51
RJ01546134 HameDocu.exe = https://www.virustotal.com/gui/file/b5e1ae494c31d03442cd0cf2503ca2ce0a6e525c5b7020c074e365b1a12ef871
RJ01533449 atrx088.exe = https://www.virustotal.com/gui/file/bde7af4e90c24ca77a633f03e067c6f33df5f64358aa8cb43452c46bd11c78f5
 
I want to download from users who buy their own content, but is there a way to objectively prove that they are buying it themselves?
For example, UFO and ramori.
 
I want to download from users who buy their own content, but is there a way to objectively prove that they are buying it themselves?

Most active Uploader and Contributor (identified under their rank) here will have to submit proof of purchase for their game, which is marked by "Own Bought"
 
Heads up: recently in F95 we are getting some infected RPGM uploads from fake new users which, aside from the typical infected game.exe or .dll, are starting to use .js scripts to inject disguised .exe files. For example, we got a fake audio.js file which is actually an .exe:
1775449750357.png


1775449767097.png


main.js script:
1775449805943.png


rpg_windows.js
1775449819118.png


Now yesterday we got a user uploading RPGM games containing random fake .ogg files with an .exe malware (for which I couldn't find the .js executing this file):
1775449971273.png


More details here in my recent post, and the previous post. I hope this information could be helpful.

TLDR: Beware of malicious .exe files disguised as other types of file (.ogg or .js as an example) or malicious .js scripts executing malicious tasks.
 
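One way to sweep an extracted game folder for the pattern reported above: PE executables stored under names such as audio.js, bakaudio or *.ogg. This is an added example, not code from the thread: it checks file headers rather than extensions, the `PE_EXTENSIONS` list is an assumption, and `make_sample_tree` writes a constructed folder of harmless stub files.

```python
import os
import struct
import tempfile

# Extensions where a PE image is expected (assumed list; extend for your engine).
PE_EXTENSIONS = {".exe", ".dll", ".node", ".sys", ".scr"}

def is_pe(path):
    """True if the file has an MZ header whose e_lfanew points at 'PE\\0\\0'."""
    with open(path, "rb") as f:
        dos = f.read(0x40)
        if len(dos) < 0x40 or dos[:2] != b"MZ":
            return False
        f.seek(struct.unpack_from("<I", dos, 0x3C)[0])
        return f.read(4) == b"PE\0\0"

def find_disguised_pe(root):
    """Relative paths of PE images whose file name claims something else."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            ext = os.path.splitext(name)[1].lower()
            if ext not in PE_EXTENSIONS and is_pe(path):
                hits.append(os.path.relpath(path, root).replace(os.sep, "/"))
    return sorted(hits)

def make_sample_tree():
    """Constructed sample: a fake game folder containing harmless stub files."""
    stub = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40) + b"PE\0\0"
    files = {
        "Game.exe": stub,                        # PE under a PE extension: expected
        "www/js/main.js": b"// plain script\n",
        "www/js/audio.js": stub,                 # PE named like a script
        "www/js/bakaudio": stub,                 # PE with no extension
        "www/audio/bgm/Town1.ogg": b"OggS\0\x02" + b"\0" * 20,
        "www/audio/se/Scene02.ogg": stub,        # PE named like audio
    }
    root = tempfile.mkdtemp(prefix="rpgm_sample_")
    for rel, data in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
    return root

if __name__ == "__main__":
    for hit in find_disguised_pe(make_sample_tree()):
        print("PE content behind a non-executable name:", hit)
```

A hit means the file deserves a closer look and should not be run; the scan does not find the script that launches it.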
Heads up: recently in F95 we are getting some infected RPGM uploads from fake new users which, aside from the typical infected game.exe or .dll, are starting to use .js scripts to inject disguised .exe files. For example, we got a fake audio.js file which is actually an .exe:
View attachment 94939

View attachment 94940

main.js script:
View attachment 94941

rpg_windows.js
View attachment 94942

Now yesterday we got a user uploading RPGM games containing random fake .ogg files with an .exe malware (for which I couldn't find the .js executing this file):
View attachment 94943

More details here in my recent post, and the previous post. I hope this information could be helpful.

TLDR: Beware of malicious .exe files disguised as other types of file (.ogg or .js as an example) or malicious .js scripts executing malicious tasks.
Can you give us some details about what this virus does? What IP is it trying to reach, what files/registry it creates/downloads/modifies? Also, can you tell what we need to remove/block this virus?
 
You must be logged-in to do that.
It seems F95 will now require log in for reading? Any chance you can paste those here for publicity?
OK, I will copy-paste my recent post:

(Me quoting another user):
"
I think it's the same guy from before :v
1775452070387.png


his uploads:
1775452096053.png

Yotogi ver102 game.exe virustotal scan:
https://www.virustotal.com/gui/file...1593157ef41f6dbe0e258bbbe8992d19de7/detection

Now it's hidden in fake .ogg files (game was 押しかけ少女と異世界転移):
1775452127961.png


This one is from RJ01552465-アキナ・キャラバン 製品版1.00 (file was removed some minutes after I downloaded it) (I could not find the file that runs this .exe):
1775452157259.png

We need some verification for new users uploading files to prevent this from happening. If you take a look in this thread, at least 1-2 or more users downloaded this game.
The new method from this user is using new or hacked accounts so he can upload infected RPGM games. He uses some malicious .js script or fake files containing .exe (fake .ogg in this example, could spread to more types of files).
"
 
Now my previous post talking about infected .js files:

(Me quoting another user):
"
1775452286723.png



Yeah, it's most probably malware. As I saw in one of your posts about the scripts, I downloaded the MTL upload of RJ01417214 of the first user you mentioned and, searching for the mention of audio.js, I saw this in the rpg_scenes.js file:

1775452334473.png


The audio.js file looks like an .exe file (there's also a bakaudio file which looks like an .exe):
1775452353885.png



The one from RJ01406729 shizuna main.js (NOTE: I've checked the Japanese game files (no audio.js inside them) and this MTL script version is modified, the Japanese version doesn't have this audio.js being loaded!!):


1775452380493.png


JAP/"MTL" main.js file diff comparison:

1775452400207.png

...
"
 
Part 2 of my previous post (too many attachments):
(Part 2):
"...
more .js infected:
1775452557471.png



AI gave me this about the rpg_scenes/rpg_core script lines:

1775452588576.png

TLDR: Your post confirms that these two users are uploading most probably infected MTL malware files (audio.js .exe /bakaudio), which are being executed by these hidden lines in rpgmain scripts. Admins should act quickly before they spread even more.
"
 
Whoever did this probably automated the entire workflow and developed the relevant skills.md necessary to do all of this. We are at the next generation of malware.

And an engine like RPG Maker is an easy vector to do it
 
Can you give us some details about what this virus does? What IP is it trying to reach, what files/registry it creates/downloads/modifies? Also, can you tell what we need to remove/block this virus?
Unfortunately I don't have more details aside from VirusTotal scans. I do still have the infected files preserved for future scans/analysis (only the fake .oggs, the game.exe was deleted by Windows Defender).
(I also don't have much knowledge of virus behavior analysis, I just searched for the infected files).

VIRUSTOTAL scans:
Kunoichi Seigi Kessen Katsugeki – Kan'ei Yotogi Kassen/RJ01499133 (game.exe):
https://www.virustotal.com/gui/file...1593157ef41f6dbe0e258bbbe8992d19de7/detection

The Girl Who Barged In and the Isekai Transfer [RJ01536189] 押しかけ少女と異世界転移 (Scene02.ogg):
https://www.virustotal.com/gui/file...015e4e8ad1934fbadaa286fa6340bdef98b/detection

性処理用勇者 -ver1.7 Hero for Sexual Relief + DLC01[RJ01387722] (name05.ogg):
https://www.virustotal.com/gui/file...f76a590b4308d399e7a75d6e589347b600e/detection

RJ01552465-アキナ・キャラバン 製品版1.00 (Ship4.ogg):
https://www.virustotal.com/gui/file...015e4e8ad1934fbadaa286fa6340bdef98b/detection

It looks like the AVs didn't detect anything (aside from the first game.exe), but I still don't trust any of these files. These .exe codes are obfuscated; it looks like it loads some .dll, or something, if you want to take a look at the analysis.

I don't trust a random .exe file hidden in an .ogg. If the VirusTotal results don't look clear and someone has deeper knowledge of malware analysis, I can send the files for a closer look.

1775453612391.png