PSA: Malware detected from member's upload

Checkmate

Admin

We have received a credible report from Huorong, a Chinese cybersecurity firm, regarding a potential CryptoMiner circulating within one of the uploads on Nyaa Torrents and the Anime-Sharing Community.

You can review the full report (in Chinese) here: Huorong Report.
The uploader suspected of intentionally spreading this malware is @jekson5865, who has been banned. We have removed all threads associated with this user.

Unfortunately, there is a possibility that other uploaders or contributors may have re-uploaded infected files from this individual or from compromised sources like Tokyo Toshokan and Nyaa Torrents.

If you have downloaded any releases from this uploader or any other, we recommend you delete the files or check for any abnormal activity. Below is a reference list of the uploads made by this user.

We sincerely apologize for any oversight in this matter. Please be cautious and always verify what you download, especially from unknown members, here or elsewhere. The ASF Community and its staff are committed to protecting the community from malware. We also extend our sincere gratitude to the Chinese community for sharing this valuable report with us.

Code:
堕ちた女神リリスとサキュバス軍団 - RJ01536243 [2025/12/29]
売春バニーの快楽堕ちRPG 徐々に淫欲に堕ちるバニー - RJ01526539 [2025/12/30]
巨乳の女の子たちにひたすら種付けするだけのゲーム - RJ01537640 [2025/12/30]
僕の瑠璃子のバニー体験記 - RJ01534032 [2025/12/29]
性教育の実技教師 ~貞操逆転世界で初潮を迎えた女の子に種付けするお仕事~ - RJ01523403 [2025/12/27]
ONAGONO QUEST EVE - RJ01496131 [2025/12/28]
人妻剣士サツキの寝取られ売春記 - RJ01507389 [2025/12/28]
息子のあとしまつ~母さんとのエッチはすべてアニメ!簡単すぎる母子RPG!エッチイベント270個(搾乳差分多めです!)~ - RJ01475186 [2025/12/26]
マスターマインド Ver1.00 - RJ01476568 [2025/12/26]
インランカンパ~淫魔VS天使VSショタ~ - RJ01512978 [2025/12/27]
探偵騎士ダイアナ - RJ01521518 [2025/12/27]
格闘娘はお金が無い!Ver1.048 & 追加パッチ Ver1.04 - RJ01524667 [2025/12/27]
SweetLife 〜幸せな毎日が、寝取られに染まるまで〜 - RJ01416500 [2025/12/22]
ヨウセイ! - RJ01533009 [2025/12/24]
おっぱい剣士がクエストしてたら魔王討伐してました[Episode 01] - RJ281539 [2025/12/23]
NTR物語2〜ダークウォーカーマストダイ〜 - RJ01450546 [2025/09/15]
Brainwashing with Tentacles R - RJ01519121 [2025/12/05]
箱入り娘と小旅行 - RJ01525428 [2025/12/23]
竿役おじさん、サキュバスハンターになる~サキュバスをセックスで倒していくバトルファックRPG~ - RJ01507660 [2025/11/28]
くノ一忍法帖 お千代 - RJ01511106 [2025/11/29]
さくらエグゼック特別救急警備部性処理課 - RJ01484777 [2025/12/21]
ミミズ井戸。 - RJ01526843 [2025/12/20]
NTRギャル -オタクに優しいギャルは寝取られる- - RJ01524136 [2025/12/20]
アンホーリーメイデン - Unholy maiden - RJ01412576 [2025/12/19]
魔法少女アスターリクス・監獄回廊からの脱出 - RJ01443794 [2025/12/19]
浣腸変身エネマリア - RJ01477834 [2025/12/19]
カーテンのむこう NTR - RJ01509772 [2025/12/19]
FGORPG ~ecstasy~ - RJ01501066 [2025/11/15]
魔王城再防衛戦記 - RJ01507212 [2025/12/01]
推しのVtuber箱に10憶投げ銭したら俺だけの中出しハーレムを手に入れた件 - RJ01473444 [2025/12/03]
幻境の蜜籠 - RJ01517680 [2025/12/06]
催○戦記〜異世界転生編〜 - RJ01522090 [2025/12/11]
Peeping MySchool 盗撮が救う未来もある!? - RJ01509293 [2025/12/15]
足りない勇者とツイてる仲間たち - RJ01526574 [2025/12/15]
アルカワット聖訪記 製品版 - RJ01509975 [2025/12/10]
ボンバーRPG ~galaxy world~ - RJ01518767 [2025/12/13]
ダンジョン肉 - RJ01524502 [2025/12/13]
ボニー&トレイシー - RJ01511771 [2025/12/13]
獣退魔師 - RJ01208336 [2025/12/13]
エルフの戦士 アンジェラ - RJ01511100 [2025/12/13]

Edit 260108:
[ラッキースケベ日記たかしくん@CFNM] 背徳射精 ドキドキ潜入調査〜あなたは一線を越えられるのか〜 - RJ01525446
Kaiju Princess 2 Unknown Version
アリス・イントルードMZ~敵地に潜入した女エージェントチームがどちゃくそエロい目に遭うゲーム~ [RJ01449864]

Edit 260126: from f95 forum

RJ01535315 - [28/12/2025]
RJ01533597 - [27/12/2025]
RJ01519862 - [27/12/2025]
RJ01533503 - [27/12/2025]
RJ01318417 - [26/12/2025]
RJ01534775 - [26/12/2025]
RJ01530723 - [25/12/2025]
RJ01339308 - [25/12/2025]
RJ01503646 - [24/12/2025]
RJ01525900 - [24/12/2025]
RJ01525197 - [19/12/2025]
RJ01524093 - [Not sure but a user confirmed it's infected]
 
Shouldn't this topic be pinned or have a banner at the top?

Luckily nothing there is the genre I play at all. We at anime-sharing at least got a notice, but there are a bazillion sites out there that re-upload those H games from who-knows-where and there are many people downloading them. Really shows how you gotta be on your toes with piracy.
 
Is it possible to find out in Task Manager whether I have that miner, just in case? Or where to locate it?
 
I'm shocked.
Not by the fact someone did this.
But by the fact that after checking this news, I double-checked my computer and found myself infected. And I never downloaded from this person. Only from a couple of uploaders I trusted because I've been downloading from them for years without problems.

So, it turns out they uploaded someone else's work (well, it's frequent), without checking the work for malware....

Gotta delete some more works in my waiting list just to be safe and run some more AV and anti-malware scans now :-(
 
If you downloaded [dHR研] さくらエグゼック特別救急警備部性処理課 - RJ01484777 , you're most likely infected because no one else uploaded it. (Confirmed that the copy I downloaded generated the virus file.)

I usually only download from trusted uploaders but was super bored the day it came out.

Edit: Going through all my recent games to see if anything else is infected that isn't on the above list and adding them to the list below.

[ラッキースケベ日記たかしくん@CFNM] 背徳射精 ドキドキ潜入調査〜あなたは一線を越えられるのか〜 - RJ01525446
 
> Only from a couple of uploaders I trusted because I've been downloading from them for years without problems.

Most uploaders and contributors check for malware when they upload. Unfortunately, this is a new variant, with only a couple of AVs reporting it as suspicious, which is not conclusive.

The Chinese community submitted a request to Huorong AV for a conclusive report. The timing was also sensitive (around Christmas / New Year, when people had already left for the holidays).

We took action as fast as possible to prevent further damage, while being transparent about it.
 
> Most uploaders and contributors check for malware when they upload. Unfortunately, this is a new variant, with only a couple of AVs reporting it as suspicious, which is not conclusive.
>
> The Chinese community submitted a request to Huorong AV for a conclusive report. The timing was also sensitive (around Christmas / New Year, when people had already left for the holidays).
>
> We took action as fast as possible to prevent further damage, while being transparent about it.

It is true that my own AV didn't detect anything at the time.

It's just the human mind.
Even if it's "bad luck", in a way, you put the fault on the uploader and the trust is damaged for a while.
Even as you (I in this case) know it, the damage is still existent.

At least, it wasn't the worst type of malware / virus that got into my computer (still gonna check it out in case more trouble is lurking in wait).
 
> Even if it's "bad luck", in a way, you put the fault on the uploader and the trust is damaged for a while.
> Even as you (I in this case) know it, the damage is still existent.

I understand your frustration, and it's completely reasonable to feel that way after an experience like this. It's important to note, however, that neither ASF nor its staff can guarantee that all shared content is 100% safe. That said, we do take security very seriously and actively work to prevent bad actors from distributing malware within the community.

In this particular case, the malware was not detectable at the time by common antivirus software. It was only identified later after members of the Chinese community submitted it to Huorong AV for deeper analysis and confirmation. Unfortunately, situations like this can happen despite best efforts.

If your goal is to minimize risk as much as possible (though still never 100%), obtaining content directly from official sources such as DLsite is the safest option. You can also improve your personal security practices, for example, by running content from non-official sources on an isolated or older computer. This is something I personally do as an added precaution.

Ultimately, I want to make sure everyone clearly understands the risks involved. We're all adults here, and each person can decide for themselves how they want to proceed based on their own comfort level.

Again, we will do everything we can within our means to protect the community, and to stop the spread of malware, but even our best won't be enough.

Stay safe.
 
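I don't know yet whether I've been hit.
But I keep procexp64 running the whole time I use my PC and never close it; maybe that gives some degree of immunity?
I read Huorong's report, and the game spreading it in their screenshots is a Chinese-language one. Maybe games that support Chinese are more likely to be affected..?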
 
What heavy news right at the start of the new year! Luckily, it's not a genre I usually consume, so I didn't download anything from the list. And here I was thinking this kind of thing didn't happen anymore.
:akazukin_down:
 
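> I don't know yet whether I've been hit.
> But I keep procexp64 running the whole time I use my PC and never close it; maybe that gives some degree of immunity?
> I read Huorong's report, and the game spreading it in their screenshots is a Chinese-language one. Maybe games that support Chinese are more likely to be affected..?

The list provided over at 南+

basically includes Japanese games as well.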
 
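> The list provided over at 南+
>
> basically includes Japanese games as well.

I don't go to that site (actually, I don't know how to get there),

and over the last two months I think I've only played one doujin game, a deserted-island one. Everything else was commercial releases. Lucky that I'm not that active? :o_O::o_O:

Timeline-wise, it was probably first discovered and exposed in mid-December. For now it's a case of mending the fold after the sheep are lost, and it's not too late yet. All this messy stuff at the end of the year is really annoying. :eek::eek: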
 
> I'm shocked.
> Not by the fact someone did this.
> But by the fact that after checking this news, I double-checked my computer and found myself infected. And I never downloaded from this person. Only from a couple of uploaders I trusted because I've been downloading from them for years without problems.
>
> So, it turns out they uploaded someone else's work (well, it's frequent), without checking the work for malware....
>
> Gotta delete some more works in my waiting list just to be safe and run some more AV and anti-malware scans now :-(

what did ya use to check? only played unholy maiden from f95 but haven't noticed any changes
 
We recommend monitoring the "syscacheapp" folder for a while to check if any suspicious files have been created.

I deleted the syscacheapp folder itself, is that fine?

(Don't think I downloaded any of the games on the list, but I have the folder, so there's probably been earlier infected stuff somewhere)
 
I also share resources myself, and I thought the spirit of sharing on the internet was a cool thing. I never expected that someone would use this to do evil. It's disgusting.
 
Goddamnit, I don't remember all of the games I downloaded by name. Especially their Japanese name. It would be extremely helpful if someone could post the matching cover/thumbnail for each of them.

Had to format my PC a few years ago because of a cryptominer that kept coming back after I deleted it. And since someone here said the miner terminates if it detects Task Manager running, I'd have never seen it because I always have Task Manager running. Fortunately for me, a regedit search for cacheapp64 yields no results.
 
Adding one game to check here; it's called "(同人ゲーム)[ぱいギル] 破壊神、童貞すてます-RJ01524093"
After checking my 20 most recently downloaded games, this was the only one with an infection, and it was downloaded from Nyaa.
 
Mango Party\大食い怪獣姫 惑星のグルメ旅
ネロンソフト\FGORPG ~ecstasy~
ハーフトーンドット\処女巫女の霊力供給えっち ─恋人の妹にぶっかけ中出し─
白の魔\アルカワット聖訪記
まぐちゃん\SweetLife 〜幸せな毎日が、寝取られに染まるまで〜 libogg_64.dll 42kb
リベリオンれい\インランカンパ~淫魔VS天使VSショタ~
 
Guys, what do you use to check files, and how?
What do you use to stay safe?
Because I'm not sure if I downloaded from him, but I still haven't run any of the downloaded games on this system
 
Maybe creating the folder syscacheapp and removing all permissions can block the miner from copying itself inside? Or placing a copy of notepad.exe with a changed name, then changing the permissions to read-only; if the miner fails to install but puts itself in the registry, then Notepad will open randomly.

Also, I didn't understand how the miner is integrated; is it a wrapper around the executable?
Edit: I did see some DLLs from the previous post; are other files involved?

I downloaded at least two games from the list but I don't know what source they came from. I'm trying VirusTotal, but it's probably too early and not in their database.
At least 1 hit on VirusTotal from Huorong with libEGL.dll, size 537600, on RJ01507389; other files all green.

Some games seem to be built around Unity; in that case, what is the infected file? I mean, if we replace libegl.dll with the legit version from another game we may save the game, but Unity games don't have this file.
I don't have other games posted by jekson and the infected archive links are gone, so I don't know how to find and check for it; every Unity game has around 150 exes and DLLs.

For now:
libegl.dll
mono-2.0.bdwgc.dll
version.dll

And I found an infected game in my folders; it did not create syscacheapp. However, that machine has no gateway and I rarely connect it to the internet; the browser just uses a manual proxy configured via an extension.
I assume that after failing to download, the miner just did nothing.
 
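I took another look. First, to determine whether it starts at boot, you can check the registry: run regedit and go to this path:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell

This is what it looks like on my own computer:
[Attached image: 3453465ャ.JPG]

This is what an infected machine looks like in the report:
[Attached image: 1767087655301273.png]

I also recommend this software to everyone:
Process Explorer
https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer
Its most basic function is monitoring your computer's resource usage. The original version is in English, so there shouldn't be a language barrier, right?
It also seems to be one of the things that hinders the malicious program from running.
[Attached image: 567.JPG]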
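
The checks mentioned across this thread (the HKCU Winlogon\Shell value, a syscacheapp folder, and the DLL names posters reported) can be collected in one read-only pass. This is an added example, not code from any poster or from the Huorong report; the `$GameRoots` parameter and the folders searched for syscacheapp are assumptions, because the thread does not say where that folder is created.

```powershell
# Added example, not from the thread or the Huorong report. Read-only: it changes nothing.
param(
    # Assumption: where downloaded games were unpacked; pass your own folders.
    [string[]]$GameRoots = @("$env:USERPROFILE\Downloads")
)

# 1. Per-user Winlogon "Shell" value (the registry path quoted in the post above).
#    A stock Windows install has no Shell value under HKCU; the default lives in HKLM.
$key   = 'HKCU:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$shell = (Get-ItemProperty -Path $key -Name Shell -ErrorAction SilentlyContinue).Shell
if ($null -ne $shell) {
    Write-Warning "HKCU Winlogon\Shell is set to: $shell"
} else {
    Write-Output 'HKCU Winlogon\Shell: no value present'
}

# 2. Any folder named "syscacheapp". Its location is not given in the thread, so the
#    per-user and machine-wide data folders searched here are an assumption.
$roots = @($env:APPDATA, $env:LOCALAPPDATA, $env:ProgramData, $env:TEMP) + $GameRoots |
    Where-Object { $_ -and (Test-Path -LiteralPath $_) } | Select-Object -Unique
$hits = Get-ChildItem -LiteralPath $roots -Directory -Recurse -Force `
            -Filter 'syscacheapp' -ErrorAction SilentlyContinue
foreach ($dir in $hits) {
    Write-Warning "Folder found: $($dir.FullName) (created $($dir.CreationTime))"
    Get-ChildItem -LiteralPath $dir.FullName -File -Force -ErrorAction SilentlyContinue |
        Format-Table FullName, Length, LastWriteTime -AutoSize
}
if (-not $hits) { Write-Output 'No syscacheapp folder under the searched roots' }

# 3. DLL names posters in this thread reported from infected releases. Clean software
#    uses the same names, so this only lists candidates with a SHA-256 that can be
#    looked up or submitted to an AV vendor; it does not label any file as infected.
$names = 'libegl.dll', 'mono-2.0.bdwgc.dll', 'version.dll', 'libogg_64.dll'
$valid = $GameRoots | Where-Object { Test-Path -LiteralPath $_ }
if ($valid) {
    Get-ChildItem -LiteralPath $valid -File -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { $names -contains $_.Name } |
        ForEach-Object {
            [pscustomobject]@{
                Path   = $_.FullName
                Size   = $_.Length
                SHA256 = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            }
        } | Format-List
}
```

A clean result from this script only means these three traces were not found under the searched paths.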
 
Does anyone know what jekson5865's profile picture looked like?
I'm wondering because seeing the profile picture might help me remember if I downloaded from that person.
 
> Does anyone know what jekson5865's profile picture looked like?

Member jekson5865 does not use any profile picture. And because a large number of uploaders also re-uploaded infected releases from jekson5865, it doesn't help even if you didn't download from jekson5865 but got the same release from someone else.

And before you start asking why nobody checked for it: everyone checks VirusTotal at least, but there was no red flag until someone noticed their PC being really hot and really slow, and that alerted a Chinese group of users to investigate. They finally asked Huorong to take a look, and Huorong confirmed it just a couple of days ago.

Even if you check right at this moment, only Huorong AV will flag it.

Tip: On ASF, we have a special note, "Own Bought Game", from Uploaders and Contributors. We require Uploaders and Contributors to submit proof of purchase frequently, so the Own Bought releases from Uploaders and Contributors are more reliable (but still NOT absolutely 100% safe).
 