| If you like what I do, please consider donating to help me maintain this site, compressing RDP and seedboxes for my repacks. | Donate to FitGirl |
A Call for Donations
Once in a while, this day comes. The day when I have to remind you that making repacks and running this site costs me money.
Three years ago I rented a very powerful RDP (remote machine), which now allows me to repack a huge number of games; you can see it by the total count of posts each month.
The war in Ukraine caused a worldwide economic crisis, which is now taking a toll on my hobby expenses as well.
That’s why I remind you that if you have cryptocurrency of any amount, you can share some crypto-pennies with me to help maintain the site and allow me to continue the service that you rely on.
All these years, I have kept the site ad-free. I’m not gonna change my policy about ads. I’m not earning money off my hobby; I only try to cover expenses, and when some of you donate periodically, it’s all good.
So, if you can afford to say “Thanks” in a crypto monetary way, be my guest; I have a plethora of cryptocurrencies supported for donating.
If you can’t, no worries; you can still seed torrents, which also helps the crowd.
Support the cause, donate crypto to FitGirl
New to crypto?
It has apps for desktop and smartphones, supports 240+ coins and has a built-in ability to buy crypto with traditional money.
Since May 2024 I have a new donation widget available, which allows you to donate almost any crypto on the market, regardless of whether I have a wallet for that particular coin. It converts your donation in SuperDuperCoin into one of the coins I accept, minus a tiny fee. So if you have stashed some obscure crypto you don’t know what to do with, now you know what to do 🙂
PS: January 21, 2026 – Nothing new added, just a reminder for those who can help.
Heroskeep: The Malware Distributor
OK, with help from my users I can finally confirm that the suspected malware data pack I posted yesterday is indeed malware.
And it’s distributed by a user named Heroskeep, who uploads his works to two big torrent trackers: 1337x.to and TPB:
Update Jan 15, 2025: Both 1337x.to and TPB have cleaned the Heroskeep accounts; all torrents have been removed.
Below is solid proof that his repacks and other releases contain mining malware, with the steps needed to reproduce it.
To check the malware you need only two files from any of his latest repacks (actually this goes for about 10 months):
setup.exe (installer + malware dropper in one package) and Redist.bin (malware container, always the same 298.1 MB file)
So, you download selected files, let’s take his
“FIFA 22-VOICES38 [v1.0.77.45722] [ALL DLCs] [Multi21]” for example:
magnet:?xt=urn:btih:83691C96A2E8E156EAEBA9014749F26BCE5970BB
After you download said files, DO NOT run setup.exe; better rename it to setup.exe_ so you don’t run it by mistake.
Get the Inno Unpacker from here: https://innounp.sourceforge.net/ and unpack innounp050.rar to the same folder where setup.exe_ is located.
Create a new text file (say, in Notepad), paste this string into it:
innounp.exe -x -a -dUnpacked -m %1
and save as Unpacker.bat
Then drag and drop setup.exe_ on Unpacker.bat
A folder called “Unpacked” will be created with the contents extracted from setup.exe.
Inside that folder there is another folder called “embedded”, and you need the “CompiledCode.bin” file from it, which is the bytecode of all the installation functions this setup.exe runs.
“CompiledCode.bin” is not in human-readable format, so we need to convert it:
Download https://github.com/Wack0/IFPSTools.NET/releases
and unpack ifpstools-net_v2.0.4.zip to the folder where “CompiledCode.bin” resides.
Drag and drop “CompiledCode.bin” on “ifpsdasm.exe”; it will decode the file into “CompiledCode.txt”, which is assembler (machine) code.
While it’s much more human-friendly, it still contains obfuscated strings to evade easy detection.
Primitive double base64 encoding is used to achieve that, so we just need to reverse that encoding.
I’ve made a simple Python script for that (you need Python, or get the full ZIP with proof from a link below):
https://paste.fitgirl.nsus.dev/?ec5cbdfe6c3bebf1#8sXGcAfjSjttezY8YvE3NJB5SWrjxNmFA3vDXTRa7xAK
After you run it with something like “Python.exe _decode_base64_in_asm.py CompiledCode.txt CompiledCode.decoded.asm”, you will get the same ASM file, but with a comment on every line that contains an obfuscated string.
Commented lines will look like this:
assign Var6, UnicodeString_3(“VW1Wa2FYTjBMbUpwYmc9PQ==”) ;DECODED STRING: Redist.bin
where “VW1Wa2FYTjBMbUpwYmc9PQ==” is the hidden string with double base64 encoding, and the decoded string follows in the comment at the end.
Later in this article I will use line numbers based on that particular “CompiledCode.decoded.txt” file.
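As an added example (this is not the author’s script from the paste link above, and the function names, the regex and the sample lines are my own), here is a Python decoder that does the same job: it finds every UnicodeString_n("…") literal in the disassembly, strips the two base64 layers, and appends the ;DECODED STRING: comment. The three sample lines are constructed from tokens quoted in this post; a real listing is just many more lines of the same shape.

```python
import base64
import binascii
import re
import sys

# Matches the literal the IFPS disassembler emits, e.g.
#   assign Var6, UnicodeString_3("VW1Wa2FYTjBMbUpwYmc9PQ==")
# The wrapper index (UnicodeString_<n>) varies between functions, so it is not fixed,
# and curly quotes are accepted too because copied listings often carry them.
LITERAL_RE = re.compile(r'UnicodeString_\d+\(["“]([A-Za-z0-9+/=]+)["”]\)')


def decode_double_base64(token: str):
    """Undo two layers of base64 and return the plaintext, or None when the token is not
    a double-encoded string (either layer fails strict base64 validation or is not UTF-8)."""
    try:
        inner = base64.b64decode(token, validate=True)
        plain = base64.b64decode(inner, validate=True)
        return plain.decode("utf-8")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None


def annotate_line(line: str) -> str:
    """Append ';DECODED STRING: <plaintext>' to a disassembly line that carries an
    obfuscated literal; lines without one, or with a plain literal, come back unchanged."""
    m = LITERAL_RE.search(line)
    if m is None:
        return line
    plain = decode_double_base64(m.group(1))
    if plain is None:
        return line
    return f"{line.rstrip()} ;DECODED STRING: {plain}"


def annotate_text(text: str) -> str:
    """Annotate every line of a disassembly listing."""
    return "\n".join(annotate_line(line) for line in text.splitlines())


# Constructed sample: two obfuscated literals quoted in this post plus one plain literal.
SAMPLE = """assign Var6, UnicodeString_3("VW1Wa2FYTjBMbUpwYmc9PQ==")
assign Var42, UnicodeString_3("ZG1KdmVIUnlZWGt1WlhobA==")
assign Var45, UnicodeString_3("taskkill.exe")"""

if __name__ == "__main__":
    # Usage: python decode_strings.py CompiledCode.txt CompiledCode.decoded.txt
    if len(sys.argv) == 3:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as src:
            annotated = annotate_text(src.read())
        with open(sys.argv[2], "w", encoding="utf-8") as dst:
            dst.write(annotated + "\n")
    else:
        print(annotate_text(SAMPLE))
```

Strict validation (validate=True) on both layers is what keeps plain literals such as "taskkill.exe" from being mangled: anything that is not clean base64 twice over is left exactly as the disassembler wrote it.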
Part 1: Malware Dropper
1.1 Evading Detection
The setup.exe takes certain measures to avoid easy detection by a human or antiviruses.
It checks the age of the Windows installation, and if it is less than 90 days, it doesn’t drop the payload (line 16246). It does so because many on-demand virtual machines have a Windows folder with a fresh creation date, the day the machine was created:
.function(export) BOOLEAN ISWINDOWSFOLDEROLDERTHAN90DAYS()
Then it checks whether setup.exe is running in a virtual machine, or whether process/network monitoring tools, which are typically used for malware analysis, are running:
function loc_33a at line 29536 and below:
assign Var42, UnicodeString_3(“ZG1KdmVIUnlZWGt1WlhobA==”) ;DECODED STRING: vboxtray.exe
assign Var42, UnicodeString_3(“ZG0xMGIyOXNjMlF1WlhobA==”) ;DECODED STRING: vmtoolsd.exe
assign Var42, UnicodeString_3(“VTJGdVpHSnZlR2xsUkdOdmJVeGhkVzVqYUM1bGVHVT0=”) ;DECODED STRING: SandboxieDcomLaunch.exe
assign Var42, UnicodeString_3(“VUhKdlkyMXZiaTVsZUdVPQ==”) ;DECODED STRING: Procmon.exe
etc.
If any of those are found, no payload is dropped either.
Then, for some reason, it kills the most popular torrent clients it finds, lines 30297 and below:
assign Var44, UnicodeString_3(“/f /im \”qbittorrent*\””)
pushtype UnicodeString_2
assign Var45, UnicodeString_3(“taskkill.exe”)
If the script decides that the environment is safe for dropping the malware, it proceeds.
1.2 Dropping the Malware
The script adds a Windows Defender exclusion for the path where the malware will be dropped, line 30894:
assign Var39, UnicodeString_3(“/c \”powershell Add-MpPreference -ExclusionPath \””)
Target folder for the actual malware is C:\Users\Your Username\AppData\Roaming\Microsoft\, line 30929:
assign Var45, UnicodeString_3(“ZTNWelpYSmhjSEJrWVhSaGZWeE5hV055YjNOdlpuUmM=”) ;DECODED STRING: {userappdata}\Microsoft\
Yes, it hides itself in the “Microsoft” folder.
Once the folder is created and the exclusion is added, the script selects the file to drop.
It uses two functions for that, in line 16147:
.function(export) void INITIALIZEPAYLOADSIZE()
and in line 16190
.function(export) void INITIALIZERANDOMOFFSETS()
The payload is selected randomly out of 40 variants.
The payload files are located in the Redist.bin file, and setup.exe makes several checks that this file is present and unmodified. This bin has a fake FreeArc header and can’t be extracted by any FreeArc version.
The checks are done on lines 25857 and 26001. The first one checks the presence of the file, and the second one verifies the MD5 hash of that file (which is 03cf23c41bc7468021826f7b897f8a7f).
assign Var6, UnicodeString_3(“VW1Wa2FYTjBMbUpwYmc9PQ==”) ;DECODED STRING: Redist.bin
assign Var4, UnicodeString_3(“TUROalpqSXpZelF4WW1NM05EWTRNREl4T0RJMlpqZGlPRGszWmpoaE4yWT0=”) ;DECODED STRING: 03cf23c41bc7468021826f7b897f8a7f
If one of the checks fails, the setup closes.
If all checks pass, the setup chooses a random name for the dropped malware, line 17061 and below:
The list is predefined and has 3652 possible variants, like these:
assign Global44[196], UnicodeString_3(“UVhSMGNtbGlkWFJs”) ;DECODED STRING: Attribute
assign Global44[197], UnicodeString_3(“UVhWa1lXTnBkSGs9”) ;DECODED STRING: Audacity
assign Global44[198], UnicodeString_3(“UVhWa2FXZG5iR1U9”) ;DECODED STRING: Audiggle
assign Global44[199], UnicodeString_3(“UVhWa2FXOD0=”) ;DECODED STRING: Audio
assign Global44[200], UnicodeString_3(“UVhWa2FXOVNaV3hoZVE9PQ==”) ;DECODED STRING: AudioRelay
assign Global44[201], UnicodeString_3(“UVhWa2FXOW5jbUZpWW1WeQ==”) ;DECODED STRING: Audiograbber
assign Global44[202], UnicodeString_3(“UVhWa2FXOTBiMjVwWXc9PQ==”) ;DECODED STRING: Audiotonic
assign Global44[203], UnicodeString_3(“UVhWeVlRPT0=”) ;DECODED STRING: Aura
assign Global44[204], UnicodeString_3(“UVhWeWIzSmg=”) ;DECODED STRING: Aurora
assign Global44[205], UnicodeString_3(“UVhWemJHOW5hV056”) ;DECODED STRING: Auslogics
assign Global44[206], UnicodeString_3(“UVhWMGIwTkJSQT09”) ;DECODED STRING: AutoCAD
For example, Aurora.exe was already mentioned in this incident report:
https://reddit.com/r/PiratedGames/comments/1q9tji5/beware_of_user_heroskeep_on_1337x_his_uploads/
Yes, it was this exact malware, but in a different repack from the same Heroskeep uploader.
When all those steps are done, the actual file is dropped into the C:\Users\Your Username\AppData\Roaming\Microsoft\ folder along with some side files like readme.txt.
To ensure persistence of the malware in the system, the setup then adds a scheduled task, line 16695:
.function(export) void INITIALIZERANDOMSCHTASK()
where the task path is also selected randomly and made to look like a native Windows function is being called:
assign Var2, UnicodeString_3(“VFdsamNtOXpiMlowWEZkcGJtUnZkM05jVlhCa1lYUmxUM0pqYUdWemRISmhkRzl5WEE9PQ==”) ;DECODED STRING: Microsoft\Windows\UpdateOrchestrator\
The task runs every 30 minutes and relaunches the dropped malware if it was killed. The command string is assembled from several parts, like this one at line 31587:
assign Var41, UnicodeString_3(“SWlBdmMyTWdiV2x1ZFhSbElDOXRieUF6TUE9PQ==”) ;DECODED STRING: ” /sc minute /mo 30
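For anyone checking a machine for the persistence pattern described in this part (a binary dropped into {userappdata}\Microsoft\, a Defender exclusion covering that folder, and a scheduled task filed under a Windows-looking path that launches it), here is an added Python triage script. It is my own example, not a tool from this post or its ZIP; the CSV column names TaskName and “Task To Run” are an assumption about the shape of a `schtasks /query /v /fo CSV` export, and both sample inputs are constructed, not real output from any machine.

```python
import csv
import io

# Assumed column names of a "schtasks /query /v /fo CSV" export; only these two are used,
# so any export carrying them works.
TASK_NAME_COL = "TaskName"
TASK_ACTION_COL = "Task To Run"

# Normalised form of the drop folder named in this post: {userappdata}\Microsoft\
ROAMING_MICROSOFT = "\\appdata\\roaming\\microsoft\\"


def normalise(path: str) -> str:
    """Lower-case a path and expand the variables/constants seen in task actions, Defender
    exclusion lists and Inno Setup scripts, so one substring test covers every spelling."""
    p = path.strip().strip('"').lower()
    for var in ("%appdata%", "{userappdata}"):
        p = p.replace(var, r"c:\users\_\appdata\roaming")
    for var in ("%systemroot%", "%windir%"):
        p = p.replace(var, r"c:\windows")
    return p


def executable_of(action: str) -> str:
    """Program part of a 'Task To Run' value, i.e. everything up to the .exe (arguments dropped)."""
    p = normalise(action)
    idx = p.find(".exe")
    return p[: idx + 4] if idx >= 0 else p.split(" ")[0]


def in_roaming_microsoft(path: str) -> bool:
    """True if the path is, or lies under, <user>\\AppData\\Roaming\\Microsoft\\."""
    p = normalise(path).rstrip("\\") + "\\"
    return ROAMING_MICROSOFT in p


def is_system_binary(path: str) -> bool:
    """True if the program lives under the Windows directory."""
    return normalise(path).startswith("c:\\windows\\")


def triage_tasks(csv_text: str):
    """Return [(task_name, action, [reasons])] for tasks matching the pattern in this post:
    a binary in AppData\\Roaming\\Microsoft, or a task under \\Microsoft\\Windows\\ whose
    binary is not in the Windows directory."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        name, action = row.get(TASK_NAME_COL, ""), row.get(TASK_ACTION_COL, "")
        exe = executable_of(action)
        reasons = []
        if in_roaming_microsoft(exe):
            reasons.append("binary dropped in AppData\\Roaming\\Microsoft")
        if name.lower().startswith("\\microsoft\\windows\\") and not is_system_binary(exe):
            reasons.append("Windows-looking task path runs a non-system binary")
        if reasons:
            findings.append((name, action, reasons))
    return findings


def triage_exclusions(exclusion_lines: str):
    """Flag Defender exclusion paths (one per line, e.g. the ExclusionPath list printed by
    Get-MpPreference) that whitelist the AppData\\Roaming\\Microsoft drop folder."""
    return [line.strip() for line in exclusion_lines.splitlines()
            if line.strip() and in_roaming_microsoft(line)]


# Constructed samples in the shapes described above (not real output from any machine).
SAMPLE_TASKS = '''"HostName","TaskName","Task To Run"
"PC01","\\Microsoft\\Windows\\UpdateOrchestrator\\Schedule Scan","%systemroot%\\system32\\usoclient.exe StartScan"
"PC01","\\Microsoft\\Windows\\UpdateOrchestrator\\Reboot_AC","C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Aurora.exe"
"PC01","\\Backup\\Nightly","C:\\Program Files\\Backup\\backup.exe /full"
'''
SAMPLE_EXCLUSIONS = '''C:\\Games\\SomeGame
C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\
'''

if __name__ == "__main__":
    for name, action, reasons in triage_tasks(SAMPLE_TASKS):
        print(f"{name}\n    runs: {action}\n    why:  {'; '.join(reasons)}")
    for path in triage_exclusions(SAMPLE_EXCLUSIONS):
        print(f"Defender exclusion covering the drop folder: {path}")
```

The task-path rule deliberately does not trust the name: a task under \Microsoft\Windows\UpdateOrchestrator\ is only unremarkable when the program it runs sits under the Windows directory, which is exactly the distinction the random task names in this post are built to blur.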
Part 2: Malware Itself
All of those randomly chosen EXEs are slightly modified copies of each other. All of them are packed with Themida (consider it a lightweight copy of Denuvo, whose main purpose is to hide what is done inside the exe).
Each of those EXEs is ~7 MB in size, and with the proper tools they unpack to ~21 MB each. And of course they are miners; specifically, Monero/XMR miners.
I’ve made a Python script for extracting those exes from the Redist.bin file; you can find it in the ZIP at the bottom of this post.
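As an added illustration of what “extracting those exes based on PE headers” involves (this is my own example, not the script from the author’s ZIP, and it makes no assumption about the layout of the real Redist.bin beyond the PE format itself), here is a carver: it walks the container looking for MZ bytes, follows e_lfanew to a PE signature, and takes the image size from the section table. The make_fake_pe helper and SAMPLE_BLOB are constructed, non-executable stand-ins so the script runs offline.

```python
import struct
import sys

MZ = b"MZ"
PE_SIG = b"PE\0\0"


def pe_image_size(blob: bytes, mz_off: int):
    """Size of the PE image starting at blob[mz_off], derived from its own headers: the end
    of the section table or, if larger, the furthest PointerToRawData + SizeOfRawData.
    Returns None when no valid PE signature sits behind the MZ bytes."""
    if blob[mz_off:mz_off + 2] != MZ or mz_off + 0x40 > len(blob):
        return None
    e_lfanew = struct.unpack_from("<I", blob, mz_off + 0x3C)[0]
    pe = mz_off + e_lfanew
    if e_lfanew < 0x40 or e_lfanew > 0x1000 or pe + 24 > len(blob) or blob[pe:pe + 4] != PE_SIG:
        return None
    nsections = struct.unpack_from("<H", blob, pe + 6)[0]     # COFF NumberOfSections
    opt_size = struct.unpack_from("<H", blob, pe + 20)[0]     # COFF SizeOfOptionalHeader
    sect = pe + 24 + opt_size                                 # first IMAGE_SECTION_HEADER
    if sect + nsections * 40 > len(blob):
        return None
    size = sect + nsections * 40 - mz_off
    for i in range(nsections):
        raw_size, raw_ptr = struct.unpack_from("<II", blob, sect + i * 40 + 16)
        if raw_size:
            size = max(size, raw_ptr + raw_size)
    return min(size, len(blob) - mz_off)   # clamp a truncated last image to what is present


def carve_pe(blob: bytes):
    """Return [(offset, image_bytes)] for every PE found. MZ bytes inside an image already
    carved are skipped, and stray MZ bytes without a PE signature behind them are ignored."""
    found, pos = [], 0
    while (pos := blob.find(MZ, pos)) >= 0:
        size = pe_image_size(blob, pos)
        if size is None:
            pos += 1
            continue
        found.append((pos, blob[pos:pos + size]))
        pos += size
    return found


def make_fake_pe(payload: bytes) -> bytes:
    """Constructed, non-executable PE-shaped blob for the demo: 64-byte MZ stub, PE signature,
    a COFF header announcing one section and no optional header, one section header, payload."""
    hdr_len = 0x40 + 4 + 20 + 40                      # = 0x80, where the single section starts
    stub = bytearray(0x40)
    stub[:2] = MZ
    struct.pack_into("<I", stub, 0x3C, 0x40)          # e_lfanew -> right after the stub
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 0, 0)
    section = (b".data".ljust(8, b"\0")
               + struct.pack("<IIII", len(payload), 0x1000, len(payload), hdr_len)
               + bytes(16))
    return bytes(stub) + PE_SIG + coff + section + payload


# Constructed container: a junk header, a decoy "MZ" that is not a PE, then two fake images.
SAMPLE_BLOB = (b"FAKE-ARCHIVE-HEADER\0" + b"MZ" + b"not a pe"
               + make_fake_pe(b"A" * 32) + b"\xCC" * 7 + make_fake_pe(b"B" * 48) + b"trailer")

if __name__ == "__main__":
    # Usage: python carve_pe.py Redist.bin   (without an argument it runs on SAMPLE_BLOB)
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_BLOB
    for i, (off, img) in enumerate(carve_pe(data)):
        name = f"carved_{i:02d}_{off:08x}.bin"      # .bin on purpose: carved samples never get .exe
        if len(sys.argv) > 1:
            with open(name, "wb") as out:
                out.write(img)
        print(f"{name}: offset {off:#x}, {len(img)} bytes")
```

One caveat for real containers: data appended past the last section (an overlay, such as an Authenticode signature) is not described by the section table, so a packed sample with an overlay would be carved short; in that case the distance to the next valid MZ header is the fallback to use.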
I’ve uploaded two of those samples to hybrid-analysis.com
The reports for both files are basically the same.
Lines of interest:
Found a reference to the Stratum Mining Protocol
“stratum+tcp://” (Indicator: “stratum+tcp://”)
Possibly checks for the presence of an adware detecting tool
“mbam.exe” (Indicator: “mbam.exe”)
mbam.exe is the executable name of Malwarebytes, a renowned anti-malware software.
Able to identify sandbox environment running process
Found string “VBoxService.exe” (Indicator: “vboxservice.exe”; Source: “00000000-00007316.00000000.282950.40581000.00000002.mdmp”)
Found string “VBoxTray.exe” (Indicator: “vboxtray.exe”; Source: “00000000-00007316.00000000.282950.40581000.00000002.mdmp”)
Able to identify virtual environment by using API string
Found string “NtQuerySystemInformation” (Indicator: “NtQuerySystemInformation”; Source: “00000000-00007316.00000000.282950.40581000.00000002.mdmp”)
Found E-Mail address in binary/memory
Pattern match: “[email protected]”
Pattern match: “[email protected]”
Found registry location strings in memory
“SOFTWARE\Wireshark” in Source: 00000000-00007316.00000000.282950.40581000.00000002.mdmp
“SOFTWARE\GlassWire” in Source: 00000000-00007316.00000000.282950.40581000.00000002.mdmp
“SOFTWARE\Paessler” in Source: 00000000-00007316.00000000.282950.40581000.00000002.mdmp
“SOFTWARE\SolarWinds” in Source: 00000000-00007316.00000000.282950.40581000.00000002.mdmp
“SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps” in Source: 00000000-00007316.00000000.282950.40581000.00000002.mdmp
“HARDWARE\DESCRIPTION\System\CentralProcessor\%d” in Source: 00000000-00007316.00000000.282950.40581000.00000002.mdmp
“\REGISTRY\MACHINE\SOFTWARE\Classes” in Source: 00000000-00007316.00000000.282950.40A3B000.00000020.mdmp
“\Registry\Machine\Software\Classes\” in Source: 00000000-00007316.00000000.282950.40A3B000.00000020.mdmp
Shows ability to use execution guardrails
The analysis shows indicators which can be used as execution guardrails to ensure that payload only executes against intended targets/system. Matched sigs: Able to identify sandbox environment running process
Matched sigs: Contains ability to delay execution by waiting for signal/timeout (API string)
Matched sigs: Contains ability to retrieve the time elapsed since the system was started (API string)
Matched sigs: Able to identify virtual environment by using API string
Matched sigs: The input sample contains the RDTSCP instruction
Tries to access non-existent files (non-executable)
“pe_0000.bad.dll.exe” trying to access non-existent file “C:\INFO.TXT”
“pe_0000.bad.dll.exe” trying to access non-existent file “C:\Users\%USERNAME%\..JSON”
“pe_0000.bad.dll.exe” trying to access non-existent file “%APPDATA%\Microsoft\README.TXT” (which is dropped by original setup.exe)
Found potential IP address in binary/memory
Potential IP “1.3.101.110” found in string “X25519:1.3.101.110”
Potential IP “1.3.101.111” found in string “X448:1.3.101.111”
Potential IP “1.3.101.112” found in string “ED25519:1.3.101.112”
Potential IP “1.3.101.113” found in string “ED448:1.3.101.113”
Those IPs are located at some Chinese hosting provider. Probably used for C&C.
Found potential URL in binary/memory
Pattern match: “proxifyme50.com/launcher_077.exe”
Pattern match: “proxy00002.com/launcher_077.exe”
Heuristic match: “nicehash.com”
Heuristic match: “donate.ssl.xmrig.com”
Heuristic match: “donate.v2.xmrig.com”
Heuristic match: “vpnetworkc.com”
Heuristic match: “proxy00004.com”
Found potential URLs in memory dumps
Found URL “ftp://fhqfg8uu:[email protected]/launcher_077.exe
Contains ability to perform remote desktop activity (API string)
Found reference to API “WTSSendMessageW” (Indicator: “WTSSendMessage”; File: “pe_0000.bad.dll”)
You can find more info on those files in a write-up by the vx-underground admin:
https://malwaresourcecode.com/home/my-projects/write-ups/r-piratedgames-drama.-is-it-malware-yes.-is-it-cool-malware-no
The link to this investigation was sent to 1337x.to moderation team, I hope they will ban that Heroskeep forever and remove all of his uploads.
Five years ago he was already distributing malware with a different method.
https://www.reddit.com/r/PiratedGames/comments/jp71l4/beware_of_miner_unpackerexe_decompressexe/
As for TPB, the site doesn’t have a proper “report” function; they have a side forum for that. If you have the time and will, you can report that user there so that action is taken against him.
But be advised that people like Heroskeep always return under a new name and with more sophisticated malware. So be very cautious before downloading something from an unknown source, even if you trust the site itself.
Heroskeep_Malware_Files.zip
Contains all needed files for your own analysis.
Malware Analysis Help Needed
Heya. I have an unusual request for those of you who know something-something about malware analysis.
There is a repacker who, in my opinion, is distributing malware/miners in his repacks.
I’ve done an initial analysis and I’m very sure of it, but since I won’t ever run this shit on my PCs, and that malware is pretty sneaky and doesn’t run on most VMs/sandboxes, someone with experience is needed to find solid proof of malware distribution. Execution on a real OS or a modified VM will probably be needed to bypass the malware’s hiding techniques.
I’ve compiled a special ZIP, which contains the following data:
- One of the FreeArc archives, coming with repacks, which contains malware payloads (40 different exes, packed with VMP/Themida).
- Python script, which extracts those exes based on PE headers. Python 3.10+ needed
- Decompiled “CompiledCode.bin”, which contains the bytecode of the Inno Setup installer, which also participates in putting the payload into the system.
I don’t want to share more details right now, though I have dug up enough data myself. But I need a third party to confirm or deny my findings.
You can post your analysis in comments or send them to me directly: https://fitgirl.nsus.dev/contacts/
Don’t download and don’t run any of it if you’re not sure what you are doing.
If you can’t do it yourself but know someone with expertise in this field – please forward this to them.
Happy New Year!

Hoorah, I guess 🙂
The traditional GTA5 NY repack is now split, as the Legacy and Enhanced Editions are updated by Rockstar separately… Well, now I need to update two builds every year, no biggie. The Legacy Edition was re-repacked from scratch and now installs 2-3 times faster than the old one, for which I had been keeping backwards compatibility since 2019.
FitGirl Repacks – 11 Years in Service
Thanks to KE, I’ve been reminded that today is the 11th Anniversary of my repacking path. Another year bites the dust, ha. Cakes are welcome 🙂
HDD or SSD? Version 2025
September 3rd
All Genres/Tags Are Now Links
Finally, it’s happened! With a little help from ChatGPT, I’ve managed to make all genres and tags in repacks clickable — so now you can filter games based on them. Want some Shoot ’em up action? Click the Shoot ’em up tag. Love survival games? The Survival genre is for you. And so on…
This feature isn’t fully complete yet — I still need to remove or merge duplicate genres and add more tools for refining tag-based searches. But for now, it should do the trick.
I don’t plan to add the same linking logic for companies due to the sheer number (thousands) of unique names, which would cause issues in WordPress. You can still find games by specific companies by simply typing their names into the search field.
Grand Theft Auto VI Trailer 2