Floxif

Also known as: Trojan.Floxif, Win32/Floxif, Trojan.Floxif.AppFIsh

Category: Malware

Type: Trojan, spyware, backdoor, stealer, keylogger

Platform: Windows

Variants: Win32/Floxif.H virus, Win32.Floxif.A, Win32.Floxif.B, Win32.Floxif.C, Virus.Win32.FLOXIF.D, Win32/Floxif.E, Win32/Floxif.E!bit, Win32/Floxif.gen!A, Win32/Floxif!rfn, Win32/Floxif!MTB, Win32/Floxif!MSR, Win32/Floxif.AV!MTB, Floxif.AW!MTB, Win32/Floxif.psyA!MTB, Win32/Floxif.RPX!MTB, Win32/Floxif.RDA!MTB

Damage potential: Stolen credentials, keylogging, device takeover, stolen crypto wallet funds, camera hijacking, data theft, opening backdoors for other malware (like ransomware), disabling antivirus and firewall software, showing fraudulent ads

Overview

Floxif is a family of file-infecting trojans that modify Windows executable and DLL files. Once the Floxif infection takes root, the infected files can spy on the device and serve as a backdoor for other malware. Floxif was famously distributed with legitimate versions of the CCleaner utility in 2017, when hackers injected the malware into CCleaner's build environment.

Possible symptoms

While Floxif itself does not generate system warnings or overtly interfere with user activity, the malware it delivers may reveal a Floxif infection. In addition, as part of its payload, Floxif may create files such as “symsrv.dll” and “ffff.dll” in the “C:\Program Files\Common Files\system” folder. According to Microsoft, the trojan may also add the “HKEY_LOCAL_MACHINE\SOFTWARE\Piriform\Agomo” key to your registry.

Other possible indicators of a Floxif infection include:

  • Your device frequently freezes or stutters.
  • Other malware appears on your device without a known cause.
  • Your device’s fan seems to be constantly on, even when the device is idle.
  • Your device periodically sends data to unknown remote servers (Floxif is uploading device information to its handlers).
  • Your antivirus protection or Windows Firewall have been disabled without your knowledge.
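The file and registry indicators above can be checked on a Windows host with a short script. The following is an added example, not code from this page or from any antivirus vendor: it looks for the two DLLs in the Common Files\system folder and the Piriform\Agomo registry key named above, and additionally checks the standard Uninstall registry keys for the compromised CCleaner releases named in the Sources section. The Uninstall-key lookup and the CCleaner* display-name match are assumptions about how CCleaner registers itself; the indicator paths and key come from the page.

```powershell
# Added example: host check for the Floxif indicators listed on this page.
# Run in an elevated PowerShell session so Program Files and HKLM are readable.

$CommonSystem = Join-Path ${env:ProgramFiles} 'Common Files\system'
$FileIndicators = @(
    (Join-Path $CommonSystem 'symsrv.dll'),   # from the page
    (Join-Path $CommonSystem 'ffff.dll')      # from the page
)
$RegistryIndicator = 'HKLM:\SOFTWARE\Piriform\Agomo'   # from the page (Microsoft)
$CompromisedVersions = @('5.33', '1.07.3191')          # CCleaner / CCleaner Cloud

$Findings = @()

# 1. Dropped DLLs: record size and SHA-256 so the finding can be compared later.
foreach ($Path in $FileIndicators) {
    if (Test-Path -LiteralPath $Path) {
        $Item = Get-Item -LiteralPath $Path
        $Hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
        $Findings += [pscustomobject]@{
            Indicator = 'File'
            Detail    = "$Path (size $($Item.Length) bytes, SHA256 $Hash)"
        }
    }
}

# 2. Registry key added by the trojan.
if (Test-Path -LiteralPath $RegistryIndicator) {
    $Findings += [pscustomobject]@{
        Indicator = 'Registry'
        Detail    = $RegistryIndicator
    }
}

# 3. Known-compromised CCleaner releases. Assumption: CCleaner registers itself
#    under the standard Uninstall keys with a DisplayName starting "CCleaner".
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$Installed = Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like 'CCleaner*' }

foreach ($Entry in $Installed) {
    $Version = [string]$Entry.DisplayVersion
    foreach ($Bad in $CompromisedVersions) {
        # Match "5.33" and "5.33.xxxx" but not, for example, "5.330".
        if ($Version -eq $Bad -or $Version.StartsWith("$Bad.")) {
            $Findings += [pscustomobject]@{
                Indicator = 'Software'
                Detail    = "$($Entry.DisplayName) $Version (known-compromised release)"
            }
        }
    }
}

if ($Findings.Count -eq 0) {
    Write-Output 'No Floxif indicators from this page were found on the host.'
} else {
    Write-Output "Floxif indicators found: $($Findings.Count)"
    $Findings | Format-Table -AutoSize
}
```

A hit on any of the three checks is a reason to run a full antivirus scan rather than to start deleting files by hand, since the Removal section notes that Floxif re-establishes itself after a reboot; the recorded hash and size let you compare the file against vendor write-ups before acting.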

Sources of the infection

For a time, Floxif was distributed with version 5.33 of the CCleaner tool and version 1.07.3191 of CCleaner Cloud — installing these versions may still infect your device. Today, Floxif is mostly spread through infected software on untrustworthy download sites or infected email attachments (such as fake invoices or receipts).

Your device may also get infected with Floxif from:

  • Infected files shared through messaging platforms.
  • Infected files downloaded from cloud storage or online repositories.
  • Other viruses that drop Floxif as part of their operations.
  • Drive-by downloading (malicious scripts on compromised websites that force your device to automatically download malware when the page loads).
  • Peer-to-peer (P2P) sharing of infected files.
  • Infected external devices, such as hard drives or USB sticks.

Protection

Do not install version 5.33 of the CCleaner tool or version 1.07.3191 of CCleaner Cloud, as they are known to be compromised by Floxif. Beyond that, protection against Floxif involves developing good cybersecurity habits. Learn to recognize phishing attempts, avoid clicking on suspicious attachments, and do not download freeware from suspicious websites.

Other protective measures include:

  • Use email scanning tools to identify and automatically block messages with suspicious attachments.
  • Use reliable antivirus software to detect, quarantine, and eliminate a Floxif infection.
  • Use multi-factor authentication to protect your accounts in the event that someone steals your password using Floxif.
  • Avoid potentially dangerous websites, like dark web pages or torrent repositories. In certain situations, these websites may attempt to download malware (including Floxif) to your device by exploiting vulnerabilities.
  • Use the malware blocker from NordVPN's Threat Protection Pro™, which scans programs and files for malware while they’re being downloaded and stops malicious ones from entering your device. Threat Protection Pro™ also includes a scam and fraud alert that checks the URL of any webpage you visit and instantly alerts you if the URL is identified as a fraudulent site.

Removal

Most reputable antivirus solutions can help you detect and remove a Floxif infection from your device. You should not try to remove Floxif manually because it deploys persistence mechanisms to reinstall itself after you reboot your device.