[Malware Reporting] Cryptominer disguised as libEGL.dll spreading via RPGMaker/TyranoScript games (Low Detection)

2025-12-30T08:37:37Z

Hello,

I am writing to report a malicious sample currently circulating in pirated game distribution channels. It masquerades as the legitimate libEGL.dll file but contains a cryptocurrency miner.

Currently, it has a very low detection rate on VirusTotal (detected only by Huorong and Rising), and it bypasses most major AV engines.

Technical Details:

Malicious File: libEGL.dll
File Size: Approximately 525 KB (Note: Legitimate versions are typically around 377 KB).
SHA256: 8bacb2082eb37fd7aed5bb6a7fc766d9937d9f3ed926ae82420d37af754a216c

Behavioral Analysis:

File Dropping:
- Creates a directory at: C:\Users\%USERNAME%\AppData\Local\syscacheapp.
- Drops a large executable named cacheapp64.exe (approx. 750 MB).
- Characteristics of dropped file: Compiled with GCC/MinGW, extremely high entropy (packed/obfuscated), accompanied by numerous fake DLLs.
Persistence:
- Achieves auto-start by modifying the Registry:
- Key: HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell

Distribution & Context:

Vector: Confirmed presence in unauthorized/pirated releases of games (specifically those using RPGMaker or TyranoScript engines).
Sources: Widely distributed via major sharing communities such as anime-sharing, hentai-share, and ggbases.
Origin: The widespread nature suggests a potential "supply chain" poisoning within the upper-level crack/distribution groups.

Sample Download:

Link: [ https://files.catbox.moe/jmn65o.7z ]
Password: 123
Archive Structure: 1.7z contains libEGL.7z (The malware sample) and Attachment.7z (Screenshots and structural analysis).