Class: Trojan-FakeAV
A class of malicious programs that simulate the activity of antivirus software or parts of the operating system security modules. These programs are designed to extort money from users in return for the purported detection and removal of threats, which are in fact non-existent. General speaking, this malware shows many repeating pop-ups in an effort to make the user worry about the security of their system and pay for fake AV software. Additionally, Trojan-FakeAV programs prevent the computer from working properly, but do not fully inhibit the operating system in order to make the user believe that the threat is credible.Read more
Platform: Win32
Win32 is an API on Windows NT-based operating systems (Windows XP, Windows 7, etc.) that supports execution of 32-bit applications. One of the most widespread programming platforms in the world.Family: Trojan-FakeAV.Win32.AntiVirusPro.ju
No family descriptionExamples
2DFE5AF21021EF72BB255622927C5C4EA34828C9A89777627877A8ACCD451453
951A67C6BA6B3DD391AC73C444AB66D3
B4E5DBC83384E3B89A98D07B35FED819
3B78930FB799BD1CE3595325F3B5003F
Tactics and Techniques: Mitre*
Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the “run keys” in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account’s associated permissions level.
Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the “run keys” in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account’s associated permissions level.
Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the “run keys” in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account’s associated permissions level.
Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the “run keys” in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account’s associated permissions level.
Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.
Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.
* © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.