Malware

R77 rootkit

r77 rootkit is a Windows rootkit observed as a final-stage payload in multiple criminal intrusion chains. The provided content links it to ClickFix-style social-engineering campaigns in which victims are tricked by fake CAPTCHA or verification pages into executing obfuscated commands, often via the Microsoft-signed SyncAppvPublishingServer.vbs App-V script and in-memory PowerShell stages. In these campaigns, the final shellcode loader can deploy malware including Amatera Stealer, Lumma Stealer, Xworm, AsyncRAT, and the r77 rootkit. One cited campaign delivered the r77 rootkit via Discord-themed ClickFix lures under the name OBSCURE#BAT. The content also notes r77 rootkit bundled with the XMRig cryptominer, including a sample protected by the PackXOR private packer together with SilentCryptoMiner (SHA-256: b86612a6d62a1789031248bdb732b8bff51acaeaa687c3559f0980560a8abf2f). Another mention references an 'r77 Rootkit Bot' in a JDownloader supply-chain attack that killed antivirus products, but no further high-confidence technical details are provided in the supplied material. Based on the content, r77 rootkit is associated with financially motivated malware delivery activity, Windows-focused execution chains, and use alongside stealers, RATs, and cryptomining payloads.

For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

Start free trial

MITRE ATT&CK

Techniques & procedures

6 distinct techniques documented for this family, organized by ATT&CK tactic.

Initial Access

1 technique

T1195.002Compromise Software Supply ChainEvidence1

On May 6, 2026, attackers compromised the official JDownloader website and swapped download links to serve trojanized installers.

Persistence

2 techniques

T1112Modify RegistryEvidence1

The dropper writes the bot's initial configuration to HKCU\SOFTWARE\Python... Registry persistence — stores the stager assembly as a binary blob in HKLM\SOFTWARE\$77stager and reloads it at every boot via .NET reflection.

T1543.003Windows ServiceEvidence1

Service creation — installs a Windows service ( $77svc ) to ensure the rootkit survives reboots independently of the registry mechanism.

Privilege Escalation

2 techniques

T1055.001Dynamic-link Library InjectionEvidence1

Reflective DLL injection — injects the r77 hooking DLLs (32-bit and 64-bit variants) into winlogon.exe.

T1543.003Windows ServiceEvidence1

Service creation — installs a Windows service ( $77svc ) to ensure the rootkit survives reboots independently of the registry mechanism.

Stealth

3 techniques

T1014RootkitEvidence2

The rootkit stager is a 176 KB native x86 PE based on the open-source r77 rootkit... These DLLs hook Windows API functions to hide any process, file, or registry key whose name starts with the $77 prefix.

T1027Obfuscated Files or InformationEvidence2

Inside, it wraps the legitimate JDownloader installer alongside an XOR-encrypted second-stage PE... Stage 2's strings are all XOR-obfuscated with the same fywo key used for its resources.

T1055.001Dynamic-link Library InjectionEvidence1

Reflective DLL injection — injects the r77 hooking DLLs (32-bit and 64-bit variants) into winlogon.exe.

Defense Impairment

1 technique

T1112Modify RegistryEvidence1

INDICATORS OF COMPROMISE

IOCs tracked for this family

12 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.

View more in app

Network

9 tracked

IPs, domains, and DNS infrastructure linked to this family.

Hashes

3 tracked

File hashes (MD5, SHA-1, SHA-256) from samples and reports.

TypeValueLatest sighting

domain●●●●●●●●●●●●View more in app8 days ago

domain●●●●●●●●●●●●View more in app1 month ago

hash.sha256●●●●●●●●●●●●View more in app1 month ago

ip.v4●●●●●●●●●●●●View more in app1 month ago

ACTIVITY FEED

Recent activity

3 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

3 SOURCESView more in app

rescana blogNews

Jan 28, 2026

ClickFix Malware Attacks Targeting Microsoft Windows: Fake CAPTCHAs, Signed Scripts, and Trusted Web Service Exploitation

Rootkit payload delivered in ClickFix campaigns (including Discord-themed lures) to provide stealth/persistence on compromised hosts.

harfanglab insidethelabNews

Mar 4, 2025

Unpacking the unpleasant FIN7 gift: PackXOR - HarfangLab

Rootkit component observed bundled with XMRig in samples protected by PackXOR (and additionally obfuscated with SilentCryptoMiner in described cases).

gendigitalNews

Oct 10, 2024

Gen Blogs | Part-Time Job Scams: A Growing Threat

Referenced as a rootkit bot involved in a JDownloader supply-chain attack and described as disabling antivirus software.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.

Start free trial

IOC matching12

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping6

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.