APT / THREAT GROUP

Expiro

3
aliases
Last seen:Mar 17, 2026

Intelligence Profile

Expiro malware has been around for more than a decade, and the malware authors sill continue their work and update it with more features. Also the infection routine was changed in samples fround in 2017 (described by McAfee).

Expiro "infiltrates" executables on 32- and 64bit Windows OS versions.

It has capabilities to install browser extensions, change security behaviour/settings on the infected system, and steal information (e.g. account credentials).

There is a newly described EPO file infector source code called m0yv in 2022, which is wrongly identified as expiro by some AVs.

Threat Analysis

Expiro is a known-sophistication threat actor of undetermined national origin, engaged in cyber operations with a primary motivation of unknown activity patterns.

External References

Quick Facts

TypeAPT / Threat Group
Aliases3

Also Known As

XpiroExpirowin.expiro

External Intelligence

Malpedia: win.expiro

Research Links

Data sourced from Malpedia, Ransomware.live, RansomLook, and CTIWATCH OSINT collection. Actor attribution is based on available intelligence and may be incomplete.