APT / THREAT GROUP
Expiro
3
aliases
Last seen:Mar 17, 2026
Intelligence Profile
Expiro malware has been around for more than a decade, and the malware authors sill continue their work and update it with more features. Also the infection routine was changed in samples fround in 2017 (described by McAfee).
Expiro "infiltrates" executables on 32- and 64bit Windows OS versions.
It has capabilities to install browser extensions, change security behaviour/settings on the infected system, and steal information (e.g. account credentials).
There is a newly described EPO file infector source code called m0yv in 2022, which is wrongly identified as expiro by some AVs.
Threat Analysis
Expiro is a known-sophistication threat actor of undetermined national origin, engaged in cyber operations with a primary motivation of unknown activity patterns.
External References
Quick Facts
TypeAPT / Threat Group
Aliases3
Also Known As
XpiroExpirowin.expiro
External Intelligence
Malpedia: win.expiroResearch Links
Data sourced from Malpedia, Ransomware.live, RansomLook, and CTIWATCH OSINT collection. Actor attribution is based on available intelligence and may be incomplete.