MALWARE FAMILY

Expiro

Internal ID: win.expiro
1
aliases
Last seen:Mar 17, 2026

Intelligence Profile

Expiro malware has been around for more than a decade, and the malware authors sill continue their work and update it with more features. Also the infection routine was changed in samples fround in 2017 (described by McAfee).

Expiro "infiltrates" executables on 32- and 64bit Windows OS versions.

It has capabilities to install browser extensions, change security behaviour/settings on the infected system, and steal information (e.g. account credentials).

There is a newly described EPO file infector source code called m0yv in 2022, which is wrongly identified as expiro by some AVs.

Threat Analysis

Expiro is a malware family tracked by threat intelligence researchers and catalogued in the Malpedia dataset. It represents a distinct malicious software lineage with identifiable code characteristics, behaviors, and victimology.

External References

Quick Facts

TypeMalware Family
Aliases1

Also Known As

win.expiro

Research Links

Data sourced from Malpedia, Ransomware.live, RansomLook, and CTIWATCH OSINT collection. Actor attribution is based on available intelligence and may be incomplete.
Expiro — Malware Family | Threat Intelligence | CTIWATCH.COM