Qtox readme.mds
This topic contains 4 replies, has 2 voices, and was last updated by Anti-Malware Admin 1 week, 4 days ago.
May 1, 2026 at 9:07 pm #172202
Please contact us through the qtox tool
Hi,
I am currently working on cleaning up a hacked site of a mate (some hacklinkmarket SEO injection). He received ransomware emails and every single folder on the server has a README.md with the following text:
Download qtox [URL Redacted for security reasons]
If you can’t contact us, please contact some data recovery company(suggest taobao.com), may they can contact to us.
Add our TOX ID and send an encrypted file and ‘Sorry-ID’ for testing decryption.
Our TOX ID: [ID removed]
Wanted to point it out and also ask if it can be included in the definitions. GOTMLS didn’t pick it up.
Thanks 🙂
This topic was modified 3 weeks, 1 day ago by Anti-Malware Admin. Reason: URL Redacted for security reasons
May 2, 2026 at 8:15 am #172212
If I understand you correctly, you want me to add the text contents of these readme files to my malware definition list so that they can be easily cleaned up with my plugin, is that right?
These look like calling cards or ransom notes, not malicious code. Is it not easier to use the “find --delete” command on these files once the threat has been removed?
More importantly, is the threat itself found and automatically fixed by my plugin?
May 2, 2026 at 8:22 am #172215
I removed the link in that text for security reasons. Please send me any malicious files (complete and unedited) directly via email so I can see the full original threat in those files as well as any potentially benign content that might have been added to disguise the threat or may have been there before the malicious content was injected.
May 3, 2026 at 9:32 pm #172234
In the end it was that cPanel zero day that affected many people.
But yes, the idea behind telling you about those readme.mds was that you include them for easier cleanup. I did it via command line, but why not include it.
Thanks for your support 🙂
May 13, 2026 at 7:36 am #172751
I am reluctant to classify those readme files as malware because there is not actually any malicious code in them. They are in fact just text files with, as you say, a ransom note and contact details from the hacker. As these details may vary in content and could also provide forensic evidence or leads for the victims and/or law enforcement to follow up on, I feel it would not be my place to arbitrarily and automatically delete this potentially useful info. These files are also very similar to the log/trace evidence that is characteristically left behind by many AI Agents after live actions have been taken on behalf of a user that is delegating tasks to Agents, and it would seem important to not accidentally remove such records from a user’s site in case they needed to audit their agents’ actions. In fact, I would not doubt that an AI agent might have been used in some part of the hack that you suffered. Also, if you are not wanting to make use of any of this evidence and simply need to clean up all these scattered README.md files, it would be far simpler and faster to use the find command with the --delete option to get rid of all those files. 😉
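A middle path between the two positions in this thread (keep the notes as evidence vs. blow them away with find --delete), as an added example that is not part of the thread and is not code from the GOTMLS plugin: sweep the web root for README.md files that carry the note's marker text, copy each one with its relative path and a SHA-256 hash into a quarantine directory outside the web root, and only then remove the original. The default marker "TOX ID" is taken from the note quoted above; the helper names, the quarantine layout and the sample paths are assumptions for the demo.

```shell
#!/bin/sh
# Added example (not from the thread or the GOTMLS plugin): quarantine ransom-note
# README.md files with a hash manifest before deleting them from the web root.
# Keep the quarantine directory OUTSIDE the web root so the sweep cannot re-find
# its own copies.

hash_file() {
    # Portable SHA-256: GNU coreutils sha256sum, or shasum on BSD/macOS.
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# quarantine_ransom_notes WEBROOT QUARANTINE_DIR [MARKER]
# Prints the number of notes quarantined (read back from the manifest).
quarantine_ransom_notes() {
    webroot=${1%/}                 # strip a trailing slash so path stripping works
    quarantine=$2
    marker=${3:-"TOX ID"}          # text that identifies the note (from the thread)
    manifest="$quarantine/manifest.txt"
    mkdir -p "$quarantine"
    : > "$manifest"
    # Only regular files named README.md (any case) whose content contains the marker;
    # an ordinary theme/plugin README without the marker is left alone.
    find "$webroot" -type f -iname 'README.md' -exec grep -l -- "$marker" {} + 2>/dev/null |
    while IFS= read -r note; do
        rel=${note#"$webroot"/}
        dest="$quarantine/$rel"
        mkdir -p "$(dirname "$dest")"
        # Copy with timestamps preserved; remove the original only if the copy succeeded.
        if cp -p "$note" "$dest"; then
            printf '%s  %s\n' "$(hash_file "$note")" "$rel" >> "$manifest"
            rm -f "$note"
        fi
    done
    # The while loop ran in a pipeline subshell, so count from the manifest instead.
    wc -l < "$manifest" | tr -d ' '
}

# Usage (assumed paths):
#   quarantine_ransom_notes /var/www/html /root/ir-quarantine-2026-05
```

The manifest lines (hash, then the path relative to the web root) are what you would hand to the site owner or law enforcement: they tie every deleted note back to where it sat on the server, and the hashes let anyone confirm the quarantined copies were not altered afterwards. Run the sweep only after the actual infection has been cleaned, as the admin notes above, otherwise the notes are simply recreated.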

