Trojan horse inside the windows installer #359

sisimbisim222 opened this issue Mar 30, 2025 · 14 comments

Comments

@sisimbisim222 (Author)

[image attached: antivirus alert screenshot]
@marek7400 commented Mar 30, 2025

taggui v1.32.2
VirusTotal report

[image attached: VirusTotal report]

@sisimbisim222 (Author)

Yes, I know, I did that too.

@mcDandy commented Apr 1, 2025

I think this should be addressed asap. I would prefer this over the dataset tool from OneTrainer, but I am not running anything with a virus (even if it would be a false positive).

@sisimbisim222 (Author)

This is NOT a false positive, intentional or not.

@jhc13 (Owner) commented Apr 2, 2025

> This is NOT a false positive, intentional or not.

Why do you think that?

@sisimbisim222 (Author)

This Trojan is very bad. The alert level is marked as Severe, which is the highest threat level in most antivirus systems.

Context from Web Information
Several recent reports on GitHub and other platforms have flagged Trojan:Win32/YOMAL!rfn in various software installers, raising concerns about whether these detections are legitimate threats or false positives. Here’s what I found:
False Positive Reports in Legitimate Software:
In January 2025, a user reported on GitHub that Windows Defender flagged the installer for Ente 4.3.1 (an open-source photo management app) as Trojan:Win32/YOMAL!rfn. The file was also flagged by VirusTotal, but the discussion suggests this might be a false positive, as Ente is a legitimate project.

Another report from January 2025 on the vim-win32-installer GitHub page noted that gvim_9.1.1039_x64.exe was flagged as Trojan:Win32/YOMAL!rfn. The user suspected a false positive, pointing out that only Microsoft Defender and a few obscure antivirus scanners flagged it, while others, like Intezer, identified the file as related to RustDesk (a legitimate remote desktop tool). The consensus in the thread leaned toward this being a false positive due to Microsoft Defender’s overzealous heuristic detection.

In February 2025, the KCC (Kindle Comic Converter) versions 7.2.1 and 7.2.2 were flagged by Windows Defender as containing Trojan:Win32/YOMAL!rfn. The user noted that earlier versions of KCC were not flagged, and the executable was downloaded directly from GitHub’s release page, suggesting a potential false positive.

A Reddit post from January 2025 on r/Steam reported that ngen.exe (a component of Wine inside Steam’s Proton library on Ubuntu) was flagged as Trojan:Win32/YOMAL!rfn. The user expressed confusion, as Proton is a widely used and trusted tool for running Windows games on Linux, indicating this might also be a false positive.

General Behavior of Similar Trojans:
While I couldn’t find a Microsoft Security Intelligence page specifically for YOMAL!rfn, a related Trojan, Trojan:Win32/Pomal!rfn, was described in a MalwareTips guide from November 2024. Pomal!rfn exhibits typical Trojan behavior, including downloading additional malware, recording keystrokes, stealing browsing history, enabling remote access, injecting ads, and even using the infected system for cryptocurrency mining. Given the similarity in naming (both ending in !rfn), it’s likely that YOMAL!rfn shares some of these characteristics, especially since your alert mentions it "executes commands from an attacker."

A Microsoft Security Intelligence page on Trojans explains that they often masquerade as legitimate software to trick users into installation. Once active, they can steal personal information, download more malware, or grant hackers remote access to the infected system.

Potential False Positives:
Many of the reports I found suggest that Trojan:Win32/YOMAL!rfn detections might be false positives, especially when associated with legitimate software downloaded from trusted sources like GitHub. Microsoft Defender’s heuristic detection (indicated by the "!rfn" suffix) sometimes flags files based on behavioral patterns rather than a confirmed malicious signature, which can lead to overzealous flagging of safe files.

For example, a Reddit post on r/computerviruses from December 2024 about a similar Trojan, Trojan:Win32/Pomal!rfn, in the Nucleus Co-op app (an open-source tool for split-screen gaming) speculated that the detection might be due to the app’s updater exhibiting behavior similar to a Trojan, such as downloading and executing files, which triggered Defender’s AI-based detection.

Is This Detection Legitimate or a False Positive in Your Case?
The file in your alert, taggui.exe (located at C:\Users\user\dev\taggui-v1.32.2-windows\taggui.exe), appears to be related to a development tool, possibly a GUI application, given the "dev" folder and version number in the path. There are a few possibilities:
Legitimate Threat: If you downloaded this file from an untrusted source (e.g., a third-party website, torrent, or cracked software repository), it could indeed be a malicious file disguised as a legitimate tool. Trojans often hide in software that appears useful, especially in development-related tools that might not be widely scrutinized.

False Positive: If you obtained taggui.exe from a trusted source (e.g., an official GitHub release page or the developer’s website), this could be a false positive, similar to the cases reported with Ente, KCC, Vim, and Steam’s Proton. The fact that multiple legitimate applications have been flagged with the same Trojan:Win32/YOMAL!rfn detection in early 2025 suggests that Microsoft Defender might be overly sensitive to certain behavioral patterns in these files.
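The thread above turns on two questions a defender would actually answer before deciding anything: who flagged the file and how (a single heuristic verdict such as the `!rfn` one versus independent, specific signatures from several widely used engines), and whether the bytes on disk are the bytes the project published. The following script is an added example, not part of this thread or of the taggui project. It uses a constructed set of per-engine verdicts (not a real VirusTotal report; only the `Trojan:Win32/YOMAL!rfn` name comes from the thread), an assumed list of "major" engines, the thread's own characterisation of the `!rfn` suffix as heuristic, and a placeholder where a published SHA-256 would go.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path
from typing import Dict, Optional

# Constructed sample: engine name -> detection string, or None when clean.
# This is NOT a real VirusTotal report; the engine names and verdicts other
# than the Microsoft one are made up for illustration.
SAMPLE_VERDICTS: Dict[str, Optional[str]] = {
    "Microsoft": "Trojan:Win32/YOMAL!rfn",
    "ObscureAV-1": "Trojan.Generic.Heur",
    "ObscureAV-2": "Malicious (score 72)",
    "Kaspersky": None,
    "ESET-NOD32": None,
    "BitDefender": None,
    "Sophos": None,
    "Avast": None,
    "Intezer": None,
}

# Assumption: which engines count as "widely used" is a judgement call.
# This set is an illustrative choice, not an authoritative ranking.
MAJOR_ENGINES = {"Microsoft", "Kaspersky", "ESET-NOD32", "BitDefender", "Sophos", "Avast"}


def is_heuristic_or_generic(name: str) -> bool:
    """True when a detection name signals a heuristic or generic verdict
    rather than a specific signature. '!rfn' is the Defender heuristic suffix
    the thread discusses; 'generic', 'heur' and 'score' are assumed
    conventions for generic/ML verdicts, not taken from the thread."""
    low = name.lower()
    return low.endswith("!rfn") or any(m in low for m in ("generic", "heur", "score"))


def triage(verdicts: Dict[str, Optional[str]], major=MAJOR_ENGINES) -> dict:
    """Summarise a verdict table: detection ratio, which engines flagged,
    how many of those are major engines, and a coarse assessment."""
    flagged = sorted(engine for engine, verdict in verdicts.items() if verdict)
    major_flagged = [engine for engine in flagged if engine in major]
    all_heuristic = all(is_heuristic_or_generic(verdicts[e]) for e in flagged)
    if not flagged:
        assessment = "clean"
    elif all_heuristic and len(major_flagged) <= 1:
        # One heuristic verdict plus generic ones: verify provenance and
        # report to the vendor as a possible false positive before trusting
        # or condemning the file.
        assessment = "inconclusive"
    else:
        assessment = "strong"
    return {
        "ratio": f"{len(flagged)}/{len(verdicts)}",
        "flagged": flagged,
        "major_flagged": major_flagged,
        "all_heuristic": all_heuristic,
        "assessment": assessment,
    }


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def checksum_matches(data: bytes, published_sha256: str) -> bool:
    """Constant-time comparison of the file's digest with a published one."""
    return hmac.compare_digest(sha256_hex(data), published_sha256.strip().lower())


def verify_download(path: Path, published_sha256: str) -> bool:
    """Hash a file on disk in chunks and compare against the published digest."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return hmac.compare_digest(digest.hexdigest(), published_sha256.strip().lower())


if __name__ == "__main__":
    print(triage(SAMPLE_VERDICTS))
    # Constructed stand-in for the downloaded installer; the "published"
    # checksum is a placeholder computed here, not a real taggui release hash.
    sample_bytes = b"constructed installer bytes, not a real executable"
    with tempfile.TemporaryDirectory() as tmp:
        installer = Path(tmp) / "taggui.exe"
        installer.write_bytes(sample_bytes)
        published = sha256_hex(sample_bytes)  # PLACEHOLDER for the project's published digest
        print("checksum matches:", verify_download(installer, published))
        print("tampered copy matches:", checksum_matches(sample_bytes + b"x", published))
```

With the constructed table the result is `3/9` flagged, only one major engine, every verdict heuristic or generic, so the assessment is `inconclusive`: that is the state of evidence the thread is arguing over, and the checksum step is what turns "I downloaded it from GitHub" into a verifiable statement. A digest match only proves the file is what the project published; it says nothing about whether the published build itself is clean, which is why the two checks are kept separate.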

@jhc13 (Owner) commented Apr 2, 2025

I don't see how we can determine that it is not a false positive from that, as you claimed.

@StableLlama

> I think this should be addressed asap. I would prefer this over the dataset tool from OneTrainer, but I am not running anything with a virus (even if it would be a false positive).

I fully understand that, nobody should do that.

But there are two points here:

  1. It is well known that virus detection technology can fail. This is a bug for the provider of the virus detection technology and not for the application. So your bug report must be placed there and not here.
  2. There is no need to use installation files. Just install Python (doing AI stuff, you have most likely done that already), get the source files from this repository and run them directly. It is just slightly less comfortable. And as soon as you want to update, it's even more comfortable than using the installer.

Repository owner deleted a comment from chakalakasp Apr 10, 2025
@Seedmanc

This is very problematic; once again, updating only causes trouble. We should just stick to old versions.

@KatanaKily

I just installed it and am using it, no trojan horse, no nothing; I'm 90% positive it's a false positive.

@sisimbisim222 (Author)

"90% positive", are you serious?

@chakalakasp

Between the project owner going around deleting comments that point out that one should never "just trust me bra" when some random dude's executable on the internet is flagged as a RAT virus by quite a few reputable AVs out there and the number of people here willing to just yolo it and install it anyway, I'm losing a little faith in humanity lol

@sisimbisim222 (Author)

Stupid as fuck. Why not just create a new installer? What the hell? Russian backdoor, 100%.

@derekhsu

Nobody has addressed this problem for months. Is this project dead?

9 participants