Click on screenshot to zoom
Danger level 7
Type: Trojans
Common infection symptoms:
  • Connects to the internet without permission
  • Installs itself without permissions
  • Can't be uninstalled via Control Panel


KopiLuwak, also known as Trojan.JS.Agent to our research team, is a clandestine infection that acts as a Javascript backdoor/malware payload. This dangerous infection appears to have been created by a very well-known group of cyber criminals, which goes by different names, including KRYPTON, Snake, Turla, Uroburos, and Venomous Bear. It is believed that this new backdoor is a new addition to the ICEDCOFFEE payload, and that means that the group of attackers continues to grow and perfect their malware instruments. This, without a doubt, is bad news for all of us. Although the malicious threat is unlikely to affect regular users, it appears to be targeted at government agencies, and when governments are affected, we are all affected. In this report, we discuss how the malicious infection spreads, what it does, and, of course, how to delete it. Of course, if you are trying to remove KopiLuwak, there are greater problems to think about as well.

According to our malware research team, the malicious KopiLuwak is distributed using spear-phishing attacks, and, as it was mentioned already, they are usually targeted at government institutions. That means that the email messages should be created accordingly as well. For example, the attackers could introduce themselves as someone from one institution to attack a different one. To convince the target, they might create misleading email addresses and use convincing language and messages. They also could hijack authentic government accounts to distribute misleading emails. Ultimately, the attackers want the victims to open the attached .DOC files. If they are tricked into doing that, they are asked to enable macro (if it is not enabled automatically), and this action, eventually, leads to the invasion of the devious KopiLuwak. A .NET shell dropped onto the computer is likely to contact a C&C server and install the infection so that it could create scheduled tasks, drop JavaScript files, and then download malware. You see, while the backdoor is a threat to your security, it cannot do much by itself, and its primary goal is to download more powerful infections.

Once installed, KopiLuwak operates as “mailform.js” from these locations: %LOCALAPPDATA%\Temp\, %LOCALAPPDATA%\Microsoft\Windows\, and %USERPROFILE%\Application Data\Microsoft\Windows\. You need to delete the file from these folders immediately, before new threats are downloaded. Of course, you are unlikely to realize that a backdoor has been enabled on your system because this infection is silent. While removing the .JS file should not be problematic, clearing the system from other active threats might be tough. You also need to figure out what might have been let in via the backdoor, and we recommend installing a reliable malware scanner to figure that out. First, you might need to delete KopiLuwak to ensure that no other threats can be downloaded without your notice. Once the backdoor is closed, so to speak, you will be able to tackle the remaining threats. Ultimately, it can be a lengthy and complicated process, but it does not need to be. You could use an automated anti-malware program to have all threats removed at once.

If you have found out that you need to remove KopiLuwak from your operating system, you need to keep in mind that other threats are likely to exist inside your operating system. These additional threats could be used to steal private information and perform cyber espionage attacks. This is a serious issue, considering that highly classified government information could be leaked. Ultimately, every piece of malicious software must be deleted from the infected operating system as soon as possible. While KopiLuwak can be erased using the guide provided below, erasing all threats can be too difficult and time-consuming. We strongly advise employing reliable anti-malware software to have the entire operating system cleaned thoroughly. Another benefit to using this software is the reliable full-time protection it can offer. Once your system is clean, it is a good idea to disable macros. Then, if someone asks to enable it, it might be easier to recognize and prevent an attack. If you have more questions about this malware or its removal, please feel free to leave all of them in the comments area. Our malware experts will get back to you as soon as possible.

KopiLuwak Removal

  1. Tap Win+E keys to launch Explorer.
  2. Enter %LOCALAPPDATA%\Microsoft\Windows\ into the field at the top.
  3. Right-click and Delete the file named mailform.js.
  4. Enter %LOCALAPPDATA%\Temp\ into the field at the top and repeat step 3.
  5. Enter %USERPROFILE%\Application Data\Microsoft\Windows\ into the field at the top and repeat step 3.
  6. Delete all recently downloaded .DOC files.
  7. Empty Recycle Bin.
  8. Perform a through system scan using a reliable malware scanner to check if you need to delete other threats.
Download Spyware Removal Tool to Remove* KopiLuwak
  • Quick & tested solution for KopiLuwak removal.
  • 100% Free Scan for Windows

Post comment — WE NEED YOUR OPINION!

Please enter security code:
This is a captcha-picture. It is used to prevent mass-access by robots.