Ticno is an advanced malware downloader (Trojan.Ticno.1537) first discovered in November 2016 by analysts at Dr. Web. The trojan comes with anti-detection features that scan a potential victim’s system for virtual machines used by researchers to analyze malware. It checks processes and registry keys and, if a virtual machine is found, stops execution and starts the Windows Explorer process as a decoy. If the host machine passes the checks, a “Save As” dialog box is displayed, asking the user to save a file named 1.zip. There is a link for “Additional settings” at the bottom left corner of the dialog box. Clicking this link reveals the trojan’s bundled installers. However, if the user still clicks “Save,” the dialog box turns into an installer box. Adware packaged as Windows software or Chrome extensions, along with legitimate apps such as the Amigo browser, is then downloaded.


  • December 2016: Malware disguises installer as Windows “Save As” dialog box. (Bleeping Computer)

Technical Details

  • Dr. Web provides technical details and remediation recommendations for the Ticno trojan, available here.

One example of the Ticno trojan. Image Source: Dr. Web
