Mullvad Browser Trojan:Script/Wacatac.B!ml

Mullvad Browser in its version

mullvad-browser-windows-x86_64-install-13.5a6

from Github is dumping a file LangDLL.dll in the path

C:\Users\%userProfile%\AppData\Local\Temp\%random%.tmp\LangDLL.dll

which is recognized as Trojan:Script/Wacatac.B!ml by Windows Defender when opening the executable.

The installer is signed with the Tor Browser trusted key.

Anyone else in this situation? False positive?

GitHub prohibits an account created by alias from creating an issue

Can you submit that through Virus Total?

Probably false positive, I don’t see anything.

@dngray
you didn’t scan the one they mentioned; this newer one does have a detection: VirusTotal

5 Likes

This is the file in question: VirusTotal

29/71 detections

see also Free Automated Malware Analysis Service - powered by Falcon Sandbox

contained in:

  • tor-browser-windows-x86_64-portable-13.5a6.exe
  • mullvad-browser-windows-x86_64-install-13.5a6.exe
  • ricochet-refresh-3.0.21-windows-x86_64-installer.exe
  • ricochet-refresh-3.0.22-windows-x86_64-installer.exe

@ruihildt

4 Likes

On my phone, otherwise I’d check whether it shows up on Tor Browser Alpha upstream too :eyes:

@jonah

tor-browser-windows-x86_64-portable-13.5a6.exe appears to contain it as well:
https://www.hybrid-analysis.com/sample/d7d788af52072148b8211ecc14eb329a0cdab07e2188659b41b01652ac8f1ac7/6612ebacab0e29380a06788f#sample-dropped-files

1 Like

It does seem like possibly a recurring problem for the Tor Project:

Thanks @anonymous172 for bringing this up and @SkewedZeppelin for pinging me. I have forwarded the information to the devs.

It would not be the first time we receive false positive reports, but we’ll check in any case.

I have on a previous occasion contacted some antivirus editor (I think it was Symantec), but was ignored. If any of you have suggestions on how to better handle this, I’m all ears. :slight_smile:

8 Likes

The installer was always 1 detection.

It is the file it drops that has 29 detections, and still does: VirusTotal

Again, this looks different than past false positives.

1 Like

I made a submission to VirusTotal before SkewedZeppelin and the link is the same.

Only the installer version causes this.

@SkewedZeppelin Thanks for analyzing the files, publishing the links and reporting the problem on github.

I avoided sending the DLL file for analysis to avoid putting myself at risk.

I’ve tested it a few times and the warning is triggered as soon as the executable is opened.

I hope it’s a false positive. Otherwise, if it dumps other files on the system, I remain at risk.

The thing about VirusTotal is that the infected DLL doesn’t appear in its analysis. This motivated me to open mullvad-browser-windows-x86_64-install-13.5a6 again to confirm the suspicion that it is the source, rather than another program.

The DLL seems to be obfuscated and recognizes the VirusTotal analysis, or something else. I’m a layman, so forgive me for not being able to help more.


Thank you all for your attention to the event. You guys are amazing!


I ask moderation to close this thread as soon as a solution is found. I don’t know if anonymous mode can do that after a long time.

1 Like

It could be that the filter lists inside uBO contain the malware/phishing links/domains and triggers anti-virus?

uBO sometimes receives question about the anti-virus inside users’ computers marking uBO as not safe.

@eqrlzo8t
not possible in this case.

It is. Generally, when you see a VirusTotal result with 1 result from an obscure scanner and the reason being “heuristics” or “ML”, it’s often a false positive.

It can happen for a variety of reasons, for example if the dev uses UPX to compress the binary, because it was common for malware to also do that.

The file in question is now up to 31 detections, from 29 yesterday. Including now being flagged by Google and Microsoft.

edit: now up to 32

5 Likes

Surely Windows Defender stopped it from executing and quarantined it? Even if it was malware, I don’t think you’re hugely at risk.

Hi, richard from the Tor Project and Blueprint for Freespeech here (Tor Applications Team lead and maintainer of Ricochet-Refresh)!

Ricochet-Refresh, Mullvad Browser, and Tor Browser all make use of the NSIS installer cross-compiled with mingw clang on Linux, which probably explains why they’re all appearing in the same anti-virus bucket here. Each of our releases is signed with our respective build signing keys, so be sure to check that if you’re unsure of the origin of your binaries!

11 Likes

I assume you’re well aware of your threat model, but for any user who could be put at risk reading this, I would recommend them to stick to stable version of software in general.

1 Like

@richard @ruihildt: Could you please sign all executable and script files (exe, DLL, JS, …) of Tor Browser (and Mullvad Browser) on Windows, not just the installer?

It’s good security practice to sign all files, and it lowers false positive rates of AV solutions and Microsoft’s ISG. It’s a pain to deal with unsigned files for users who use WDAC, because you need to temporarily disable WDAC enforcement while updating the browser and update the WDAC policy afterwards, which brings additional maintenance effort and weakens security, or have a separate device for updating and signing it yourself, which is usually only done in enterprise environments. WDAC is one of the main security mechanisms for people with higher security requirements on Windows.

Additionally, it would be beneficial to put everything inside an MSIX package. It will keep the filesystem clean and make sure everything is signed. See Firefox on the MS Store as an example.

4 Likes
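As an added example that is not part of the thread and not the Tor Project's or Mullvad's own tooling, the PowerShell audit below covers both richard's advice to check the build signature and the request above to sign every binary: it lists which files in an install tree lack a valid Authenticode signature (exactly the files an enforced WDAC policy would block), and it fingerprints any LangDLL.dll left under %TEMP% by an NSIS installer so the file can be looked up on VirusTotal by hash instead of being uploaded. $InstallDir is an assumed path; adjust it to your installation.

```powershell
# Added example, not code from the thread or from the Tor Project.
$InstallDir = "$env:LOCALAPPDATA\Mullvad Browser"   # assumption: adjust to your install

function Get-SignatureReport {
    # One row per .exe/.dll under $Path: signature status, signer subject, SHA256.
    param([Parameter(Mandatory)][string]$Path)
    Get-ChildItem -Path $Path -Recurse -File -Include *.exe, *.dll |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                File   = $_.FullName
                Status = $sig.Status      # Valid, NotSigned, HashMismatch, NotTrusted, ...
                Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
                SHA256 = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            }
        }
}

# 1. Installed tree: anything whose status is not 'Valid' is what a WDAC user
#    would have to allow-list by hand (or would be blocked from loading).
$report = Get-SignatureReport -Path $InstallDir
$report | Where-Object Status -ne 'Valid' |
    Format-Table Status, Signer, File -AutoSize

# 2. Helper DLLs dropped by NSIS into %TEMP%\<random>.tmp\ (the thread's LangDLL.dll):
#    print signature status and SHA256 only; nothing is uploaded anywhere.
Get-ChildItem -Path "$env:TEMP\*.tmp\LangDLL.dll" -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        "{0}`n  signature: {1}`n  sha256:    {2}" -f $_.FullName, $sig.Status,
            (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
    }
```

Search VirusTotal for the printed SHA256; if the hash is already known there, the report can be read without submitting a copy of the file.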

There’s an existing issue for this: Sign Tor Browser Windows binaries (not just the setup executable) (#40564) · Issues · The Tor Project / Applications / tor-browser-build · GitLab

For the MSIX, we’ll have to discuss it. I vaguely remember this being brought up at some point in the past.

2 Likes