Expiro (also known as Xpiro) is a file infector that has been active for over a decade and continues to be updated by its authors. It infects executable files on both 32-bit and 64-bit Windows systems by inserting its own code into them. Beyond classic file infection, Expiro has information-stealing capabilities: it can install browser extensions, alter the security settings and behaviour of an infected system, and steal data such as account credentials. Its infection routine was notably revised in samples observed around 2017. Expiro is documented by Fraunhofer FKIE's Malpedia and has been analysed by vendors including McAfee.
Threat reports may refer to this family under multiple names:
These YARA and Sigma rules are auto-generated based on the family name and aliases. They must be heavily tuned before deployment in a production environment.
rule MALWARE_WIN_EXPIRO {
meta:
description = "Detects Expiro (file_infector)"
author = "SystemHelpdesk Boilerplate Generator"
date = "2026-07-06"
strings:
$s1 = "expiro" ascii wide nocase
$s2 = "xpiro" ascii wide nocase
condition:
uint16(0) == 0x5a4d and any of them
}title: Suspicious Expiro Activity
id: 1ffe01c89da9e1b722222b1e92936db4
status: experimental
description: Detects generic indicators of the expiro malware family.
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith:
- '\cmd.exe'
- '\powershell.exe'
CommandLine|contains:
- "*expiro*"
- "*xpiro*"
condition: selection
level: mediumExpiro, also known as Xpiro, is a file infector virus that has been active for more than a decade. It infects executable files on 32-bit and 64-bit Windows systems and also includes information-stealing functionality.
As a file infector, Expiro inserts its code into legitimate Windows executable files so that the malicious code runs when an infected program is launched. It is capable of infecting both 32-bit and 64-bit executables, and its infection routine was revised in samples seen around 2017.
Beyond spreading through executables, Expiro can install browser extensions, change the security settings and behaviour of an infected system, and steal information such as account credentials.
Expiro is profiled in Fraunhofer FKIE's Malpedia and has been analysed in named-vendor research, including work by McAfee. These sources describe it as a long-running, frequently updated file infector with credential-theft capabilities.
Explore other malware families in the same category:
Get this profile as JSON: https://jordanricky1604-ship-it.github.io/malware-families-catalog/api/expiro.json
This profile is part of the Malware Families Catalog, a public dataset of 2,899 malware families. The catalog is also published across our ecosystem: Hugging Face, Kaggle, Replit, StackBlitz, CodeSandbox, and CodePen.