Skeeyah

Category: trojan · Aliases: Trojan:Win32/Skeeyah, Malware.Skeeyah, Trojan.Generic.Skeeyah · Sample count (EMBER 2018): 440 · Enrichment: documented_reference_only · Updated: 2026-07-02T09:04:51Z

Overview

Executive Summary

Skeeyah (often detected as Trojan.Skeeyah or Win32/Skeeyah) is a highly generic heuristic detection name utilized primarily by Windows Defender (Microsoft) to classify executable files exhibiting severe, Trojan-like behavioral characteristics. The "Skeeyah" designation does not point to a single malware family, but rather serves as a catch-all for heavily obfuscated, potentially severe threats that are acting as downloaders, backdoors, or credential stealers.

Infection Vector and Technical Capabilities

Due to its generic nature, a Skeeyah detection can originate from virtually any infection vector, including malspam attachments, drive-by downloads from exploit kits, or execution of trojanized "cracked" software from P2P networks. When Windows Defender flags a file as Skeeyah, it has detected multiple red-flag behaviors indicative of advanced malware:

Threat Assessment

A Trojan:Win32/Skeeyah detection must be treated as a high-severity incident. Because it is a heuristic flag for highly obfuscated malware, the actual payload is unknown until dynamically analyzed, but it frequently precedes the deployment of catastrophic enterprise ransomware or sophisticated remote access trojans (RATs).

Incident Response and Remediation

Known aliases

Threat reports may refer to this family under multiple names:

MITRE ATT&CK Techniques

This family has been observed using the following ATT&CK techniques: T1055 T1027 T1105

Generated Detections (Boilerplate)

These YARA and Sigma rules are auto-generated based on the family name and aliases. They must be heavily tuned before deployment in a production environment.

YARA Rule

rule MALWARE_WIN_SKEEYAH {
    meta:
        description = "Detects Skeeyah (trojan)"
        author = "SystemHelpdesk Boilerplate Generator"
        date = "2026-07-06"
    strings:
        $s1 = "skeeyah" ascii wide nocase
        $s2 = "trojan:win32/skeeyah" ascii wide nocase
        $s3 = "malware.skeeyah" ascii wide nocase
        $s4 = "trojan.generic.skeeyah" ascii wide nocase
    condition:
        uint16(0) == 0x5a4d and any of them
}

Sigma Rule

title: Suspicious Skeeyah Activity
id: 39467185ce54457f1b58b6a3e388390e
status: experimental
description: Detects generic indicators of the skeeyah malware family.
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
        CommandLine|contains:
            - "*skeeyah*"
            - "*trojan:win32/skeeyah*"
            - "*malware.skeeyah*"
            - "*trojan.generic.skeeyah*"
    condition: selection
level: medium

References & External Analysis

Frequently Asked Questions

Where can I learn more about skeeyah?

Refer to the linked MITRE ATT&CK technique pages, which document the behaviors associated with this family.

Related Families (Category: trojan)

Explore other malware families in the same category:

Need help with an active incident? Published by the SystemHelpdesk team.

Machine-readable

Get this profile as JSON: https://jordanricky1604-ship-it.github.io/malware-families-catalog/api/skeeyah.json

Ecosystem & Interactive Environments

This profile is part of the Malware Families Catalog, a public dataset of 2,899 malware families. The catalog is also published across our ecosystem: Hugging Face, Kaggle, Replit, StackBlitz, CodeSandbox, and CodePen.