Yakes

Category: trojan · Aliases: Trojan.Yakes, Downloader.Yakes, Win32/Yakes · Sample count (EMBER 2018): 751 · Enrichment: documented_reference_only · Updated: 2026-07-02T09:03:09Z

Overview

Executive Summary

Yakes (often detected as Trojan.Yakes or Win32/Yakes) is a generic classification used by some security vendors to identify a family of obfuscated Trojan downloaders. Its primary function is to serve as an initial foothold on a compromised system, operating stealthily to download and execute more complex and destructive secondary payloads, such as banking trojans, information stealers, or ransomware, based on instructions from its Command and Control (C2) server.

Infection Vector and Technical Capabilities

Yakes is primarily distributed via malicious email campaigns (malspam) containing obfuscated JavaScript or macro-enabled Office documents, or via drive-by downloads from compromised websites hosting exploit kits. Its technical design is optimized for evasion and delivery:

Threat Assessment

A Yakes detection is a critical indicator of compromise. It signifies that the initial perimeter defenses have failed and the machine is either actively downloading or has already downloaded a severe secondary payload. The true threat level depends entirely on what Yakes was instructed to deploy.

Incident Response and Remediation

Known aliases

Threat reports may refer to this family under multiple names:

MITRE ATT&CK Techniques

This family has been observed using the following ATT&CK techniques: T1105 T1059 T1027

Generated Detections (Boilerplate)

These YARA and Sigma rules are auto-generated based on the family name and aliases. They must be heavily tuned before deployment in a production environment.

YARA Rule

rule MALWARE_WIN_YAKES {
    meta:
        description = "Detects Yakes (trojan)"
        author = "SystemHelpdesk Boilerplate Generator"
        date = "2026-07-06"
    strings:
        $s1 = "yakes" ascii wide nocase
        $s2 = "trojan.yakes" ascii wide nocase
        $s3 = "downloader.yakes" ascii wide nocase
        $s4 = "win32/yakes" ascii wide nocase
    condition:
        uint16(0) == 0x5a4d and any of them
}

Sigma Rule

title: Suspicious Yakes Activity
id: 21688e0069b09a7232554ccb47e04af3
status: experimental
description: Detects generic indicators of the yakes malware family.
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
        CommandLine|contains:
            - "*yakes*"
            - "*trojan.yakes*"
            - "*downloader.yakes*"
            - "*win32/yakes*"
    condition: selection
level: medium

References & External Analysis

Frequently Asked Questions

Where can I learn more about yakes?

Refer to the linked MITRE ATT&CK technique pages, which document the behaviors associated with this family.

Related Families (Category: trojan)

Explore other malware families in the same category:

Need help with an active incident? Published by the SystemHelpdesk team.

Machine-readable

Get this profile as JSON: https://jordanricky1604-ship-it.github.io/malware-families-catalog/api/yakes.json

Ecosystem & Interactive Environments

This profile is part of the Malware Families Catalog, a public dataset of 2,899 malware families. The catalog is also published across our ecosystem: Hugging Face, Kaggle, Replit, StackBlitz, CodeSandbox, and CodePen.