Joao is a virus on Microsoft Windows originating from Brazil. It spreads through fake MMORPGs using Aeria Games' identity.

To spread their malware, the attackers behind Joao have misused massively-multiplayer online role-playing games (MMORPGs) originally published by Aeria Games. At the time of writing this article, the João downloader was being distributed via the anime-themed MMORPG Grand Fantasia offered on gf.ignitgames[.]to.

Research has shown that several other Aeria games have been misused in the same way in the past, however, their corresponding unofficial websites have either gone inactive or had the malicious downloads removed in the meantime.

The virus has already infected a large number of gamers worldwide, mostly in Latin America and South East Asia.


The affected games have been modified to run Joao’s main component is a malicious library mskdbe.dll, detected by ESET’s systems as Win32/Joao.A. When users run the game launcher, Joao is launched along with it.

Upon launching, the Joao downloader first sends basic information about the infected computer – device name, operating system version and information on user privileges – to the attacker’s server because the malware keeps its operations “silent” and since the game works as expected, there’s nothing suspicious about the whole infection process from the user’s point of view.


Countries affected by Joao.

Compared to downloading and launching a legitimate Aeria game, the only visible difference is an extra .dll file in the game’s installation folder.

After the communication with the server has been established, server-side logic decides whether and which components will be sent to the victim’s computer. The Joao components discovered during research had a backdoor, spying, and DDoS capabilities.


For a quick check of Joao’s presence on the user's computer, they can try running a search for “mskdbe.dll” – if the search returns a result, the computer has most likely been infected with the Joao malware. If no such file is found, it doesn’t automatically mean the user hasn’t crossed paths with the malware - the file can be renamed at any moment.

Community content is available under CC-BY-SA unless otherwise noted.