Tiggre!rfn (also named TROJ_DIGMINEIN.A (Trend Micro), Trojan.GenericKD.12694003 (BitDefender), W32/Autoit.CGO!tr (Fortinet)) is a Trojan on Microsoft Windows that mines cryptocurrency off of the user's computer.


The program is sent out to be a video file,and is found in spam emails (malicious attachments), fake Adobe Flash Player updaters, malicious websites, chain infections, and even Facebook messages.

However, when run, it actually is a script. Once the user runs the program and their computer is infected, the Trojan modifies registry entries.

It drops an executable called 'cherry.exe' to run in the background. It can be found under:

%Application Data%\{User name}\cherry.exe.

The Trojan disables security software (such as antiviruses) on the user's computer.

The entire crypto-mining process essentially based on solving various "mathematical equations". Mining tools employ system resources to perform calculations. Each time an "equation" is solved, a single unit of currency (e.g., 1 Bitcoin) is mined. Since an identical "equation" is solved by a number of computers simultaneously, the reward is split between each device depending on the power of the device and how much work is performed. All revenue is received by cyber criminals (crypto wallet), whilst users receive nothing in return. In fact, all this is done without their consent, and since mining takes up to 100% of computer resources, systems often become unstable and virtually unusable. Furthermore, within certain circumstances (high room temperatures, poor cooling systems, etc.) hardware can be damaged (components might overheat). Trojan Win32/Tiggre!rfn also gathers various data, including saved logins/passwords, keystrokes, banking information, and so on. Collected data is often misused to generate revenue. Therefore, the presence of malware such as Trojan Win32/Tiggre!rfn might lead to serious financial and privacy issues (e.g., cyber criminals can transfer funds to their accounts, purchase illegal items under the user's name, and so on).


Once the program starts to mine cryptocurrency, the CPU usage and GPU preformance on the user's computer will behave sluggishly and using simple programs may slow down computer responses to a halt.

Eventually, if the program mines for a long period of time, the CPU could overheat and become damaged beyond repair.

In some cases, Trojan Win32/Tiggre!rfn infiltrates systems along with a number of adware-type applications. These programs are not as harmful as Trojan Win32/Tiggre!rfn, but can be frustrating and problematic. Potentially unwanted adware-type programs (PUPs) typically deliver intrusive advertisements and gather sensitive data. Intrusive ads conceal underlying website content (thereby significantly diminishing the browsing experience), and also redirect to malicious sites and even run scripts that stealthily download and install malware. Clicking these ads can lead to malicious sites. Furthermore, adware gathers IP addresses, URLs visited, search queries, pages viewed, and other data relating to browsing activity. Collected information is shared with third parties (potentially, cyber criminals). Therefore, adware poses a threat to the user's privacy and Internet browsing safety. For these reasons, all adware-type PUPs must be eliminated immediately.

Trojan Win32/Tiggre!rfn is very similar to Pony, TrickBot, and FormBook. In fact, there are dozens of viruses that also gather information, mine cryptocurrencies, and perform other malicious tasks. Adware-type apps share many similarities. By offering 'useful features', PUPs attempt to give the impression of legitimacy, however, rather than enabling the functions promised, adware poses a direct threat to the user's privacy and Internet browsing safety. The only purpose of this software is to help developers generate passive revenue.

Community content is available under CC-BY-SA unless otherwise noted.