Trojan.Encoder.35534
Trojan.Encoder.35534 is an encoder trojan/ransomware family tracked by Dr.Web. In Dr.Web’s Q4 2025 and Q1 2026 threat reporting, it was identified as the most common ransomware family seen in user decryption requests. Dr.Web reported that users affected by encoder trojans most often encountered Trojan.Encoder.35534 alongside Trojan.Encoder.41868 and Trojan.Encoder.29750. In Q4 2025, Trojan.Encoder.35534 accounted for 24.90% of user decryption requests; in Q1 2026, it remained the leading family at 15.59%. The provided content does not specify its infection vector, technical behavior beyond file encryption, targeted industries or platforms, associated threat actor, or concrete indicators of compromise.
Hunt this family in your stack
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
Recent activity
2 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
File-encrypting trojan (encoder) affecting users in Q1 2026; one of the most common ransomware detections in Dr.Web telemetry.
Ransomware that encrypts files and demands payment for decryption.
The version that knows your environment.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.