Trojan.Cryxos.[variant], JS:Trojan.Cryxos.[variant], Trojan:JS/Kotka.A, Trojan:JS/Kotka.B


Cryxos trojans display an alarming notification message saying that the user's computer or web browser has been 'blocked' due to a virus infection, and that their personal details are 'being stolen'. The user is then directed to call a phone number for assistance in the 'removal process'. This is a version of a 'call support' scam.

Automatic action

Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.

Suspect a file is incorrectly detected (a False Positive)?

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest detection database updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    NOTE If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note You need administrative rights to change the settings.

For more Support


Find the latest advice in our Community.

User Guide

See the user guide for your product on the Help Center.

Contact Support

Chat with or call an expert for help.

Submit a sample

Submit a file or URL for further analysis.

Technical Details

Cryxos trojans are typically encountered when the user inadvertently opens a malicious or compromised webpage hosting a malicious JavaScript file. When the script runs, it will display a notification message that makes it appear as though the user's device is infected with a virus; the user is urged to call a given phone number for technical support in removing the infection.

The notification message displayed by Cryxos trojans varies by language. Some variants will also open a web page in the browser displaying what appears to be a legitimate vendor's website to further enhance the impression that the message is authentic. Other variants will display an image of a screenshot of a web page:

Cryxos trojan message in English.

Cryxos trojan message in French. The webpage behind the message is actually an image of a webpage

Some Cryxos variants will also play an audio recording repeating the information displayed in the notification message and giving the phone number that the user is supposed to contact for 'further assistance'.

In addition to displaying the message, some Cryxos variants will display the user's IP address, open multiple web browser pages, or perform other actions designed to cause alarm.

Support scams

These trojans are essentially part of a 'call support' or 'tech support' scam; they are designed to trick the user into believing their device is infected. If the user does contact the number displayed, they are then typically pressured into paying for the 'assistance'.

In some cases, the user may be asked to give the technician remote access to the machine, potentially leading to a device hijack and compromise of any information stored on the device.

For more information about such scams, see: