Find out if your Windows PC is infected with Hacking Team malware

Martin Brinkmann
Jul 23, 2015

A leak pushed hundreds of Gigabyte of data from Italian based company Hacking Team into the open.

While analysis of the data is still ongoing, it resulted already in the patching of several critical vulnerabilities.

Rook Security, one of the companies that is analyzing the data, discovered 53 git projects during an initial pass of the data which resulted in the identification of 93 binary files of which 40 were identified to have the highest probability for malicious use.

The binary files were filed into four different groups based on the analysis. All files verified as malicious by Virustotal went into group a for instance, while files used in Hacking Team projects went into group c.


The company has updated its tools that Windows users can use to find out whether their systems are compromised with Hacking Team Malware.

If you download Milano, one of the available tools, you get more than just a program to run on your system. Rook Security ships a pdf document with the tool that lists file names, hashes and other valuable information.

This means that you may use the information to run manual scans on the system as well, or to add these files to blacklists to prevent their execution on the system.

hacking team malware

The tool itself is easy to use:

  1. Extract the contents of the zip file to the local computer system after download.
  2. Open the folder RookMilano and double-click on milano.exe to start the program.
  3. A command line interface opens that prompts you to select quick scan or deep scan. That's the only selection you need to make.

Milano scans the system afterwards based on the selection. This may take a while depending on it; it took 201 seconds to quick scan a system with a fast Solid State Drive for instance.

Results are displayed in the end but also saved to a text file that is placed in the program folder automatically so that you can open it at any point in time after the scan.

No problematic files are displayed if the system has not been infected by Hacking Team malware or files, but if something is found, it is listed both in the command line interface and text log.

Interested users can check out the source code of the application on Github.

The company plans to improve the detection tool further in the future, and will release updated detection files for other operating systems, Linux and OSX specifically, in the near future as well.

Find out if your Windows PC is infected with Hacking Team malware
Article Name
Find out if your Windows PC is infected with Hacking Team malware
Run Rook Security's milano application to find out if your PC is infected with Hacking Team malware.

Previous Post: «
Next Post: «


  1. Sylvio Haas said on July 23, 2015 at 9:19 pm

    Hello, Martin. Isn’t Malwarebytes Anti Malware enough to protect us from this threat?

    1. Martin Brinkmann said on July 23, 2015 at 9:27 pm

      I don’t know if Anti-Malware protects against all different files already considering that they have become public knowledge only recently. I suggest to run a scan to make sure nothing slipped by.

      1. Sylvio Haas said on July 23, 2015 at 10:28 pm

        Thank you.

  2. 1 said on July 23, 2015 at 9:59 pm

    How accurate is this tool?
    It showed:
    Files requiring review as they match Hacking Team MD5 signatures
    Category (A=Detected via VirusTotal B=Detected via manual analysis
    C=From malicious project D=Undetermined)
    CD: /Program Files\Common Files\microsoft shared\ClickToRun\concrt140.dll
    CD: /Program Files\Microsoft Office\root\client\concrt140.dll
    CD: /Program Files\Microsoft Office\root\Office16\concrt140.dll
    CD: /Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\concrt140.dll

    But virus total says these files are safe.

    1. Martin Brinkmann said on July 23, 2015 at 10:06 pm

      Could be a false positive. Maybe contact Rook Security directly for further information?

      1. 1 said on July 24, 2015 at 12:14 am

        Good idea.

    2. an said on July 24, 2015 at 1:28 pm

      could be because you’re running the preview version of office 2016.

  3. Oxa said on July 24, 2015 at 12:22 am

    Avast said the pdf file had a trojan.

  4. David Bradley said on July 24, 2015 at 10:32 am

    Virustotal reported 3 infections of the Milano files downloaded from Rook’s site…

  5. Pete said on July 24, 2015 at 11:55 am

    Is this safe to run?

    Avast complains about the PDF inside the zip.

    1. Martin Brinkmann said on July 24, 2015 at 12:51 pm

      The PDF has nothing to do with the actual application. A check on Virustotal reveals that Avast and Qihoo360 are the only two services that have flagged the file.

  6. Hy said on July 24, 2015 at 3:40 pm


    I don’t know if perhaps the program was updated since the article was published, but the only selection one needs to make is no longer just quick scan or deep scan. After selecting quick scan, for example, one is asked: “Would you like to use the default path for Windows of ‘ / ‘ ? [Y/n]”

    What do you recommend here? Thanks!

    1. Martin Brinkmann said on July 24, 2015 at 3:54 pm

      If you have not modified the path of Windows during installation, select y.

      1. Hy said on July 24, 2015 at 4:02 pm


  7. smaragdus said on July 24, 2015 at 4:06 pm

    Qihu 360 Total Security version didn’t detect any malware, I have just scanned the archive manually.

  8. A different Martin said on July 24, 2015 at 11:48 pm

    Thanks very much for posting about this, Martin.

    By the way, the most recent version of Milano at the time I’m typing this seems to be v. 1.1. It’s pretty easy to accidentally download an earlier version (1 or 1.01) from the Rook Security site, so it’s worth digging around to make sure you have the most recent one. Ultimately, its detections will hopefully find their way to mainstream anti-malware packages like Malwarebytes and Avast, but in the meantime, I intend to check Rook Security’s site for updates to Milano from time to time.

    I use Avast and it did indeed complain about the PDF. I let Avast move the PDF to the Virus Chest and then I went into the Virus Chest and selected the “Restore and Add to Exclusion List” option for it. (If there’s a less clumsy way of doing that in Avast, it’s not showing up or working in my Avast interface. Even the “report as false positive” link isn’t working properly.)

    The quick scan took a few minutes and yielded a single file: the old installer for 32-bit Java 8 Update 25, which is now three updates old and no longer installed on my system.

    The full scan took 4 hours 37 minutes (reported as seconds!) to completed … and reported the same lone file. I usually keep old installers on hand “just in case” (and it occasionally does come in handy) but in this case, I’m just going to delete it.

    1. EuroScept1C said on July 25, 2015 at 8:35 pm

      Are you the Ricky Martin?

      1. A different Martin said on July 25, 2015 at 8:44 pm

        No. Tragically, my vida is far from loca.

  9. Torro said on July 25, 2015 at 1:30 am

    I cannot even download the tool, i always get a “Secure Connection Failed” when i try

    Is there another place i can get the tool that is safe?

  10. Richard Allen said on July 25, 2015 at 9:41 am

    Thanks for this very useful info!

  11. Hy said on July 30, 2015 at 11:11 am

    Apparently Emsisoft and only small handful of other AVs were already able to either detect or block Hacking Team’s Galileo trojan:

    @”A different Martin”: Thanks for making me laugh out loud this morning! :)

  12. Jacob Lageveen said on December 15, 2015 at 5:58 am

    Good tool. Fast and easy.

Leave a Reply

Check the box to consent to your data being stored in line with the guidelines set out in our privacy policy

We love comments and welcome thoughtful and civilized discussion. Rudeness and personal attacks will not be tolerated. Please stay on-topic.
Please note that your comment may not appear immediately after you post it.