How To Remove BlackMoon Virus

Cyber Crime Virus - Trojan Horse
Reading time: 4 Minutes

Is this a new term for you? If yes, you’re probably wondering, “what is the BlackMoon virus?”

Well, it is a Trojan that was first discovered in 2014 and named “BlackMoon” after a debug string present in its code. Since then, the virus code gets updated regularly by the perpetrators. This banking Trojan is designed to steal individuals’ banking credentials by redirecting the victim to phishing websites. BlackMoon also delivers SkyStars ransomware in the second phase of the infection.

What does BlackMoon virus do, and how does it infect computers?

Once installed, this virus executes malicious activities enabling criminals to access the victim’s information. Upon second payback, BlackMoon downloads SkyStars. SkyStars ransomware encrypts personal files, and it’s also known for appending. As opposed to other ransomware viruses, SkyStars doesn’t generate a ransom note, nor does it provide any information on how to pay a ransom.

Usually, BlackMoon infects the laptop after taking advantage of any vulnerable protection software. It could also be downloaded as a file or program disguised as a fake software update. It is recommended that you avoid downloading software from unknown sources as it could contain malicious files that end up damaging your computer.

The virus infection starts with a small 10KB and requests additional bytecode about 8KB in size. Upon infecting the victim’s PC, the Trojan:

  • Introduces itself as DLL and drops various infectious files. DLL files can be launched through the rundll32.exe
  • Shows a message in Chinese, Japanese, or Korean asking the user to complete a security certification process
  • Reroutes the victim to a fraudulent website when he/she tries to access online banking
  • Modifies all the major web browsers on Windows, Google Chrome, Microsoft Edge, and Mozilla Firefox
  • Collects information that can be used by crooks for illegal purposes. Some information that can get stolen includes passwords, keystrokes, phone number, credit card details, and social security number.

The Prevalence

BlackMoon’s victims are mainly found in East Asia, especially in Japan, China, and South Korea.

Considering that BlackMoon’s code is constantly updated, it is quite difficult to accurately reveal the extent to which the virus has been spread and the damage caused. The virus infection was extremely active from 2014 to 2016, after which it slowed down in 2018. Shortly after, new strains were spotted, and up to today, the codes keep on changing.

Worldwide, statistics show that global BlackMoon virus infections are more than 110,000. Out of this, more than 99% (roughly 109,000) of the reported cases are from South Korea.

BlackMoon virus removal guide

If you feel like the BlackMoon virus has compromised your PC, do not waste any time and prepare to remove it immediately. This is because BlackMoon is a well-programmed piece of software, which makes it a huge threat to your PC.

BlackMoon hides its files under legit filenames, making them almost undiscoverable. The removal of this virus should be done using a robust anti-malware software. Repeat the scan several times to make sure that the threat has been removed completely. After that, you should consider changing your passwords to protect the money in your bank account.

There are two methods that you may use to remove the virus, depending on your preferences. Follow the steps below to remove BlackMoon from your PC:

METHOD I: Removing BlackMoon using Safe Mode with networking

Step 1: Restart your PC using Safe Mode with networking.

Here’s how you should restart your machine into Safe Mode with Networking if you’re using:

Windows 7/Vista/XP

  1. Click Start, then choose Shutdown then Restart.
  2. When the PC comes back on press F8 repeatedly.
  3. An “Advanced Boot Options” window pops up.
  4. Select “Safe Mode with Networking.”

Windows 10/11/8

  1. Press the Power button at the login screen.
  2. Long-press on “Shift” on the keyboard.
  3. Click “Restart.”
  4. Select Troubleshoot followed by Advanced Options, then Startup Settings.
  5. Choose Restart.
  6. Select “Startup Settings,” then activate the Safe Mode.

Step 2: Remove the BlackMoon virus

Launch your choice of browser on the affected PC and download a reputable protection program. After installation, run the program to scan and remove the virus.

METHOD II: Removing BlackMoon using System Restore

Try this method if the first option fails.

Step 1: Restart your PC using System Restore

Here’s how you should restart your PC into Safe Mode with Command Prompt if you’re using:

Windows 7/Vista/XP

  1. Click on Start then Shutdown then Restart.
  2. Press F8 repeatedly until the “Advanced Boot Options” window pops up.
  3. Select “Command Prompt.”

Windows 10/11/8

  1. Press the Power button on the lower corner of the login screen.
  2. Long-press on “Shift.”
  3. Click Restart.
  4. Select “Troubleshoot.”
  5. Choose “Advanced Options.”
  6. Now, select “Startup settings..”
  7. Hit the Restart button.
  8. In the “Startup Settings” tab, activate Command Prompt.

Step 2: Restore your system files

After the Command Prompt window has popped up, type “cd restore” and hit Enter on your keyboard.

Type “rstrui.exe” and press Enter again. A window will pop up. Choose “next” and click “Yes” to system restore.


BlackMoon is a serious problem that has been affecting users from different parts of the world. This virus features a unique coding style and requires a slightly complex debugging process. To avoid all this trouble, always make sure that your anti-malware programs are up-to-date.

Download Outbyte AntivirusOutbyteIf you’re running into errors and your system is suspiciously slow, your computer needs some maintenance work. Download Outbyte PC Repair for Windows or Outbyte Antivirus for Windows to resolve common computer performance issues.Fix computer troubles by downloading the compatible tool for your device.See more information about Outbyte and uninstall instructions. Please review EULA and Privacy Policy.
Give us some love and rate our post!
[Total: 0 Average: 0]
Spread the love
Notify of
1 Comment
Newest Most Voted
Inline Feedbacks
View all comments