Trojan:Bingo/MLAA is a generic detection name used by Microsoft Defender and several other antivirus engines to flag suspicious executable files that exhibit behavior consistent with trojan-downloader activity. Unlike ransomware or dedicated spyware families with well-documented capabilities, this detection typically represents one or more malware samples that Microsoft's machine-learning classifiers have identified as potentially hostile but not yet assigned to a specific named family. When you see this threat name, it means your antivirus has caught something acting like a trojan — attempting to download additional payloads, establish persistence, or perform reconnaissance — but the exact nature of the threat can vary significantly from one sample to the next.
Most variants flagged under this detection arrive bundled with pirated software, deceptive "codec" installers from torrent sites, or malicious email attachments disguised as invoices or shipping notices. Once executed, the trojan typically reaches out to a command-and-control server to retrieve further instructions or additional malware modules, which can range from credential-stealers and banking trojans to cryptocurrency miners and ransomware. Because the Bingo/MLAA detection is a behavioral umbrella rather than a single threat, removal and cleanup procedures must address both the initial dropper and any secondary infections it may have installed.
Threat Profile
| Attribute | Details |
|---|---|
| Family | Generic trojan-downloader / first-stage dropper |
| Aliases | Trojan:Bingo/MLAA (Microsoft Defender), Trojan.Generic (Malwarebytes), Trojan-Downloader.Win32.Agent (Kaspersky), variants may appear under ML-based heuristic names |
| Platform | Windows 7, 8, 8.1, 10, 11 (both 32-bit and 64-bit) |
| Discovered | Detection introduced in Microsoft's cloud-based ML signatures; individual samples observed continuously since mid-2010s |
| Distribution | Bundled software installers, torrent cracks, phishing email attachments, malvertising redirects, exploit-kit drive-by downloads |
| Persistence | Registry Run keys, Startup folder shortcuts, scheduled tasks (often randomized GUID names), sometimes WMI event subscriptions |
| Capabilities | Download and execute secondary payloads, collect system fingerprint (OS version, installed AV, username), disable Windows Defender real-time protection via registry, beacon to C2 server, inject code into legitimate processes |
| IoCs/Artifacts | Executables in %LOCALAPPDATA%\<random GUID>\, %APPDATA%\<random name>\, %TEMP% with obfuscated names; network connections to dynamic DNS domains or bulletproof hosting IPs |
| Network Behavior | HTTPS POST requests to C2 infrastructure (often behind CloudFlare or legitimate CDNs to evade IP-based blocking), downloads additional binaries or scripts, may attempt to join infected machine to botnet |
| Data Theft Risk | Moderate to high — secondary payloads often include info-stealers targeting browser saved passwords, cryptocurrency wallets, FTP credentials stored in FileZilla/WinSCP, email client data |
| Removal Difficulty | Moderate — initial dropper is straightforward to remove, but secondary infections may employ rootkit techniques, require multiple passes, or regenerate from cached installers |
| Reinfection Risk | High if original infection vector (pirated software, unsafe browsing habits) is not addressed |
How It Spreads
Trojan:Bingo/MLAA samples reach victim machines through a variety of social-engineering and technical attack vectors, but the common thread is user interaction — clicking on something deceptive or running an installer from an untrusted source. The threat actors behind these campaigns rely on a mix of spam, blackhat SEO, and poisoned search results to deliver their payloads. Unlike worms or network exploits that spread automatically, this trojan requires you to take an action, which is why awareness of distribution methods is critical for prevention.
The single most common entry point is bundled software from unofficial download sites. Users searching for "free PDF converter," "YouTube downloader," or cracked copies of expensive software encounter convincing-looking download portals (often ranking high in search results due to aggressive SEO). The downloaded installer appears legitimate but includes additional "offers" — some presented in fine print, others silently installed regardless of checkbox state. These bundlers drop the Bingo/MLAA dropper alongside the advertised program. By the time you notice unfamiliar processes in Task Manager, the trojan has already phoned home and begun downloading its second-stage payload.
- Torrent and warez sites: Cracked software for Adobe Creative Suite, Microsoft Office, or popular games frequently includes trojan droppers disguised as "keygens" or "patchers." The executable may even perform the promised crack while simultaneously installing malware in the background.
- Phishing email attachments: Emails impersonating shipping notices (FedEx, UPS), tax documents (IRS, state revenue departments), or payment invoices arrive with ZIP files containing executables renamed to look like PDFs (e.g.,
Invoice_March_2024.pdf.exe) with double extensions hidden by Windows default settings. - Malvertising and compromised websites: Legitimate websites running third-party ad networks can serve malicious ads that redirect users through multiple hops to fake Flash Player or browser update pages. The downloaded "update" is the trojan dropper.
- Social media scams: Facebook, Instagram, and YouTube comments promote "exclusive footage" or "free giveaway tools" with shortened links leading to file-sharing services hosting the malware. Victims believe they're downloading a claimed video or game mod.
- Exploit kits (less common): Older vulnerabilities in Adobe Flash, Java, or Internet Explorer can be exploited by drive-by download attacks to silently execute the trojan without user interaction, though modern browsers have significantly reduced this attack surface.
What It Does On Your Machine
Upon execution, Trojan:Bingo/MLAA typically performs an environment check to determine whether it's running in a sandbox or virtual machine used by security researchers. If it detects analysis tools (debuggers, Wireshark, Procmon), some variants will terminate silently or exhibit benign behavior to evade detection. On a real user system, the trojan copies itself to a hidden or innocuous-looking folder, often under a randomized GUID or mimicking the name of a legitimate Windows component (though placed in a user-writable directory rather than System32).
The trojan then establishes persistence so it survives reboots. Common techniques include adding a registry Run key pointing to the copied executable, creating a scheduled task set to trigger at logon or every few hours, or dropping a shortcut in the Startup folder. Some variants go further, creating Windows services with randomized names or leveraging WMI event subscriptions that are harder for casual users to discover. At this point, even if you delete the original downloaded file, the infection remains active and will re-launch when you restart your computer.
Once persistence is achieved, the trojan contacts its command-and-control server — often a domain registered through a bulletproof hosting provider or hidden behind a content delivery network. It transmits a "beacon" containing system information: your Windows version, antivirus product (if detectable), username, country code based on IP geolocation, and sometimes a list of installed software. The C2 server responds with instructions, which may include:
- Downloading and executing a second-stage payload (credential stealer, banking trojan, ransomware, or cryptocurrency miner)
- Updating the trojan binary itself to evade newly released antivirus signatures
- Injecting malicious code into running processes like explorer.exe or svchost.exe to hide network activity
- Disabling Windows Defender or attempting to terminate competing malware (yes, malware fights over infected systems)
- Joining the machine to a botnet for distributed denial-of-service attacks or spam campaigns
Because the Bingo/MLAA detection is a generic family, the specific second-stage payload varies. In cases we've seen at the Roswell shop, common follow-on infections include Azorult (info-stealer), Redline Stealer, various ransomware-as-a-service offerings, and hidden cryptocurrency miners that consume CPU resources and drive up electricity bills while remaining invisible in the taskbar.
Manual Removal — Step by Step
Disconnect From the Network Immediately
Unplug your Ethernet cable or disable WiFi through the system tray (click the network icon, select your connection, choose Disconnect). This prevents the trojan from downloading additional payloads, receiving new C2 instructions, or exfiltrating stolen data while you work on removal. Do not skip this step even if you think your antivirus has quarantined the threat — secondary infections may still be active.
Boot Into Safe Mode With Networking
Restart your computer and press F8 repeatedly during boot (Windows 7) or hold Shift while clicking Restart from the login screen, then navigate to Troubleshoot → Advanced Options → Startup Settings → Restart → press 5 for Safe Mode with Networking (Windows 8/10/11). Safe Mode loads only essential drivers and services, preventing most malware from auto-starting and making it easier to identify and terminate malicious processes.
Open Task Manager and Kill Suspicious Processes
Press Ctrl+Shift+Esc to open Task Manager. Switch to the Details tab and look for processes with random names (e.g., a7b3c.exe, svchost.exe running from your user folder rather than System32), high CPU usage from unfamiliar processes, or executables located in AppData Local or Roaming. Right-click suspicious processes, select "End Task," then right-click again and choose "Open File Location" to note the path — you'll need to delete these folders in step 5.
Remove Persistence Mechanisms
Press Win+R, type msconfig, and press Enter. Go to the Startup tab (on Windows 8/10/11, this will open Task Manager's Startup tab). Disable any entries with random names, paths pointing to AppData, or unfamiliar publishers. Next, press Win+R, type taskschd.msc, and review Task Scheduler Library for tasks with suspicious names or actions pointing to user-folder executables. Right-click and delete those tasks. Finally, press Win+R, type regedit, navigate to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run and HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, and delete any entries pointing to the trojan paths you identified earlier.
Delete Malware Files and Folders
Using File Explorer, navigate to the folders you noted in Step 3 (typically C:\Users\[YourName]\AppData\Local\[random GUID] or AppData\Roaming\[random name]). Delete the entire folder. If Windows says the file is in use, you didn't successfully terminate the process in Step 3 — return to Task Manager, ensure the process is ended, and try again. Also check your Downloads folder and Desktop for any installers you recently ran that may have been the original infection vector, and delete those as well.
Run a Full Scan With Malwarebytes
While still in Safe Mode with Networking, download and install Malwarebytes Free from malwarebytes.com (use a different, clean device if your network is still disconnected, transfer via USB). Launch Malwarebytes, update its definitions, and run a full Threat Scan (not Quick Scan). This will catch secondary infections, rootkits, and remnants you may have missed. Quarantine and remove everything it finds. If Malwarebytes detects items but cannot remove them, note the file paths and attempt manual deletion after reboot.
Reset Browser Settings (If Applicable)
If you notice new browser extensions, changed homepage/search engine, or redirect behavior, the trojan may have installed a browser hijacker component. In Chrome, go to Settings → Reset Settings → Restore settings to their original defaults. In Firefox, type about:support in the address bar and click "Refresh Firefox." In Edge, go to Settings → Reset Settings → Restore settings to their default values. This removes malicious extensions and reverts hijacked settings without deleting your bookmarks or saved passwords.
Change Passwords From a Clean Device
Because many Bingo/MLAA infections deploy credential-stealing second-stage payloads, assume your saved passwords have been compromised. Using a separate, uninfected computer or smartphone, change passwords for your email, banking, social media, and any other sensitive accounts. Enable two-factor authentication wherever available. Do not log into these accounts from the infected machine until you've completed all removal steps and verified the system is clean.
Reboot Normally and Run a Second Verification Scan
Restart your computer normally (not in Safe Mode). Reconnect to the network. Open Windows Security (or your installed antivirus) and run a full scan. Also run Malwarebytes again. If both scans come back clean, open Task Manager and check for unusual processes or high CPU usage. Monitor your system for 24-48 hours — if unfamiliar processes reappear or performance degrades, you may have a rootkit or the malware regenerated from a hidden installer.
Consider a Clean Windows Reinstall for High-Value Systems
For machines containing sensitive business data, financial records, or if you're unsure whether all components were removed, the safest option is a full Windows reinstall. Back up your personal files (documents, photos — not executables or installers) to an external drive, perform a clean install from Microsoft's Media Creation Tool, and restore only your data files. This guarantees no malware remnants survive, though it requires more time and effort than the cleanup process above.
Prevention
- Download software only from official sources. Get programs directly from the developer's website or the Microsoft Store, not from third-party "download portals" that rank high in search results but bundle malware with every installer. If you need free alternatives to expensive software, research reputable open-source options rather than searching for cracks.
- Enable "Show file extensions" in Windows Explorer. Open File Explorer, click View → Options → View tab, and uncheck "Hide extensions for known file types." This prevents attackers from disguising executables as PDFs or documents using double extensions like
invoice.pdf.exe, which appears asinvoice.pdfwhen extensions are hidden. - Keep Windows and all software up to date. Enable automatic updates for Windows, your browser, Adobe Reader, Java (or uninstall Java if you don't actively use it), and other commonly exploited software. Most drive-by download attacks target outdated plugins and unpatched vulnerabilities that were fixed months or years ago.
- Use a standard user account for daily tasks. Create a separate administrator account for installing software and system changes, and use a standard (non-admin) account for web browsing and email. Malware running under a standard account has limited ability to install system-wide persistence or modify critical Windows components.
- Think twice before opening email attachments. If you receive an unexpected invoice, shipping notice, or tax document, contact the supposed sender through a known phone number or website (not by replying to the email) to verify legitimacy before opening any attachments. Legitimate companies rarely send executables or ZIP files via email.
- Install and maintain reputable antivirus software. While Windows Defender (now Microsoft Defender) has improved significantly and catches many threats including Bingo/MLAA variants, pairing it with periodic Malwarebytes scans provides a second opinion. Avoid "free antivirus" products that are themselves potentially unwanted programs.
- Use an ad blocker to reduce malvertising exposure. Browser extensions like uBlock Origin block most malicious ads and prevent redirects to fake download pages. This won't protect against all infection vectors, but it significantly reduces drive-by download risk.
- Be skeptical of tech support pop-ups and urgent warnings. Legitimate antivirus alerts appear in the system tray or Windows Security app, not as browser pop-ups with phone numbers and countdown timers. If a webpage claims you're infected and urges you to call a number or download a "security tool," close the browser tab and run a scan with your actual antivirus instead.
Bring It In
Manual malware removal works well for straightforward infections, but Trojan:Bingo/MLAA cases often involve multiple layers — a dropper, a second-stage payload, rootkit components that hide from scans, and sometimes three or four different malware families fighting for control of your system. If you've followed the steps above and still see suspicious behavior, high CPU usage from unknown processes, or frequent crashes, the infection may be deeper than a simple file-and-registry cleanup can address. That's where professional service makes the difference.
At Computer Repair Roswell, we've cleaned hundreds of trojan infections from home and business computers. We use enterprise-grade scanning tools not available to consumers, bootable rescue environments that bypass rootkit protections, and forensic techniques to identify persistence mechanisms hidden in WMI, scheduled tasks, or service configurations. We'll also check for data theft indicators — if the infection included a credential stealer, we'll advise you on which accounts to secure immediately. Call us at (770) 695-6833 or stop by our shop at 1022 Alpharetta St, Roswell, GA 30075. Same-day appointments are often available, and most malware removals are completed within 24 hours. We're open Monday through Friday to get your system clean and keep it that way.