For the better part of two months, I kept getting the kind of security alerts that make you pause whatever you're doing: odd authentication prompts, login attempts from countries and cities I'd never been to, and "was this you?" messages on accounts that matter most to me. I handled it responsibly, or at least the way most of us do when the alarms start blinking. I changed passwords, rejected the attempts, leaned harder on 2FA, and moved more accounts to passkeys where I could. Sensible damage control, definitely, but none of it actually solved the mystery.
Around the same time, I was dealing with a nagging issue on my PC. My Windows system tray kept loading blank every time I booted, which was annoying enough to send me looking for a fix. Out of equal parts frustration and curiosity, I fired up Antigravity, mostly because I had been hearing that it could poke around a system and handle tasks for you. I expected it to help me chase down a broken tray icon issue. Instead, it uncovered something far more urgent sitting on my PC.
The Windows bug that refused to stay fixed
Icons, but make them invisible
The symptom was irritating in the specific way Windows problems often are. After startup, the system tray area would be visually empty, but not actually dead. The icons were still there somewhere. I could hover around, occasionally hit the right spot, and get a tooltip. It was as if Windows had remembered the tray existed but forgotten to paint it.
Naturally, I started with the boring fixes. I checked taskbar settings, searched forums for how to fix Windows not showing app icons in the taskbar, poked around the obvious Windows customization suspects, and looked for broken tray behavior, weird startup apps, and anything that might explain why the notification area kept disappearing. Microsoft describes the notification area as part of the taskbar, historically known as the system tray, so this appeared to be a shell rendering issue rather than an app-specific failure.
Restarting Windows Explorer from Task Manager fixed it every time, which made the whole saga feel even more like a normal Windows hiccup. Explorer is deeply tied to the desktop shell experience, and restarting it often reloads the taskbar and related UI elements. In my case, that restart brought the icons back immediately. Then I would reboot, and the blank tray would return.
Antigravity found the thing I wasn't looking for
Not just Windows being Windows
At that point, I decided to point Antigravity at the problem. To be clear, it was not functioning as an antivirus scanner, and I would not recommend treating it as one. Antigravity is an agentic development tool, not a dedicated malware-removal suite.
Instead of sending me down another rabbit hole of taskbar tweaks and Windows settings, it started digging through installed applications, startup entries, and active processes, looking for anything that might be inserting itself into Explorer during boot. That investigation uncovered a couple of executables that had no plausible reason to exist on my machine. These were eld1.exe and eld0.exe, which Antigravity identified as components of a known info-stealer, a specific type of information-stealing malware. The filenames alone were not enough to prove anything. Malware authors can name their payloads almost whatever they want, and a cryptic executable only becomes meaningful once the surrounding behavior begins to tell a story.
Once I began investigating further, I came across an ANY.RUN sandbox report detailing the behavior associated with eld1.exe; the findings were deeply unsettling. The sample was linked to activity consistent with credential theft and the collection of personal data from browsers. It was also flagged for targeting cryptocurrency wallets, email accounts, messaging platforms, password managers, and browser-stored information. In other words, this was not some noisy piece of adware or an annoying browser hijacker; it appeared designed to harvest anything valuable it could get its hands on.
What made the discovery even more concerning was that the malware had not simply been sitting dormant on my machine. It had established persistence in the Windows Registry by creating an entry under HKCU\Software\Microsoft\Windows\CurrentVersion\Run, so it would launch automatically whenever I signed in.
That's because Run keys are one of the classic Windows persistence mechanisms. Legitimate applications use them to start automatically with the operating system, but malware authors have been abusing this feature for years because it provides malicious code with a straightforward way to survive reboots. In fact, Windows Task Manager's startup app list lies — there is a real place to look if you want to uncover these deeply embedded registry entries.
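A read-only way to review the Run-key persistence described above, as an added example that is not from the original article or from Antigravity. The list of keys checked, the `Get-ExecutablePath` helper, and the "user-writable location" heuristic are assumptions chosen for illustration.

```powershell
# Added example: audit Run / RunOnce autostart entries. Reads only, changes nothing.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
)

# Heuristic (assumption): locations a standard user can write to deserve a second look.
$writableRoots = @($env:TEMP, $env:APPDATA, $env:LOCALAPPDATA, $env:PUBLIC,
                   "$env:USERPROFILE\Downloads")

# Hypothetical helper: pull the program path out of a Run-value command line.
function Get-ExecutablePath([string]$Command) {
    $expanded = [Environment]::ExpandEnvironmentVariables($Command).Trim()
    if ($expanded -match '^"([^"]+)"') { return $Matches[1] }        # "C:\a b\x.exe" /arg
    if ($expanded -match '^(.+?\.(exe|com|bat|cmd|scr|vbs|js|ps1))(\s|$)') {
        return $Matches[1]                                           # C:\a b\x.exe /arg
    }
    return ($expanded -split '\s+')[0]
}

$results = foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-Item -Path $key
    foreach ($name in $item.GetValueNames()) {
        $command = [string]$item.GetValue($name)
        $path    = Get-ExecutablePath $command
        $file    = Get-Item -LiteralPath $path -ErrorAction SilentlyContinue
        $sig     = if ($file) {
            [string](Get-AuthenticodeSignature -LiteralPath $file.FullName).Status
        } else { 'FileMissing' }
        $inWritable = [bool]($writableRoots | Where-Object {
            $_ -and $path.StartsWith($_, [StringComparison]::OrdinalIgnoreCase) })
        [pscustomobject]@{
            Key          = $key
            Name         = $name
            Path         = $path
            Created      = if ($file) { $file.CreationTime }
            Signature    = $sig
            UserWritable = $inWritable
            Review       = ($sig -ne 'Valid') -or $inWritable
        }
    }
}
$results | Sort-Object Review -Descending | Format-Table -AutoSize
```

A `Review` flag is a prompt to look closer, not a verdict: plenty of legitimate apps start from AppData. An unsigned binary in a temp folder whose `Created` time lines up with a download you do not recognize is the pattern worth chasing.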
A tiny installer was the loudest clue
The download I should’ve doubted
Antigravity cleared the executables and addressed the immediate persistence mechanism, but that only addressed the most urgent part of the problem. The better question was how the malware got onto my machine in the first place. So I had it work backwards. It went through file creation timestamps, download history, and the surrounding system activity, then stitched together a timeline that made me wince.
Weeks earlier, while trying to download Studio Pro, a digital audio workstation, I had grabbed an installer that looked enough like the real thing to pass a distracted glance. The giveaway was sitting right there in the file size: 2.09MB. For context, a proper DAW installer is not usually a tiny download. These apps often run into hundreds of megabytes, and they can easily push past a gigabyte once you factor in sound libraries, plugins, and bundled extras. A 2MB file pretending to be that kind of software should have been suspicious before I even double-clicked it, but I somehow missed it.
The timeline suggested that running that file created a temporary folder and dropped a couple of executables within seconds. While yes, you can get malware just by visiting a website, in my case, the infection required me to manually run the fake installer. Later that same night, I downloaded and installed the legitimate version of the software I actually wanted, which probably explains why nothing felt obviously broken at the time. The real app installed, opened, and behaved normally, while the smaller impostor had already finished its work in the background.
To be clear, this was not a problem with the legitimate DAW. The issue was the fake installer I downloaded before getting the real one.
That is the nasty little trick with fake installers. They do not always need to break anything in front of you. Popular paid software is a common lure for loaders and info-stealers, especially on download pages that target people who ignore the reasons not to use pirated software and instead search for free, cracked, or unofficial copies.
Knowing how to avoid fake ads disguised as fake download links is crucial because some of those pages are engineered to look convincing in search results, and when you are in a hurry, the wrong download button can look far too plausible.
The account alerts also made much more sense after that. Info-stealers are built to siphon the browser and account data that many people assume is safe once 2FA is enabled: saved credentials, session cookies, autofill entries, backup codes, and any other scraps that can help an attacker sidestep normal login checks. I cannot say every alert I received came from this one infection, but it does explain why changing passwords alone never felt like it fully closed the loop.
The bug did one good thing
The funny part is that the original Windows problem still has not completely gone away. Even after removing the malware, the taskbar bug occasionally returns, and Antigravity has not yet provided me with a permanent fix. At this point, it seems more likely to be a corrupted icon cache, some deeper Windows shell weirdness, or one of those problems that eventually ends with the nuclear option of reinstalling Windows.
But the security side of the story did change. Since Antigravity helped root out the info-stealer-style malware, the suspicious login attempts and authentication prompts that had been nagging at my accounts have stopped. I cannot prove every alert came from that one infection, but the timing is hard to ignore.
So, to whoever spent months trying to squeeze their way into my accounts: gotcha. I hope you find this article someday and enjoy the part where a broken-looking Windows taskbar gave you away.
Google Antigravity is an agent-first integrated development environment (IDE) designed for autonomous software development. Built on a modified Visual Studio Code foundation, it enables multiple AI agents to independently plan, code, and test applications.