Qakbot as malware really hasn't been reported on since 2023 in any meaningful way, in-fact, in May of 2025, the russian guy behind it got charged by the US government, probably not in custody. The file supposedly named "2025-06-06_b368582164db2129901fff0a9b58212d_helldown_qakbot" matches all hashes with hotscreen.exe, but it seems rather dubious and could easily be someone's attempt at a little bit of trolling since there doesn't seem to be any information relating to qakbot from June of 2025. Helldown could be a bit more plausible, but even that has vague "threat in 2024 and into 2025" articles, nothing indicates that helldown is the same, successor of or even related to qakbot.
Seems more like an attempt to name something that sounds like a virus by combining a date stamp, the file's MD5 hash and two real ransomwares, then passing it off as malware; the only thing I can think of potentially making it sound as plausible and why it got accepted as a file by... and I don't even know how reputable tria.ge is, could be that they list "Suspicious use of SetWindowsHookEx" which... yeah, it hooks into the window creation process to create a transparent overlay, lol. Could be a common way that ransomware also grabs your screen and thus it seems "suspicious" to them.
As far as I know, this is just a Godot project, unless it's somehow got stuff injected and embedded during compilation by PerfectFox265 that I haven't been able to detect. I've combed through the code months ago when attempting to see if I can improve upon the detection myself through the use of (an older version by now) https://github.com/samhaswon/skin_segmentation model and YOLO11n. I can tell you right now that most of Hotscreen is just GDScripts and C# to glue together some DirectML and other libraries for loading and using the detection models. The most suspicious part is hooking into user32.dll, but again, it needs to create a transparent overlay which does require messing around with lower level Win32 APIs. It'd be a hell of lot of effort to create this program as a vehicle for ransomware, when it's kinda niche and has a specific audience, and if it is ransomware, well shit, guess I've been infected for about a year with nothing happening anywhere.
tl;dr - Unless I am tragically wrong, Hotscreen is fine to use.
