"We dubbed this malware family “Argamal”."
What happened in April 2026
Kaspersky researchers reported that in April 2026 they discovered a new malware campaign that implants a previously unknown malicious agent on machines of people who download certain “hentai” games. The initial infection vector is trojanized game archives distributed from dedicated adult-game websites, torrent trackers (including AniRena), and file-hosting redirects to PixelDrain. Kaspersky’s telemetry indicates hundreds of infected individuals, with the largest concentrations in Russia, Brazil, Germany and Vietnam.
Delivery chain and the staged infection
The attackers distributed fully functional game files together with a patched FFmpeg DLL (SHA1: 42add9475e67a1ccc6a6af94b5475d3defc01b85). The patched ffmpeg.dll imports DllGetClassObject from a companion file named natives2_blob.bin (SHA1: edce72f59e4c1d136cd1946af70d334c19df858d). When the game starts, the altered FFmpeg DLL loads and the natives2_blob.bin DLL executes a Base64‑encoded PowerShell script (Stage1).
Stage1 performs sandbox/analysis checks (for example, looking for Sandboxie folders or Procmon64), sets environment variables (MI_V and in newer versions MI_V2) containing a second Base64 PowerShell script (Stage2), writes randomized DLL file names under %USER%\AppData\Local into COM registry keys, and schedules a task to run once three days later. If checks pass, Stage2 downloads an encrypted payload (zaesdl.dat) from GitHub using bitsadmin.exe, saves it as settings.dat in the random directory, decrypts it with AES‑CBC (key: zbcd1j9234r670eh; IV = key), writes the decrypted payload to the previously named DLL file, and registers it as an InprocServer32 COM object used by the \Microsoft\Windows\WindowsColorSystem\Calibration Loader scheduled task — allowing execution at every user logon. Before exiting, Stage2 cleans up the temporary registry environment and scheduled task entries created earlier.
Persistence through COM hijacking and alternate delivery
The campaign uses COM hijacking to persist: the attackers replace the InprocServer32 entry for a Windows Color System Calibration Loader DLL so the implanted DLL executes whenever the scheduled task runs at user logon. Kaspersky also observed alternate delivery methods: in some samples the main payload was included directly in the game's lib\py3-windows-x86_64 directory as files such as libpython64.dat and loaded via patched game libraries; in another case, the threat actor posted a malicious DLL on a gaming forum disguised as a cheat.
Capabilities of the Argamal RAT and command/control
Kaspersky’s analysis shows the early payloads used a rolling XOR decryption, while more recent agents use simple substitution string encryption with attacker-defined keys. The RAT contains extensive reconnaissance, file‑management and remote control functions. Default C2 domains seen include asper1[.]freeddns[.]org and Winst0[.]kozow[.]com; both domains pointed to 186[.]158.223.35 during the investigation. Kaspersky observed that earlier versions used asper1[.]freeddns[.]org (181[.]116.218.56) and that the malware can select alternate C2s (for example, country1[.]ignorelist[.]com), with logic that can change C2 based on locale (notably, zh-CN locale previously yielded 127.0.0.1 as the C2).
The RAT sends UDP heartbeats to port 57441 and, when directed, can switch to an extended mode over TCP port 3747 using a simple substitution cipher for traffic obfuscation. The C2 protocol and command set allow the operator to run DLLs, execute commands, download and update payloads, take screenshots, compress and exfiltrate files, manipulate the mouse and keyboard, and reboot or shut down the host. Example command bytes and functions observed include:
- 0x31 — run DLL on the system
- 0x50 — collect system/process information
- 0x59 — fetch a new payload over UDP port 63559 and update the COM path
- Extended mode commands permit upload and download of files, ZIP/TAR operations, screen capture, and remote input control
Infrastructure, indicators and attribution
Kaspersky published file hashes for RAT payloads and downloaders, domains and IPs used by the campaign, and the GitHub repositories observed hosting the encrypted payloads. Notable IOCs include the patched FFmpeg DLL SHA1 and natives2_blob.bin SHA1 cited above, C2 domains asper1[.]freeddns[.]org, Winst0[.]kozow[.]com, country1[.]ignorelist[.]com, IP 186[.]158.223.35, and GitHub repositories hxxps://github[.]com/gmz159/u, hxxps://github[.]com/DnyP/files, and hxxps://github[.]com/mgzv/p. Kaspersky also lists many payload SHA1 hashes in its indicators section.
On attribution, Kaspersky assesses with medium confidence that the developer of the downloader chain speaks Spanish, citing Spanish variable names and comments in decoded PowerShell and the JavaScript on distribution websites. Kaspersky further notes that the payloads previously chose 127.0.0.1 as a C2 for zh-CN locale, which may reflect use of payloads developed by a Chinese‑speaking actor — but Kaspersky judges it unlikely that the downloader developer is Chinese‑speaking.
What this means for technologists, enterprises, and users
- Technologists and security teams: expect a multi-stage infection that abuses legitimate libraries (FFmpeg) and scheduled-task COM persistence; hunt for InprocServer32 entries under HKCU\SOFTWARE\Classes\CLSID with unusual DLL paths in user AppData\Local directories and check scheduled tasks referencing WindowsColorSystem calibration loader.
- Affected enterprises and procurement teams: the campaign demonstrates supply-chain‑like risk from trojanized entertainment software and patched libraries bundled with otherwise legitimate applications; controls that verify binary integrity and block uncommon use of bitsadmin.exe for outbound fetches may be relevant.
- End users and the general public: downloading games from untrusted sites, torrents, or unvetted forums can deliver fully functional programs that also carry hidden downloaders. Kaspersky reports its solutions detect these threats under names including Trojan.Win32.Termixia.*, Trojan.Win32.Agent.*, HEUR:Trojan.Win32.Argamal.gen and HEUR:Trojan-Downloader.Win32.Argamal.gen.
Conclusion — Kaspersky’s telemetry shows a persistent, evolving RAT delivered through adult-game distribution channels, using DLL patching and COM hijacking to gain long‑term access. The actor continues updating payloads and infrastructure, and the RAT provides broad remote control capabilities that go far beyond credential theft alone. Kaspersky reports that its solutions blocked the malicious activity at early stages; their published IOCs and behavioral descriptions offer concrete signals defenders can use to search for infections.
https://securelist.com/argamal-rat-distributed-with-hentai-games/119999/




