New RAT Campaign Targeting Hentai Game Players
Kaspersky has released details on a recently discovered malware campaign dubbed Argamal, specifically targeting gamers of hentai titles. This malware installs a hidden implant on the user’s system, leading to severe system compromise and allowing attackers extensive remote control capabilities.
Argamal employs COM hijacking to persist on infected machines: it replaces the registry entry that points to the Windows Color System Calibration Loader DLL with one pointing to its own DLL, so the implant is loaded every time the user logs in. Kaspersky detects this threat under several names, including Trojan.Win32.Termixia and HEUR:Trojan-Downloader.Win32.Argamal.gen.
The malware spreads primarily through infected game files distributed via dedicated websites and torrent trackers, notably AniRena and PixelDrain. The delivered archive contains the legitimate game files together with a trojanized FFmpeg DLL. When the game loads this DLL, it invokes a PowerShell script that establishes persistence and then downloads additional malicious payloads.
Argamal runs in several stages: an initial PowerShell script performs checks intended to evade security controls, then stages a downloader that fetches the main payload. Once active, the malware communicates with a command-and-control server and can perform a range of actions, including file manipulation, system surveillance, and changes to system settings.
Defensive Context
This campaign poses significant risks mainly to users of adult games and particularly those who download software from lesser-known or unreliable sources. Organizations and home users engaging with such content should remain vigilant, especially if they frequently access potentially compromised platforms.
Why This Matters
The targeting of specific gaming communities represents a shift in tactics by threat actors focusing on niche markets. Victims unaware of the risks associated with downloading from unofficial sources are particularly vulnerable, especially in regions like Russia, Brazil, Germany, and Vietnam, where most infections have been reported.
Defender Considerations
Detection strategies should focus on monitoring for registry changes indicative of COM hijacking, particularly new or modified CLSID entries that point to DLLs associated with Argamal. Installations from dubious or untrusted sources, especially those related to the adult gaming sector, deserve close scrutiny.
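The following PowerShell hunt is an added example, not code from Kaspersky's report. It looks for the per-user form of COM hijacking described above (an InprocServer32 entry under HKCU\Software\Classes\CLSID that shadows the machine-wide entry for the same CLSID). The CLSID of the Color System Calibration Loader is not given on this page, so the scan covers every per-user CLSID rather than a single assumed identifier.

```powershell
# Added example (not from Kaspersky's report): hunt for per-user COM hijacks.
# Windows consults HKCU\Software\Classes\CLSID before HKLM, so an attacker who
# writes an InprocServer32 entry there for a CLSID that normally resolves from
# HKLM gets their DLL loaded instead of the legitimate one.
function Find-UserComHijacks {
    $userRoot = 'Registry::HKEY_CURRENT_USER\Software\Classes\CLSID'
    if (-not (Test-Path $userRoot)) { return @() }   # no per-user overrides at all

    Get-ChildItem -Path $userRoot -ErrorAction SilentlyContinue |
        ForEach-Object {
            $clsid = $_.PSChildName
            $userServer = Join-Path $_.PSPath 'InprocServer32'
            if (-not (Test-Path $userServer)) { return }   # skip CLSIDs without an in-proc server

            $userDll = (Get-ItemProperty -Path $userServer -ErrorAction SilentlyContinue).'(default)'
            $machineServer = "Registry::HKEY_LOCAL_MACHINE\Software\Classes\CLSID\$clsid\InprocServer32"
            $machineDll = $null
            if (Test-Path $machineServer) {
                $machineDll = (Get-ItemProperty -Path $machineServer -ErrorAction SilentlyContinue).'(default)'
            }

            # Expand %SystemRoot%-style variables before comparing paths or touching the file.
            $resolved = if ($userDll) { [Environment]::ExpandEnvironmentVariables($userDll) } else { $null }
            $outsideSystem = [bool]($resolved -and ($resolved -notlike "$env:SystemRoot\*"))
            $onDisk = [bool]($resolved -and (Test-Path -LiteralPath $resolved))

            # Report a per-user entry that shadows a machine CLSID, or that points
            # outside %SystemRoot%; the signature status helps triage the hit.
            if ($machineDll -or $outsideSystem) {
                [pscustomobject]@{
                    CLSID      = $clsid
                    UserDll    = $userDll
                    MachineDll = $machineDll
                    OnDisk     = $onDisk
                    Signature  = if ($onDisk) { (Get-AuthenticodeSignature -FilePath $resolved).Status } else { 'n/a' }
                }
            }
        }
}

Find-UserComHijacks | Format-Table -AutoSize
```

Some legitimate per-user software registers its own CLSIDs, so every hit needs triage; an unsigned DLL in a user-writable directory that shadows a system CLSID is the pattern that matches the persistence technique described here.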
Indicators of Compromise (IOCs)
Domains:
- asper1.freeddns.org
- Winst0.kozow.com
- country1.ignorelist.com
IP Address:
- 186.158.223.35
File Hashes:
- SHA1: 42add9475e67a1ccc6a6af94b5475d3defc01b85
- SHA1: edce72f59e4c1d136cd1946af70d334c19df858d
Monitoring these IOCs in network traffic and endpoint behavior could provide critical insights into potential infections.