Argamal: Malware hidden in hentai games
Mikhail Reznichenko · 2026-06-03 · via Comments for Securelist

In April 2026, we discovered a new malware campaign targeting players of “hentai” games. Once launched, the infected games install a previously unknown malicious implant on the user’s machine. After a few days, the implant downloads and executes a Trojan, resulting in full system compromise and broad remote control capabilities for the attackers. We dubbed this malware family “Argamal”.

The malware persists through COM hijacking: in the user's registry hive it overwrites the InprocServer32 entry of the COM class that the Windows Color System Calibration Loader scheduled task instantiates. That task is triggered at user logon, so the hijacked DLL, and with it the malware, is loaded every time the user signs in.

Kaspersky solutions detect this threat as Trojan.Win32.Termixia.*, Trojan.Win32.Agent.*, HEUR:Trojan.Win32.Argamal.gen and HEUR:Trojan-Downloader.Win32.Argamal.gen.

Technical details

Background

In April, as part of our ongoing monitoring of telemetry data, we found some suspicious DLLs. Further analysis revealed that various versions of these DLLs have existed since at least 2024.

The DLLs were loaded by different games written with various engines and languages, including RenPy (Python) and RPG Maker MV (JavaScript), among others. They all had one thing in common: every one of them was a hentai game. We searched for the distribution sources and found a number of websites hosting game screenshots and download links. These links redirected users to PixelDrain, a free file transfer service.

Adult games catalogue

In addition to these websites, the trojanized games have also been distributed via different torrent trackers, including AniRena.

Malicious game torrent in AniRena

Delivery

Both the dedicated websites and torrents delivered an archive containing the infected game.

Contents of the game archive

This archive contained fully functional, legitimate game files plus a modified FFmpeg DLL (SHA1: 42add9475e67a1ccc6a6af94b5475d3defc01b85) whose import table references the DllGetClassObject export of a file called natives2_blob.bin; the Windows loader therefore maps natives2_blob.bin as a dependency whenever ffmpeg.dll is loaded. Since the game needs ffmpeg.dll to run properly, both libraries load as soon as the user starts the game.

Script executor

The natives2_blob.bin (SHA1: edce72f59e4c1d136cd1946af70d334c19df858d) file is a DLL that executes a Base64-encoded PowerShell script when loaded.

The natives2_blob.bin file code

This PowerShell script, which we’ll call Stage1, performs basic checks for controlled environments. For example, it checks for the Sandboxie folder in Program Files and Procmon64 in the process list. If all the checks indicate that the process is not running in a controlled environment, it proceeds to establish persistence.

Stage1 stores a second Base64-encoded PowerShell script, which we'll call Stage2, in the MI_V user environment variable (newer versions also set MI_V2). It then creates HKCU\SOFTWARE\Classes\CLSID\{722D0F89-B69C-4700-AE8C-4A44350E4876}, setting its InprocServer32 default value to a random DLL file name in a random subdirectory of %USER%\AppData\Local and its ShellFolder subkey to another random DLL file name in the same location. Finally, Stage1 registers a one-shot scheduled task, due three days later, that executes Stage2.

Stage2 is the payload downloader. It reads the previously generated DLL file names from the registry, then fetches an encrypted payload named zaesdl.dat from GitHub using bitsadmin.exe and saves it as settings.dat in the randomly chosen subdirectory of %USER%\AppData\Local. Stage2 decrypts it with AES-CBC using the key zbcd1j9234r670eh and an IV equal to the key bytes, so nothing beyond the script itself is needed to decrypt a captured payload. The decrypted payload is written to the DLL path recorded in the ShellFolder subkey.

The path of the decrypted DLL is then written as the InprocServer32 value of HKCU\SOFTWARE\Classes\CLSID\{B210D694-C8DF-490D-9576-9E20CDBC20BD}, the CLSID instantiated by the \Microsoft\Windows\WindowsColorSystem\Calibration Loader scheduled task. For a process running at the user's integrity level, the per-user entry under HKCU\Software\Classes takes precedence over the system-wide one, so the task loads the malicious DLL instead of the legitimate COM server. The task runs at every user logon, which gives the malware a foothold in every user session.

Before quitting, Stage2 also removes the changes made under the HKCU\SOFTWARE\Classes\CLSID\{722D0F89-B69C-4700-AE8C-4A44350E4876} registry key, unsets the MI_V environment variable (and MI_V2 in newer versions), and removes the scheduled task that launched Stage2.
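Responders will want a quick check for the persistence artifacts described above. The Python below is an added example written for this page, not Kaspersky's tooling: it parses the text that `reg query HKCU\Software\Classes\CLSID /s` and `reg query HKCU\Environment` produce and flags per-user CLSID registrations that use either of the CLSIDs named in this article or that point the COM server at a DLL under a user-writable directory, and it reports any MI_V / MI_V2 variable still staged for Stage2. The registry excerpt embedded in the block is constructed for illustration: the second CLSID, the file paths and the Base64 value are made up.

```python
import re

# CLSIDs named in the write-up, keyed by the role they play in the Argamal chain.
ARGAMAL_CLSIDS = {
    "{722D0F89-B69C-4700-AE8C-4A44350E4876}": "Stage1 staging key (normally removed again by Stage2)",
    "{B210D694-C8DF-490D-9576-9E20CDBC20BD}": "WindowsColorSystem Calibration Loader COM server (final persistence)",
}
STAGED_ENV_VARS = {"MI_V", "MI_V2"}

KEY_LINE = re.compile(
    r"^HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\(\{[0-9A-F-]{36}\})\\(InprocServer32|ShellFolder)$", re.I)
VALUE_LINE = re.compile(r"^\s+(\(Default\)|\S+)\s+(REG_\w+)\s+(.*)$")
# A COM server that lives where the user can write is the hallmark of a per-user COM hijack.
USER_WRITABLE = re.compile(r"\\AppData\\(Local|Roaming)\\|\\Temp\\", re.I)

# Constructed `reg query` output (not real telemetry); the second CLSID is a benign placeholder.
SAMPLE_REG_QUERY = r"""
HKEY_CURRENT_USER\Software\Classes\CLSID\{B210D694-C8DF-490D-9576-9E20CDBC20BD}\InprocServer32
    (Default)    REG_SZ    C:\Users\alice\AppData\Local\Qx7k2\uvn3p.dll
    ThreadingModel    REG_SZ    Apartment

HKEY_CURRENT_USER\Software\Classes\CLSID\{0C3B4B0E-4C0C-4D1E-9B9A-000000000001}\InprocServer32
    (Default)    REG_SZ    C:\Program Files\ExampleVendor\shellext.dll

HKEY_CURRENT_USER\Environment
    Path    REG_EXPAND_SZ    %USERPROFILE%\AppData\Local\Microsoft\WindowsApps;
    MI_V    REG_SZ    W2NvbnN0cnVjdGVkXQ==
"""


def parse_reg_query(text):
    """Yield (key_path, value_name, value_type, data) tuples from `reg query ... /s` output."""
    current = None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            current = line.strip()
            continue
        m = VALUE_LINE.match(line)
        if m and current:
            yield current, m.group(1), m.group(2), m.group(3).strip()


def find_com_hijacks(reg_text):
    """Return per-user CLSID registrations that match the Argamal persistence pattern."""
    findings = []
    for key, name, _type, data in parse_reg_query(reg_text):
        m = KEY_LINE.match(key)
        if not m or name != "(Default)":
            continue
        clsid, subkey = m.group(1).upper(), m.group(2)
        reasons = []
        if clsid in ARGAMAL_CLSIDS:
            reasons.append("known Argamal CLSID: " + ARGAMAL_CLSIDS[clsid])
        if USER_WRITABLE.search(data):
            reasons.append("COM server DLL lives in a user-writable directory")
        if reasons:
            findings.append({"clsid": clsid, "subkey": subkey, "path": data, "reasons": reasons})
    return findings


def find_staged_env_vars(reg_text):
    """Return the user environment variables Stage1 uses to stash the Base64 Stage2 script."""
    return {name: data for key, name, _t, data in parse_reg_query(reg_text)
            if key.upper() == r"HKEY_CURRENT_USER\ENVIRONMENT" and name in STAGED_ENV_VARS}


if __name__ == "__main__":
    for f in find_com_hijacks(SAMPLE_REG_QUERY):
        print(f["clsid"], f["subkey"], f["path"], "|", "; ".join(f["reasons"]))
    print("staged env vars:", find_staged_env_vars(SAMPLE_REG_QUERY))
```

On a live host, feed the function the saved output of the two `reg query` commands; an MI_V variable is only present between the first game launch and the three-day Stage2 run, so its absence does not clear the machine, whereas a user-writable InprocServer32 path under the Calibration Loader CLSID should be treated as a confirmed hit.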

Malicious agent

Early payload versions decrypt themselves with a rolling four-byte XOR: the first block is XORed with the constant 0xB0C1D4E9, and the key for block i + 1 is the encrypted (not the decrypted) content of block i. The most recent agent versions no longer carry this layer.
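The rolling XOR above is trivial to reverse because the keystream is the ciphertext itself: plaintext block i is simply C[i] XOR C[i-1], with C[-1] being the constant, so an analyst needs nothing but the file. The Python below is an added example, not code from the article, giving the decoder plus its inverse for producing test vectors. It assumes the 0xB0C1D4E9 constant is applied as a little-endian DWORD (the natural reading for x86 code) and that a trailing block shorter than four bytes is XORed with only as many key bytes as it has; both are assumptions rather than facts stated in the article.

```python
INITIAL_KEY = 0xB0C1D4E9
BLOCK = 4


def _key_bytes(initial_key: int) -> bytes:
    # Assumption: the constant is used as a little-endian DWORD, as x86 code would store it.
    return initial_key.to_bytes(BLOCK, "little")


def rolling_xor_decrypt(data: bytes, initial_key: int = INITIAL_KEY) -> bytes:
    """Block i is XORed with the ciphertext of block i-1; block 0 with the constant."""
    key, out = _key_bytes(initial_key), bytearray()
    for off in range(0, len(data), BLOCK):
        enc = data[off:off + BLOCK]                 # a short final block uses only the key bytes it needs
        out += bytes(c ^ k for c, k in zip(enc, key))
        key = enc                                   # next key is the *encrypted* block just consumed
    return bytes(out)


def rolling_xor_encrypt(data: bytes, initial_key: int = INITIAL_KEY) -> bytes:
    """Inverse transform: chain on the ciphertext we just produced (useful for test vectors)."""
    key, out = _key_bytes(initial_key), bytearray()
    for off in range(0, len(data), BLOCK):
        enc = bytes(p ^ k for p, k in zip(data[off:off + BLOCK], key))
        out += enc
        key = enc
    return bytes(out)


def looks_like_pe(data: bytes) -> bool:
    """Cheap sanity check after decryption: the agent DLL should start with the MZ header."""
    return data[:2] == b"MZ"


if __name__ == "__main__":
    sample = rolling_xor_encrypt(b"MZ\x90\x00\x03\x00\x00\x00\x04\x00")   # constructed input
    print(sample.hex(), "->", rolling_xor_decrypt(sample), looks_like_pe(rolling_xor_decrypt(sample)))
```

If the first decrypted block does not start with MZ, try the big-endian byte order of the constant before assuming a different key: the only free parameter in this scheme is how those four bytes are laid out.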

The samples we found obfuscate their strings with a simple substitution. The key is a 73-character string that corresponds position-by-position to the following alphabet: ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789@#$./:<>*&~. To decrypt, the position of each symbol of the encrypted string is looked up in the key and the symbol is replaced with the one at the same position in the alphabet.
During our investigation, we found the following keys were used:

  • 17htUno/I3L&fK2H#yapE@b5NqZ$Q4xmeF.s96uB>jkdWCPvAgD*XwO:iR~TMrV0YGl8z<JSc
  • 71htUno/I3L&fK2H#aypE@b5NqZ$Q4xmeF.s96uB>jdkWCPvAgD*XwO:iR~TMrV0YGl8z<JSc
  • E1hUtno/IL3&fK2H#ypa7@b5NqZ$Q4xmeF.s69uB>jkdWCvPAgD*XwO:iR~TrMV0YGl8z<JcS

All symbols not used in the key remain unchanged.

String decryption

The payload checks for the presence of the following security solutions using the output of the tasklist command:

  • Kaspersky
  • Avast
  • McAfee
  • BitDefender
  • MalwareBytes
  • +36 other solutions

Security solution detection logic

The payload itself is a RAT with broad functionality. The default C2 server is asper1[.]freeddns[.]org for earlier versions and Winst0[.]kozow[.]com for the latest ones; both domains point to 186[.]158.223.35. We also saw another IP address for the first C2 domain in pDNS records, though we have not observed it in use. The C2 address can change in response to a C2 reply or when certain conditions are met: for example, if the user's default locale is set to "zh-CN", the RAT switches its C2 to country1[.]ignorelist[.]com. During most of our investigation this domain pointed to 127[.]0.0.1, but since April 26 it has resolved to 186[.]158.223.35 as well.

The payload sends UDP heartbeats to port 57441 of the C2 server. These heartbeats contain information about detected security solutions, system startup time, time since last input activity, architecture info, machine IP address and username.

The C2 may respond to the heartbeat. Based on this response, the payload can perform different actions. Below is the full list of available commands.

Response first byte   Description
0x31                  Run a DLL on the system
0x57                  Send a UDP request to the specified address
0x55                  Open the file or link given in the response
0x50                  Collect information about the infected system (e.g. process list and architecture)
0x53                  Execute the command from the response using ShellExecuteW
0x52                  Run the file specified in the response using WinExec
0x42                  Delete the file specified in the response
0x41                  Update the C2 domain
0x59                  Fetch a new payload: connect to C2 port 63559/UDP, receive a new DLL and update the COM path in the registry

The C2 can also set a flag in the response that turns on the extended RAT mode. In this mode, the payload communicates with the C2 server over TCP port 3747.
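The agent's transport is unusually fixed: heartbeats to UDP 57441, payload updates over UDP 63559, and TCP 3747 for the extended mode, all to the same small set of IPs. As an added example (not from the article), the Python below hunts for those flows in a Zeek conn.log. The log excerpt is constructed, with 10.0.0.0/8 as placeholder client addresses and 203.0.113.9 as an unrelated server; only the conn.log columns the check needs are included. A port match alone is rated low confidence, since a high port can be hit by legitimate traffic, while a match on both port and one of the listed C2 IPs is rated high.

```python
import ipaddress

# Fixed transport endpoints described for the Argamal agent.
ARGAMAL_PORTS = {
    ("udp", 57441): "UDP heartbeat to C2",
    ("udp", 63559): "payload update channel (0x59 command)",
    ("tcp", 3747): "extended RAT mode (TCP)",
}
# Infrastructure listed in the write-up (defanged there, re-fanged here for matching).
ARGAMAL_C2_IPS = {ipaddress.ip_address("186.158.223.35"), ipaddress.ip_address("181.116.218.56")}

# Constructed Zeek conn.log excerpt (not real traffic); the #fields header drives the parser.
SAMPLE_CONN_LOG = """\
#fields\tts\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\torig_bytes\tresp_bytes
1777000000.1\t10.0.0.23\t51234\t186.158.223.35\t57441\tudp\t96\t0
1777000060.2\t10.0.0.23\t51235\t186.158.223.35\t57441\tudp\t96\t24
1777000070.3\t10.0.0.23\t49800\t186.158.223.35\t3747\ttcp\t1420\t880
1777000080.4\t10.0.0.40\t53001\t203.0.113.9\t3747\ttcp\t300\t300
1777000090.5\t10.0.0.40\t53002\t203.0.113.9\t443\ttcp\t5000\t70000
"""


def parse_zeek_conn(text):
    """Yield one dict per record, using the #fields line for column names."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split("\t")))


def hunt_argamal_flows(text):
    """Score each flow by protocol/port role and by destination IP against the IOC list."""
    hits = []
    for rec in parse_zeek_conn(text):
        proto, port = rec["proto"], int(rec["id.resp_p"])
        dst = ipaddress.ip_address(rec["id.resp_h"])
        role = ARGAMAL_PORTS.get((proto, port))
        ioc_ip = dst in ARGAMAL_C2_IPS
        if not role and not ioc_ip:
            continue
        confidence = "high" if (role and ioc_ip) else ("medium" if ioc_ip else "low")
        hits.append({"ts": rec["ts"], "src": rec["id.orig_h"], "dst": str(dst),
                     "proto": proto, "port": port, "role": role, "confidence": confidence})
    return hits


if __name__ == "__main__":
    for h in hunt_argamal_flows(SAMPLE_CONN_LOG):
        print(h["confidence"].upper(), h["src"], "->", h["dst"], h["proto"], h["port"], h["role"])
```

Repeated small UDP datagrams to 57441 from one host at a regular interval are the heartbeat; a first TCP 3747 session shortly after one of them is the extended mode being switched on and is worth pulling the PCAP for, since the channel is only substitution-obfuscated.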

TCP communications are obfuscated rather than encrypted: a monoalphabetic substitution in which each character is replaced using a fixed mapping defined by the key:

koP]Y4Os-_t?cB',aK.Wm>QM2[U!^C`*@Ff:X\6Dp8H%ATydE<e(#G&LhwRZ5znjJqgNrl)I7V$3=910"+Svxi/;ub

This key corresponds position-by-position to the printable ASCII sequence from '!' to '}':

!"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}

In other words, each character in the ASCII set is replaced by the character at the same position in the key string; recovering the traffic requires nothing more than this table.

C2 requests and responses are divided into two parts by the first space character. The first part is a command and the second part is usually an argument.
After connecting and before receiving information from the C2, the malware sends metadata about the infected machine using the NOOP command. This metadata includes a run cycle counter, mounted drive metadata, time since the last input activity and data about the display settings.
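Both substitution tables in this article, the in-binary string obfuscation with its three per-sample keys and the TCP channel cipher, are the same construction: a plaintext alphabet paired position-by-position with a key alphabet, with any symbol absent from the tables passed through unchanged. The Python below is an added example, not the malware's or Kaspersky's code, with one decoder serving both, plus the first-space command/argument split used on the TCP channel. One caveat is an assumption about the page rather than a fact from the analysis: the TCP key as reproduced here is 90 characters while the '!'..'}' range is 93, so '{', '|' and '}' get no mapping and are left as they are. A second point follows from the alphabet as printed: it starts at '!', so a space is never substituted and the command/argument separator stays visible in the obfuscated stream.

```python
import string

# Plaintext alphabet for the in-binary string obfuscation (73 symbols), as given in the write-up.
STRING_ALPHABET = string.ascii_uppercase + string.ascii_lowercase + string.digits + "@#$./:<>*&~"

# The three per-sample keys listed in the write-up.
STRING_KEYS = [
    "17htUno/I3L&fK2H#yapE@b5NqZ$Q4xmeF.s96uB>jkdWCPvAgD*XwO:iR~TMrV0YGl8z<JSc",
    "71htUno/I3L&fK2H#aypE@b5NqZ$Q4xmeF.s96uB>jdkWCPvAgD*XwO:iR~TMrV0YGl8z<JSc",
    "E1hUtno/IL3&fK2H#ypa7@b5NqZ$Q4xmeF.s69uB>jkdWCvPAgD*XwO:iR~TrMV0YGl8z<JcS",
]

# Plaintext alphabet for the TCP channel: printable ASCII from '!' (0x21) to '}' (0x7D), 93 symbols.
TCP_ALPHABET = "".join(chr(c) for c in range(0x21, 0x7E))
# Key as reproduced on the page (raw string: it contains a backslash and both quote characters).
TCP_KEY = r'''koP]Y4Os-_t?cB',aK.Wm>QM2[U!^C`*@Ff:X\6Dp8H%ATydE<e(#G&LhwRZ5znjJqgNrl)I7V$3=910"+Svxi/;ub'''


class SubstitutionCipher:
    """Monoalphabetic substitution: plain[i] <-> key[i]; symbols outside the tables pass through."""

    def __init__(self, plain_alphabet: str, key: str):
        if len(set(key)) != len(key):
            raise ValueError("key contains duplicate symbols; decryption would be ambiguous")
        pairs = list(zip(plain_alphabet, key))   # zip tolerates a key shorter than the alphabet
        self.enc = {p: k for p, k in pairs}
        self.dec = {k: p for p, k in pairs}

    def encrypt(self, s: str) -> str:
        return "".join(self.enc.get(ch, ch) for ch in s)

    def decrypt(self, s: str) -> str:
        return "".join(self.dec.get(ch, ch) for ch in s)


STRING_CIPHERS = [SubstitutionCipher(STRING_ALPHABET, k) for k in STRING_KEYS]
TCP_CIPHER = SubstitutionCipher(TCP_ALPHABET, TCP_KEY)


def decrypt_string_all_keys(blob: str) -> dict:
    """Try every known string key; the analyst keeps whichever output is readable."""
    return {k: c.decrypt(blob) for k, c in zip(STRING_KEYS, STRING_CIPHERS)}


def parse_c2_message(cleartext: str):
    """Split a decoded C2 line at the first space into (command, argument-or-None)."""
    cmd, _, arg = cleartext.partition(" ")
    return cmd, (arg or None)


if __name__ == "__main__":
    wire = TCP_CIPHER.encrypt("KILL REBOOT")          # constructed message, not captured traffic
    print(wire, "->", parse_c2_message(TCP_CIPHER.decrypt(wire)))
    print(decrypt_string_all_keys("17h"))
```

Because the string keys are permutations of the same 73-symbol alphabet, a wrong key still yields printable output; pick the key whose result produces recognisable artefacts (domains, process names from the AV list, registry paths) rather than trusting the first readable one.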

Based on the C2 command, the malware can execute commands on the infected machine, perform reboot and shutdown actions, control the cursor, take screenshots, compress files into archives, and send files to other specified servers. In short, it can fully control the machine. The full list of commands is as follows:

System control

  • KILL REBOOT: Reboots the infected system
  • KILL POWER: Shuts down the infected system
  • KILL SELF: Same as the QUIT command (described below)
  • KILL ME: Exits process running the malware

Surveillance

  • SCREEN / SCREEN9: makes a screenshot, saves it to the ~wra1269.tmp file and sends it to the C2

File operations

  • DELETE <filename>: deletes specified file
  • DELDIR <dirname>: deletes specified directory
  • REN <file path 1>#<file path 2>: moves specified file
  • MAKDIR <path>: creates directory
  • ZIPFILE <file or folder name> / ZIPFOLDER <file or folder name>: compresses specified file/folder into a .zip archive
  • TAR <file or folder name> / TAR2 <file or folder name>: compresses specified file/folder into a .tar archive
  • GETFILEDATE <filename>: sends file’s last modification date
  • SETFILEDATE <filename>: sets file’s last modification date
  • GETFILEACC <filename>: sends file’s last access date
  • DWLOAD <filename>: sends file to the C2
  • UPLOAD <filename>#<C2 address>: uploads file to the specified C2 server

Reconnaissance

  • USER: sends username
  • KALIVE: sends run cycle counter
  • IDLE: sends number of seconds passed since last input activity
  • DRIVES: sends information about mounted drives
  • FOLDEX <folder type>: sends the full path of a directory of the specified type:
      – type = 0x63: temporary directory
      – type = 0x64: \Google\Chrome\User Data\Default\ in the AppData\Local folder
      – type = 0x65: \Downloads\ in the user's home directory
      – type = 0x66: \Microsoft\Excel\XLSTART\ in the AppData folder
      – type = 0x67: AppData folder
  • LFILES <folder path>: lists and sends paths to all files in the directory
  • OSVER: sends information about user, hostname, OS architecture and version
  • COMPILERDATE: sends a build-date constant hard-coded in the RAT, e.g. 25.10.2025

Generic control

  • DSOCKE: recreates TCP keep-alive socket
  • QUIT: notifies the C2 about quitting, closes the socket and stops the process
  • RUNHID <command> / RUN <command>: runs specified command inside ShellExecuteW
  • RUNDOS <command>: runs specified command inside CreateProcessW
  • RUNTASK <command>: creates, runs and deletes task that executes specified command
  • SKEY <key code>: presses specified key
  • MOUSE FREEZE: freezes mouse movement
  • MOUSE <command>: clicks the specified mouse button or sets the cursor position to the specified coordinates

Other delivery methods

During our research, we also observed other delivery methods for the RAT. Instead of patching FFmpeg and downloading the payload from GitHub, the attackers included the main payload as libpython64.dat or another file with a similar name in the lib\py3-windows-x86_64 directory of the game. This .dat file was loaded by one of the libraries used in the game, which was patched for this purpose.

In another case, the threat actor posted their malicious DLL file (payload downloader) on a gaming forum, disguising it as a cheat.

Infrastructure

Our research revealed the following infrastructure was used in this attack.

Domain                        IP                  First seen           ASN
asper1[.]freeddns[.]org       181[.]116.218.56    September 16, 2024   11664
asper1[.]freeddns[.]org       186[.]158.223.35    July 01, 2025        11664
country1[.]ignorelist[.]com   186[.]158.223.35    September 10, 2025   11664
country1[.]ignorelist[.]com   127[.]0.0.1         November 11, 2025
Winst0[.]kozow[.]com          186[.]158.223.35    April 26, 2026       11664

Victims

According to our telemetry, hundreds of individuals were infected with this malware. The majority of the victims were located in Russia, Brazil, Germany and Vietnam.

Distribution of victims

Attribution

Based on the language of the comments in the code, infrastructure data and other facts, we assess with medium confidence that the developer of the downloader chain speaks Spanish.

The actor behind this attack uses Spanish in variable names and comments. For example, the Base64-decoded delivery script contains the following lines:

Part of the PowerShell script used in the payload delivery

In addition, the JavaScript code from the website distributing infected games contains variable names, function names and comments in Spanish:

JavaScript code from the malicious site

Notably, the payloads used in this attack previously resolved their C2 to 127.0.0.1 when the victim's default locale is set to "zh-CN" (country1[.]ignorelist[.]com pointed to loopback), so Chinese-locale machines were effectively excluded. This may indicate that the attacker is associated with, or reuses payloads developed by, a Chinese-speaking threat actor. Even so, we consider it unlikely that the developer of these delivery chains is Chinese-speaking.

Conclusions

The Argamal Trojan is a new RAT targeting individuals who seek adult games. During our analysis, we observed a steady stream of updates to the payload, including the addition of new features and fixes for various bugs, as well as changes to the infrastructure. This leads us to believe that the threat actor behind this malware will continue to develop and enhance it. The campaign’s goal is likely data and credential theft; however, the RAT enables the attacker to take full control of the device and execute any malicious activity they want.

Creating malware in today’s development landscape has become significantly easier thanks to the wide availability of detailed guides, tooling, and automation resources. As a result, it is crucial not only to detect known malware but also to identify new and evolving threats as they emerge. Kaspersky solutions prevented the malicious activity in the earliest stages of the attack. The solutions help ensure device security by identifying not only known threats but also the behavior of the software and its actions, providing comprehensive protection against malware.

Indicators of Compromise

File hashes
RAT payloads:
76253fb55aed707440e808ea78e7101318436b1c
1405a3c5e0aeb08012484134e16cdec4ab29b4a4
535f4337f261b6da20a3c614eb13270bed2d533a
d2cb0d7a9ad2b5d4ea7c2da8aec62beb37cf36d6
e05f1767c2a337910ed75e90288838d6d0541164
dad26f61da7b8bccc78364411812be74c025b475
29f1d346a6e71774c7dad25b90f446b2974393df
e815a9b418d09c2d4bcd074c2c0bc21406eeb22f
17f8f8f34dfa737f36182fed7ff9e9814a114058
954722b0c9c678b1313d1f8b204e102842dc5889
69331cfdac792dc79240e6a6bb6e803eabd70beb
901cfa97b1baaf908fd4a02bb52d970f576c4193
5f1f3689bcf23de1b280b5f35712946da0f7978f
c2d9d48b3b10bd58cdf5df9463e3ffcd60533ff3
2423a5bf0fa7cb9ec09211630a5488629499691b
ae4601a19d28332a3ec6ac31b385cdf53be53450

Trojan downloaders:
9803604ec45f31f9ef75bcca1e1310d8ac1fc3a6
edce72f59e4c1d136cd1946af70d334c19df858d
02819d200d1424882af81cb504b3e8614b32397a

Domains and IPs
asper1[.]freeddns[.]org
Winst0[.]kozow[.]com
Country1[.]ignorelist[.]com
186[.]158.223.35

GitHub repositories used in the campaign
hxxps://github[.]com/gmz159/u
hxxps://github[.]com/DnyP/files
hxxps://github[.]com/mgzv/p