Argamal
Argamal is a previously unknown remote access trojan (RAT) identified by Kaspersky in a campaign discovered in April/spring 2026. It was distributed primarily through trojanized adult “hentai” games, including archives shared via dedicated adult-game websites, PixelDrain links, torrent trackers such as AniRena, and at least one gaming forum post where a malicious DLL was disguised as a cheat. Related malicious DLL components in the infection chain were assessed to have existed since at least 2024.
The infection chain used modified game components, including a patched ffmpeg.dll (SHA1: 42add9475e67a1ccc6a6af94b5475d3defc01b85) that imported DllGetClassObject from natives2_blob.bin (SHA1: edce72f59e4c1d136cd1946af70d334c19df858d). That DLL executed a Base64-encoded PowerShell Stage1 loader, which performed anti-analysis checks for Sandboxie and Procmon64, stored a Stage2 script in MI_V and later MI_V2 environment variables, created temporary CLSID registry entries under HKCU\SOFTWARE\Classes\CLSID\{722D0F89-B69C-4700-AE8C-4A44350E4876}, and scheduled Stage2 to run once after three days. Stage2 downloaded an encrypted payload named zaesdl.dat from GitHub using bitsadmin.exe, saved it as settings.dat, and decrypted it with AES-CBC using key/IV zbcd1j9234r670eh. It then established persistence by COM hijacking HKCU\SOFTWARE\Classes\CLSID\{B210D694-C8DF-490D-9576-9E20CDBC20BD}\InprocServer32, abusing the \Microsoft\Windows\WindowsColorSystem\Calibration Loader scheduled task so the malware executed at user logon. Kaspersky also observed alternate delivery variants embedding the main payload as libpython64.dat or similarly named files loaded through patched game libraries.
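The host artifacts described above can be triaged with a read-only PowerShell script; this is an added example, not Kaspersky's or Mallory's code. It assumes the MI_V/MI_V2 variables are persisted in the user's environment (registry scope) and that the single 16-byte string the report quotes serves as both AES key and IV.

```powershell
# Added triage script (not from the report). Reads registry, environment and
# files only; it never deletes anything or runs the recovered payload.
$persistClsid = 'HKCU:\SOFTWARE\Classes\CLSID\{B210D694-C8DF-490D-9576-9E20CDBC20BD}\InprocServer32'
$tempClsid    = 'HKCU:\SOFTWARE\Classes\CLSID\{722D0F89-B69C-4700-AE8C-4A44350E4876}'
$findings = @()

# 1. COM hijack: a per-user InprocServer32 for this CLSID shadows the HKLM
#    registration that the Calibration Loader task resolves, so any value
#    under HKCU is suspect and the DLL it names should be hashed and examined.
if (Test-Path $persistClsid) {
    $dll = (Get-ItemProperty -Path $persistClsid).'(default)'
    $findings += "COM hijack present: InprocServer32 -> $dll"
}
if (Test-Path $tempClsid) { $findings += "Stage1 temporary CLSID key present: $tempClsid" }

# 2. Stage2 script parked in environment variables (User scope is an assumption).
foreach ($name in 'MI_V', 'MI_V2') {
    $v = [Environment]::GetEnvironmentVariable($name, 'User')
    if ($v) { $findings += "Environment variable $name set ($($v.Length) chars)" }
}

# 3. Decrypt a recovered settings.dat (AES-CBC, key/IV from the report) so the
#    dropped payload can be hashed and analysed offline. Padding is not stated
#    in the report, so PKCS7 is tried first and raw (no padding) as fallback.
function Unprotect-ArgamalPayload {
    param([Parameter(Mandatory)][string]$Path, [string]$OutPath = "$Path.decrypted")
    $keyIv  = [Text.Encoding]::ASCII.GetBytes('zbcd1j9234r670eh')
    $cipher = [IO.File]::ReadAllBytes($Path)
    $aes = [Security.Cryptography.Aes]::Create()
    $aes.Mode = 'CBC'; $aes.Key = $keyIv; $aes.IV = $keyIv
    try   { $aes.Padding = 'PKCS7'; $plain = $aes.CreateDecryptor().TransformFinalBlock($cipher, 0, $cipher.Length) }
    catch { $aes.Padding = 'None';  $plain = $aes.CreateDecryptor().TransformFinalBlock($cipher, 0, $cipher.Length) }
    [IO.File]::WriteAllBytes($OutPath, $plain)
    # An MZ header is consistent with the report's description of the payload as a DLL.
    [pscustomobject]@{
        Output      = $OutPath
        Bytes       = $plain.Length
        LooksLikePE = ($plain.Length -gt 2 -and $plain[0] -eq 0x4D -and $plain[1] -eq 0x5A)
        Sha1        = (Get-FileHash -Path $OutPath -Algorithm SHA1).Hash
    }
}

# The report does not say where settings.dat lands; the user profile is searched as an assumption.
Get-ChildItem -Path $env:USERPROFILE -Recurse -Filter 'settings.dat' -ErrorAction SilentlyContinue |
    ForEach-Object { $findings += "settings.dat candidate: $($_.FullName)" }

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } } else { Write-Host 'No Argamal host artifacts found.' }
```

Call Unprotect-ArgamalPayload on a listed settings.dat candidate to obtain the decrypted file and its SHA1 for comparison with the hashes tracked for this family.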
Argamal provides near-complete control of infected Windows systems. Reported capabilities include remote command execution; running DLLs; opening files or links; deleting files; downloading updated payloads; screenshots; cursor control; simulated key presses; file compression and archiving; file upload, download, and exfiltration; process termination; reboot and shutdown; and drive/OS reconnaissance. The malware also collected information about installed security software by parsing tasklist output for Kaspersky, Avast, McAfee, BitDefender, MalwareBytes, and dozens of additional products. Early payloads used a 0xB0C1D4E9 rolling XOR self-decryption routine, while newer versions used string obfuscation based on substitution ciphers.
Command-and-control activity included UDP heartbeats to port 57441 containing security-product detections, startup time, idle time, architecture, IP address, and username. The C2 could issue commands and deliver new payloads over UDP port 63559. In extended RAT mode, Argamal communicated over TCP port 3747 using a substitution-cipher-based protocol. Observed C2 domains included asper1[.]freeddns[.]org, Winst0[.]kozow[.]com, and country1[.]ignorelist[.]com; primary domains resolved to 186[.]158.223.35 during the investigation. On systems with zh-CN locale, the malware switched C2 to country1[.]ignorelist[.]com.
Kaspersky reported hundreds of infections affecting private individuals in multiple countries, with the largest share in Russia and additional victims observed in Brazil, Germany, and Vietnam. The campaign’s primary objective was assessed as theft of data and account credentials. Based on Spanish-language comments, variable names, and infrastructure artifacts, Kaspersky assessed with moderate/medium confidence that the downloader-chain developer or operators were Spanish-speaking.
Techniques & procedures
26 distinct techniques documented for this family, organized by ATT&CK tactic.
Resource Development
1 technique
Attacks begin with archives containing an infected game. After it is launched, a hidden malicious module is installed on the victim's computer.
Initial Access
2 techniques
Both the dedicated websites and torrents delivered an archive containing the infected game. This archive contained fully functional, legitimate game files, as well as a modified FFmpeg DLL... Since the game needs ffmpeg.dll to run properly, the library loads as soon as the user starts the game.
The infected games were distributed as an archive... inside were fully functional, legitimate game files together with a modified ffmpeg.dll... The trojanized games were also distributed through various torrent trackers
Execution
9 techniques
Stage1 also creates a scheduled task that will execute three days later. This task executes Stage2 and runs once.
After that, the Argamal operators can remotely execute commands on the infected machine...
The natives2_blob.bin file is a DLL that, when loaded, executes a Base64-encoded PowerShell script.
Based on the C2 command, the malware can execute commands on the infected machine ...
RUNHID <command> / RUN <command> : runs specified command inside ShellExecuteW
RUNDOS <command> : runs specified command inside CreateProcessW
0x53 Execute command from the response using ShellExecuteW
0x52 Run the file specified in the response using WinExec
Stage2 is a payload downloader script... downloads an encrypted payload called zaesdl.dat from GitHub using bitsadmin.exe.
Attacks begin with archives containing an infected game. After it is launched, a hidden malicious module is installed on the victim's computer.
Persistence
2 techniques
Privilege Escalation
1 technique
Stealth
5 techniques
The natives2_blob.bin file is a DLL that executes a Base64-encoded PowerShell script ... Early payload versions decrypted themselves ... The samples we found had string encryption ... TCP communications are encrypted using a simple substitution cipher.
Stage2 is a payload downloader script... downloads an encrypted payload called zaesdl.dat from GitHub using bitsadmin.exe.
This PowerShell script, which we’ll call Stage1, performs basic checks for controlled environments. For example, it checks for the Sandboxie folder in Program Files and Procmon64 in the process list.
Discovery
6 techniques
These heartbeats contain information about ... username ... USER : sends username
checks for the presence of security products... by analyzing the output of the tasklist command ... command 0x50: collect information about the infected system (for example, the list of processes)
A detailed technical analysis of the malware showed that Argamal can ... collect information about the security software on the device...
LFILES <folder path> : lists and transmits the paths to all files in the directory.
This PowerShell script, which we’ll call Stage1, performs basic checks for controlled environments. For example, it checks for the Sandboxie folder in Program Files and Procmon64 in the process list.
The payload checks for the presence of the following security solutions using the output of the tasklist command: Kaspersky, Avast, McAfee, BitDefender, MalwareBytes +36 other solutions.
Collection
2 techniques
After that, the Argamal operators can ... take screenshots...
After that, the Argamal operators can ... archive files and send them to their servers...
Command and Control
4 techniques
The payload sends UDP heartbeats to port 57441 of the C2 server... In this mode, the payload communicates with the C2 server using the 3747/tcp port.
Stage2 is a payload downloader script... downloads an encrypted payload called zaesdl.dat from GitHub using bitsadmin.exe.
sends heartbeat messages over UDP... connect to port 63559/udp of the command server, receive a new DLL
For several days it does not reveal itself in any way, then it downloads an additional payload that completes the compromise of the device.
Exfiltration
1 technique
After that, the Argamal operators can ... archive files and send them to their servers...
IOCs tracked for this family
25 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
Recent activity
4 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Previously unknown remote access trojan distributed via trojanized adult games, torrent trackers, and gaming forums. After infection it provides attackers near-complete control of the system, including remote command execution, screenshots, cursor control, file archiving and exfiltration, reboot/shutdown, persistence, security software reconnaissance, and downloading additional modules from C2 servers. The campaign appears focused on data and account theft.
Argamal is a newly identified RAT delivered via trojanized adult games. It uses a staged infection chain with PowerShell-based downloaders, COM hijacking for persistence, GitHub-hosted encrypted payload retrieval, anti-analysis checks, and broad remote-control capabilities including command execution, file operations, screenshots, system reconnaissance, mouse/keyboard control, and payload updates.
Argamal is a newly identified remote access trojan delivered via trojanized adult games. It establishes persistence through COM hijacking of the Windows Color System Calibration Loader task, delays execution for several days, downloads an encrypted payload from GitHub, and provides full remote control of infected systems including command execution, file operations, screenshots, mouse/keyboard control, and payload updates.
Argamal is a newly identified malware family delivered via trojanized adult games. It uses a staged infection chain with PowerShell downloaders, establishes persistence through COM hijacking of the Windows Color System Calibration Loader task, downloads encrypted payloads from GitHub, and ultimately deploys a full-featured RAT capable of command execution, file operations, screenshots, system control, and remote administration.