{"id":3471,"date":"2026-06-03T10:03:58","date_gmt":"2026-06-03T10:03:58","guid":{"rendered":"https:\/\/blog.ibvl.in\/index.php\/2026\/06\/03\/argamal-malware-hidden-in-hentai-games\/"},"modified":"2026-06-03T10:03:58","modified_gmt":"2026-06-03T10:03:58","slug":"argamal-malware-hidden-in-hentai-games","status":"publish","type":"post","link":"https:\/\/blog.ibvl.in\/index.php\/2026\/06\/03\/argamal-malware-hidden-in-hentai-games\/","title":{"rendered":"Argamal: Malware hidden in hentai games"},"content":{"rendered":"
\n

\"\"<\/p>\n

In April 2026, we discovered a new malware campaign targeting players of \u201chentai\u201d games. Once launched, the infected games install a previously unknown malicious implant on the user\u2019s machine. After a few days, the implant downloads and executes a Trojan, resulting in full system compromise and broad remote control capabilities for the attackers. We dubbed this malware family \u201cArgamal\u201d.<\/p>\n

The malware uses COM hijacking to persist on the victim\u2019s machine, replacing the InprocServer32<\/code> entry for Windows Color System Calibration Loader DLL. This task is triggered when the user logs in, effectively allowing the malware to run at startup.<\/p>\n

Kaspersky solutions detect this threat as Trojan.Win32.Termixia.*<\/code>, Trojan.Win32.Agent.*<\/code>, HEUR:Trojan.Win32.Argamal.gen<\/code> and HEUR:Trojan-Downloader.Win32.Argamal.gen<\/code>.<\/p>\n

Technical details<\/h2>\n

Background<\/h3>\n

In April, as part of our ongoing monitoring of telemetry data, we found some suspicious DLLs. Further analysis revealed that various versions of these DLLs have existed since at least 2024.<\/p>\n

The DLLs were spawned by different games written using various game engines and programming languages, including RenPy (Python) and RPG Maker MV (JavaScript), among others. However, they all had one thing in common: they were all hentai games. We searched for the distribution sources and found a number of websites hosting game screenshots and download links. These links redirected users to PixelDrain, a free file transfer service.<\/p>\n

\"Adult<\/a><\/p>\n

Adult games catalogue<\/p>\n<\/div>\n

In addition to these websites, the trojanized games have also been distributed via different torrent trackers, including AniRena.<\/p>\n

\"Malicious<\/a><\/p>\n

Malicious game torrent in AniRena<\/p>\n<\/div>\n

Delivery<\/h3>\n

Both the dedicated websites and torrents delivered an archive containing the infected game.<\/p>\n

\"Contents<\/a><\/p>\n

Contents of the game archive<\/p>\n<\/div>\n

This archive contained fully functional, legitimate game files, as well as a modified FFmpeg DLL (SHA1: 42add9475e67a1ccc6a6af94b5475d3defc01b85<\/code>), that imported the DllGetClassObject<\/code> function from a file called natives2_blob.bin<\/code>. Since the game needs ffmpeg.dll<\/code> to run properly, the library loads as soon as the user starts the game.<\/p>\n

Script executor<\/h3>\n

The natives2_blob.bin<\/code> (SHA1: edce72f59e4c1d136cd1946af70d334c19df858d<\/code>) file is a DLL that executes a Base64-encoded PowerShell script when loaded.<\/p>\n

\"The<\/a><\/p>\n

The natives2_blob.bin file code<\/p>\n<\/div>\n

This PowerShell script, which we\u2019ll call Stage1<\/code>, performs basic checks for controlled environments. For example, it checks for the Sandboxie folder in Program Files and Procmon64 in the process list. If all the checks indicate that the process is not running in a controlled environment, it proceeds to establish persistence.<\/p>\n

Stage1<\/code> sets the MI_V<\/code> environment variable (and also MI_V2<\/code> in the new versions of malware) for the current user to another Base64-encoded PowerShell script, which we\u2019ll call Stage2<\/code>. After that, it sets the InprocServer32<\/code> registry key at HKCUSOFTWAREClassesCLSID{722D0F89-B69C-4700-AE8C-4A44350E4876}<\/code> to a random DLL file name in a random subdirectory of %USER%AppDataLocal<\/code>, as well as the ShellFolder<\/code> subkey to another random DLL file name in the same location. Stage1<\/code> also creates a scheduled task that will execute three days later. This task executes Stage2<\/code> and runs once.<\/p>\n

Stage2<\/code> is a payload downloader script. It takes previously generated DLL filenames from the registry and downloads an encrypted payload called zaesdl.dat<\/code> from GitHub using bitsadmin.exe<\/code>. The downloaded payload is saved in the settings.dat<\/code> file in the randomly chosen subdirectory of %USER%AppDataLocal<\/code>. Stage2<\/code> decrypts it using AES-CBC with the key zbcd1j9234r670eh<\/code> and an IV equal to the key. The decrypted payload is then saved in the DLL file specified in the ShellFolder<\/code> registry subkey.<\/p>\n

The decrypted payload is set as InprocServer32<\/code> at HKCUSOFTWAREClassesCLSID{B210D694-C8DF-490D-9576-9E20CDBC20BD}<\/code>, which is a COM object used by the MicrosoftWindowsWindowsColorSystemCalibration<\/code> Loader scheduled task. This task runs every time a user logs in, allowing the malware to run during every user session.<\/p>\n

Before quitting, Stage2 also removes the changes made under the HKCUSOFTWAREClassesCLSID{722D0F89-B69C-4700-AE8C-4A44350E4876}<\/code> registry key, unsets the MI_V<\/code> environment variable (and MI_V2 in newer versions), and removes the scheduled task that launched Stage2<\/code>.<\/p>\n

Malicious agent<\/h3>\n

Early payload versions decrypted themselves using the 0xB0C1D4E9<\/code> rolling XOR key, where the decryption key for the i + 1<\/code> block is the encrypted content of the i<\/code> block (each encrypted block being four bytes long). The most recent agent versions don\u2019t do that.<\/p>\n

The samples we found had string encryption; they use a simple substitution with a key that corresponds position-by-position to the following alphabet: ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789@#$.\/:<>*&~<\/code>. The decryption process involves finding the position of each symbol of the encrypted strings in the key, and replacing it with the symbol that occupies the same position in the alphabet.
\nDuring our investigation, we found the following keys were used:<\/p>\n