A sophisticated malware campaign utilizing the notorious ViperSoftX malware has been targeting users through cracked software and torrent downloads since early April 2025.
This PowerShell-based threat operates through a multi-stage infection process, establishing command and control communications before downloading additional malicious payloads.
The malware has been primarily observed targeting South Korean users, though its distribution methods suggest a potentially wider impact across multiple regions.
ViperSoftX operates by masquerading as legitimate software in cracked application packages, establishing itself on victim systems before communicating with command and control (C&C) servers.
During this communication process, the malware consistently includes parameters such as “/api/”, “/api/v1”, “/api/v2”, or “/api/v3/” in the URI path, creating a distinctive network signature.
After successfully establishing communication, the malware proceeds to download and execute additional malicious components.
ASEC researchers noted that the threat actors behind this campaign appear to be Arabic speakers, as evidenced by Arabic comments embedded within the PowerShell and VBS code used for C&C communication.
The analysis revealed that the attack campaign began on April 1, 2025, with a primary focus on South Korean victims, though the distribution scope may be expanding.
The infection chain begins with the download of a VBS downloader that creates a persistence folder at C:\ProgramData\SystemLoader and downloads additional components.
This initial downloader contains Arabic comments such as “تحميل a.ps1” (Download a.ps1) and “تحميل run.vbs” (Download run.vbs), providing clear evidence of the attackers’ origins.
The infection mechanism showcases sophisticated evasion techniques, particularly through a PowerShell downloader (a.ps1) that verifies and obtains administrator privileges if not already running with elevated permissions.
This script then adds Windows Defender exclusion paths for key system directories, so the payloads it later drops into those locations are never scanned, effectively bypassing the endpoint protection.
The PowerShell script contains numerous Arabic comments indicating its functions, including “إعدادات عامة” (General settings) and “إضافة استثناءات Windows Defender مباشرة” (Directly add exceptions to Windows Defender).
Following successful execution, the malware proceeds to download and execute additional payloads including PureCrypter, a commercial .NET packer that employs protobuf libraries for network communication, and Quasar RAT, an open-source remote access tool that provides comprehensive system control capabilities.
These downloads are driven by the same Arabic-commented PowerShell script.
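As an added defender-side check (not from the ASEC report or this article), the following PowerShell triage script looks for the host artifacts the infection chain leaves behind: the persistence folder, the stager file names, Defender path exclusions, and the Defender configuration-change event (ID 5007) that records exclusion edits. The list of broad root paths is an assumption; the article does not name which directories the downloader excludes.

```powershell
# Added host-triage check (not part of the ASEC report). Paths and file names come
# from the article; the "broad roots" list is an assumption, since the article does
# not state which directories the downloader excluded.
$loaderDir  = 'C:\ProgramData\SystemLoader'
$stagers    = @('a.ps1', 'run.vbs')
$broadRoots = @('C:\', 'C:\ProgramData', 'C:\Users', 'C:\Windows', 'C:\Windows\Temp', $env:TEMP)  # assumption
$findings   = [System.Collections.Generic.List[string]]::new()

# 1. Persistence folder and its contents
if (Test-Path -LiteralPath $loaderDir) {
    $findings.Add("Persistence folder present: $loaderDir")
    Get-ChildItem -LiteralPath $loaderDir -File -Force -ErrorAction SilentlyContinue | ForEach-Object {
        $tag = if ($stagers -contains $_.Name) { 'KNOWN STAGER' } else { 'file' }
        $findings.Add(('  {0}: {1} ({2} bytes, modified {3})' -f $tag, $_.FullName, $_.Length, $_.LastWriteTime))
    }
}

# 2. Current Defender path exclusions that cover the loader folder or a broad root
$exclusions = (Get-MpPreference).ExclusionPath
foreach ($ex in @($exclusions)) {
    if ([string]::IsNullOrWhiteSpace($ex)) { continue }
    $norm    = $ex.TrimEnd('\')
    $isBroad = $broadRoots | Where-Object { $_ -and $norm -ieq $_.TrimEnd('\') }
    if ($isBroad -or $norm -like "$loaderDir*") {
        $findings.Add("Defender path exclusion to review: $ex")
    }
}

# 3. Defender configuration-change events (ID 5007) from the last 30 days that touched
#    path exclusions; the event message carries the old/new registry value
$since = (Get-Date).AddDays(-30)
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 5007; StartTime = $since } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'Exclusions\\Paths' } |
    ForEach-Object {
        $line = $_.Message -split "`r?`n" | Where-Object { $_ -match 'Exclusions\\Paths' } | Select-Object -First 1
        $findings.Add(('Exclusion change at {0}: {1}' -f $_.TimeCreated, $line.Trim()))
    }

if ($findings.Count -eq 0) { 'No ViperSoftX host artifacts found.' } else { $findings }
```

Run it in an elevated session, since Get-MpPreference and the Defender operational log require administrator rights to read fully.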
To protect against ViperSoftX infections, users should avoid downloading software from unauthorized sources such as torrent sites and refrain from using cracked programs.
Instead, legitimate software from official sources and up-to-date antivirus solutions remain the most effective preventive measures.