A sophisticated malware campaign using the notorious ViperSoftX malware has been targeting users through cracked software and torrent downloads since early April 2025. This PowerShell-based threat operates through a multi-stage infection process, establishing command and control (C&C) communications before downloading additional malicious payloads. The malware has been primarily observed targeting South Korean users, though its distribution methods suggest a potentially wider impact across multiple regions.

ViperSoftX masquerades as legitimate software inside cracked application packages, establishes itself on the victim system and then contacts its C&C servers. Once communication is established, it downloads and executes additional malicious components.

ASEC researchers noted that the threat actors behind this campaign appear to be Arabic speakers, as evidenced by Arabic comments embedded in the PowerShell and VBS code used for C&C communication. The analysis revealed that the campaign began on April 1, 2025, with a primary focus on South Korean victims, though the distribution scope may be expanding.

The infection chain begins with the download of a VBS downloader that creates a persistence folder at C:\ProgramData\SystemLoader and downloads additional components. This initial downloader contains Arabic comments such as “تحميل a.ps1” (Download a.ps1) and “تحميل run.vbs” (Download run.vbs), providing clear evidence of the attackers’ origins.

The infection mechanism shows sophisticated evasion techniques, in particular a PowerShell downloader (a.ps1) that checks whether it is running with elevated permissions and obtains administrator privileges if it is not. The PowerShell script contains numerous Arabic comments describing its functions, including “إعدادات عامة” (General settings) and “إضافة استثناءات Windows Defender مباشرة” (Directly add exceptions to Windows Defender).

During C&C communication, the malware consistently includes parameters such as “/api/”, “/api/v1”, “/api/v2” or “/api/v3/” in the URI path, creating a distinctive network signature.

Following successful execution, the malware downloads and executes additional payloads, including PureCrypter, a commercial .NET packer that uses protobuf libraries for network communication, and Quasar RAT, an open-source remote access tool that provides comprehensive system control capabilities.

To protect against ViperSoftX infections, users should avoid downloading software from unauthorized sources such as torrent sites and refrain from using cracked programs.
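The report gives two kinds of indicators a defender can correlate: the `/api/`, `/api/v1`, `/api/v2`, `/api/v3/` URI signature (weak on its own, since such paths are everywhere in benign traffic) and host artifacts such as the `C:\ProgramData\SystemLoader` folder, the `a.ps1`/`run.vbs` stage names and the Defender exclusions the script adds. The following detector is an added example, not code from the article or from ASEC; the log formats and the sample lines are constructed, and `Add-MpPreference` is assumed as the exclusion cmdlet because the article does not name it.

```python
import re
from collections import defaultdict
# Network signature from the report: "/api/", "/api/v1", "/api/v2" or "/api/v3/" in the
# URI path. These paths are common in benign traffic, so a hit scores only 1 point.
URI_RE = re.compile(r"/api(?:/v[123])?(?:/|$)")
# Host artifacts from the report. The report says the PowerShell stage adds Windows
# Defender exclusions but does not name the cmdlet; Add-MpPreference is an assumption.
HOST_RULES = [
    (re.compile(r"C:\\ProgramData\\SystemLoader", re.I), 3, "persistence folder"),
    (re.compile(r"\b(?:a\.ps1|run\.vbs)\b", re.I), 2, "stage file a.ps1/run.vbs"),
    (re.compile(r"Add-MpPreference\s+-Exclusion", re.I), 3, "Defender exclusion (assumed cmdlet)"),
]
ALERT_THRESHOLD = 4  # the network signature alone (1 point) never alerts by itself

def score_proxy_line(line):
    """Constructed proxy format: '<ts> <host> <method> <path>'. Returns [(host, points, reason)]."""
    parts = line.split(maxsplit=3)
    if len(parts) < 4 or not URI_RE.search(parts[3]):
        return []
    return [(parts[1], 1, f"C2-style URI {parts[3]}")]

def score_host_line(line):
    """Constructed script-block log format: '<ts> <host> <script text>'. One hit per matching rule."""
    parts = line.split(maxsplit=2)
    if len(parts) < 3:
        return []
    return [(parts[1], pts, why) for rule, pts, why in HOST_RULES if rule.search(parts[2])]

def correlate(proxy_lines, host_lines):
    """Sum points per host across both sources; return hosts reaching ALERT_THRESHOLD."""
    hits = defaultdict(list)
    scored = [h for l in proxy_lines for h in score_proxy_line(l)]
    scored += [h for l in host_lines for h in score_host_line(l)]
    for host, pts, why in scored:
        hits[host].append((pts, why))
    return {h: sorted(why for _, why in v) for h, v in hits.items()
            if sum(pts for pts, _ in v) >= ALERT_THRESHOLD}

# Constructed sample logs: WS-17 shows the full chain, WS-04 only a benign /api/v2 call.
PROXY_SAMPLE = ["2025-04-02T10:01:00Z WS-17 GET /api/v1",
                "2025-04-02T10:01:05Z WS-17 POST /api/v3/",
                "2025-04-02T10:02:00Z WS-04 GET /api/v2/products?id=7"]
HOST_SAMPLE = ["2025-04-02T10:00:30Z WS-17 New-Item -ItemType Directory C:\\ProgramData\\SystemLoader",
               "2025-04-02T10:00:40Z WS-17 Add-MpPreference -ExclusionPath C:\\ProgramData\\SystemLoader",
               "2025-04-02T10:00:50Z WS-04 Get-ChildItem C:\\Users\\bob\\Documents"]

if __name__ == "__main__":
    for host, reasons in correlate(PROXY_SAMPLE, HOST_SAMPLE).items():
        print(host, reasons)
```

WS-04 is never reported even though it hit the URI pattern, which is the point: the network signature should only raise an alert together with the host-side artifacts.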
This Cyber News was published on cybersecuritynews.com. Publication date: Sun, 13 Apr 2025 00:30:04 +0000