Ddos 
K7 Labs has unveiled a detailed analysis of a new PowerShell-based malware campaign that builds on 2024’s ViperSoftX family β now with enhanced modularity, stealth, and resilience. Identified in early 2025 through samples circulating across underground forums and threat hunting communities, this evolution demonstrates a sharper focus on persistence and detection evasion.
βThe sample in question resembles ViperSoftX stealers from 2024, but with a notable increase in modularity, stealth, and persistence mechanisms,β the researchers wrote in the introduction.
The malware exhibits a structured, multi-phase execution model, from initialization to command-and-control (C2) communication. The key differentiators are its modular design and intelligent session management β a leap from its predecessor’s more straightforward approach.
One of the first enhancements spotted is in the use of mutexes:
βThe 2025 version uses a GUID-style mutex identifier and increases the sleep time to 300 seconds β this delays sandbox detection…β
By replacing static mutex naming with dynamically generated GUIDs, the malware not only evades detection but ensures only one instance runs concurrently, sidestepping traditional anti-malware hooks.
Unlike its 2024 counterpart, which delegated persistence to external loaders, the 2025 variant self-manages its foothold using a three-layer fallback system:
- Scheduled Task: A Windows logon task named WindowsUpdateTask.
- Registry Entry: Run key under HKCU.
- Startup Folder: A batch script dropped in the userβs startup directory.
βThe script copies itself to AppData\Microsoft\Windows\Config\winconfig.ps1,β the researchers detailed, showing how stealth and redundancy are now built-in.
In terms of C2 interaction, the malware has graduated from plaintext POSTs and deprecated WebClient calls to encrypted XOR-encoded payloads and modern .NET HttpClient APIs.
βIn 2025 it adopts HttpClient from the modern .NET API… aligning better with legitimate software behavior thereby staying under the radar.β
Moreover, the malware checks server state continuously using clever synchronization tactics:
βEvery 30s: Checks if the C2 has restarted… If yes β reset session. Else β fetch new commands.β
This capability β tracking infrastructure redeployments β suggests professional-grade backend coordination, rare in commodity malware.
The malware now supports broader reconnaissance:
- Public IP address via multiple fallback services
- System information harvesting
- Targeting password managers like KeePass
- Extended wallet targeting: MetaMask, Ledger, Coinbase, Exodus, and more.
It even mimics browser behavior in its request formatting, embedding metadata in base64-encoded HTTP GETs to avoid triggering intrusion detection systems.
Payload execution has also matured. βThe current variant creates PowerShell jobs to run each decoded payload,β making detection harder and execution more stable.
Using PowerShell background jobs instead of synchronous shell commands allows the malware to continue running silently while tasks execute in the background.
Related Posts:
- Information-Stealing ViperSoftX Malware Targets Cryptocurrencies and Password Managers Across the Globe
- ViperSoftX Malware: Arabic-Speaking Attackers Exploit PowerShell in New Cyberattack Campaign
- Unmasking Kimsuky’s Latest Tactics: A Deep Dive into Malicious Scripts and Payloads
- ViperSoftX Leverages Deep Learning with Tesseract to Exfiltrate Sensitive Information
- The Zero-Detection PHP Backdoor Glutton Exposed
Support Our Threat Intelligence
If you find our CVE report and cybersecurity news helpful, consider supporting our work.
Buy Me a Coffee
PayPal
