AhnLab Security intelligence Center (ASEC) has revealed a cyberattack campaign where Arabic-speaking attackers are distributing ViperSoftX malware, targeting victims in South Korea since April 1, 2025.
First discovered masquerading as cracked software on torrent platforms, ViperSoftX distinguishes itself by using PowerShell scripts for initial execution and command-and-control (C&C) communication. ASEC notes:
“ViperSoftX is typically spread through cracked software or torrents, masquerading as legitimate programs… The main characteristic of ViperSoftX is that it operates as a PowerShell script.”
The malware communicates with its C&C servers using URI paths that always include patterns like “/api/v1” or “/api/v3/”, and then silently downloads further payloads.
The ASEC report highlights Arabic-language comments embedded in both the PowerShell and VBScript payloads, strongly indicating the origin of the threat actors.
The additional malware downloaded by ViperSoftX includes:
VBS Downloader: This component downloads PowerShell and VBS files from the attacker’s C&C server and executes them. It also has the capability to create a specific folder (“C:\ProgramData\System Loader”) and execute a VBS file named “run.vbs” if it exists.
PowerShell Downloader: This script downloads and executes PureCrypter and Quasar RAT. It also attempts to evade detection by adding exclusion paths to Windows Defender. The PowerShell script is designed to gain administrator privileges, ensuring that any subsequently downloaded malware also operates with elevated privileges.
PureCrypter: Described as a commercial .NET packer malware, PureCrypter has been available since 2021 and is used as a downloader in this campaign. It employs the protobuf library for network communication, enabling attackers to serialize commands and status information.
Quasar RAT: This is an open-source remote access tool (RAT) that provides attackers with capabilities such as keylogging, remote command execution, and file uploading/downloading. It is suspected that the attackers use this RAT to remotely control infected systems.
ASEC’s analysis confirms that Arabic-speaking attackers have been distributing ViperSoftX malware to various targets in South Korea since the beginning of April 2025. While PureCrypter and Quasar RAT have been identified, there remains a possibility of additional malware being installed.
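For defenders, the behaviours described above can be combined into a host triage check; the following is an added example, not code from the ASEC report or from AhnLab. The normalized event schema (`host`, `type`, `image`, `uri_path`, `path`, `command_line`), the sample events and the assumption that Defender exclusions show up as `Add-MpPreference`/`Set-MpPreference -ExclusionPath` in command lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Behaviours named in the article. Each is weak alone ("/api/v1" is common in
# legitimate traffic), so hosts are flagged only on a combination of signals.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}
C2_PATH = re.compile(r"/api/v(?:1|3/)", re.I)        # "/api/v1" or "/api/v3/"
STAGING_DIR = r"c:\programdata\system loader"
# Assumption: exclusions are added with the Defender cmdlets on the command line.
DEFENDER_EXCL = re.compile(r"(add|set)-mppreference\b.*-exclusionpath", re.I)

def signals(ev):
    """Return the set of article-described behaviours that one event matches."""
    hits = set()
    image = ev.get("image", "").lower().rsplit("\\", 1)[-1]
    if ev["type"] == "http" and image in SCRIPT_HOSTS and C2_PATH.search(ev["uri_path"]):
        hits.add("script_host_api_uri")
    if ev["type"] == "file" and ev["path"].lower().startswith(STAGING_DIR):
        hits.add("system_loader_folder")
    if ev["type"] == "proc":
        cmd = ev["command_line"].lower()
        if STAGING_DIR in cmd and "run.vbs" in cmd:
            hits.add("run_vbs_from_system_loader")
        if DEFENDER_EXCL.search(cmd):
            hits.add("defender_exclusion_added")
    return hits

def triage(events, threshold=2):
    """Collect signals per host; report hosts with >= threshold distinct signals."""
    per_host = defaultdict(set)
    for ev in events:
        per_host[ev["host"]] |= signals(ev)
    return {h: sorted(s) for h, s in per_host.items() if len(s) >= threshold}

# Constructed sample events (not taken from the ASEC report).
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE = [
    {"host": "ws-01", "type": "http", "image": PS, "uri_path": "/api/v1/abc"},
    {"host": "ws-01", "type": "file", "path": r"C:\ProgramData\System Loader\run.vbs"},
    {"host": "ws-01", "type": "proc", "command_line": r'wscript.exe "C:\ProgramData\System Loader\run.vbs"'},
    {"host": "ws-01", "type": "proc", "command_line": r"powershell.exe Add-MpPreference -ExclusionPath C:\ProgramData"},
    {"host": "ws-02", "type": "http", "image": r"C:\Program Files\App\browser.exe", "uri_path": "/api/v1/users"},
    {"host": "ws-03", "type": "proc", "command_line": r"powershell.exe Add-MpPreference -ExclusionPath D:\build"},
]

if __name__ == "__main__":
    for host, hits in triage(SAMPLE).items():
        print(host, hits)
```

A browser calling `/api/v1/users` and an administrator adding a single Defender exclusion both stay below the threshold; only the host showing several of the reported behaviours together is returned.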