Argamal Malware Campaign Targets Hentai Game Players Worldwide
Severity: High (Score: 69.5)
Sources: Securelist, Kaspersky
Keywords: games, malware, argamal, kaspersky, hidden, hentai, targeting
Severity indicators: malware
Summary
In April 2026, Kaspersky discovered a new malware campaign named Argamal, targeting players of hentai games. This Remote Access Trojan (RAT) compromises systems by installing a malicious implant that later downloads a Trojan, granting attackers full control. The malware has been detected in multiple countries, including Russia, Brazil, and Germany. Distribution occurs through infected game downloads from websites and torrent trackers like AniRena, often disguised as legitimate game files. The malware employs COM hijacking for persistence and uses modified DLLs to execute malicious scripts. Kaspersky has identified various delivery methods, including embedding malicious payloads directly within game files. The campaign is ongoing, with the malware being actively updated. Users are advised to avoid downloading games from unverified sources.

Key Points:
- Argamal is a new RAT targeting players of hentai games, allowing full system compromise.
- The malware is distributed via infected game downloads from websites and torrent trackers.
- Kaspersky has detected Argamal in multiple countries, indicating a widespread impact.
Detailed Analysis
**Impact** Hundreds of users worldwide, including in Russia, Brazil, Germany, and Vietnam, have been targeted by this campaign. The primary victims are players of adult-themed games, specifically hentai games. The malware enables full system compromise, allowing attackers to steal data and credentials and gain broad remote control over infected devices. The campaign affects individual users rather than specific business sectors.

**Technical Details** The infection vector is trojanized hentai games distributed through dedicated websites that redirect to PixelDrain and through torrent trackers such as AniRena. The malware uses a modified FFmpeg DLL and a secondary DLL that executes Base64-encoded PowerShell scripts. Persistence is established through COM hijacking by modifying the InprocServer32 registry keys. A scheduled task triggers the payload downloader, which retrieves an AES-CBC encrypted payload from GitHub. Kaspersky detects the malware as Trojan.Win32.Termixia.*, Trojan.Win32.Agent.*, HEUR:Trojan.Win32.Argamal.gen, and HEUR:Trojan-Downloader.Win32.Argamal.gen. No exploited CVEs were reported.

**Recommended Response** Avoid downloading games and related software from unofficial or unverified sources, especially adult-themed content. Deploy endpoint security solutions capable of detecting the specified Trojan families and enable features such as file extension visibility to identify suspicious files. Monitor for scheduled tasks and unusual COM object registry modifications, particularly under HKCU\SOFTWARE\Classes\CLSID. No specific patches are indicated; focus on detection and prevention of unauthorized persistence mechanisms.
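
One way to carry out the COM registry check recommended above, as an added example that is not from Kaspersky or the source articles. The function name Get-UserComOverride and the list of "user-writable" locations are assumptions made here; the script only reads the registry and file signatures.

```powershell
# Added example: list per-user COM in-process server registrations.
# HKCU entries take precedence over HKLM for the logged-on user, which is
# what makes this key usable for COM hijacking persistence.
function Get-UserComOverride {
    [CmdletBinding()]
    param([string]$Root = 'HKCU:\SOFTWARE\Classes\CLSID')

    if (-not (Test-Path -LiteralPath $Root)) { return }

    # Assumption: these locations are treated as user-writable for triage.
    $writable = @($env:USERPROFILE, $env:ProgramData, $env:TEMP) | Where-Object { $_ }

    Get-ChildItem -LiteralPath $Root -ErrorAction SilentlyContinue | ForEach-Object {
        $clsid  = $_.PSChildName
        $subKey = Get-Item -LiteralPath "$Root\$clsid\InprocServer32" -ErrorAction SilentlyContinue
        if (-not $subKey) { return }          # no in-process server for this CLSID

        $raw = [string]$subKey.GetValue('')   # default value holds the DLL path
        if ([string]::IsNullOrWhiteSpace($raw)) { return }
        $dll = [Environment]::ExpandEnvironmentVariables($raw.Trim('"'))

        $signature = 'FileMissing'
        if (Test-Path -LiteralPath $dll -PathType Leaf) {
            $signature = (Get-AuthenticodeSignature -LiteralPath $dll).Status
        }
        $inWritable = [bool]($writable | Where-Object {
            $dll.StartsWith($_, [StringComparison]::OrdinalIgnoreCase) })

        [pscustomobject]@{
            CLSID            = $clsid
            Dll              = $dll
            ShadowsHKLM      = Test-Path -LiteralPath "HKLM:\SOFTWARE\Classes\CLSID\$clsid\InprocServer32"
            Signature        = $signature
            UserWritablePath = $inWritable
        }
    }
}

# Review entries that shadow a machine-wide class or sit in a writable path first.
Get-UserComOverride |
    Sort-Object ShadowsHKLM, UserWritablePath -Descending |
    Format-Table -AutoSize -Wrap
```

Legitimate per-user software also registers COM classes under this key, so the output is a triage list: an entry that shadows an HKLM class and points to an unsigned DLL in a user-writable directory deserves the closest look.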
Source articles (2)
- Argamal: Malware hidden in hentai games — Securelist · 2026-06-03
  In April 2026, we discovered a new malware campaign targeting players of “hentai” games. Once launched, the infected games install a previously unknown malicious implant on the user’s machine. After a…
- Kaspersky discovers Argamal: a new malware hidden in games for adults — Kaspersky · 2026-06-03
  Kaspersky GReAT researchers have uncovered a new Remote Access Trojan (RAT) targeting hundreds of users of adult games. The malware, dubbed Argamal, has already been detected in Russia, Brazil, German…
Timeline
- 2026-04-01 — Discovery of Argamal malware campaign: Kaspersky's telemetry monitoring revealed a new RAT targeting hentai game players, leading to system compromises.
- 2026-04-01 — Malware distribution methods identified: Infected games were found on various websites and torrent trackers, including AniRena, disguised as legitimate files.
- 2026-04-01 — Malware execution method detailed: The malware uses COM hijacking and modified DLLs to maintain persistence and execute malicious scripts.
Related entities
- Malware (Attack Type)
- Trojan (Attack Type)
- Brazil (Country)
- Germany (Country)
- Russia (Country)
- Vietnam (Country)
- Argamal (Malware)
- Termixia (Malware)
- T1053 - Scheduled Task/Job (Mitre Attack)
- T1059.001 - PowerShell (Mitre Attack)
- T1071 - Application Layer Protocol (Mitre Attack)
- T1547 - Boot Or Logon Autostart Execution (Mitre Attack)
- T1574 - Hijack Execution Flow (Mitre Attack)
- Ffmpeg (Tool)
- Bitsadmin.exe (Tool)
- PowerShell (Tool)
- RenPy (Platform)
- RPG Maker MV (Platform)
- Windows (Platform)