ViperSoftX Malware Distributed by Arabic-Speaking Threat Actor
AhnLab SEcurity intelligence Center (ASEC) uncovered that attackers, suspected to be Arabic speakers, have been distributing ViperSoftX malware targeting Korean victims since April 1, 2025. ViperSoftX is typically spread through cracked software or torrents, masquerading as legitimate programs. The main characteristic of ViperSoftX is that it operates as a PowerShell script. During the C&C communication process, path segments such as “/api/”, “/api/v1”, “/api/v2”, and “/api/v3/” are always included in the URI path. After the C&C communication process, additional malware is downloaded. In this particular campaign, while the initial distribution method of ViperSoftX remains unclear, the PowerShell and VBS code used for C&C communication contains Arabic comments, suggesting that the attacker is an Arabic speaker.
According to the AhnLab Smart Defense (ASD) infrastructure, additional malware such as a VBS downloader, a malicious PowerShell script, PureCrypter (a downloader), and Quasar RAT is downloaded by ViperSoftX. The following was identified during the ViperSoftX C&C communication process.
1. VBS Downloader (File name: vbs.vbs)
ViperSoftX downloads a PowerShell script and a VBS file that executes the script from the threat actor’s C&C server, then executes them.
| VBS downloader features |
| --- |
| 1. Download the PowerShell and VBS files from a remote server. |
| 2. Create the folder C:\ProgramData\SystemLoader if it does not exist. |
| 3. If the file run.vbs exists, execute run.vbs. |
Table 1. VBS downloader features
Arabic Comment Information
- ‘ تحميل a.ps1 → Download a.ps1
- ‘ تحميل run.vbs → Download run.vbs
- ‘ تشغيل run.vbs إذا كان موجود → Run run.vbs if it exists

Figure 1. VBS downloader
2. run.vbs
The VBS file executes a.ps1 using the following command:
- powershell -ExecutionPolicy Bypass -WindowStyle Hidden -File a.ps1

Figure 2. VBS Runner (run.vbs)
3. PowerShell Downloader (File name: a.ps1)
This PowerShell script downloads and executes PureCrypter and Quasar RAT, adding Windows Defender exception paths to evade detection. It is designed to run with administrator privileges, ensuring that any subsequent malware also gains administrator access. The script’s primary function is to secure administrator privileges and bypass security software to execute remotely downloaded malware.
| PowerShell Downloader Features |
| --- |
| 1. Check for administrator privileges and re-execute with administrator privileges if not already running as admin. |
| 2. Suppress error and progress output. |
| 3. Use the TLS 1.2 protocol and bypass server certificate validation so that all certificates are trusted. |
| 4. Add Windows Defender exclusion paths for the drive roots (C:\, D:\). |
| 5. Create and execute a file at C:\ProgramData\NVIDIA.exe. |
Table 2. PowerShell Downloader Features
Arabic Comment Information
- تأكد من تشغيل السكربت كـ Administrator، لو مش كده يعيد تشغيل نفسه كأدمن → Ensure the script is running as Administrator; if not, re-execute it as admin.
- إعدادات عامة → General settings.
- تأخير بسيط → Brief delay.
- إضافة استثناءات لـ Windows Defender مباشرة → Directly add exceptions to Windows Defender.
- تأخير تاني → Another delay.
- تحميل وتشغيل الملف بصمت → Download and execute the file silently.
- حذف الملف القديم لو موجود → Delete the old file if it exists.
- طريقة التحميل الأولى → First download method.

Figure 3. PowerShell script code
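Two defender-side checks derived from the behaviour described above, as an added example that is not part of ASEC's report: the first flags proxy log lines whose URI path follows the /api/, /api/v1, /api/v2, /api/v3/ convention and whose destination is either a C&C address listed in this report or a bare IP (the latter is a heuristic, not proof of infection); the second flags Windows Defender exclusion entries that exempt an entire drive, as the a.ps1 downloader adds. The proxy log lines and the exclusion list are constructed sample input.

```python
import re
from ipaddress import ip_address
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# URI path prefixes ASEC reports as always present in ViperSoftX C&C requests.
VIPERSOFTX_API_PREFIXES = ("/api/v1", "/api/v2", "/api/v3/", "/api/")
KNOWN_C2_HOSTS = {"89.117.79.31", "65.109.29.234"}  # C&C hosts listed in the report
DRIVE_ROOT = re.compile(r"^[A-Za-z]:\\?$")  # a whole-drive exclusion such as "C:\"

# Constructed proxy log lines (not from the report): "<client> <method> <url> <status>".
SAMPLE_PROXY_LOG = """\
10.0.0.5 GET http://89.117.79[.]31:56005/api/v1/check 200
10.0.0.7 POST https://api.example.com/api/v2/login 200
10.0.0.9 GET http://203.0.113.10/api/v3/report 200
10.0.0.9 GET http://203.0.113.10/static/app.js 200
"""
# Constructed Defender exclusion list, in the form Get-MpPreference reports ExclusionPath.
SAMPLE_EXCLUSIONS = ["C:\\", "D:\\", r"C:\Program Files\Corp\agent"]

def classify_url(url: str) -> Optional[str]:
    """Return why a URL looks like ViperSoftX C&C traffic, or None if it does not."""
    parts = urlsplit(url.replace("[.]", "."))  # accept defanged input
    host, path = parts.hostname or "", parts.path or "/"
    if not any(path.startswith(p) for p in VIPERSOFTX_API_PREFIXES):
        return None
    if host in KNOWN_C2_HOSTS:
        return "known ViperSoftX C&C host"
    try:  # bare-IP destination plus an /api/ path: worth a look, not proof
        ip_address(host)
        return "direct-to-IP request with /api/-style path (heuristic)"
    except ValueError:
        return None

def hunt_proxy_log(log_text: str) -> List[Tuple[str, str, str]]:
    """Return (client, url, reason) for every log line that classify_url flags."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) >= 3 and (reason := classify_url(fields[2])):
            hits.append((fields[0], fields[2], reason))
    return hits

def broad_defender_exclusions(paths: List[str]) -> List[str]:
    """Return exclusion entries that exempt an entire drive, as the downloader adds."""
    return [p for p in paths if DRIVE_ROOT.match(p.strip())]
```

On a live host, feed `broad_defender_exclusions` the output of `(Get-MpPreference).ExclusionPath`; any drive-root entry there warrants the same scrutiny as the C:\ProgramData\SystemLoader folder and the file names listed under "File Path" below.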
Additional Malware Downloaded by PowerShell
1. PureCrypter
PureCrypter [1] is a commercial .NET packer malware that has been on sale since 2021. It supports various features such as initial infection vectors (downloaders, VBA macros, loaders), injection methods, target settings, and detection evasion (Anti) techniques. In this attack, PureCrypter was used as a downloader. A key feature of PureCrypter is its use of the protobuf library for network communication. This allows attackers to serialize commands or status information into predefined message structures when communicating with the C&C server.

Figure 4. PureCrypter’s ProtoBuf namespace

Figure 5. PureCrypter’s call stack (ProtoBuf class used) during C&C communication
File Path
- %ALLUSERSPROFILE%\nvidia.exe
- %ALLUSERSPROFILE%\teamviewer.exe
- %ALLUSERSPROFILE%\temp.exe
- %ALLUSERSPROFILE%\words.exe
C&C Address
- 89.117.79[.]31:56005
- 89.117.79[.]31:56004
- 89.117.79[.]31:56003
- 65.109.29[.]234:7702
2. Quasar RAT
Quasar RAT is an open-source remote access tool (RAT) based on .NET. It provides features such as keylogging, executing remote commands, and uploading/downloading files. The threat actor is suspected to have used this RAT to control the infected system remotely.

Figure 6. Identified Quasar RAT namespace (related to xClient)
File Path
- %ALLUSERSPROFILE%\winrar.exe
- %ALLUSERSPROFILE%\micro.exe
C&C Address
- 65.109.29[.]234
Through this analysis, ASEC discovered that Arabic-speaking attackers have been distributing ViperSoftX malware to a broad range of targets in South Korea since April 1, 2025. The malware identified so far includes PureCrypter and Quasar RAT, but there is a possibility that other malicious software could also be installed. ASEC is actively monitoring and responding to this type of malware. To prevent infection from such malware, users should avoid downloading software from torrent sites or using cracked programs. Instead, they should use legitimate software and keep their antivirus solutions updated to the latest version.