ViperSoftX Attackers Target Monero

AhnLab SEcurity intelligence Center (ASEC) has confirmed that the ViperSoftX attackers are installing coin miners to mine Monero cryptocurrency. ViperSoftX is a remote control malware that steals cryptocurrency wallet addresses. These attackers primarily distribute malware disguised as cracks or keygens for legitimate software, or as eBooks. In addition to ViperSoftX, they have also used tools such as QuasarRAT, PureRAT (PureHVNC), and ClipBanker, all aimed at remote control and cryptocurrency wallet address theft. However, recent cases have revealed that they are now installing coin-mining malware to mine Monero.

1. ViperSoftX

ViperSoftX was first identified by Fortinet in 2020. It installed Remote Access Trojan (RAT) malware that is capable of controlling infected systems, along with information-stealing malware that targets cryptocurrency wallet addresses. [1] In 2022, Avast reported new ViperSoftX activity: instead of using JavaScript as before, the attackers switched to PowerShell scripts and added features such as clipboard hijacking and additional payload installation. They also used VenomSoftX, a malicious Chrome-based browser extension, to steal information. [2] A 2023 report by Trend Micro discussed ViperSoftX’s distribution methods and revealed that a new routine had been added to check whether password managers such as “KeePass 2” and “1Password” were installed. [3] In 2024, Trellix disclosed cases where ViperSoftX was distributed via torrents disguised as eBooks. [4]

ViperSoftX targets systems worldwide, and many infections have been observed in South Korea as well. ASEC has published blog posts detailing attacks against targets in Korea. In 2024, ASEC reported TesseractStealer, malware that uses the open-source Tesseract OCR engine to extract text from images and steal passwords or cryptocurrency wallet details. [5] In 2025, ASEC highlighted new threats such as PureRAT and ClipBanker, which focus on remote access and wallet address theft. [6]

2. Malware Analysis

2.1. Initial Script

ViperSoftX registers tasks in the Windows Task Scheduler to periodically execute malicious PowerShell scripts. These scripts either read and decrypt data from a specific offset within a disguised file or retrieve PowerShell commands stored in the registry for execution. This technique remains unchanged in recent attacks. Additionally, ViperSoftX still uses methods such as generating C&C addresses through a Domain Generation Algorithm (DGA) and abusing DNS TXT records, similar to earlier campaigns.

Figure 1. Obtaining C&C server via DGA

Figure 2. Encrypted PowerShell commands downloaded
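As an added illustration of how a defender might check for the persistence technique described in 2.1, the following Python script (written for this page, not ASEC's code) parses Task Scheduler task definitions and flags PowerShell actions that read a command from the registry, carve bytes from an offset inside another file, or run hidden or encoded. The task XML inside it is constructed, and the regex heuristics are assumptions to be tuned against real telemetry.

```python
import re
import xml.etree.ElementTree as ET

# Namespace used by Task Scheduler task definitions (as exported by schtasks /query /xml).
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Starting-point heuristics for the traits described in 2.1; assumptions, tune them on real data.
INDICATORS = {
    "registry_read": re.compile(r"Get-ItemProperty|GetValue\(|HKCU:|HKLM:|Registry::", re.I),
    "file_offset_read": re.compile(r"ReadAllBytes|FileStream|\.Seek\(|\[\d+\.\.", re.I),
    "hidden_or_encoded": re.compile(r"-enc(odedcommand)?\b|-w(indowstyle)?\s+hidden|-nop\b|FromBase64String", re.I),
}
POWERSHELL = re.compile(r"(?:^|\\)(?:powershell|pwsh)(?:\.exe)?$", re.I)

def task_actions(task_xml: str):
    """Yield (command, arguments) for every Exec action in one task definition."""
    root = ET.fromstring(task_xml)
    for exec_ in root.findall(".//t:Actions/t:Exec", NS):
        yield (exec_.findtext("t:Command", default="", namespaces=NS).strip(),
               exec_.findtext("t:Arguments", default="", namespaces=NS).strip())

def assess_task(task_xml: str) -> list:
    """Return the sorted indicator names that fire on PowerShell actions; [] means nothing fired."""
    hits = set()
    for command, arguments in task_actions(task_xml):
        if POWERSHELL.search(command.strip('"')):
            hits.update(name for name, rx in INDICATORS.items() if rx.search(arguments))
    return sorted(hits)

# Constructed task definitions (not taken from a real sample) to exercise the check.
_HEAD = '<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task"><Actions><Exec>'
_TAIL = "</Exec></Actions></Task>"
REGISTRY_TASK = (_HEAD + "<Command>powershell.exe</Command>"
    '<Arguments>-nop -w hidden -c "iex (Get-ItemProperty HKCU:\\Software\\Demo).Cmd"</Arguments>' + _TAIL)
OFFSET_TASK = (_HEAD + "<Command>C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe</Command>"
    "<Arguments>-c \"$b=[IO.File]::ReadAllBytes('C:\\Users\\Public\\readme.log');"
    "iex ([Text.Encoding]::UTF8.GetString($b[4096..($b.Length-1)]))\"</Arguments>" + _TAIL)
BENIGN_TASK = (_HEAD + "<Command>powershell.exe</Command>"
    "<Arguments>-File C:\\Scripts\\backup.ps1</Arguments>" + _TAIL)

if __name__ == "__main__":
    for label, xml in (("registry", REGISTRY_TASK), ("offset", OFFSET_TASK), ("benign", BENIGN_TASK)):
        print(label, assess_task(xml) or "no indicators")
```

On a live host the same function can be fed the output of "schtasks /query /xml" for each task, one definition at a time.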

The PowerShell commands identified in these attack cases are shown below; they are used to install ViperSoftX and other malware.

Figure 3. The additional payload downloader script

2.2. ViperSoftX

ViperSoftX retains the same structure as previously analyzed variants. It can execute additional commands, install payloads, monitor windows related to cryptocurrency wallet applications, track clipboard content for wallet addresses, and transmit system information.

Command         Function
Cmd             Run PowerShell command
DwnlExe         Download and run executable file
SelfRemove      End
RestartClient   End

Table 1. Commands supported by ViperSoftX

Additionally, ViperSoftX uses another script to monitor the presence of cryptocurrency wallet applications, browser extensions, and password managers such as KeePass and 1Password on the infected system.

Figure 4. Routine for monitoring cryptocurrency wallets and password managers

2.3. QuasarRAT

QuasarRAT is an open-source RAT malware developed in .NET that provides remote control features such as process and file management, system operations, remote command execution, and file upload/download. It also supports features like keylogging and credential harvesting to steal user information stored on infected systems.

Figure 5. Decrypted QuasarRAT configuration data

2.4. PureRAT and PureLogs Downloader

While ViperSoftX attackers previously relied mainly on QuasarRAT for system control, in 2025 they began using malware like PureRAT. PureRAT is a RAT that offers remote control features such as file, task, process, and registry management. It also provides advanced capabilities through plugins, including Hidden Virtual Network Computing (HVNC), remote desktop access, keylogging, and clipboard hijacking, enabling full remote control of infected systems.

Figure 6. PureRAT configuration

PureRAT is developed and sold by a developer known as PureCoder, who also offers other malware such as PureCrypter and PureLogs. Among the malware used in these attacks, some variants—though currently unable to communicate with their C&C servers—are believed to function as downloaders for PureLogs, an infostealer.

Figure 7. Downloader configuration

2.5. Coin Miner

Some of the downloaders used in these attacks, including those that install QuasarRAT or PureRAT, are built to fetch additional payloads. Although these samples currently cannot communicate with their C&C servers, their configuration data indicates that they also function as coin miners: it contains settings related to XMRig, a popular Monero cryptocurrency mining tool.

Figure 8. Coin Miner configuration data
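The XMRig-related details mentioned in 2.5 are something a triage script can look for once configuration data has been decrypted. The Python below is an added example for this page, not ASEC's tooling: the config string and the wallet-like value are constructed, and the indicator patterns (pool URL, Monero address shape, XMRig-specific options) are assumptions to refine against your own sample set.

```python
import re

# Traits of an XMRig command line or JSON config; heuristic starting points, not a signature.
MINER_INDICATORS = {
    # stratum pool endpoint, e.g. stratum+tcp://host:port
    "stratum_pool": re.compile(r"stratum\+(?:tcp|ssl)://[\w.-]+:\d{2,5}", re.I),
    # 95-character base58 Monero address (standard address starts with 4, subaddress with 8)
    "monero_address": re.compile(
        r"(?<![1-9A-HJ-NP-Za-km-z])[48][1-9A-HJ-NP-Za-km-z]{94}(?![1-9A-HJ-NP-Za-km-z])"),
    # options and names specific to XMRig, only when they start a token
    "xmrig_option": re.compile(
        r"(?<!\S)(?:--donate-level|--algo|--coin|--randomx-|--cpu-max-threads-hint|rig-id|xmrig)", re.I),
}

def scan_config(text: str) -> dict:
    """Return {indicator_name: [matches]} for every indicator found in a decoded config blob."""
    return {name: rx.findall(text) for name, rx in MINER_INDICATORS.items() if rx.search(text)}

def looks_like_miner(text: str) -> bool:
    """A pool URL together with either a wallet address or an XMRig-only option is treated as a miner config."""
    found = scan_config(text)
    return "stratum_pool" in found and any(k in found for k in ("monero_address", "xmrig_option"))

# Constructed sample data (not from a real ViperSoftX payload).
CONSTRUCTED_WALLET = "4" + "A1b2C3d4E5f6G7h8" * 5 + "xyzw12345678uv"   # 95 base58 chars, fake
SAMPLE_CONFIG = (f"xmrig.exe -o stratum+tcp://pool.example.invalid:3333 -u {CONSTRUCTED_WALLET} "
                 "-p x --donate-level=1 --algo=rx/0 --cpu-max-threads-hint=50")
BENIGN_CONFIG = '{"server": "https://updates.example.invalid:443", "interval": 3600}'

if __name__ == "__main__":
    for label, blob in (("sample", SAMPLE_CONFIG), ("benign", BENIGN_CONFIG)):
        print(label, looks_like_miner(blob), scan_config(blob))
```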

3. Conclusion

ViperSoftX attackers have been targeting cryptocurrency users for years and continue to actively distribute malware. Their goal is to steal cryptocurrency-related information or disrupt transactions using various malicious tools. Once a system is infected with ViperSoftX, the attackers can gain full control of it and steal not only the data mentioned above but potentially much more victim data. Recently, cases of coin miner installation have been confirmed, allowing the attackers to abuse system resources to mine Monero cryptocurrency.

Users should avoid downloading software from suspicious websites or file-sharing platforms. Also, it is important to apply the latest security patches to your operating system and installed applications, and keep security solutions such as V3 updated to block known attacks.
