Threat Actors Using ViperSoftX Malware to Exfiltrate Sensitive Details

Korean cybersecurity researchers have uncovered a sophisticated malware campaign targeting cryptocurrency users worldwide, with ViperSoftX emerging as a persistent threat that continues to evolve its attack methodologies.
First identified by Fortinet in 2020, this malware has demonstrated remarkable longevity and adaptability, consistently updating its techniques to bypass security measures while maintaining its core objective of stealing digital assets and sensitive information from infected systems.
The malware primarily spreads through deceptive distribution channels, masquerading as cracked software, key generators for legitimate applications, and even eBooks distributed via torrent sites.
This distribution strategy exploits users’ desire for free software, turning their trust into a vulnerability that threat actors readily exploit.
The campaign has proven particularly effective against users who download pirated software, making cracked-software distribution one of the primary initial access tactics observed, alongside exploitation of poorly managed services and malicious email attachments.
ASEC analysts identified that ViperSoftX operators have significantly expanded their arsenal beyond simple cryptocurrency theft, now deploying additional malware families including Quasar RAT for remote access, PureCrypter as an executable loader, and PureHVNC for comprehensive system control.
The researchers noted that while the threat actors are not specifically targeting South Korea, the widespread use of cracked software distribution methods has resulted in numerous confirmed infection cases across the region, highlighting the global reach of this campaign.
The malware’s impact extends beyond individual cryptocurrency theft, as it establishes persistent backdoors that allow threat actors to execute arbitrary commands, download additional payloads, and maintain long-term access to compromised systems.
This creates a cascading security risk where initial cryptocurrency-focused attacks can evolve into comprehensive data breaches and system compromises affecting both individual users and potentially their organizational networks.
Advanced Persistence Mechanisms and System Integration
ViperSoftX demonstrates sophisticated persistence capabilities through its strategic use of Windows Task Scheduler, implementing multiple registration methods to ensure continued execution even after system reboots.
The malware employs at least two distinct persistence techniques, each designed to evade detection while maintaining reliable command and control communication with its operators.
The primary persistence method involves creating scheduled tasks that execute malicious PowerShell scripts through VBScript commands.
These tasks read a specific byte range from a seemingly legitimate log file, which actually contains Base64-encoded PowerShell code embedded at a predetermined offset.
The malware reads exactly 0x1A6 bytes from offset 0x1F843C of the target file, Base64-decodes that data into a PowerShell downloader script, and executes it.
This technique demonstrates the malware’s ability to hide its payload within apparently innocuous system files, making detection significantly more challenging for traditional security tools.
001F8440 62 47 55 67 4B 43 52 30 63 6E 56 6C 4B 53 42 37 bGUgKCR0cnVlKSB7
001F8450 44 51 6F 67 49 43 41 67 64 48 4A 35 49 48 73 4E DQogICAgdHJ5IHsN
001F8460 43 69 41 67 49 43 41 67 49 43 41 67 4A 48 49 67 CiAgICAgICAgJHIg
001F8470 50 53 42 4A 62 6E 5A 76 61 32 55 74 55 6D 56 7A PSBJbnZva2UtUmVz
The Base64-encoded PowerShell script illustrates the malware’s obfuscation approach: executable code is embedded within what otherwise reads as error message text, so a casual inspection of the log file reveals nothing suspicious.
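The extraction step described above (fixed offset, fixed length, Base64 decode) is simple to reproduce during triage, and the same idea generalizes to hunting for such payloads when the offset is not known. The following is an added example written for this article, not ASEC’s or the malware’s own code. The 64-character Base64 fragment is copied from the hex dump above; the surrounding “error log” text, its offset, and the PowerShell marker list are constructed assumptions for the demo. The real sample’s offset (0x1F843C) and length (0x1A6) are taken as parameters rather than hard-coded, so the helper can be pointed at an actual carrier file.

```python
"""Triage helper for ViperSoftX-style payloads hidden inside a carrier file.

Added example (not ASEC's or the article's code). It shows two things:
1. pulling the Base64 text that a scheduled task reads from a fixed
   offset/length in a "log" file and decoding it to the PowerShell it carries;
2. a generic scan that finds any Base64 run in a blob that decodes to
   PowerShell-looking text, for cases where the offset is unknown (an exported
   registry value can be scanned the same way, since it is just bytes).

The 64-character fragment below is copied from the hex dump in the article;
the surrounding "error log" text and its offset are constructed for the demo.
The real sample used offset 0x1F843C and length 0x1A6, which this script
accepts as parameters rather than hard-coding.
"""
import base64
import binascii
import re
import string

# Base64 text recovered from the article's hex dump (file offset 0x1F8440..0x1F847F).
B64_FRAGMENT = b"bGUgKCR0cnVlKSB7DQogICAgdHJ5IHsNCiAgICAgICAgJHIgPSBJbnZva2UtUmVz"

# Constructed carrier: looks like an application error log with the payload spliced in.
CARRIER_HEADER = (
    b"[2024-01-01 10:00:00] ERROR Failed to initialise license component.\r\n"
    b"[2024-01-01 10:00:01] ERROR Stack trace follows:\r\n"
)
CARRIER_TRAILER = b"\r\n[2024-01-01 10:00:02] INFO Retrying in 30 seconds.\r\n"
CARRIER = CARRIER_HEADER + B64_FRAGMENT + CARRIER_TRAILER
PAYLOAD_OFFSET = len(CARRIER_HEADER)      # stands in for 0x1F843C in the real sample
PAYLOAD_LENGTH = len(B64_FRAGMENT)        # stands in for 0x1A6

# Assumed heuristic token list; tune for your environment.
PS_MARKERS = ("Invoke-", "IEX", "DownloadString", "Start-Process", "$env:", "$true", "try {")
_B64_RUN = re.compile(rb"[A-Za-z0-9+/]{32,}={0,2}")


def decode_b64_lenient(blob: bytes) -> bytes:
    """Decode Base64 that may be truncated mid-group (as a fixed-length read can be)."""
    blob = blob.strip()
    usable = len(blob) - (len(blob) % 4)
    return base64.b64decode(blob[:usable], validate=True) if usable else b""


def extract_embedded_payload(data: bytes, offset: int, length: int) -> str:
    """Reproduce what the malicious task does: slice offset/length, Base64-decode, return script text."""
    chunk = data[offset:offset + length]
    return decode_b64_lenient(chunk).decode("utf-8", errors="replace")


def looks_like_powershell(text: str, min_hits: int = 2) -> bool:
    """Heuristic: mostly printable and carries several PowerShell tokens."""
    if not text:
        return False
    printable = sum(ch in string.printable for ch in text) / len(text)
    hits = sum(marker in text for marker in PS_MARKERS)
    return printable > 0.95 and hits >= min_hits


def scan_for_hidden_powershell(data: bytes) -> list[tuple[int, int, str]]:
    """Find (offset, length, decoded_text) for every Base64 run that decodes to PowerShell."""
    findings = []
    for m in _B64_RUN.finditer(data):
        try:
            decoded = decode_b64_lenient(m.group()).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            continue
        if looks_like_powershell(decoded):
            findings.append((m.start(), m.end() - m.start(), decoded))
    return findings


if __name__ == "__main__":
    script = extract_embedded_payload(CARRIER, PAYLOAD_OFFSET, PAYLOAD_LENGTH)
    print(repr(script))
    for off, ln, text in scan_for_hidden_powershell(CARRIER):
        print(f"hit at 0x{off:X} ({ln} bytes): {text!r}")
```

Decoding the fragment from the hex dump yields the start of a retry loop (`while ($true) { try { $r = Invoke-Res…`), consistent with the downloader behaviour the article describes. The scanner deliberately tolerates truncated Base64, because a fixed-length read like 0x1A6 bytes need not end on a 4-character group boundary.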
The secondary persistence mechanism utilizes registry-based storage, where PowerShell scripts are placed in the %SystemDirectory% path and configured to read encrypted commands from specific registry keys such as “HKLM\SOFTWARE\HPgs6ZtP670 / xr417LXh.”
This dual-layered approach ensures that even if one persistence method is detected and removed, the malware can continue operating through its backup channels, maintaining its foothold on compromised systems while downloading additional payloads and executing threat actor commands.
The post Threat Actors Using ViperSoftX Malware to Exfiltrate Sensitive Details appeared first on Cyber Security News.