# [HIGH] Argamal: Malware hidden in hentai games

**Source:** Securelist (Kaspersky)
**Published:** 2026-06-03
**Article:** https://securelist.com/argamal-rat-distributed-with-hentai-games/119999/

## Threat Profile

**Author:** Mikhail Reznichenko

In April 2026, we discovered a new malware campaign targeting players of “hentai” games. Once launched, the infected games install a previously unknown malicious implant on the user’s machine. After a few days, the implant downloads and executes a Trojan, resulting in full sys…

## Indicators of Compromise (high-fidelity only)

- **IPv4:** `186.158.223.35`
- **Domain:** `asper1.freeddns.org`
- **Domain:** `winst0.kozow.com`
- **Domain:** `country1.ignorelist.com`
- **SHA1:** `42add9475e67a1ccc6a6af94b5475d3defc01b85`
- **SHA1:** `edce72f59e4c1d136cd1946af70d334c19df858d`

## MITRE ATT&CK Techniques

- **T1071.001** — Application Layer Protocol: Web Protocols
- **T1071.004** — Application Layer Protocol: DNS
- **T1071** — Application Layer Protocol
- **T1053.005** — Scheduled Task/Job: Scheduled Task
- **T1059.001** — Command and Scripting Interpreter: PowerShell
- **T1027** — Obfuscated Files or Information
- **T1546.015** — Event Triggered Execution: Component Object Model Hijacking
- **T1112** — Modify Registry
- **T1140** — Deobfuscate/Decode Files or Information
- **T1027.013** — Obfuscated Files or Information: Encrypted/Encoded File
- **T1105** — Ingress Tool Transfer
- **T1197** — BITS Jobs
- **T1095** — Non-Application Layer Protocol
- **T1568.002** — Dynamic Resolution: Domain Generation Algorithms
- **T1571** — Non-Standard Port
- **T1574.001** — Hijack Execution Flow: DLL Search Order Hijacking
- **T1204.002** — User Execution: Malicious File
- **T1195.002** — Supply Chain Compromise: Compromise Software Supply Chain

## Kill chain phases observed

_(none detected from narrative keywords)_

## Recommended hunts

### Argamal COM Hijack of Windows Color System Calibration Loader CLSID

`UC_137_6` · phase: **install** · confidence: **High** · AI-generated for this article

**Splunk SPL (CIM):**
```spl
| tstats summariesonly=t count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where (Registry.registry_path="*B210D694-C8DF-490D-9576-9E20CDBC20BD*" OR Registry.registry_path="*722D0F89-B69C-4700-AE8C-4A44350E4876*") (Registry.registry_path="*InprocServer32*" OR Registry.registry_value_name="ShellFolder") Registry.registry_value_data="*AppData*Local*.dll" by Registry.dest Registry.user Registry.registry_path Registry.registry_value_name Registry.registry_value_data Registry.process_name Registry.process_path 
| `drop_dm_object_name(Registry)` 
| convert ctime(firstTime) ctime(lastTime)
```

**Defender KQL:**
```kql
DeviceRegistryEvents
| where Timestamp > ago(7d)
| where ActionType in ("RegistryValueSet","RegistryKeyCreated")
| where RegistryKey has_any ("{B210D694-C8DF-490D-9576-9E20CDBC20BD}","{722D0F89-B69C-4700-AE8C-4A44350E4876}")
| where RegistryKey has "InprocServer32" or RegistryValueName =~ "ShellFolder"
| where RegistryValueData has "AppData\\Local" and RegistryValueData endswith ".dll"
| project Timestamp, DeviceName, InitiatingProcessAccountName, RegistryKey, RegistryValueName, RegistryValueData, InitiatingProcessFileName, InitiatingProcessFolderPath, InitiatingProcessCommandLine
| order by Timestamp desc
```

### Argamal MI_V / MI_V2 Environment Variable Stage Handoff

`UC_137_7` · phase: **install** · confidence: **High** · AI-generated for this article

**Splunk SPL (CIM):**
```spl
| tstats summariesonly=t count min(_time) as firstTime max(_time) as lastTime values(Registry.registry_value_data) as data values(Registry.process_name) as proc from datamodel=Endpoint.Registry where Registry.registry_path="*\\Environment*" Registry.registry_value_name IN ("MI_V","MI_V2") by Registry.dest Registry.user Registry.registry_path Registry.registry_value_name 
| `drop_dm_object_name(Registry)` 
| eval ValueLen=len(data) 
| where ValueLen>200 
| convert ctime(firstTime) ctime(lastTime)
```

**Defender KQL:**
```kql
DeviceRegistryEvents
| where Timestamp > ago(30d)
| where ActionType == "RegistryValueSet"
| where RegistryKey endswith "\\Environment"
| where RegistryValueName in~ ("MI_V","MI_V2")
| extend ValueLen = strlen(tostring(RegistryValueData))
| project Timestamp, DeviceName, InitiatingProcessAccountName, RegistryKey, RegistryValueName, ValueLen, RegistryValueDataPreview = substring(tostring(RegistryValueData),0,160), InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessParentFileName
| order by Timestamp desc
```

### Argamal Stage2 BITSAdmin Pull of zaesdl.dat from GitHub

`UC_137_8` · phase: **c2** · confidence: **High** · AI-generated for this article

**Splunk SPL (CIM):**
```spl
| tstats summariesonly=t count min(_time) as firstTime max(_time) as lastTime values(Processes.process) as cmd values(Processes.parent_process_name) as parent from datamodel=Endpoint.Processes where Processes.process_name="bitsadmin.exe" (Processes.process="*zaesdl.dat*" OR (Processes.process="*github*" AND Processes.process="*transfer*")) by Processes.dest Processes.user Processes.process_name 
| `drop_dm_object_name(Processes)` 
| convert ctime(firstTime) ctime(lastTime)
```

**Defender KQL:**
```kql
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName =~ "bitsadmin.exe"
| where ProcessCommandLine has_any ("/transfer","/addfile","/create","/resume")
| where ProcessCommandLine has_any ("zaesdl.dat","raw.githubusercontent.com","github.com","gist.githubusercontent.com")
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessParentFileName, InitiatingProcessCommandLine, FolderPath
| order by Timestamp desc
```

### Argamal RAT C2 Beacon — 186.158.223.35 / freeddns / kozow / ignorelist / UDP-57441 / TCP-3747

`UC_137_9` · phase: **c2** · confidence: **High** · AI-generated for this article

**Splunk SPL (CIM):**
```spl
| tstats summariesonly=t count min(_time) as firstTime max(_time) as lastTime values(All_Traffic.transport) as proto values(All_Traffic.app) as app from datamodel=Network_Traffic.All_Traffic where (All_Traffic.dest="186.158.223.35" OR All_Traffic.dest_ip="186.158.223.35" OR All_Traffic.dest IN ("asper1.freeddns.org","winst0.kozow.com","country1.ignorelist.com") OR (All_Traffic.dest_port IN (57441,3747,63559))) by All_Traffic.src All_Traffic.dest_ip All_Traffic.dest All_Traffic.dest_port 
| `drop_dm_object_name(All_Traffic)` 
| convert ctime(firstTime) ctime(lastTime)
```

**Defender KQL:**
```kql
DeviceNetworkEvents
| where Timestamp > ago(30d)
| where (RemoteIP == "186.158.223.35")
    or (RemoteUrl in~ ("asper1.freeddns.org","winst0.kozow.com","country1.ignorelist.com"))
    or (RemotePort in (57441,3747,63559) and InitiatingProcessFolderPath has "AppData\\Local")
| project Timestamp, DeviceName, RemoteIP, RemotePort, Protocol, RemoteUrl, InitiatingProcessFileName, InitiatingProcessFolderPath, InitiatingProcessCommandLine, InitiatingProcessParentFileName
| order by Timestamp desc
```

### Argamal Scheduled Task Pointing at AppData\Local DLL via Color System Calibration Loader

`UC_137_10` · phase: **install** · confidence: **Medium** · AI-generated for this article

**Splunk SPL (CIM):**
```spl
| tstats summariesonly=t count min(_time) as firstTime max(_time) as lastTime values(Processes.process) as cmd from datamodel=Endpoint.Processes where (Processes.process_name="schtasks.exe" OR Processes.process_name="powershell.exe" OR Processes.process_name="pwsh.exe") (Processes.process="*/create*" OR Processes.process="*Register-ScheduledTask*" OR Processes.process="*New-ScheduledTask*") (Processes.process="*Calibration Loader*" OR Processes.process="*WindowsColorSystem*" OR Processes.process="*MI_V*" OR (Processes.process="*AppData*Local*" AND Processes.process="*.dll*")) by Processes.dest Processes.user Processes.process_name Processes.parent_process_name 
| `drop_dm_object_name(Processes)` 
| convert ctime(firstTime) ctime(lastTime)
```

**Defender KQL:**
```kql
DeviceProcessEvents
| where Timestamp > ago(30d)
| where FileName in~ ("schtasks.exe","powershell.exe","pwsh.exe")
| where ProcessCommandLine has_any ("/create","/change","Register-ScheduledTask","New-ScheduledTask")
| where ProcessCommandLine has_any ("Calibration Loader","WindowsColorSystem","MI_V")
   or (ProcessCommandLine has "AppData\\Local" and ProcessCommandLine has ".dll" and ProcessCommandLine has_any ("rundll32","regsvr32","-Command","-EncodedCommand"))
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessParentFileName, InitiatingProcessFolderPath
| order by Timestamp desc
```

### Argamal Loader Artifacts — natives2_blob.bin / Modified ffmpeg.dll IOC Sweep

`UC_137_11` · phase: **install** · confidence: **Medium** · AI-generated for this article

**Splunk SPL (CIM):**
```spl
| tstats summariesonly=t count min(_time) as firstTime max(_time) as lastTime values(Filesystem.file_path) as path values(Filesystem.process_name) as proc from datamodel=Endpoint.Filesystem where (Filesystem.file_name="natives2_blob.bin" OR Filesystem.file_hash IN ("42add9475e67a1ccc6a6af94b5475d3defc01b85","edce72f59e4c1d136cd1946af70d334c19df858d")) by Filesystem.dest Filesystem.user Filesystem.file_name Filesystem.file_hash 
| `drop_dm_object_name(Filesystem)` 
| convert ctime(firstTime) ctime(lastTime)
```

**Defender KQL:**
```kql
union
  (DeviceFileEvents | where Timestamp > ago(90d) | where FileName =~ "natives2_blob.bin" or SHA1 in~ ("42add9475e67a1ccc6a6af94b5475d3defc01b85","edce72f59e4c1d136cd1946af70d334c19df858d") | project Timestamp, DeviceName, Source="FileEvent", ActionType, FolderPath, FileName, SHA1, FileOriginUrl, InitiatingProcessFileName, InitiatingProcessFolderPath, InitiatingProcessCommandLine),
  (DeviceImageLoadEvents | where Timestamp > ago(90d) | where FileName =~ "ffmpeg.dll" and SHA1 == "42add9475e67a1ccc6a6af94b5475d3defc01b85" | project Timestamp, DeviceName, Source="ImageLoad", ActionType, FolderPath, FileName, SHA1, FileOriginUrl="", InitiatingProcessFileName, InitiatingProcessFolderPath, InitiatingProcessCommandLine),
  (DeviceImageLoadEvents | where Timestamp > ago(90d) | where SHA1 == "edce72f59e4c1d136cd1946af70d334c19df858d" | project Timestamp, DeviceName, Source="ImageLoad", ActionType, FolderPath, FileName, SHA1, FileOriginUrl="", InitiatingProcessFileName, InitiatingProcessFolderPath, InitiatingProcessCommandLine)
| order by Timestamp desc
```

### Beaconing — periodic outbound to small set of destinations

`UC_BEACONING` · phase: **c2** · confidence: **Medium**

**Splunk SPL (CIM):**
```spl
| tstats `summariesonly` count, values(All_Traffic.dest_port) AS ports
    from datamodel=Network_Traffic.All_Traffic
    where All_Traffic.action="allowed" AND All_Traffic.dest_category!="internal"
    by _time span=10s, All_Traffic.src, All_Traffic.dest
| `drop_dm_object_name(All_Traffic)`
| streamstats current=f last(_time) AS prev_time by src, dest
| eval delta = _time - prev_time
| stats avg(delta) AS avg_delta stdev(delta) AS sd_delta count by src, dest
| where count > 30 AND sd_delta < 5 AND avg_delta>=30 AND avg_delta<=600
| sort - count
```

**Defender KQL:**
```kql
DeviceNetworkEvents
| where Timestamp > ago(1d)
| where RemoteIPType == "Public" and ActionType == "ConnectionSuccess"
| project DeviceName, RemoteIP, RemotePort, Timestamp
| sort by DeviceName asc, RemoteIP asc, RemotePort asc, Timestamp asc
| extend prev_dev = prev(DeviceName, 1), prev_ip = prev(RemoteIP, 1),
         prev_port = prev(RemotePort, 1), prev_ts = prev(Timestamp, 1)
| where DeviceName == prev_dev and RemoteIP == prev_ip and RemotePort == prev_port
| extend delta_sec = datetime_diff('second', Timestamp, prev_ts)
| summarize conn_count = count(), avg_delta = avg(delta_sec), stdev_delta = stdev(delta_sec)
    by DeviceName, RemoteIP, RemotePort
| where conn_count > 30 and avg_delta between (30.0 .. 600.0) and stdev_delta < 5.0
| order by conn_count desc
```
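The beaconing statistics above, as an added example in Python (not the briefing's own code): it replays the same group-by-pair, inter-connection delta, mean and standard-deviation logic over constructed connection records, and shows why a jittered but regular beacon is flagged while irregular browsing and blocked connections are not. The function names, the thresholds as constants and the one-line log format are assumptions.

```python
"""Beaconing check over connection records (added example, not the briefing's code).

Mirrors the SPL/KQL hunt: group allowed outbound connections by (src, dest),
compute deltas between consecutive connections, flag pairs with > MIN_CONNS
connections, a mean delta inside the 30..600 s band and a stdev under 5 s.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Thresholds copied from the hunt above.
MIN_CONNS = 30
MIN_DELTA, MAX_DELTA = 30.0, 600.0
MAX_STDEV = 5.0


def parse_line(line):
    """Parse a constructed record: '<epoch> <src> <dest> <dest_port> <action>'."""
    ts, src, dest, port, action = line.split()
    return int(ts), src, dest, int(port), action


def find_beacons(lines, min_conns=MIN_CONNS, max_stdev=MAX_STDEV,
                 delta_band=(MIN_DELTA, MAX_DELTA)):
    """Return {(src, dest): (count, avg_delta, stdev_delta)} for periodic pairs."""
    times = defaultdict(list)
    for line in lines:
        ts, src, dest, _port, action = parse_line(line)
        if action != "allowed":          # hunt only counts allowed traffic
            continue
        times[(src, dest)].append(ts)
    hits = {}
    for pair, stamps in times.items():
        stamps.sort()
        if len(stamps) <= min_conns:      # count > 30 in the hunt
            continue
        deltas = [b - a for a, b in zip(stamps, stamps[1:])]
        avg, sd = mean(deltas), pstdev(deltas)
        if delta_band[0] <= avg <= delta_band[1] and sd < max_stdev:
            hits[pair] = (len(stamps), avg, sd)
    return hits


def sample_log():
    """Constructed sample (RFC 5737 test addresses): one 60 s beacon with
    +/-1 s jitter, one host with ever-growing gaps, one regular but blocked set."""
    base = 1_700_000_000
    lines = []
    for i in range(40):   # regular beacon, deltas cycle 61, 61, 58 (mean 60, stdev ~1.4)
        lines.append(f"{base + 60 * i + (i % 3) - 1} 10.0.0.5 203.0.113.9 3747 allowed")
    for i in range(40):   # irregular: deltas 7, 21, 35, ... (stdev far above 5)
        lines.append(f"{base + 7 * i * i} 10.0.0.6 198.51.100.7 443 allowed")
    for i in range(40):   # perfectly regular but denied, so never counted
        lines.append(f"{base + 45 * i} 10.0.0.7 192.0.2.4 57441 blocked")
    return lines
```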

### Scheduled task created with suspicious image / encoded args

`UC_SCHEDULED_TASK` · phase: **install** · confidence: **High**

**Splunk SPL (CIM):**
```spl
| tstats `summariesonly` count min(_time) as firstTime max(_time) as lastTime
    from datamodel=Endpoint.Processes
    where Processes.process_name="schtasks.exe" AND Processes.process="*/create*"
      AND (Processes.process="*powershell*" OR Processes.process="*cmd.exe*"
        OR Processes.process="*rundll32*" OR Processes.process="*-enc*"
        OR Processes.process="*FromBase64*" OR Processes.process="*\\Users\\Public*"
        OR Processes.process="*\\AppData\\*")
    by Processes.dest, Processes.user, Processes.process, Processes.parent_process_name
| `drop_dm_object_name(Processes)`
```

**Defender KQL:**
```kql
DeviceProcessEvents
| where Timestamp > ago(7d)
| where AccountName !endswith "$"
| where FileName =~ "schtasks.exe"
| where ProcessCommandLine has "/create"
| where ProcessCommandLine has_any ("powershell","cmd.exe","rundll32","-enc","FromBase64","\\Users\\Public","\\AppData\\")
| project Timestamp, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessFileName
```

### PowerShell encoded / obfuscated command

`UC_PS_OBFUSCATED` · phase: **exploit** · confidence: **High**

**Splunk SPL (CIM):**
```spl
| tstats `summariesonly` count min(_time) as firstTime max(_time) as lastTime
    from datamodel=Endpoint.Processes
    where Processes.process_name IN ("powershell.exe","pwsh.exe")
      AND (Processes.process="*-enc *" OR Processes.process="*EncodedCommand*"
        OR Processes.process="*FromBase64String*" OR Processes.process="*-nop*"
        OR Processes.process="*-w hidden*" OR Processes.process="*Invoke-Expression*"
        OR Processes.process="*IEX(*" OR Processes.process="*DownloadString*"
        OR Processes.process="*Net.WebClient*")
    by Processes.dest, Processes.user, Processes.process_name, Processes.process, Processes.parent_process_name
| `drop_dm_object_name(Processes)`
```

**Defender KQL:**
```kql
DeviceProcessEvents
| where Timestamp > ago(7d)
| where AccountName !endswith "$"
| where FileName in~ ("powershell.exe","pwsh.exe")
| where ProcessCommandLine matches regex @"(?i)(-enc|encodedcommand|frombase64string|-nop|-w\s+hidden|invoke-expression|iex\s*\(|downloadstring|net\.webclient)"
| project Timestamp, DeviceName, AccountName, ProcessCommandLine,
          InitiatingProcessFileName, InitiatingProcessCommandLine
```

### Article-specific behavioural hunt — Argamal: Malware hidden in hentai games

`UC_137_5` · phase: **exploit** · confidence: **High**

**Splunk SPL (CIM):**
```spl
| tstats `summariesonly` count earliest(_time) AS firstTime latest(_time) AS lastTime
    from datamodel=Endpoint.Processes
    where (Processes.process_name IN ("ffmpeg.dll") OR Processes.process_path="*\\AppData\\Local\\*")
    by Processes.dest, Processes.user, Processes.process_name,
       Processes.process, Processes.parent_process_name, Processes.process_path
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| append [
| tstats `summariesonly` count
    from datamodel=Endpoint.Filesystem
    where Filesystem.action IN ("created","modified")
      AND (Filesystem.file_path="*\\AppData\\Local\\*" OR Filesystem.file_name IN ("ffmpeg.dll"))
    by Filesystem.dest, Filesystem.user, Filesystem.process_name,
       Filesystem.file_path, Filesystem.file_name
| `drop_dm_object_name(Filesystem)`
]
```

**Defender KQL:**
```kql
// Article-specific bespoke detection — Argamal: Malware hidden in hentai games
// Hunts the actual binaries / paths / commandline fragments named
// in the article instead of a generic technique-class template.
DeviceProcessEvents
| where Timestamp > ago(30d)
| where (FileName in~ ("ffmpeg.dll") or FolderPath has "AppData\\Local")
| project Timestamp, DeviceName, AccountName, FileName,
          FolderPath, ProcessCommandLine,
          InitiatingProcessFileName, InitiatingProcessCommandLine
| order by Timestamp desc

// File-creation events for the named binaries / paths
DeviceFileEvents
| where Timestamp > ago(30d)
| where ActionType in ("FileCreated","FileModified")
| where (FolderPath has "AppData\\Local" or FileName in~ ("ffmpeg.dll"))
| project Timestamp, DeviceName, AccountName, FolderPath,
          FileName, ActionType, InitiatingProcessFileName,
          InitiatingProcessCommandLine
| order by Timestamp desc
```

### IOC-driven hunts (use shared templates)

These are standard IOC-substitution hunts — the canonical SPL and KQL live once in [`_TEMPLATES.md`](../_TEMPLATES.md), so we don't repeat the same boilerplate on every CVE / hash / network-IOC briefing.

- **Network connections to article IPs / domains** ([template](../_TEMPLATES.md#network-ioc)) — phase: **c2**, confidence: **High**
  - IP / domain IOC(s): `186.158.223.35`, `asper1.freeddns.org`, `winst0.kozow.com`, `country1.ignorelist.com`

- **File hash IOCs — endpoint file/process match** ([template](../_TEMPLATES.md#hash-ioc)) — phase: **install**, confidence: **High**
  - file hash IOC(s): `42add9475e67a1ccc6a6af94b5475d3defc01b85`, `edce72f59e4c1d136cd1946af70d334c19df858d`


## Why this matters

Severity classified as **HIGH** based on: IOCs present, 12 use case(s) fired, 23 technique(s) inferred. Read the full article for actor attribution, tooling details, and any defanged IOCs in the body that aren't visible in the RSS summary.
