Argamal: Malware hidden in hentai games

Description

In April 2026, researchers discovered a malware campaign targeting players of adult-themed games. The infected games install a previously unknown implant called Argamal that downloads and executes a RAT after several days, resulting in full system compromise. The malware uses COM hijacking to persist, replacing the InprocServer32 entry for Windows Color System Calibration Loader DLL. Delivery occurs through trojanized games distributed via dedicated websites and torrent trackers, containing modified FFmpeg DLLs that load malicious components. The RAT provides broad functionality including system control, surveillance, file operations, and reconnaissance capabilities. Hundreds of victims have been identified primarily in Russia, Brazil, Germany, and Vietnam. Attribution suggests a Spanish-speaking developer, with infrastructure pointing to ASN 11664 and multiple C2 domains.