ViperSoftX Malware Distributed by Arabic-Speaking Threat Actor

April 10, 2025, 8:12 p.m.

Description

An Arabic-speaking threat actor has been distributing ViperSoftX malware to Korean victims since April 1, 2025. The malware, typically spread through cracked software or torrents, operates as a PowerShell script and communicates with C&C servers. The campaign involves downloading additional malware, including a VBS downloader, a malicious PowerShell script, PureCrypter, and Quasar RAT. The attackers use Arabic comments in their code and employ various techniques to evade detection, such as adding Windows Defender exception paths. The PowerShell downloader ensures it runs with administrator privileges and bypasses security software. PureCrypter, a commercial .NET packer, is used as a downloader, while Quasar RAT provides remote access capabilities. Users are advised to avoid downloading software from torrent sites and to keep their antivirus solutions updated to prevent infection.

Date

  • Created: April 10, 2025, 6:50 p.m.
  • Published: April 10, 2025, 6:50 p.m.
  • Modified: April 10, 2025, 8:12 p.m.

Attack Patterns