Argamal: Malware hidden in hentai games

Argamal is a new malware family distributed through trojanized hentai games and torrents. It installs a malicious implant first and later downloads a RAT for full system compromise. It uses COM hijacking, scheduled tasks, and rotating C2 infrastructure to persist, evade detection, and control infected machines, targeting victims worldwide.

Keypoints

  • Argamal was discovered in April 2026; variants of it have existed since at least 2024.
  • The campaign targets players of hentai games distributed via websites and torrent trackers such as AniRena.
  • Infected game archives contain legitimate game files plus a malicious FFmpeg DLL and a loader DLL named natives2_blob.bin.
  • The malware uses PowerShell stages, environment variables, scheduled tasks, and COM hijacking for persistence and delayed payload delivery.
  • The final payload is a RAT capable of full remote control, screenshots, file operations, system reboot/shutdown, and command execution.
  • C2 infrastructure includes domains such as asper1[.]freeddns[.]org and Winst0[.]kozow[.]com, both resolving to 186[.]158.223.35.
  • Kaspersky says hundreds of victims were affected, mainly in Russia, Brazil, Germany, and Vietnam.

MITRE Techniques

  • [T1546.015] COM Hijacking – The malware persists by replacing the InprocServer32 entry of a Windows Color System calibration COM object, which is triggered at user logon (‘replacing the InprocServer32 entry’ / ‘allowing the malware to run at startup’).
  • [T1053.005] Scheduled Task/Job: Scheduled Task – It creates a task that launches Stage2 three days later and also abuses the WindowsColorSystem calibration loader task to run on each logon (‘creates a scheduled task that will execute three days later’ / ‘runs every time a user logs in’).
  • [T1059.001] PowerShell – Stage1 and Stage2 are PowerShell scripts that check the environment, write persistence data, and download and decrypt payloads (‘executes a Base64-encoded PowerShell script’ / ‘payload downloader script’).
  • [T1027] Obfuscated Files or Information – The campaign hides content with Base64, string substitution, AES-CBC, and encrypted payloads (‘Base64-encoded PowerShell script’ / ‘encrypted payload’).
  • [T1027.003] Steganography / Packed or Encoded Files and Information – The malware stores and decrypts payload data from disguised files such as zaesdl.dat and settings.dat (‘downloads an encrypted payload called zaesdl.dat’ / ‘saved in the settings.dat file’).
  • [T1105] Ingress Tool Transfer – The downloader retrieves payloads from GitHub using bitsadmin.exe (‘downloads an encrypted payload called zaesdl.dat from GitHub’).
  • [T1021] Remote Services – The RAT communicates with its C2 servers over UDP and TCP (‘communicates with the C2 server using the 3747/tcp port’ / ‘sends UDP heartbeats’).
  • [T1056.001] Keylogging – The article describes keyboard input commands such as SKEY and cursor/mouse control, but no full keylogging capability is stated (‘presses specified key’).
  • [T1113] Screen Capture – The RAT can take screenshots and send them to the C2 server (‘SCREEN / SCREEN9: makes a screenshot’).
  • [T1057] Process Discovery – It checks for security tools via tasklist and sends process-related data to the C2 server (‘checks for the presence of the following security solutions using the output of the tasklist command’ / ‘process list’).
  • [T1012] Query Registry – It reads and writes registry keys for persistence and cleanup (‘sets the InprocServer32 registry key’ / ‘removes the changes made under the HKCU\SOFTWARE\Classes\CLSID… registry key’).
  • [T1547.001] Registry Run Keys / Startup Folder – The malware achieves registry-based startup through COM registration under HKCU, causing execution at logon (‘allowing the malware to run during every user session’).
  • [T1106] Native API – The payload uses Windows native execution functions and shell mechanisms such as ShellExecuteW, WinExec, and CreateProcessW (‘Execute command from the response using ShellExecuteW’).
  • [T1569.002] System Services: Service Execution – No explicit service execution is described; commands are executed via scheduled task, shell, and WinExec instead (‘RUNTASK’ / ‘RUNDOS’).
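A hunt for the persistence mechanism listed under T1546.015, added here as an example and not part of the Securelist report. The CLSID of the Windows Color System calibration object is not given on this page, so the check enumerates every per-user CLSID and flags the classic hijack signals: a user-hive InprocServer32 entry that shadows a machine-wide class, or one whose server DLL lives outside the Windows and Program Files directories.

```powershell
# Hunt for per-user COM InprocServer32 overrides (T1546.015).
# Added example, not code from the report. A CLSID registered under HKCU takes
# precedence over the same CLSID under HKLM for that user, so a user-hive entry
# pointing at a DLL in an unusual location is worth triage.

$trusted = @("$env:SystemRoot\", "$env:ProgramFiles\", "${env:ProgramFiles(x86)}\")

$findings = foreach ($key in Get-ChildItem 'HKCU:\SOFTWARE\Classes\CLSID' -ErrorAction SilentlyContinue) {
    $inproc = Join-Path $key.PSPath 'InprocServer32'
    if (-not (Test-Path $inproc)) { continue }

    # The default value of InprocServer32 is the DLL COM will load for this class.
    $dll = (Get-ItemProperty -Path $inproc -ErrorAction SilentlyContinue).'(default)'
    if (-not $dll) { continue }
    $expanded = [Environment]::ExpandEnvironmentVariables($dll)

    $clsid = $key.PSChildName
    $shadowsHklm = Test-Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\$clsid\InprocServer32"

    $inTrusted = $false
    foreach ($t in $trusted) {
        if ($expanded.StartsWith($t, [StringComparison]::OrdinalIgnoreCase)) { $inTrusted = $true }
    }

    $reasons = @()
    if ($shadowsHklm) { $reasons += 'user hive overrides a machine-wide CLSID' }
    if (-not $inTrusted) { $reasons += 'server DLL outside Windows/Program Files' }
    if (-not (Test-Path -LiteralPath $expanded)) { $reasons += 'server DLL missing on disk' }

    if ($reasons) {
        [pscustomobject]@{
            CLSID  = $clsid
            Server = $expanded
            Reason = ($reasons -join '; ')
        }
    }
}

$findings | Format-Table -AutoSize
```

Per-user COM registrations are also used legitimately by software installed into %LOCALAPPDATA%, so each hit needs triage against the DLL's signer and install source rather than being treated as a confirmed infection.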

Indicators of Compromise

  • [SHA1 hash] Malicious DLL and loader components used in the game archive – 42add9475e67a1ccc6a6af94b5475d3defc01b85, edce72f59e4c1d136cd1946af70d334c19df858d
  • [SHA256 hash] RAT payloads identified in the campaign – 76253fb55aed707440e808ea78e7101318436b1c1405a3c5e0aeb08012484134, e16cdec4ab29b4a4535f4337f261b6da20a3c614eb13270bed2d533ad2cb0d7a9
  • [Domain] C2 and infrastructure domains used by the RAT – asper1[.]freeddns[.]org, Winst0[.]kozow[.]com
  • [Domain] locale-based fallback domain and redirection – country1[.]ignorelist[.]com, github[.]com/gmz159/u
  • [IP address] C2 server and related infrastructure – 186[.]158.223.35, 127[.]0.0.1
  • [File names] Loader and payload artifacts inside infected archives – natives2_blob.bin, zaesdl.dat
  • [URL/Repository] Delivery and hosting sources referenced in the campaign – hxxps://github[.]com/DnyP/files, hxxps://github[.]com/mgzv/p
Read more: https://securelist.com/argamal-rat-distributed-with-hentai-games/119999/