Hackers Are Hiding the New Argamal RAT Inside Fully Working Hentai Games

Hackers are distributing a new remote access Trojan (RAT) dubbed Argamal by hiding it inside fully functional hentai games. Discovered by cybersecurity firm Kaspersky in April 2026, the malware grants attackers complete control over infected systems while victims play the game without suspicion.

Normal internet scams usually give you a broken file that will not open. These infected downloads actually include fully working games built on common systems like RenPy or RPG Maker. The game runs exactly as you want it to, so you never realise your machine is under someone’s control.

- Kaspersky

These malicious files are actively distributed across adult game sites, file-sharing platforms like PixelDrain, and torrent trackers such as AniRena. Because the games operate flawlessly, the infection can persist for months before a user notices any unauthorized activity on their device.

The Argamal Infection Chain

When a user unpacks the archive and launches the game, the game loads a trojanized copy of the FFmpeg DLL, a standard multimedia library, together with a companion file named natives2_blob.bin. The rigged library runs in memory without triggering any warning and immediately launches a PowerShell script.

To evade analysis, the script first checks the host for monitoring tools such as Sandboxie or Procmon64 (Process Monitor). If the environment looks clean, the malware goes dormant for three days. When that period ends, a scheduled task fires and uses bitsadmin.exe, a legitimate Windows component, to download an encrypted file (zaesdl.dat) from GitHub. The script decrypts it with AES in CBC mode to reconstruct the main Trojan module. For persistence, Argamal uses COM hijacking: it rewrites the registry entries for the COM class started by the Windows Color System Calibration Loader, a built-in scheduled task that runs at every user logon and starts its handler through a COM class ID, so the Trojan is loaded in every new session.
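A hunting script for the persistence and download stages just described, added here as an example; it is not Argamal code, Kaspersky tooling, or anything from the original article. It assumes a Windows 10 or 11 host with the standard Calibration Loader task under \Microsoft\Windows\WindowsColorSystem\, reads the CLSID from the task rather than hard-coding one (the article does not give it), and treats the usual hijack pattern, a per-user HKCU registration shadowing the HKLM one, as suspicious, along with any registered binary that is not validly signed. The bitsadmin check is generic: it lists every scheduled task whose action mentions bitsadmin and any job still sitting in the BITS queue.

```powershell
# Added hunting script, not Argamal code or Kaspersky tooling. Assumptions: a
# Windows 10/11 host, the standard "Calibration Loader" task under
# \Microsoft\Windows\WindowsColorSystem\, and the common hijack pattern of a
# per-user CLSID registration (HKCU) shadowing the machine-wide one (HKLM).
# The CLSID is read from the task itself rather than hard-coded.

function Test-CalibrationLoaderHijack {
    $task = Get-ScheduledTask -TaskPath '\Microsoft\Windows\WindowsColorSystem\' `
                              -TaskName 'Calibration Loader' -ErrorAction Stop
    # The task starts a COM handler; ComHandler actions expose the CLSID as ClassId.
    $clsids = $task.Actions | Where-Object { $_.ClassId } | ForEach-Object { $_.ClassId }
    foreach ($clsid in $clsids) {
        foreach ($hive in 'HKCU', 'HKLM') {
            foreach ($server in 'InprocServer32', 'LocalServer32') {
                $key = "${hive}:\Software\Classes\CLSID\$clsid\$server"
                if (-not (Test-Path $key)) { continue }
                # GetValue('') returns the default value with REG_EXPAND_SZ expanded.
                $path = ([string](Get-Item $key).GetValue('')).Trim('"')
                $sig  = if ($path -and (Test-Path $path)) {
                    (Get-AuthenticodeSignature -FilePath $path).Status
                } else { 'FileMissing' }
                [pscustomobject]@{
                    Clsid      = $clsid
                    Hive       = $hive
                    Server     = $server
                    Binary     = $path
                    Signature  = $sig
                    # Any HKCU registration of this system CLSID, or an entry whose
                    # binary is not validly signed, is a hijack indicator.
                    Suspicious = ($hive -eq 'HKCU') -or ($sig -ne 'Valid')
                }
            }
        }
    }
}

function Find-BitsAdminTask {
    # Scheduled tasks whose action runs bitsadmin.exe, directly or inside a
    # shell one-liner: the download stage described above needs exactly this.
    foreach ($t in Get-ScheduledTask) {
        foreach ($a in $t.Actions) {
            $cmd = "$($a.Execute) $($a.Arguments)"
            if ($cmd -match 'bitsadmin') {
                [pscustomobject]@{
                    Task      = "$($t.TaskPath)$($t.TaskName)"
                    Principal = $t.Principal.UserId
                    Command   = $cmd.Trim()
                }
            }
        }
    }
    # Jobs still in the BITS queue, with the URLs they pull from.
    Get-BitsTransfer -AllUsers -ErrorAction SilentlyContinue | ForEach-Object {
        [pscustomobject]@{
            Task      = "BITS job: $($_.DisplayName)"
            Principal = $_.OwnerAccount
            Command   = ($_.FileList | ForEach-Object { $_.RemoteName }) -join ' '
        }
    }
}

Test-CalibrationLoaderHijack | Format-Table -AutoSize
Find-BitsAdminTask           | Format-Table -AutoSize
```

Run it from an elevated PowerShell, since Get-BitsTransfer -AllUsers and some task definitions need administrator rights. On a clean system the first table should contain only HKLM rows with Signature Valid (Windows files signed through the catalog still report Valid on current versions); an HKCU row for that CLSID, or an HKLM entry whose binary lives outside the Windows directory, is what to investigate. The second table is empty on most workstations, because few legitimate tasks invoke bitsadmin.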

How to Protect Your System

Once active, Argamal keeps in touch with its operators through UDP heartbeats to attacker-controlled servers; over that channel the attackers can steal files, read private chats, collect financial data, swap crypto-wallet addresses, and even stream live video from the machine. To secure your device, follow these steps:

  • Avoid Unverified Sources: Stop downloading games from unverified adult sites and torrent trackers like AniRena.
  • Deploy Active Scanning: Ensure you are running real-time security software capable of detecting memory-loaded PowerShell scripts.
  • Monitor Network Traffic: Check your network logs for unauthorized UDP heartbeats connecting to domains such as asper1.freeddns.org and Winst0.kozow.com.
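A detection example for the network check in the last bullet, added here; it is not Argamal code, Kaspersky tooling, or code from the original article. It parses Windows Firewall log lines (the pfirewall.log format) and reports UDP flows that recur at a near-constant interval, the shape of a heartbeat, restricted to the addresses the article's two domains resolve to. Everything beyond those two domains is an assumption: the placeholder address 203.0.113.10, the two-minute beacon period and the sample log lines are constructed so the script runs offline, and the jitter threshold is a starting point rather than a tuned value.

```powershell
# Added example, not Argamal code or Kaspersky tooling. Reads Windows Firewall
# log lines (pfirewall.log format) and flags UDP flows that recur at a regular
# interval. The two domains are from the article; the placeholder address
# 203.0.113.10, the 2-minute beacon period and the sample log lines are
# constructed for the offline run and are not real indicators.

$IocDomains = 'asper1.freeddns.org', 'winst0.kozow.com'

function Get-IocAddresses {
    param([string[]]$Domains)
    # Dynamic-DNS names change; resolve at run time and keep what answers.
    foreach ($d in $Domains) {
        Resolve-DnsName -Name $d -Type A -ErrorAction SilentlyContinue |
            Where-Object { $_.IPAddress } | ForEach-Object { $_.IPAddress }
    }
}

function Find-UdpBeacons {
    param(
        [string[]]$LogLines,
        [string[]]$TargetAddresses,   # empty: report every UDP destination
        [int]$MinPackets = 5,
        [double]$MaxJitter = 0.1      # coefficient of variation of the gaps
    )
    # pfirewall.log columns: date time action protocol src-ip dst-ip src-port dst-port ...
    $flows = @{}
    foreach ($line in $LogLines) {
        if ([string]::IsNullOrWhiteSpace($line) -or $line.StartsWith('#')) { continue }
        $f = $line -split '\s+'
        if ($f.Count -lt 8 -or $f[3] -ne 'UDP') { continue }
        if ($TargetAddresses -and ($TargetAddresses -notcontains $f[5])) { continue }
        $key = "$($f[5]):$($f[7])"
        $ts  = [datetime]::ParseExact("$($f[0]) $($f[1])", 'yyyy-MM-dd HH:mm:ss', $null)
        if (-not $flows.ContainsKey($key)) {
            $flows[$key] = [System.Collections.Generic.List[datetime]]::new()
        }
        $flows[$key].Add($ts)
    }
    foreach ($key in $flows.Keys) {
        $times = @($flows[$key] | Sort-Object)
        if ($times.Count -lt $MinPackets) { continue }
        # Inter-packet gaps in seconds; a heartbeat has a low spread around its mean.
        $gaps = @(for ($i = 1; $i -lt $times.Count; $i++) { ($times[$i] - $times[$i - 1]).TotalSeconds })
        $avg  = ($gaps | Measure-Object -Average).Average
        $var  = ($gaps | ForEach-Object { ($_ - $avg) * ($_ - $avg) } | Measure-Object -Average).Average
        $cv   = if ($avg -gt 0) { [math]::Sqrt($var) / $avg } else { 0 }
        [pscustomobject]@{
            Destination    = $key
            Packets        = $times.Count
            AvgIntervalSec = [math]::Round($avg, 1)
            Jitter         = [math]::Round($cv, 3)
            Beacon         = ($cv -le $MaxJitter)
        }
    }
}

# Constructed sample: six UDP packets to the placeholder address every 2 minutes
# (a heartbeat), plus ordinary DNS lookups and one TCP connection as noise.
$SampleLog = @('#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path')
$SampleLog += 0..5 | ForEach-Object {
    '2026-04-20 10:{0:d2}:00 ALLOW UDP 192.168.1.20 203.0.113.10 51512 8080 60 - - - - - - - SEND' -f ($_ * 2)
}
$SampleLog += '2026-04-20 10:00:07 ALLOW UDP 192.168.1.20 192.168.1.1 60012 53 48 - - - - - - - SEND'
$SampleLog += '2026-04-20 10:03:41 ALLOW UDP 192.168.1.20 192.168.1.1 60347 53 51 - - - - - - - SEND'
$SampleLog += '2026-04-20 10:05:12 ALLOW TCP 192.168.1.20 203.0.113.10 51600 443 52 S 0 0 64240 - - - SEND'

# Offline run against the constructed sample, targeting the placeholder address.
Find-UdpBeacons -LogLines $SampleLog -TargetAddresses '203.0.113.10' | Format-Table -AutoSize

# Live run: resolve the article's domains and scan the real log. Logging of
# allowed traffic must be on first: Set-NetFirewallProfile -All -LogAllowed True
# $targets = Get-IocAddresses -Domains $IocDomains
# Find-UdpBeacons -LogLines (Get-Content "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log") -TargetAddresses $targets
```

On the constructed sample the script reports a single row, 203.0.113.10:8080 with six packets 120 seconds apart and Beacon set to True, while the DNS and TCP noise is ignored. Run with no -TargetAddresses it scores every UDP destination, which is the more useful mode once the dynamic-DNS names have moved to new addresses. The DNS client cache is a quicker first check: `Get-DnsClientCache | Where-Object Entry -match 'freeddns\.org|kozow\.com'` shows whether either host has been looked up recently, but it only covers names still in the cache.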

The "Living off the Land" Evolution

The deployment of Argamal highlights a sophisticated evolution in social engineering. By embedding the payload within fully functional games built on popular engines, attackers eliminate the immediate suspicion that usually follows a broken executable. Furthermore, the deliberate three-day delay before downloading the GitHub payload is a calculated move to outlast the automated analysis windows of standard security sandboxes.

Kaspersky's telemetry reveals hundreds of infections primarily in Russia, Brazil, Germany, and Vietnam, while code analysis indicates the attackers speak Spanish. Crucially, the malware is programmed to explicitly avoid targeting users in China. This geographic exclusion, combined with the use of legitimate system tools like bitsadmin.exe, suggests a highly targeted operation designed to quietly harvest credentials and crypto assets without drawing the ire of massive state-level cybersecurity apparatuses.
