HackRead

Hackers Hide New Argamal Malware Inside Working Hentai Games


Cybersecurity firm Kaspersky has discovered a new campaign that delivers malware to people downloading adult video games. Detected in April 2026, the malware, which Kaspersky has named Argamal, is hidden inside hentai game installers. Argamal is a remote access Trojan (RAT) that gives the attackers remote control of the infected computer.

Researchers note that most online scams of this kind hand the victim a broken file that will not open. These infected downloads instead contain fully working games built on common engines such as Ren'Py or RPG Maker. The game runs exactly as expected, so the victim has no reason to suspect that the machine is now under someone else's control.

How the Attack Works

The malicious files are distributed through several channels: adult game sites, file-sharing services such as PixelDrain, and torrent trackers such as AniRena. Right after the game starts, its legitimate executable loads a rigged copy of a standard FFmpeg DLL bundled in the archive (a DLL sideloading technique, since the game trusts the library by name) together with a second file named natives2_blob.bin.

The rigged library is loaded into memory with no warning shown to the user and immediately runs a PowerShell script. To avoid analysis, the script first checks the system for monitoring tools such as Sandboxie or Procmon64.

Malicious game torrent in AniRena (Source: Kaspersky Securelist)

If no such tools are found, the malware does nothing further for the moment. Three days later a scheduled task fires and uses the built-in Windows tool bitsadmin.exe to download an encrypted file (zaesdl.dat) from GitHub, which it decrypts with AES-CBC to obtain the main Trojan module. Both the delay and the use of a legitimate Windows binary for the download are aimed at automated sandboxes, which typically run a sample for minutes rather than days and rarely flag bitsadmin.exe on its own.

To persist on the device, the malware uses COM hijacking: it alters the registry entries for a genuine Windows component, the Windows Color System Calibration Loader. Windows loads this component at every user logon, so the malware's DLL is started in every new user session without a conventional autostart entry of the kind defenders routinely check.

What Hackers Can Do

Once active, Argamal sends UDP heartbeats to the attackers' command-and-control servers, which are reached through dynamic DNS domains such as asper1.freeddns.org and Winst0.kozow.com.

This gives the attackers full control of the system. From there they can steal files, read private chats, harvest financial data, take screenshots, swap cryptocurrency wallet addresses, and stream live video from the machine.
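For defenders, the PowerShell triage script below is an added example and is not part of Kaspersky's report or of HackRead's article. It checks a Windows host for the three kinds of traces described above: a scheduled task that invokes bitsadmin.exe or references either payload file name, a per-user COM registration under HKCU that shadows a machine-wide one (the generic pattern behind the Color System Calibration Loader hijack; the article gives no CLSID, so none is assumed), and recent DNS resolutions of the two named C2 domains. The indicator strings are taken from the article; the function name, output format and everything else are this example's own assumptions.

```powershell
# Added triage example (not Kaspersky's or HackRead's code): a read-only hunt
# for the host-side traces the article describes. Run in an elevated PowerShell.

# Indicators taken from the article. Domains are lowercased for comparison.
$C2Domains = @('asper1.freeddns.org', 'winst0.kozow.com')
# bitsadmin.exe is the built-in Windows downloader the staging task abuses;
# the two file names are the bundled blob and the encrypted second stage.
$SuspectPatterns = @('bitsadmin.exe', 'natives2_blob.bin', 'zaesdl.dat')

$findings = New-Object System.Collections.Generic.List[object]

function Add-Finding {
    param([string]$Kind, [string]$Where, [string]$Detail)
    $findings.Add([pscustomobject]@{ Kind = $Kind; Where = $Where; Detail = $Detail })
}

# 1. Scheduled tasks: the downloader sits idle for three days before it fires,
#    so inspect what each task WOULD execute, not only what has already run.
Get-ScheduledTask | ForEach-Object {
    $task = $_
    foreach ($action in $task.Actions) {
        $cmd = "$($action.Execute) $($action.Arguments)".Trim()
        $hit = $SuspectPatterns | Where-Object { $cmd -match [regex]::Escape($_) }
        if ($hit) {
            $next = ($task | Get-ScheduledTaskInfo).NextRunTime
            Add-Finding 'ScheduledTask' "$($task.TaskPath)$($task.TaskName)" "$cmd (next run: $next)"
        }
    }
}

# 2. COM hijacking: a per-user InprocServer32 under HKCU is consulted before the
#    machine-wide HKLM registration of the same CLSID, so a DLL planted there is
#    loaded whenever that component is instantiated (for the Color System
#    Calibration Loader, at every logon). Only CLSIDs that exist in both hives
#    with differing DLL paths are reported; purely per-user registrations are
#    common for legitimate software and are skipped.
$hkcuClsid = 'Registry::HKEY_CURRENT_USER\Software\Classes\CLSID'
if (Test-Path $hkcuClsid) {
    Get-ChildItem $hkcuClsid | ForEach-Object {
        $clsid   = $_.PSChildName
        $userSrv = Get-ItemProperty -Path (Join-Path $_.PSPath 'InprocServer32') -ErrorAction SilentlyContinue
        if (-not $userSrv) { return }
        $userDll    = $userSrv.'(default)'
        $machineSrv = Get-ItemProperty -Path "Registry::HKEY_LOCAL_MACHINE\Software\Classes\CLSID\$clsid\InprocServer32" -ErrorAction SilentlyContinue
        $machineDll = if ($machineSrv) { $machineSrv.'(default)' } else { $null }
        if ($machineDll -and $userDll -ne $machineDll) {
            Add-Finding 'COMHijack' "HKCU\Software\Classes\CLSID\$clsid" "user DLL: $userDll | machine DLL: $machineDll"
        }
    }
}

# 3. DNS client cache: has this host recently resolved either C2 domain?
Get-DnsClientCache -ErrorAction SilentlyContinue | ForEach-Object {
    if ($C2Domains -contains "$($_.Entry)".ToLower()) {
        Add-Finding 'C2Domain' 'DNS client cache' "$($_.Entry) -> $($_.Data)"
    }
}

if ($findings.Count -eq 0) {
    Write-Host 'No Argamal-style traces found in scheduled tasks, HKCU CLSIDs or the DNS cache.'
} else {
    $findings | Format-Table -AutoSize -Wrap
}
```

HKCU reflects the account the script runs under, so on a shared machine repeat the COM check for each profile (or load the other users' hives under HKEY_USERS). A hit is a lead rather than a verdict: pull the referenced DLL, the task's XML and the DNS cache entry for analysis before acting, since legitimate installers do create scheduled tasks and per-user COM servers.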

Game archive contents (Source: Kaspersky Securelist)

Kaspersky has so far identified hundreds of infected users, mostly in Russia, Brazil, Germany, and Vietnam. Code analysis suggests that the attackers are Spanish speakers. Notably, the malware deliberately avoids infecting users in China. Anyone downloading such games should stick to verified sources, steer clear of unverified adult sites and torrent trackers, and run real-time security software.
