{
	"id": "1253ee5a-41a5-4c04-bf6d-bbd2b8a26adc",
	"created_at": "2026-04-06T00:21:14.839741Z",
	"updated_at": "2026-04-10T03:37:08.826547Z",
	"deleted_at": null,
	"sha1_hash": "3056bab1d973087bde8266a064a59ce29fceeb60",
	"title": "ViperSoftX Updates Encryption, Steals Data",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3452933,
	"plain_text": "ViperSoftX Updates Encryption, Steals Data\r\nBy: Don Ovid Ladores Apr 24, 2023 Read time: 8 min (2106 words)\r\nPublished: 2023-04-24 · Archived: 2026-04-05 15:48:28 UTC\r\nViperSoftX, a type of information-stealing software, has been primarily reported as focusing on cryptocurrencies,\r\nmaking headlines in 2022 for its execution technique of hiding malicious code inside log files. Since it was first\r\ndocumented in November, we observed this malware campaign differentiating itself from its previous iteration\r\nwith the use of DLL sideloading for its arrival and execution technique. We also noted that this update includes a\r\nmore sophisticated encryption method of byte remapping and a monthly change in command-and-control (C\u0026C)\r\nserver. Without the correct byte map, the encrypted shellcode, including all components and relevant data, cannot\r\nbe correctly decrypted, making decryption and analysis of the shellcode more time-consuming for analysts.\r\nWe’ve noted a significant number of victims in the consumer and enterprise sectors, with Australia, Japan, and the\r\nUnited States as the top three countries affected by ViperSoftX in the consumer category. Meanwhile, victim\r\norganizations from Southeast Asian countries comprised the enterprise sector.\r\nFigure 1. Top 10 countries affected by ViperSoftX in both the consumer and enterprise sectors\r\nSource: Trend Micro™ Smart Protection Network™ (SPN)\r\nArrival routine\r\nFor the majority of cases, ViperSoftX typically arrives as a software crack, an activator or a patcher, or a key\r\ngenerator (keygen). 
In blocking and detecting these illicit software solutions, we have come to believe that the\r\npeople behind these kinds of software try to convince users looking for bootleg software versions that these are\r\nnot malicious and are simply flagged as “false positives.” It is also a common gimmick for cybercriminals to pose\r\nmalware as a keygen or an activator. Actors behind ViperSoftX take this narrative a step further by using actual\r\nnon-malicious software to hide and pose as typical illegal software versions. ViperSoftX uses these files as\r\n“carriers” of the main malware encrypted within the overlay.\r\nhttps://www.trendmicro.com/en_us/research/23/d/vipersoftx-updates-encryption-steals-data.html\r\nPage 1 of 12\r\nWhile the malicious actors neither abuse any one specific piece of software nor target any specific applications, they commonly\r\nuse multimedia editors or video format converters, cryptocurrency coinminer apps, phone-related desktop apps,\r\nand system cleaner apps. Through all the samples we analyzed, we consistently observed the following binary\r\ncarriers:\r\n1. gup.exe from Notepad++\r\n2. firefox.exe from Tor\r\n3. ErrorReportClient.exe from Magix, a type of multimedia-editing software\r\nFigure 2. Typical arrival package of the malware\r\nThe malware arrives as a package of the carrier executable and the decryptor/loader DLL, typically downloaded\r\nfrom the websites or torrents of (illegal) software solutions. For the most part, the malware is posed as a software\r\nactivator, patcher, or keygen, among other similar software executables. 
The malicious routine starts after the\r\nsoftware executables have been included and run in the system.\r\nWe also noticed that ViperSoftX’s primary C\u0026C servers for the second stage download would change on a\r\nmonthly basis:\r\nFebruary: chatgigi2[.]com\r\nMarch: arrowlchat[.]com\r\nApril: static-cdn-349[.]net\r\nInfection routine\r\nFigure 3. Execution flow of ViperSoftX\r\nViperSoftX first checks for a few virtualization strings and monitoring tools to determine whether the system is running in a\r\nvirtual machine (VM). Using the WQL command SELECT Manufacturer, Model FROM Win32_ComputerSystem to\r\nquery ROOT\\CIMV2, it checks for the following strings:\r\nVMWare\r\nVirtual\r\nThe malware checks if there are monitoring tools, specifically Process Monitor, running in the current machine\r\nwith the following strings:\r\nprocmon\r\nprocmon64\r\nprocmon64a\r\nLastly, ViperSoftX checks for a few installed and active antivirus products, namely:\r\nWindows Defender\r\nESET\r\nIf all checks pass, the malware proceeds to decrypt the PowerShell code and starts downloading the main\r\nViperSoftX routine. From there, the routine is its standard multistage download and execution routine.\r\nFigure 4. Execution of the first-stage PowerShell downloader after passing through blacklisting\r\nUnique encryption\r\nByte mapping is a relatively simple technique. It does not require any complex computations, and the only\r\noperation it requires is to put the correct byte in the correct location. 
For their part, cybercriminals benefit from\r\nthis technique as it avoids the presence and activity of a large graph of objects that more complex decryption routines would require.\r\nUnlike the bitwise operations of typical decryption routines, ViperSoftX uses byte remapping to ensure\r\nthat the shellcode cannot be easily decrypted without the correct byte map, weaving a cross-stitch template onto the\r\npalette of 256 (0x100) bytes. Though this is a very rigid method of hiding its code, it provides some level of\r\nprotection against forced decryption.\r\nFigure 5. Comparison of two ViperSoftX carrier executables with byte remapping.\r\nNote: Each byte of the encrypted section is a specific index into the byte map found in the sideloaded DLL.\r\nComparing the mapping of the first four bytes on two samples shows that their offsets within the encrypted region\r\nremain the same since they result in a similar shellcode even if they are composed of different bytes per binary.\r\nWhen the screenshots of the two carrier executables are compared, the number (or code) changed but the\r\nlocation/offset remains the same. The same is true for all the other bytes. While analysts will see the pattern of the\r\narrangement, it is unlikely that they would be able to decrypt this without the correct sequence of bytes used in the\r\nmapping. If this pattern were text or a string, it would not be difficult to apply brute force. However, considering\r\nthat this is a byte character (with 256 different bytes) and an assembly code instruction at that, brute-forcing it would be\r\nunlikely to yield correctly decrypted results.\r\nWe have also found that each sideloader DLL has its own pair of executable and byte map, and a decryption\r\nattempt returns an incorrectly rearranged shellcode if used with another ViperSoftX-related executable. 
This\r\nensures that the shellcode will not be decrypted without the correct DLL since the latter contains the correct byte\r\nmap. Moreover, all the strings, binaries, and other relevant data within the ViperSoftX DLL also get decrypted\r\nthe same way. Afterward, the shellcode will then decrypt and load the main ViperSoftX DLL embedded within the\r\ncarrier.\r\nFigure 6. ViperSoftX DLL containing the hard-coded byte map (256 bytes long denoting specific\r\nbytes from “0x00” to “0xff”)\r\nFigure 7. The actual bytes of the decrypted shellcode\r\nThis technique for encryption-decryption is not new but is mostly popular with script malware. As of this writing,\r\nthe most recent piece of malware that uses this technique is the JavaScript- or Windows Scripting File-packed\r\nMagniber ransomware. Considering the former is a type of script malware, however, this technique for\r\nencryption-decryption is more easily discernible during analysis because both the encrypted data and the mapping\r\nare in the same file. In contrast, in our ViperSoftX sample, which is a full binary file, the table becomes harder to\r\nfind. Furthermore, since the data to be decrypted is in another file, the routine becomes even more difficult to\r\ninvestigate, as analysts would need the correct pair for decryption.\r\nPassword theft\r\nSince it was first documented, ViperSoftX has been known as a cryptocurrency stealer. However, we found from\r\nour investigations that ViperSoftX can check not only for cryptocurrencies but also for a few password managers.\r\nIt also uses some basic anti-analysis protection for its C\u0026C by disallowing communications using web browsers.\r\nFigure 8. 
Response when accessing the C\u0026C via web browsers (top), and modifying the user-agent\r\nto access the C\u0026C and return encoded data (bottom)\r\nIt still downloads a PowerShell code (the main ViperSoftX script) to crawl through different paths in the system\r\nfor cryptocurrency wallets. ViperSoftX scans for these cryptocurrency wallets in local directories:\r\nArmory\r\nAtomic Wallet\r\nBinance\r\nBitcoin\r\nBlockstream Green\r\nCoinomi\r\nDelta\r\nElectrum\r\nExodus\r\nGuarda\r\nJaxx Liberty\r\nLedger Live\r\nTrezor Bridge\r\nThe malware also checks for the following wallets via browser extensions:\r\nBinance\r\nCoin98\r\nCoinbase\r\nJaxx Liberty\r\nMetaMask\r\nMew CX (now Enkrypt)\r\nInstalled browser components:\r\nBrave Browser\r\nChrome\r\nFirefox\r\nMicrosoft Edge\r\nOpera\r\nThe updated version of ViperSoftX includes a check mechanism for two password managers, namely KeePass 2\r\nand 1Password. Noting the malware’s capability to scan KeePass, we looked into the possible abuse of the\r\nKeePass security gap CVE-2023-24055, which forces the application to dump stored passwords in plain text (a\r\nfeature already disabled in recent patches and versions). According to our investigation, although there are low\r\nnumbers of victims related to the exploit, the said detections do not appear related to ViperSoftX victims.\r\nFigure 9. PowerShell code searching for the browser link files to inject a command line and load\r\nmalicious extensions\r\nFigure 10. 
ViperSoftX scanning browser extensions and directories for wallets and password\r\nmanagers\r\nVictims affected: Consumers and businesses alike\r\nDue to the nature of its arrival technique, we primarily assumed that the targets and victims would be regular\r\nusers. However, we were surprised to see that the enterprise sector made up over 40% of the total number of\r\nvictims. It is also notable that the leading countries and regions affected by the malware campaign are Australia\r\nand Japan with almost the same numbers, while the US came in a close third with almost half as many victims at the\r\nconsumer level. On the other hand, the majority of the affected enterprise sector can be found in Asia.\r\nFigure 11. Top 10 countries affected by ViperSoftX malware in the enterprise (top) and consumer (bottom) sectors\r\nSource: Trend Micro Smart Protection Network (SPN)\r\nConclusion and insights\r\nWhile other cybercriminals use sideloading to load another non-binary component (usually the encrypted payload,\r\nwhich comes together as a package with the normal executable and the sideloaded DLL), the chosen techniques of\r\nthe actors behind ViperSoftX (which involve using WMI Query Language (WQL), DLL sideloading/DLL load\r\norder hijacking, PowerShell reflective loading, browser hijacking, and C\u0026C protection) are sophisticated.\r\nThe cybercriminals behind ViperSoftX are also skilled enough to execute a seamless chain for malware execution\r\nwhile staying under the radar of authorities by selecting one of the most effective methods for delivering malware\r\nto consumers. 
Although we have observed some changes throughout their campaigns, the pace of ViperSoftX’s\r\ndevelopment can be considered slow compared to other types of stealer malware.\r\nThe group behind this malware has been doing this for a number of years, and it knows its target systems based on\r\nthe simultaneous use of techniques to steal cryptocurrencies and passwords. In this respect, we believe there are\r\nactually at least two groups responsible for this ViperSoftX campaign based on the malware’s C\u0026C\r\ncommunication. As the first set of players, the main group is responsible for the deployments. On the other hand,\r\nconsidering the monthly change of C\u0026C servers and communication exchange, we believe in the possibility of\r\nanother group being involved based on the different coding or C\u0026C scheme. ViperSoftX uses a domain-generating\r\nalgorithm (DGA) to hide its C\u0026C server and generate useless traffic. From the DGA technique, we observed that\r\nthe majority of the activities are dominated by the main group, which utilizes a simple DGA. However, there are a\r\nnumber of activities that appear to use a different DGA. We do not discount the possibility that these can either be\r\nolder samples or different operators entirely.\r\nWhile ViperSoftX appears to be targeting consumers considering its chosen means for entry, we found it\r\ninteresting that it also affects the business sector. One possible theory behind why businesses are affected by this\r\ncampaign has to do with recent layoffs and possible budget cuts. While some users might be looking to freelance\r\nand supplement their incomes while in between jobs, others might have been prompted to download tools from\r\nunofficial platforms to “save costs” and circumvent tools not found in office-issued devices. Nonetheless, we\r\nstrongly recommend that users download the software and applications they need from official platforms. 
Cracks\r\nand other illegally owned software will only work for certain periods since the majority of license verification\r\nmethods are now done in the cloud. If features such as updates to circumvent the replacement of cracks or patches\r\nare disabled, users would then be putting their respective systems at greater risk of attacks or infections.\r\nHere are some additional recommendations to prevent the risks of infection from malware types like ViperSoftX:\r\nDownload software and applications from official platforms and sources.\r\nInstead of downloading illegal software, choose alternative freeware solutions from reputable sources and\r\nplatforms.\r\nDownload security solutions that can detect and block malicious components in seemingly legitimate and\r\nnon-malicious software and applications.\r\nTrend Micro solutions\r\nTrend Micro customers are protected from threats like ViperSoftX with Trend Micro Vision One™ products, which\r\nprovide multilayered protection and behavior detection, thereby blocking questionable behavior and tools before\r\na piece of malware can do any damage. Implementing a multifaceted approach can aid organizations in securing\r\npotential entry points into their systems such as endpoint, email, web, and network. With the help of security\r\nsolutions that can identify malevolent elements and questionable activities, enterprises can be safeguarded via\r\nautomated protection while also ensuring that no significant incidents go unnoticed.\r\nIndicators of Compromise (IOCs)\r\nThe list of IOCs can be downloaded here.\r\nSource: https://www.trendmicro.com/en_us/research/23/d/vipersoftx-updates-encryption-steals-data.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.trendmicro.com/en_us/research/23/d/vipersoftx-updates-encryption-steals-data.html"
	],
	"report_names": [
		"vipersoftx-updates-encryption-steals-data.html"
	],
	"threat_actors": [
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3a0be4ff-9074-4efd-98e4-47c6a62b14ad",
			"created_at": "2022-10-25T16:07:23.590051Z",
			"updated_at": "2026-04-10T02:00:04.679488Z",
			"deleted_at": null,
			"main_name": "Energetic Bear",
			"aliases": [
				"ATK 6",
				"Blue Kraken",
				"Crouching Yeti",
				"Dragonfly",
				"Electrum",
				"Energetic Bear",
				"G0035",
				"Ghost Blizzard",
				"Group 24",
				"ITG15",
				"Iron Liberty",
				"Koala Team",
				"TG-4192"
			],
			"source_name": "ETDA:Energetic Bear",
			"tools": [
				"Backdoor.Oldrea",
				"CRASHOVERRIDE",
				"Commix",
				"CrackMapExec",
				"CrashOverride",
				"Dirsearch",
				"Dorshel",
				"Fertger",
				"Fuerboos",
				"Goodor",
				"Havex",
				"Havex RAT",
				"Hello EK",
				"Heriplor",
				"Impacket",
				"Industroyer",
				"Karagany",
				"Karagny",
				"LightsOut 2.0",
				"LightsOut EK",
				"Listrix",
				"Oldrea",
				"PEACEPIPE",
				"PHPMailer",
				"PsExec",
				"SMBTrap",
				"Subbrute",
				"Sublist3r",
				"Sysmain",
				"Trojan.Karagany",
				"WSO",
				"Webshell by Orb",
				"Win32/Industroyer",
				"Wpscan",
				"nmap",
				"sqlmap",
				"xFrost"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a66438a8-ebf6-4397-9ad5-ed07f93330aa",
			"created_at": "2022-10-25T16:47:55.919702Z",
			"updated_at": "2026-04-10T02:00:03.618194Z",
			"deleted_at": null,
			"main_name": "IRON VIKING",
			"aliases": [
				"APT44 ",
				"ATK14 ",
				"BlackEnergy Group",
				"Blue Echidna ",
				"CTG-7263 ",
				"ELECTRUM ",
				"FROZENBARENTS ",
				"Hades/OlympicDestroyer ",
				"IRIDIUM ",
				"Qudedagh ",
				"Sandworm Team ",
				"Seashell Blizzard ",
				"TEMP.Noble ",
				"Telebots ",
				"Voodoo Bear "
			],
			"source_name": "Secureworks:IRON VIKING",
			"tools": [
				"BadRabbit",
				"BlackEnergy",
				"GCat",
				"NotPetya",
				"PSCrypt",
				"TeleBot",
				"TeleDoor",
				"xData"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "b3e954e8-8bbb-46f3-84de-d6f12dc7e1a6",
			"created_at": "2022-10-25T15:50:23.339976Z",
			"updated_at": "2026-04-10T02:00:05.27483Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"Sandworm Team",
				"ELECTRUM",
				"Telebots",
				"IRON VIKING",
				"BlackEnergy (Group)",
				"Quedagh",
				"Voodoo Bear",
				"IRIDIUM",
				"Seashell Blizzard",
				"FROZENBARENTS",
				"APT44"
			],
			"source_name": "MITRE:Sandworm Team",
			"tools": [
				"Bad Rabbit",
				"Mimikatz",
				"Exaramel for Linux",
				"Exaramel for Windows",
				"GreyEnergy",
				"PsExec",
				"Prestige",
				"P.A.S. Webshell",
				"AcidPour",
				"VPNFilter",
				"Neo-reGeorg",
				"Cyclops Blink",
				"SDelete",
				"Kapeka",
				"AcidRain",
				"Industroyer",
				"Industroyer2",
				"BlackEnergy",
				"Cobalt Strike",
				"NotPetya",
				"KillDisk",
				"PoshC2",
				"Impacket",
				"Invoke-PSImage",
				"Olympic Destroyer"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434874,
	"ts_updated_at": 1775792228,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3056bab1d973087bde8266a064a59ce29fceeb60.pdf",
		"text": "https://archive.orkl.eu/3056bab1d973087bde8266a064a59ce29fceeb60.txt",
		"img": "https://archive.orkl.eu/3056bab1d973087bde8266a064a59ce29fceeb60.jpg"
	}
}