{
	"id": "1e164841-ca13-454f-8bb2-9062d4dadd55",
	"created_at": "2026-04-06T00:12:40.58808Z",
	"updated_at": "2026-04-12T02:22:19.60729Z",
	"deleted_at": null,
	"sha1_hash": "e60695fb97ee1b9491cf512d4b8da8a28072719c",
	"title": "In-depth Analysis of a 2025 ViperSoftX Variant",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 825089,
	"plain_text": "In-depth Analysis of a 2025 ViperSoftX Variant\r\nPublished: 2025-06-03 · Archived: 2026-04-05 12:41:07 UTC\r\nIntroduction\r\nIn early 2025, new samples of PowerShell-based malware began appearing across underground forums and threat\r\nhunting communities. The sample in question resembles ViperSoftX stealers from 2024, but with a notable\r\nincrease in modularity, stealth, and persistence mechanisms. In this blog, we will dissect the code and map out its\r\nfunctions, mechanisms, and threats. We go on to assess the similarities/differences between the new and old\r\nViperSoftX variants.\r\nCode Execution Flow\r\nFig 1: Execution Flow\r\nThe above image illustrates the structured execution logic of the malware — highlighting its modular design and\r\ntask-oriented operation. This malware’s lifecycle can be broken down into several phases, wherein it initializes\r\nitself, sets up persistence, starts a session and does the C2 communication.\r\nInitialize-Mutex\r\nFig 2.1.1: Simple Mutex (2024)\r\nhttps://labs.k7computing.com/index.php/in-depth-analysis-of-a-2025-vipersoftx-variant\r\nPage 1 of 9\n\nThe 2024 version uses a basic mutex named with a static string. If the mutex already exists (meaning the malware\r\nis already running), it waits for 10 seconds before exiting.\r\nFig 2.1.2: GUID Mutex (2025)\r\nThe 2025 version uses a GUID-style mutex identifier and increases the sleep time to 300 seconds — this delays\r\nsandbox detection, increases the likelihood of avoiding behavioral analysis, and better ensures only one instance\r\nruns.\r\nPersistence Mechanism\r\nThe malware employs multiple persistence techniques to survive reboots. In the 2024 version the final payload\r\nfocused on data exfiltration and command-and-control communication, without managing its own persistence. 
The persistence mechanism was typically handled by a loader or dropper rather than being embedded in the final payload. The 2025 version, by contrast, uses a robust three-layer fallback persistence strategy:\r\nScheduled Task (WindowsUpdateTask) triggered at logon.\r\nRun registry key under HKCU.\r\nBat file under startup folder.\r\nFig 3.1: Self-copy/Safekeeping\r\nThe script copies itself to AppData\\Microsoft\\Windows\\Config\\winconfig.ps1.\r\nFig 3.2: Batch launcher\r\nCreates a hidden .bat launcher script that executes the .ps1 script and uses multiple layers of evasion and fallback if the paths already exist.\r\nFig 3.3: Task Scheduler entry\r\nRegisters a Windows scheduled task named WindowsUpdateTask that runs the batch file at user logon, ensuring persistence.\r\nFig 3.4: Run Entry\r\nCode to achieve persistence using a Run key in the Windows Registry.\r\nFig 3.5: Startup Directory\r\nPlaces a bat file in the user’s startup directory.\r\nPrep Work\r\nFunction: Generate-RandomGUID\r\nThe 2024 version creates identifiers by querying hardware values such as serial numbers.\r\nFig 4.1.1: Serial-based ID\r\nThe recent variant, by contrast, generates a full 64-character hex GUID, making each infection uniquely traceable.\r\nFig 4.1.2: Random GUID\r\nThis GUID is passed as an argument to the Build-MetaRequest and Parse-MetaRequest functions to identify the infected machine or victim.\r\nFunction: Build-MetaRequest and Parse-MetaRequest\r\nFig 4.2: Build-MetaRequest\r\nThe 2025 variant’s base64 request building and parsing mimic normal browser behavior, making it stealthier in network logs and helping it slip past intrusion detection systems. Build-MetaRequest constructs an HTTP GET request, encodes it in base64, and stores it in a variable ($meta_request).\r\nFig 4.3: Parse-MetaRequest\r\nParse-MetaRequest decodes the base64 meta request ($meta_request) back into its original ASCII form, uses a regex to capture the 64-character GUID from the path, and stores it in the variable ($session.api_guid).\r\nFunction: Initialize-HttpClient\r\nThe 2024 version used System.Net.WebClient, a basic, deprecated .NET networking class.\r\nFig 4.4.1: Web Client Setup\r\nThe 2025 version adopts HttpClient from the modern .NET API.\r\nFig 4.4.2: HTTP Client Setup\r\nThe shift to HttpClient provides more advanced capabilities — header manipulation, timeout control, and better compatibility with HTTPS traffic — aligning better with legitimate software behavior and thereby staying under the radar.\r\nFunction: Get-PublicIPAddress\r\nThe 2024 version does not explicitly attempt to gather the victim’s public IP address; the 2025 version tries multiple web services in fallback order.\r\nFig 4.5: Public IP Fetch\r\nCapturing public IPs helps attackers identify the infected device’s location and origin (e.g., via geolocation), and group infections by target region or campaign.\r\nExecute Core Functionality\r\nFunction: Get-ServerID and Test-ServerRestarted\r\nFig 5.1: Server Sync Check\r\nGet-ServerID: Makes a request to api/v1/server-id to retrieve a numerical ID — likely used to detect backend redeployments.\r\nTest-ServerRestarted: Compares the cached server ID with a freshly retrieved value; if it has changed, the session is forcibly reinitialized. This is a clever way to stay in sync with changes on the attacker’s infrastructure: the 2025 version is aware of server redeployments or migrations and adjusts its session state accordingly, advanced behavior usually seen in modular or professional toolkits.\r\nEvery 30s:\r\nChecks if the C2 has restarted (via Test-ServerRestarted)\r\nIf yes → reset session\r\nElse → fetch new commands from C2\r\nFunction: Get-Updates\r\nFig 5.2: Invoke-Request\r\nGet-Updates calls the Get-UserInfo function to collect user information, converts it into JSON, and passes it to the Invoke-Request function.\r\nFig 5.3: Get-UserInfo\r\nFig 5.4: Recon targets\r\nFig 5.5: KeePass Target\r\nThe 2025 variant targets a larger list of wallets (Exodus, Atomic, Electrum, Ledger), browser extensions (MetaMask, Binance, Coinbase) and KeePass configurations, and returns OS, username, IP and detected apps, making it easier to maintain or expand the malware’s functionality.\r\nC2 Communication\r\nThe 2024 variant sent plain-text or base64-encoded commands over HTTPS.\r\nFig 5.6.1: Plain POST\r\nIn 2025, by contrast, it encrypts the payload using a basic XOR cipher ($XOR_KEY=65) and POSTs the encrypted buffer to the C2 server.\r\nFig 5.6.2: C2 Communication [POST]\r\nIt then receives the C2 server’s response — likely another base64-encoded or encrypted command. It decrypts the received data, reversing the encryption, and returns the decrypted payload to the main loop.\r\nFig 5.7: C2 Communication [GET]\r\nPayload Execution (Set-Updates)\r\nThe 2024 version ran decoded strings as shell commands using cmd.exe.\r\nFig 5.8.1: Payload Execution (CMD)\r\nThe current variant creates PowerShell jobs to run each decoded payload.\r\nFig 5.8.2: Payload Execution (PowerShell)\r\nPowerShell background jobs are less detectable, do not block execution, and are easier to time out and discard if they hang — improving stability and stealth.\r\nConclusion\r\nThe 2025 ViperSoftX variant marks a clear evolution over its 2024 predecessor. It demonstrates:\r\nBetter operational security (simple encryption, unique victim identification)\r\nImproved modularity and maintainability\r\nGreater target coverage and persistence\r\nDynamic infrastructure adaptation (via server ID sync)\r\nThis 2025 variant demonstrates how stealers are becoming more modular, evasive, and feature-rich, posing a greater threat to cryptocurrency users and enterprises alike. As the stealer targets the user’s sensitive information, protecting yourself with a reputable security product such as K7 Antivirus is necessary in today’s world. We at K7 Labs provide detection for such stealers at different stages of infection, as well as for all the latest threats.\r\nIOCs\r\nHASH VARIANT DETECTION NAME\r\nFEAA4AC1A1C51D1680B2ED73FF5DA5F2 2025 Trojan( 000112511 )\r\n6549099FECFF9D41F7DF96402BCCDE9B 2024 Trojan( 0001140e1 )\r\nSource: https://labs.k7computing.com/index.php/in-depth-analysis-of-a-2025-vipersoftx-variant",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://labs.k7computing.com/index.php/in-depth-analysis-of-a-2025-vipersoftx-variant"
	],
	"report_names": [
		"in-depth-analysis-of-a-2025-vipersoftx-variant"
	],
	"threat_actors": [
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-12T02:00:03.085596Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"FROZENBARENTS",
				"Seashell Blizzard",
				"Quedagh",
				"TEMP.Noble",
				"ELECTRUM",
				"UAC-0113",
				"UAC-0082",
				"APT44",
				"VOODOO BEAR",
				"IRON VIKING",
				"G0034",
				"TeleBots",
				"IRIDIUM",
				"Blue Echidna"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3a0be4ff-9074-4efd-98e4-47c6a62b14ad",
			"created_at": "2022-10-25T16:07:23.590051Z",
			"updated_at": "2026-04-12T02:00:04.579883Z",
			"deleted_at": null,
			"main_name": "Energetic Bear",
			"aliases": [
				"ATK 6",
				"Blue Kraken",
				"Crouching Yeti",
				"Dragonfly",
				"Electrum",
				"Energetic Bear",
				"G0035",
				"Ghost Blizzard",
				"Group 24",
				"ITG15",
				"Iron Liberty",
				"Koala Team",
				"TG-4192"
			],
			"source_name": "ETDA:Energetic Bear",
			"tools": [
				"Backdoor.Oldrea",
				"CRASHOVERRIDE",
				"Commix",
				"CrackMapExec",
				"CrashOverride",
				"Dirsearch",
				"Dorshel",
				"Fertger",
				"Fuerboos",
				"Goodor",
				"Havex",
				"Havex RAT",
				"Hello EK",
				"Heriplor",
				"Impacket",
				"Industroyer",
				"Karagany",
				"Karagny",
				"LightsOut 2.0",
				"LightsOut EK",
				"Listrix",
				"Oldrea",
				"PEACEPIPE",
				"PHPMailer",
				"PsExec",
				"SMBTrap",
				"Subbrute",
				"Sublist3r",
				"Sysmain",
				"Trojan.Karagany",
				"WSO",
				"Webshell by Orb",
				"Win32/Industroyer",
				"Wpscan",
				"nmap",
				"sqlmap",
				"xFrost"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a66438a8-ebf6-4397-9ad5-ed07f93330aa",
			"created_at": "2022-10-25T16:47:55.919702Z",
			"updated_at": "2026-04-12T02:00:03.467242Z",
			"deleted_at": null,
			"main_name": "IRON VIKING",
			"aliases": [
				"APT44 ",
				"ATK14 ",
				"BlackEnergy Group",
				"Blue Echidna ",
				"CTG-7263 ",
				"ELECTRUM ",
				"FROZENBARENTS ",
				"Hades/OlympicDestroyer ",
				"IRIDIUM ",
				"Qudedagh ",
				"Sandworm Team ",
				"Seashell Blizzard ",
				"TEMP.Noble ",
				"Telebots ",
				"Voodoo Bear "
			],
			"source_name": "Secureworks:IRON VIKING",
			"tools": [
				"BadRabbit",
				"BlackEnergy",
				"GCat",
				"NotPetya",
				"PSCrypt",
				"TeleBot",
				"TeleDoor",
				"xData"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "b3e954e8-8bbb-46f3-84de-d6f12dc7e1a6",
			"created_at": "2022-10-25T15:50:23.339976Z",
			"updated_at": "2026-04-12T02:00:04.384657Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"Sandworm Team",
				"ELECTRUM",
				"Telebots",
				"IRON VIKING",
				"BlackEnergy (Group)",
				"Quedagh",
				"Voodoo Bear",
				"IRIDIUM",
				"Seashell Blizzard",
				"FROZENBARENTS",
				"APT44"
			],
			"source_name": "MITRE:Sandworm Team",
			"tools": [
				"Bad Rabbit",
				"Mimikatz",
				"Exaramel for Linux",
				"Exaramel for Windows",
				"GreyEnergy",
				"PsExec",
				"Prestige",
				"P.A.S. Webshell",
				"AcidPour",
				"VPNFilter",
				"Neo-reGeorg",
				"Cyclops Blink",
				"SDelete",
				"Kapeka",
				"AcidRain",
				"Industroyer",
				"Industroyer2",
				"BlackEnergy",
				"Cobalt Strike",
				"NotPetya",
				"KillDisk",
				"PoshC2",
				"Impacket",
				"Invoke-PSImage",
				"Olympic Destroyer"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434360,
	"ts_updated_at": 1775960539,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e60695fb97ee1b9491cf512d4b8da8a28072719c.pdf",
		"text": "https://archive.orkl.eu/e60695fb97ee1b9491cf512d4b8da8a28072719c.txt",
		"img": "https://archive.orkl.eu/e60695fb97ee1b9491cf512d4b8da8a28072719c.jpg"
	}
}