A new malware campaign is targeting a very specific habit: downloading adult games from unofficial sources. Argamal hides inside modified game archives, then gives attackers remote control over an infected device.
Kaspersky’s Global Research and Analysis Team said hundreds of users have already been infected across multiple countries, including Russia, Brazil, Germany, and Vietnam. The pattern suggests the campaign is not random, but a focused operation aimed at communities that often trust shared game files.
How the infection works
The malware was first detected in April 2026 through routine telemetry monitoring. According to Kaspersky, attackers distribute altered game archives that contain a malicious library inside what appears to be a normal installation package.
Once installed, Argamal does not always act immediately. It can wait for several days before downloading an additional trojan that opens the door to broader compromise and full control of the victim’s machine.
| Aspect | Details |
|---|---|
| Malware Name | Argamal (RAT) |
| Main Target | Adult game players or hentai game users |
| Distribution Channels | PixelDrain, AniRena (torrent), fake cheat forums |
| Impact | Credential theft and full remote device control |
| Suspected Attacker Origin | Spanish-speaking threat actors, with medium confidence |
Dmitry Galov, head of Kaspersky GReAT for Russia and CIS, said the campaign is still evolving. He noted that the malware is actively updated with new features and infrastructure changes.
“We observed the malware being actively updated with new features and infrastructure changes. The increasing availability of public tools and automation makes malware development easier for attackers,” he said.
What security teams have identified
Kaspersky has already mapped the threat into several detection families, including Trojan.Win32.Termixia.*, Trojan.Win32.Agent.*, HEUR:Trojan.Win32.Argamal.gen, and HEUR:Trojan-Downloader.Win32.Argamal.gen. These labels show that the threat has been tracked and categorized inside the company’s security systems.
| Detection Variant | Meaning |
|---|---|
| Trojan.Win32.Termixia.* | Argamal detection variant |
| Trojan.Win32.Agent.* | Argamal detection variant |
| HEUR:Trojan.Win32.Argamal.gen | Heuristic Argamal detection |
| HEUR:Trojan-Downloader.Win32.Argamal.gen | Argamal downloader detection |
Security steps users can take
Kaspersky GReAT recommends downloading games or modifications only from trusted websites and official platforms. It also advises Windows users to enable file extensions so they can spot disguised .exe, .vbs, or .scr files more easily.
The company further says a strong security suite such as Kaspersky Premium can help detect and block threats in real time. For users, the warning is straightforward: a file that looks like a harmless game can still hide malware capable of stealing credentials and opening illegal access to a computer system.
