Kaspersky GReAT researchers have uncovered a new Remote Access Trojan (RAT) targeting hundreds of users of adult games. The malware, dubbed Argamal, has already been detected in Russia, Brazil, Germany, Vietnam and in a multitude of other countries. While the campaign is primarily aimed at stealing data and credentials, the RAT also gives attackers full remote control over infected devices, enabling them to execute a wide range of malicious activities.
In April 2026, during routine telemetry monitoring, Kaspersky Global Research and Analysis Team uncovered a new malware campaign targeting players of adult games, commonly referred to as “hentai games.” The campaign relied on trojanized games that deployed a previously unknown malicious implant onto victims’ devices. After remaining dormant for several days, the implant downloaded and executed an additional trojan, ultimately leading to full system compromise and giving attackers extensive remote access to the infected machine.
The malicious games were distributed through multiple channels. Researchers identified several websites hosting game screenshots alongside download links that redirected users to PixelDrain, a legitimate file-sharing service frequently abused for malware delivery. In parallel, the trojanized installers were also spread via torrent trackers, including AniRena. In all observed cases, victims downloaded an archive containing the infected game files.
Malicious game torrent in AniRena
The malicious archive contained legitimate game files alongside a tampered library required for the game to run. As a result, the malicious code was automatically executed when the user launched the game, without affecting normal gameplay and making the infection less noticeable to victims.
During the investigation, researchers also identified additional delivery methods used to distribute the RAT. In some cases, the malicious payload was embedded directly within the game files and loaded through modified components bundled with the game. In another instance, the threat actor distributed a malicious file through a gaming forum, disguising it as a game cheat.
“Cybercriminals have long abused gaming-related content and unofficial software installers to distribute malware, relying on users downloading files from unverified sources with little suspicion. Throughout our analysis, we observed the malware being actively updated with new features and infrastructure changes, suggesting the campaign is ongoing and likely to evolve further. The growing availability of public tools and automation has made malware development easier and faster for threat actors. As a result, users should avoid downloading software from unofficial websites and platforms,” said Dmitry Galov, Head of Russia and CIS unit at Kaspersky Global Research and Analysis Team.
Based on technical information and comments in the code, the researchers assume with medium confidence that the developer of the downloader chain might be a Spanish-speaking threat actor.
Kaspersky solutions detect this threat as Trojan.Win32.Termixia.*, Trojan.Win32.Agent.*, HEUR:Trojan.Win32.Argamal.gen and HEUR:Trojan-Downloader.Win32.Argamal.gen.
For more details about Argamal malware visit securelist.com.
To stay safe, Kaspersky GReAT experts recommend users:
Be cautious with downloads. It’s safer to install games and mods only from official sources or reputable websites. Unofficial sources may contain malware.
Use a strong security solution on all computers and mobile devices, such as Kaspersky Premium. It will warn you and prevent any infection.
You can enable the ‘show file extensions’ option in the Windows settings. This will make it much easier to distinguish potentially malicious files. As Trojans are programs, you should be warned to stay away from file extensions like “exe”, “vbs” and “scr”. Cybercriminals could use several extensions to masquerade a malicious file as a video, photo, or a document.
About the Global Research & Analysis Team Established in 2008, Global Research & Analysis Team (GReAT) operates at the very heart of Kaspersky, uncovering APTs, cyber-espionage campaigns, major malware, ransomware and underground cyber-criminal trends across the world. Today GReAT consists of 35+ experts working globally – in Europe, Russia, Latin America, Asia and the Middle East. Talented security professionals provide company leadership in anti-malware research and innovation, bringing unrivaled expertise, passion and curiosity to the discovery and analysis of cyberthreats.
