Saturday, June 14, 2025
ViperSoftX Malware Enhances Modularity, Stealth, and Persistence Techniques

The cybersecurity landscape witnessed the emergence of new PowerShell-based malware samples circulating in underground forums and threat-hunting communities, marking a significant evolution of the notorious ViperSoftX stealer.

This updated variant, building on its 2024 predecessor, showcases remarkable advancements in modularity, stealth, and persistence mechanisms, posing a heightened threat to cryptocurrency users and enterprises.

Detailed analysis of the malware’s code reveals a sophisticated design with enhanced operational security and dynamic adaptability, making it a formidable challenge for defenders.

Refined Execution Flow

The 2025 ViperSoftX variant demonstrates a meticulously structured execution flow, broken down into distinct phases: initialization, persistence setup, session management, and command-and-control (C2) communication.

[Figure: ViperSoftX execution flow]

Unlike the 2024 version, which relied on a static mutex with a simple 10-second delay to prevent multiple instances, the new variant employs a GUID-based mutex identifier and extends the delay to 300 seconds.

This clever tweak not only ensures singular execution but also delays detection by sandboxes and behavioral analysis tools.

Additionally, network stealth has been significantly improved through the adoption of HttpClient over the deprecated System.Net.WebClient, enabling advanced header manipulation and HTTPS compatibility that mimics legitimate software behavior.

C2 communication further evolves from plain text or base64-encoded data to payloads encrypted with a basic XOR cipher (key=65), rendering network logs less suspicious and bypassing traditional intrusion detection systems.
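The encoding change described above is easy to check from the defender's side, because single-byte XOR is its own inverse and does not hide the structure of the text it covers. The following Python is an added example, not code from the report or from the malware: it scores a captured request body against the three layers the two generations are said to use (plain text, base64, XOR with key 65) and returns the most text-like reading. The beacon text is constructed for the demonstration.

```python
import base64

XOR_KEY = 65  # single-byte key reported for the 2025 C2 payloads (65 == ASCII 'A')

def xor_transform(data: bytes, key: int = XOR_KEY) -> bytes:
    """Single-byte XOR is its own inverse: one function encodes and decodes."""
    return bytes(b ^ key for b in data)

def text_score(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII or tab/CR/LF.

    XOR with 0x41 maps every uppercase letter to a control byte ('A' -> 0x00),
    so a script body and its XOR-65 image are rarely both close to 1.0.
    """
    if not data:
        return 0.0
    return sum(0x20 <= b < 0x7F or b in (9, 10, 13) for b in data) / len(data)

def classify_payload(body: bytes, threshold: float = 0.95) -> tuple[str, bytes]:
    """Return (layer, decoded) for the most text-like of the candidate layers;
    on a score tie the earlier, less-transformed reading is kept."""
    candidates = []
    try:  # validate=True rejects bodies with bytes outside the base64 alphabet
        candidates.append(("base64", base64.b64decode(body, validate=True)))
    except ValueError:
        pass
    candidates.append(("plain", body))
    candidates.append(("xor65", xor_transform(body)))
    layer, decoded = max(candidates, key=lambda c: text_score(c[1]))
    if text_score(decoded) < threshold:
        return "unknown", body
    return layer, decoded

# Constructed beacon text standing in for a captured C2 body; not a real sample.
SAMPLE = b"ServerID=7f3a;Status=alive;Task=ping"

def demo() -> dict[str, str]:
    """Classify the constructed body under each generation's encoding."""
    bodies = {
        "2024-style plain": SAMPLE,
        "2024-style base64": base64.b64encode(SAMPLE),
        "2025-style xor65": xor_transform(SAMPLE),
    }
    return {label: classify_payload(body)[0] for label, body in bodies.items()}

if __name__ == "__main__":
    for label, layer in demo().items():
        print(f"{label:18s} -> {layer}")
```

A body that scores "xor65" has been reversed in full by the same call, so the decoded text can be passed straight to the rules that matched the 2024 plaintext beacons.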

Robust Persistence

Persistence mechanisms in the 2025 variant are notably more robust, incorporating a three-layered fallback strategy to survive reboots, a stark contrast to the 2024 version, where persistence was often delegated to external loaders.

The new approach includes a scheduled task named “WindowsUpdateTask” triggered at logon, a registry run key under HKCU, and a hidden batch file in the startup folder, ensuring the malware re-establishes itself post-reboot.

[Figure: Task Scheduler entry]

The script self-copies to a discreet location (AppData\Microsoft\Windows\Config\winconfig.ps1) and employs evasion tactics during deployment. Beyond persistence, the malware’s targeting scope has expanded significantly.

While the older variant focused on basic data exfiltration, the 2025 version targets an extensive array of cryptocurrency wallets (Exodus, Atomic, Electrum, Ledger), browser extensions (MetaMask, Binance, Coinbase), and KeePass configurations.

It also actively fetches the victim’s public IP via multiple fallback web services for geolocation and campaign tracking, a feature absent in its predecessor.

Enhanced modularity is evident in functions like Get-ServerID and Test-ServerRestarted, which enable the malware to detect C2 server redeployments and reinitialize sessions accordingly, showcasing professional-grade adaptability.

According to the report, the 2025 ViperSoftX variant represents a clear leap forward, with improved operational security through unique victim identification, encrypted communications, and dynamic infrastructure synchronization.

Its modular design, broader target coverage, and persistent nature underscore the growing sophistication of stealers in the threat landscape.

Protecting against such evolving malware requires robust security solutions like K7 Antivirus, which offers detection at various infection stages.

K7 Labs remains committed to identifying and mitigating these advanced threats to safeguard users and organizations.

IOCs

Hash                              Variant  Detection name
FEAA4AC1A1C51D1680B2ED73FF5DA5F2  2025     Trojan (000112511)
6549099FECFF9D41F7DF96402BCCDE9B  2024     Trojan (0001140e1)

Aman Mishra
Aman Mishra is a Security and privacy Reporter covering various data breach, cyber crime, malware, & vulnerability.