June 5, 2025
Severity
High
Analysis Summary
A newly discovered variant of the ViperSoftX malware family emerged in early 2025, representing a significant shift in both tactics and sophistication. This PowerShell-based stealer showcases a high degree of modularity, stealth, and resilience, signaling a departure from its earlier, more basic 2024 version. Unlike its predecessor, the latest strain features an advanced persistence mechanism, enhanced detection evasion techniques, and a broadened targeting scope, including password managers, crypto wallets, and detailed system reconnaissance.
The malware operates through a multi-stage execution model, using GUID-based mutexes, encrypted communication, and intelligent session handling to bypass behavioral analysis and remain under the radar. Its use of modern .NET APIs, combined with stealthy HTTP communication mimicking legitimate browser behavior, makes it particularly challenging for traditional security tools to detect. The inclusion of PowerShell background jobs, multiple fallback persistence methods, and professional-grade C2 infrastructure coordination suggests that this campaign is being run by a highly skilled and well-resourced threat actor.
This evolution of ViperSoftX poses a serious threat to both individuals and organizations, especially those in the finance, cryptocurrency, and tech sectors. Given its stealth, adaptability, and data theft capabilities, immediate attention is required to detect, mitigate, and defend against this evolving malware strain.
Impact
- Sensitive Data Theft
- Security Bypass
Indicators of Compromise
MD5
feaa4ac1a1c51d1680b2ed73ff5da5f2
6549099fecff9d41f7df96402bccde9b
SHA-256
0a4888750a50461effd10757fc9bebfacbc661a9ad57fd4c23eefbc735f7ca94
cc35166bacf6491af4bf3251c7173a502e85af8e84239660155b26ec0b9ea3b6
SHA-1
0bb560376254bae42dabd323fd283bc640a9cc64
b473b6daa93bb5a7a47c9b9208afb41ef6c6d7a1
Remediation
- Block all threat indicators at your respective controls.
- Search for the indicators of compromise (IOCs) in your environment using your respective security controls.
- Allow PowerShell only for trusted users, or disable it where it is not needed.
- Set alerts for unusual PowerShell use, such as background jobs or encoded commands.
- Monitor scheduled tasks, especially unknown or suspicious entries.
- Check the Startup folders for unknown .ps1 or .bat files and remove them.
- Block or monitor outgoing traffic to unknown IPs or suspicious domains.
- Detect web traffic that includes encoded or base64 content.
- Use updated antivirus or EDR tools that detect behavior-based threats.
- Use application control tools such as AppLocker to block unauthorized script execution.
- Test suspicious PowerShell scripts in a sandbox before running them.
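The following triage script is an added example written for this advisory, not code from the advisory itself or from any vendor tool. It applies three of the remediation steps above on a single Windows host: it hashes every file in the per-user and all-users Startup folders and compares the results against the MD5, SHA-256 and SHA-1 indicators listed in this advisory, flags any .ps1 or .bat file in those folders regardless of hash, and lists scheduled tasks whose action launches PowerShell with an encoded command, a hidden window, or a script under a user-writable path. The suspicious-argument patterns are a heuristic chosen for this example, not indicators published here, and the script assumes a Windows host with the built-in ScheduledTasks module. It only reports; removal is left to the analyst.

```powershell
# Added example (not from the advisory): defender-side Startup-folder and
# scheduled-task triage for the ViperSoftX indicators listed above.
# Run from an elevated PowerShell session so the all-users Startup folder
# and every registered task are readable.

# IOC hashes copied verbatim from the "Indicators of Compromise" section.
$IocHashes = @{
    MD5    = @('feaa4ac1a1c51d1680b2ed73ff5da5f2',
               '6549099fecff9d41f7df96402bccde9b')
    SHA256 = @('0a4888750a50461effd10757fc9bebfacbc661a9ad57fd4c23eefbc735f7ca94',
               'cc35166bacf6491af4bf3251c7173a502e85af8e84239660155b26ec0b9ea3b6')
    SHA1   = @('0bb560376254bae42dabd323fd283bc640a9cc64',
               'b473b6daa93bb5a7a47c9b9208afb41ef6c6d7a1')
}

# Startup locations to inspect: the current user's folder and the all-users folder.
$StartupDirs = @(
    [Environment]::GetFolderPath('Startup'),
    [Environment]::GetFolderPath('CommonStartup')
)

$Findings = New-Object System.Collections.Generic.List[object]

foreach ($dir in $StartupDirs) {
    if (-not (Test-Path -LiteralPath $dir)) { continue }
    Get-ChildItem -LiteralPath $dir -File -Force -Recurse | ForEach-Object {
        $file = $_
        # Hash each file with all three algorithms and compare against the IOC list.
        foreach ($algo in $IocHashes.Keys) {
            $hash = (Get-FileHash -LiteralPath $file.FullName -Algorithm $algo).Hash.ToLower()
            if ($IocHashes[$algo] -contains $hash) {
                $Findings.Add([pscustomobject]@{
                    Type   = 'IOC hash match'
                    Detail = "$algo $hash"
                    Path   = $file.FullName
                })
            }
        }
        # Script files in a Startup folder deserve review even when the hash is
        # unknown: a repacked sample will not match a published hash.
        if ($file.Extension -in @('.ps1', '.bat')) {
            $Findings.Add([pscustomobject]@{
                Type   = 'Script in Startup folder'
                Detail = $file.Extension
                Path   = $file.FullName
            })
        }
    }
}

# Heuristic patterns (chosen for this example) for PowerShell task actions that
# use encoded commands, hidden windows, or scripts in user-writable locations.
$SuspiciousArgs = @('-enc', '-encodedcommand', '-w hidden', '-windowstyle hidden',
                    '\AppData\', '\Temp\', '\ProgramData\')

Get-ScheduledTask | ForEach-Object {
    $task = $_
    foreach ($action in $task.Actions) {
        $exe       = [string]$action.Execute     # empty for non-exec action types
        $argString = [string]$action.Arguments
        if ($exe -match 'powershell|pwsh') {
            $hit = $SuspiciousArgs | Where-Object { $argString -like "*$_*" } | Select-Object -First 1
            if ($hit) {
                $Findings.Add([pscustomobject]@{
                    Type   = 'Suspicious PowerShell scheduled task'
                    Detail = "$($task.TaskPath)$($task.TaskName) matched '$hit'"
                    Path   = "$exe $argString"
                })
            }
        }
    }
}

if ($Findings.Count -eq 0) {
    Write-Host 'No IOC matches or suspicious Startup/scheduled-task entries found.'
} else {
    $Findings | Format-Table -AutoSize -Wrap
}
```

Each finding is emitted as an object with a Type, Detail and Path, so the output can be piped to Export-Csv for collection across hosts. A hash match is a strong indicator; the script-in-Startup and scheduled-task rows are review prompts, since legitimate administrative tasks also launch PowerShell and must be confirmed against change records before anything is removed.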