NEWS ViperSoftX has mutated: hackers created an invulnerable crypto-stealer

ExcalibuR


It hides in the system, waits 300 seconds, and only then starts the hunt.


On underground forums, new samples of PowerShell-based malware have begun circulating, representing a modernized version of the well-known data stealer ViperSoftX. The new 2025 variant shows a significant technical leap compared to previous versions released in 2024. Enhanced modularity, stealth, and resistance to removal make it especially dangerous for both cryptocurrency users and corporate systems.


Code analysis confirms that the malware has received numerous upgrades aimed at increasing its resilience and complicating detection. Its architecture has become more flexible and dynamic, and its entire lifecycle—from initialization to interaction with the command server—has been carefully thought out.


The launch process has been significantly overhauled in the new version. Unlike the 2024 variant, which used a simple 10-second delay and a static mutex, the updated build uses a GUID-based identifier to prevent more than one instance from running at a time and extends the initial pause to 300 seconds. The longer sleep is aimed at sandboxes and behavioral analysis systems whose analysis window is shorter than five minutes; it is only effective against sandboxes that do not accelerate or patch out sleep calls, so the delay lowers the chance of automated detection rather than eliminating it.


For its network layer, the malware has moved from the older System.Net.WebClient component to HttpClient, which lets it set HTTP headers freely and maintain HTTPS connections that resemble those of legitimate software. Data exchanged between the infected host and the command server is no longer sent in plaintext or base64 as before, but XORed with a single-byte key, 65 (0x41). This is obfuscation rather than encryption: a one-byte XOR key is recovered trivially from the ciphertext alone, so it only defeats signature matching on the raw bytes and does nothing against an analyst who has a captured blob.
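
To show how little a single-byte XOR buys the operator, here is an added example (not code from the report or from the malware) that recovers the key from a captured blob in two ways: from one known plaintext byte, and by brute-forcing all 256 keys and keeping the one that yields a valid JSON object. The beacon layout and field names are constructed for illustration; the page does not describe the real wire format.

```python
"""Single-byte XOR (key 65 in the reported build) is obfuscation, not encryption.
Added example: recover the key from a captured blob without having the sample."""
import json

REPORTED_KEY = 65  # key reported for the 2025 build


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with one key byte; encoding and decoding are the same operation."""
    return bytes(b ^ key for b in data)


# Constructed beacon. Field names are assumed for illustration only; the real
# wire format of the malware is not described on the page.
SAMPLE_PLAINTEXT = json.dumps({
    "guid": "11111111-2222-3333-4444-555555555555",
    "host": "DESKTOP-EXAMPLE",
    "wallets": ["Exodus", "Electrum"],
    "ext": ["MetaMask"],
}).encode()
CAPTURED_BLOB = xor_bytes(SAMPLE_PLAINTEXT, REPORTED_KEY)


def key_from_known_byte(blob: bytes, known_first_char: str = "{") -> int:
    """Known-plaintext recovery: one known plaintext byte reveals the whole key."""
    return blob[0] ^ ord(known_first_char)


def recover_json_keys(blob: bytes) -> list:
    """Brute force all 256 keys; keep those whose output decodes to a JSON object."""
    found = []
    for key in range(256):
        try:
            obj = json.loads(xor_bytes(blob, key).decode("utf-8"))
        except (UnicodeDecodeError, ValueError):  # JSONDecodeError is a ValueError
            continue
        if isinstance(obj, dict):
            found.append(key)
    return found


def decode_beacon(blob: bytes) -> dict:
    """Decode a captured beacon without knowing the key in advance."""
    keys = recover_json_keys(blob)
    if len(keys) != 1:
        raise ValueError(f"expected exactly one candidate key, got {keys}")
    return json.loads(xor_bytes(blob, keys[0]).decode("utf-8"))


if __name__ == "__main__":
    print("known-byte key:", key_from_known_byte(CAPTURED_BLOB))
    print("brute-force keys:", recover_json_keys(CAPTURED_BLOB))
    print(decode_beacon(CAPTURED_BLOB))
```

The JSON-parse filter is what makes the brute force unambiguous: scoring by "how many printable bytes" alone is not enough, because any key that differs from the real one only in the low five bits still maps letters to letters. When the plaintext format is unknown, a known-plaintext byte (a protocol prefix, a hostname, a wallet name) serves the same purpose.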


Persistence has become noticeably more robust. While the 2024 version of ViperSoftX often relied on external loaders, the current variant carries three independent methods to survive a reboot: a scheduled task disguised as a system task and named “WindowsUpdateTask”, an autorun value under the HKCU Run key, and a hidden BAT file in the user’s Startup folder. The script itself is copied to an inconspicuous path, “AppData\Microsoft\Windows\Config\winconfig.ps1”, and its installation is hidden from the user. Any one of the three artifacts is enough to re-launch the stealer, so removal has to cover all of them.
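
Each of the three persistence methods leaves a distinct, loggable artifact. The following is an added example (not from the report) of hunting logic that runs over Sysmon-style events: process creation (ID 1) for the schtasks call, registry value set (ID 13) for the HKCU Run entry, and file creation (ID 11) for the Startup-folder BAT and the dropped winconfig.ps1. The events are constructed, the user name and SID are placeholders, and the “Roaming” segment of the drop path is an assumption since the article abbreviates it; Sysmon records HKCU keys under HKU\<SID>, which the registry rule accounts for.

```python
"""Added example: hunt for the three persistence artifacts in Sysmon-style events.
The events below are constructed, not real telemetry."""
import re

# Constructed events shaped like Sysmon ID 1 (process create), 11 (file create)
# and 13 (registry value set). User "u" and the SID are placeholders.
EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks.exe /create /tn WindowsUpdateTask /sc onlogon '
                    r'/tr "powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass '
                    r'-File C:\Users\u\AppData\Roaming\Microsoft\Windows\Config\winconfig.ps1"'},
    {"EventID": 13,
     "TargetObject": r"HKU\S-1-5-21-1-2-3-1001\Software\Microsoft\Windows\CurrentVersion\Run\WinConfig",
     "Details": r"powershell.exe -w hidden -ep bypass -f C:\Users\u\AppData\Roaming\Microsoft\Windows\Config\winconfig.ps1"},
    {"EventID": 11,
     "TargetFilename": r"C:\Users\u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.bat"},
    {"EventID": 11,
     "TargetFilename": r"C:\Users\u\AppData\Roaming\Microsoft\Windows\Config\winconfig.ps1"},
    {"EventID": 13,  # benign control: an ordinary per-user Run entry
     "TargetObject": r"HKU\S-1-5-21-1-2-3-1001\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r'"C:\Users\u\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
]

STARTUP_DIR = re.compile(r"\\start menu\\programs\\startup\\", re.I)
# Drop path from the article; the "Roaming" segment is assumed.
DROP_PATH = re.compile(r"\\appdata\\(roaming\\)?microsoft\\windows\\config\\[^\\]+\.ps1$", re.I)
RUN_KEY = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run\\", re.I)
POWERSHELL = re.compile(r"powershell(\.exe)?\s", re.I)
TASK_NAME = re.compile(r'/tn\s+"?windowsupdatetask"?', re.I)


def check_event(ev: dict):
    """Return (rule, detail) when an event matches a persistence rule, else None."""
    eid = ev.get("EventID")
    if eid == 1 and ev.get("Image", "").lower().endswith("schtasks.exe"):
        cmd = ev.get("CommandLine", "")
        # The reported task name, or any new task whose action is a PowerShell launch.
        if "/create" in cmd.lower() and (TASK_NAME.search(cmd) or POWERSHELL.search(cmd)):
            return ("scheduled_task", cmd)
    elif eid == 13 and RUN_KEY.search(ev.get("TargetObject", "")):
        details = ev.get("Details", "")
        if POWERSHELL.search(details) or details.lower().endswith(".ps1"):
            return ("hkcu_run_key", ev["TargetObject"])
    elif eid == 11:
        path = ev.get("TargetFilename", "")
        if STARTUP_DIR.search(path) and path.lower().endswith(".bat"):
            return ("startup_folder_bat", path)
        if DROP_PATH.search(path):
            return ("dropped_script", path)
    return None


def hunt(events) -> list:
    """Run every event through the rules and collect the hits in order."""
    return [hit for hit in (check_event(e) for e in events) if hit]


if __name__ == "__main__":
    for rule, detail in hunt(EVENTS):
        print(f"{rule:20} {detail}")
```

In production the same rules belong in the SIEM, but the point stands regardless of tooling: a Run value or scheduled task whose action is powershell.exe with a hidden window and a bypassed execution policy, or a .bat dropped into the Startup folder, is worth an alert on its own, and the named task and drop path from the report are the high-confidence indicators to add on top.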


The malicious code’s functionality has also expanded significantly. In addition to basic data collection, it now targets numerous cryptocurrency wallets, including Exodus, Atomic, Electrum, and Ledger. Browser extensions for cryptocurrency management—MetaMask, Binance, and Coinbase—are also targeted, as well as KeePass configuration files.


Additionally, the malware looks up the victim’s public IP address through a list of fallback external services and uses the result for geolocation and to tie the infection to a specific campaign. Previous versions did not have this mechanism; the lookup itself is one of the few network actions the stealer performs before contacting its command server.


The modular structure has become even more sophisticated: functions like Get-ServerID and Test-ServerRestarted allow the malware to track changes in the C2 infrastructure and automatically re-establish communication if the server has moved or been restarted. This brings the malware closer to the level of tools used in professional targeted attacks.


The report’s authors emphasize that the new ViperSoftX build represents not just an evolution but a qualitative leap forward. Unique victim identification, encrypted communication, and synchronization with the command server make it an extremely difficult target for detection and analysis. Its expanded list of targets and high resilience raise the bar for all similar tools in the malware ecosystem.


To protect against such threats, experts recommend layered solutions capable of detecting malicious activity at different stages of infection. In practice that means PowerShell script block and module logging, alerting on the persistence artifacts this build leaves behind (a scheduled task named “WindowsUpdateTask”, PowerShell launched from an HKCU Run value, a BAT file in the Startup folder, a script under AppData\Microsoft\Windows\Config), and monitoring unexpected access to cryptocurrency wallet, browser extension, and KeePass files.