Cybersecurity researchers identified an evolved variant of the PowerShell-based ViperSoftX stealer spreading across underground forums and threat intelligence communities.
This latest sample reflects a major milestone in modularity, evasion tactics, and persistence capabilities compared to its earlier 2024 counterpart, posing heightened risks to both cryptocurrency users and enterprises.
Enhanced Execution Flow
The core execution logic of the new ViperSoftX stealer demonstrates a highly structured and modular design.

Upon activation, the malware initiates itself, establishes persistence, manages session states, and orchestrates encrypted command-and-control (C2) communications, ensuring continuous operation and adaptability.
Unlike the 2024 version, which relied on static string mutexes and limited itself to simple data exfiltration, the 2025 variant leverages a GUID-based mutex for unique infection tracking and introduces a significantly longer waiting period (up to 300 seconds) to deflect sandbox detection, thus enhancing stealth.
A major leap in persistence is observed: while the previous version depended on external loaders or droppers for system persistence, the new variant incorporates a multi-layered fallback mechanism directly within its core.
This includes creating scheduled tasks (e.g., “WindowsUpdateTask”), manipulating HKCU registry run keys, and deploying batch script launchers under the user’s startup folder.

The malware also self-copies to obfuscated paths under AppData and sets up hidden batch launchers to ensure it survives routine system reboots and user logouts.
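The persistence artifacts described above can be checked on a suspect host with the following PowerShell triage script, an added example that is not part of the report or of K7 Labs' research. The task name "WindowsUpdateTask" comes from the report; the batch-launcher and AppData heuristics are assumptions that will also flag some legitimate software, so every hit needs manual review.

```powershell
# Added host-triage script; not from the report. Hunts the persistence described above:
# the "WindowsUpdateTask" scheduled task (name from the report), HKCU Run entries and
# Startup-folder batch launchers, and hidden .bat/.cmd files under AppData. The launcher
# and AppData heuristics are assumptions and will flag some legitimate software.
function Find-SuspiciousPersistence {
    $findings = New-Object System.Collections.Generic.List[object]
    $launcher = '\.(bat|cmd)(\s|"|$)'   # action or value that runs a batch launcher

    # 1. Scheduled tasks: the reported name, or any task whose action runs a batch file
    Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
        $task = $_
        $actions = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
        if ($task.TaskName -eq 'WindowsUpdateTask' -or $actions -match $launcher) {
            $findings.Add([pscustomobject]@{ Source='ScheduledTask'; Name=$task.TaskName; Detail=$actions })
        }
    }

    # 2. HKCU Run keys pointing at a batch launcher or at anything under AppData
    $runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    $run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
    if ($run) {
        foreach ($p in $run.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # provider metadata, not a Run entry
            $value = [string]$p.Value
            if ($value -match $launcher -or $value -match '\\AppData\\') {
                $findings.Add([pscustomobject]@{ Source='HKCU Run'; Name=$p.Name; Detail=$value })
            }
        }
    }

    # 3. Batch launchers dropped in the user's Startup folder
    $startup = [Environment]::GetFolderPath('Startup')
    Get-ChildItem -Path $startup -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Extension -in @('.bat', '.cmd') } |
        ForEach-Object { $findings.Add([pscustomobject]@{ Source='Startup'; Name=$_.Name; Detail=$_.FullName }) }

    # 4. Hidden batch files under Roaming and Local AppData (the reported self-copy location)
    foreach ($root in @([Environment]::GetFolderPath('ApplicationData'),
                        [Environment]::GetFolderPath('LocalApplicationData'))) {
        Get-ChildItem -Path $root -Recurse -File -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.Extension -in @('.bat', '.cmd') -and ($_.Attributes -band [IO.FileAttributes]::Hidden) } |
            ForEach-Object { $findings.Add([pscustomobject]@{ Source='AppData hidden'; Name=$_.Name; Detail=$_.FullName }) }
    }
    return $findings
}

Find-SuspiciousPersistence | Format-Table -AutoSize
```

Run it in an elevated session so that Get-ScheduledTask can enumerate every task; the Startup and Run checks only cover the current user's profile.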
Preparation routines have also evolved. The new ViperSoftX generates full 64-character random GUIDs for each infection, further complicating traditional detection and attribution efforts.
These GUIDs are embedded within base64-encoded HTTP GET requests, closely mimicking legitimate browser activity to slip past intrusion detection systems.
Communication with the C2 infrastructure is now handled using the modern HttpClient API, as opposed to the deprecated System.Net.WebClient, providing more advanced HTTP header control, improved timeout management, and more convincing traffic patterns.
The stealer methodically collects public IP addresses from multiple fallback sources, enabling attackers to geo-locate victims or correlate infections by campaign.
The main loop continuously checks for signs of C2 server redeployment, syncing server IDs and resetting session states as needed, a technique rarely seen outside sophisticated criminal toolkits.
When collecting user data, ViperSoftX 2025 covers an expanded spectrum of targets ranging from major cryptocurrency wallets (Exodus, Atomic, Electrum, Ledger) and browser crypto extensions (MetaMask, Binance, Coinbase) to KeePass password configuration files.
This data is aggregated, JSON-formatted, and funneled back through an encrypted C2 channel employing a custom XOR cipher, making interception and analysis more labor-intensive for defenders.
Stealthier Payload Execution
Payload execution has similarly advanced: where the 2024 variant spawned shell commands via cmd.exe, the latest version launches background PowerShell jobs.
This approach not only reduces detection by endpoint security solutions but also ensures the malware remains stable and responsive to C2 instructions, discarding or timing out stalled jobs as needed.
According to the report, the 2025 ViperSoftX variant marks a noteworthy evolution in the PowerShell malware landscape.
By integrating robust self-persistence, advanced C2 synchronization, unique victim identification, and broader reconnaissance, this stealer now resembles the design and operational maturity of professional, modular infostealer frameworks.
With its enhanced evasion, expanded target coverage, and dynamic infrastructure adaptability, ViperSoftX is a growing threat to both individual crypto users and enterprise networks.
Security vendors such as K7 Labs have adapted detection mechanisms to counter these advanced variants at multiple stages of the infection cycle.
IOCs
| HASH | VARIANT | DETECTION NAME |
|---|---|---|
| FEAA4AC1A1C51D1680B2ED73FF5DA5F2 | 2025 | Trojan( 000112511 ) |
| 6549099FECFF9D41F7DF96402BCCDE9B | 2024 | Trojan( 0001140e1 ) |