November 28, 2022

What is ViperSoftX Malware? How to Protect from ViperSoftX Malware?


Google Chrome is a popular open-source browser used to access the internet and run web applications, and it is one of the most trusted browsing platforms worldwide. Even so, many attacks target Google Chrome, because the browser is a prime place to steal credentials and other sensitive information.

In this article, we discuss one widely seen attack in which a Google Chrome extension is used as a cryptocurrency stealer: ViperSoftX malware. We look at what ViperSoftX is, how it abuses a Google Chrome extension to steal cryptocurrency, and how to protect against it.

What is a Google Chrome extension? Are they safe?

A Google Chrome extension is a small software program that enhances the user experience by adding customized features. Chrome extensions are built with web technologies such as HTML, CSS, and JavaScript.

The vast majority of extensions are safe; the concern is permissions, because an extension can be granted access to sensitive and critical information. Extensions can be a potential attack vector if not managed correctly. Let’s look at one such case.

What is ViperSoftX Malware?

ViperSoftX is Windows malware that deploys a Google Chrome extension named ‘VenomSoftX’. It is an information stealer with very interesting obfuscation capabilities. ViperSoftX is a JavaScript-based RAT (remote access trojan); it was initially observed in the early 2020s, but the malware has since grown considerably and has been actively used in recent campaigns.

ViperSoftX is mostly distributed via cracked software such as Microsoft Office and Adobe Illustrator, often spread through torrent downloads. Only Windows users have been impacted so far.

Recent Campaign Activity – Victims of ViperSoftX Malware Campaign

According to Avast, it has protected more than 93,000 users from this malware. The malware is distributed all around the world, mostly via torrent files or software-sharing sites. The most affected countries are India (7,000+), the USA (6,000+), and Italy (5,000+).

Impacted countries since the beginning of 2022 (Source: Avast)

As of 8 November 2022, a total of $130,421.56 in cryptocurrency had been stolen by ViperSoftX and VenomSoftX. The table below shows an estimate of attacker earnings across several cryptocurrency wallets.

Cryptocurrency       Earnings in cryptocurrency   ~Earnings in USD
Bitcoin              5.947 BTC                    $116,812.81
Ethereum             5.312 ETH                    $7,826.13
Dogecoin             34,355.528 DOGE              $3,474.47
Bitcoin Cash         9.11997194 BCH               $1,021.39
Cosmos (ATOM)        65.153 ATOM                  $846.44
Tezos                191.445553 XTZ               $241.32
Dash                 4.72446445 DASH              $199

Source: Avast

How Does the ViperSoftX Malware Campaign Work? – Attack Flow

This section focuses on how ViperSoftX abuses a Google Chrome extension to steal cryptocurrency.

ViperSoftX arrives disguised as the cracked software the victim downloads. The executable is commonly named patch.exe or activator.exe. activator.exe is the loader: it decrypts data embedded in itself using AES, and the decrypted content reveals five different files:

  • ViperSoftX PowerShell payload hidden as a log file

  • XML file (task scheduler definition)

  • VBS file, used to create the scheduled task and establish persistence

  • Cracked application binary

  • Manifest file

The log file is usually larger than 5 MB and contains a single malicious line of code. It is stored under varying names, for example as a “driver”, “log”, or “text” file.

ViperSoftX is very good at hiding itself: before the payload executes, it is protected by 8 layers of code obfuscation. The 3 major obfuscation techniques used are:

  1. AES decryption: the first layer

  2. Character array conversion: usually the 3rd layer; it simply computes a hard-coded array of characters.

  3. UTF-8 decoding: present in multiple code snippets; this is the most frequently recurring deobfuscation layer.

ViperSoftX achieves persistence by creating a copy of itself in %APPDATA%. The attacker also tries to make it look trustworthy by using legitimate-sounding names such as vpn_port.dll and install.sig. The malware also drops another script file and creates a shortcut in the startup directory to invoke it; this is a VBS script that later executes ViperSoftX.
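The “large log file with a single line of code” detail above is a cheap triage signal for defenders, since genuine logs of that size contain thousands of lines. The following script is an added example, not code from the original article or from Avast or Fortinet: it walks a directory, uses stat() to skip anything under the size floor, then counts newlines in chunks and stops early so real multi-gigabyte logs stay cheap. The 5 MB threshold, the function names and the constructed sample files are this example’s own assumptions.

```python
"""Triage heuristic for ViperSoftX's hidden "log" payload.

Added example; not code from the original article, Avast or Fortinet.
The article says the dropped PowerShell payload is stored as a "log",
"driver" or "text" file that is usually larger than 5 MB yet contains a
single line of code. "Big file, (almost) one line" is therefore a cheap
triage signal. The 5 MB floor, the function names and the sample files
are this example's own assumptions.
"""
import tempfile
from pathlib import Path
from typing import List

MIN_SIZE = 5 * 1024 * 1024   # 5 MB floor, taken from the article's description
CHUNK = 1024 * 1024          # read files in 1 MB pieces


def count_newlines(path: Path, stop_after: int = 1) -> int:
    """Count newline bytes in a file, reading in chunks and returning early
    once more than `stop_after` are seen, so a multi-GB real log stays cheap."""
    seen = 0
    with path.open("rb") as fh:
        while True:
            chunk = fh.read(CHUNK)
            if not chunk:
                break
            seen += chunk.count(b"\n")
            if seen > stop_after:
                break
    return seen


def looks_like_hidden_payload(size: int, newline_count: int,
                              min_size: int = MIN_SIZE) -> bool:
    """A file of at least `min_size` bytes whose content sits on a single
    line (zero newlines, or just one trailing newline)."""
    return size >= min_size and newline_count <= 1


def preview(path: Path, length: int = 60) -> str:
    """First bytes of a file with non-printables replaced, for an analyst's
    quick look; nothing is executed or decoded."""
    head = path.read_bytes()[:length]
    return "".join(chr(b) if 32 <= b < 127 else "." for b in head)


def hunt(root: Path, min_size: int = MIN_SIZE) -> List[Path]:
    """Walk `root` and return files matching the heuristic. The size check
    comes from stat(), so small files are never opened."""
    hits: List[Path] = []
    for p in root.rglob("*"):
        if not p.is_file():
            continue
        size = p.stat().st_size
        if size < min_size:
            continue
        if looks_like_hidden_payload(size, count_newlines(p), min_size):
            hits.append(p)
    return hits


def build_sample_tree(root: Path) -> None:
    """Constructed sample files (not real malware): a small normal log, a
    large normal log with many lines, and a large single-line 'log' that
    stands in for the hidden payload."""
    (root / "app.log").write_bytes(b"INFO service started\n" * 1_000)
    (root / "big.log").write_bytes(b"INFO heartbeat ok\n" * 400_000)   # ~7 MB, many lines
    (root / "driver.log").write_bytes(b"A" * (6 * 1024 * 1024) + b"\n")  # 6 MB, one line


def demo() -> List[str]:
    """Run the hunt over the constructed tree and return the hit file names."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        hits = hunt(root)
        for p in hits:
            print(f"{p.name}: {p.stat().st_size} bytes, preview: {preview(p)!r}")
        return sorted(p.name for p in hits)


if __name__ == "__main__":
    print(demo())   # ['driver.log']
```

Point hunt() at a user profile, %APPDATA% or a download directory to triage a suspect host; anything it returns deserves a look at the preview and the file’s creation time, since the heuristic flags shape, not content, and a large minified data file can match it too.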

Features of ViperSoftX Malware

The primary features of ViperSoftX include the following,

  • Stealing cryptocurrency

  • Fingerprinting the infected machine

    • Computer name and Username

    • OS information and its architecture

    • Any antivirus or other security software installed, and whether the solution is active

  • Clipboard swapping

  • Command execution

  • Downloading and executing payloads

As already mentioned, one of the critical payloads used by ViperSoftX is the Chromium-based browser extension VenomSoftX. This extension has several unique features that give it complete access to every website the victim visits. It can also carry out man-in-the-browser attacks to steal cryptocurrency by tampering with crypto addresses (API request tampering) on popular cryptocurrency exchanges. The stolen information and fingerprint are concatenated into one string, Base64-encoded, and sent to the hardcoded C&C server.

ViperSoftX scans clipboard contents using predefined regular expressions; if an expression matches a configured wallet address format, the malware replaces the content with the attacker’s address and notifies the command and control server. The notification is sent in the X-notify HTTP header in the format ‘Cryptocurrency type – victim’s address – attacker’s address’.

The attacker hides the malware as a Chrome browser extension masquerading as “Google Sheets 2.1”, posing as a Google productivity app.

Malicious extension (Credits: Avast)

ViperSoftX as a RAT (Remote Access Trojan)

ViperSoftX also provides RAT functionality such as executing arbitrary commands, downloading arbitrary payloads and executing them, and removing itself entirely from the system. The malware runs an infinite loop that executes commands after every 3 seconds of sleep.

ViperSoftX passes information to the C&C server via an HTTP header, in which it provides OS information, computer name, username, etc. The commands implemented by ViperSoftX are:

  • Ex – Executes JavaScript code using eval(). Parameters: 1. JavaScript code

  • Cmd – Runs a command through cmd.exe. Parameters: 1. Command line

  • DwnlExe – Runs a PowerShell script that downloads an additional file to a specified location under %TEMP%, sleeps for 20 seconds, and then executes the downloaded payload. Parameters: 1. URL to download the file from; 2. Path to save the file to

  • DwnlOnly – Downloads a file to a predefined folder. Despite the name of the command, it can optionally execute the downloaded payload, like DwnlExe. Parameters: 1. URL from which to download the file; 2. Name to save the file as (appended to the predefined folder path); 3. Predefined destination folder: Startup, Temp, or Desktop; 4. Boolean flag indicating whether to also execute the file

  • SelfRemove – Executes PowerShell one-liners to delete the script from %APPDATA%, and the VBScript and shortcut in the startup directory.

  • UpdateS – Removes all persistence for the current version and executes the newly downloaded JS file. Parameters: 1. URL to download the file from; 2. Path to save the file to

Source: Fortinet

As observed by Fortinet, the malware author continues to use multiple JavaScript-based payloads, which suggests that the developer is most comfortable with JavaScript as their preferred programming language.

How to protect from ViperSoftX Malware?

JavaScript-based malware is trending now, and this malware’s obfuscation capability is impressive even though its functionality is simple. If closely monitored, ViperSoftX can be detected fairly easily: it uses plaintext communication in an HTTP header, which stands out from regular traffic.

Any communication with the IOCs listed below should be monitored closely to avoid damage to the organization.

Indicator of Compromise (IOC) of ViperSoftX Malware

SHA256 –

  • 65cb35d1b09097aa64b89062a060b3bb680bc4c962ff116f32edf92735f401eb

  • 4bb342c21ff563454d2fdc25eb3e63731d06d20c1fca2522061ad1ef38a53c89

  • 391e4b6ffb90303547d20baaa5695f2c0191f5461bb20cb885e170dd019e017c

  • 9e63d2ac3dc280a25c27a126752fdde1c8c5a0c4b4990f479a44dd8441b22ab3


File name                            SHA256
Hidden log script, first variant     0bad2617ddb7586637ad81aaa32912b78497daf1f69eb9eb7385917b2c8701c2
Hidden log script, second variant    0cb5c69e8e85f44725105432de551090b28530be8948cc730e4b0d901748ff6f
ViperSoftX PowerShell                23b9075dac7dbf712732bb81ecd2c21259f384eb79ae8fdebe29b7c5a12d0519
ViperSoftX’s browser installer       5c5202ed975d6647bd157ea494d0a09aac41d686bcf39b16a870422fa77a9add



C&C communication

  • api.private-chatting[.]com

  • apps-analyser[.]com

  • wmail-blog[.]com

  • wmail-service[.]com

  • seko[.]vipers[.]pw
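The two detection handles the article gives are the C&C domains above and the plaintext X-notify header (‘Cryptocurrency type – victim’s address – attacker’s address’) that the clipboard swapper sends. The script below is an added example, not code from the original article or from Avast or Fortinet. It scans web proxy records for both: it refangs the listed domains and matches hosts (including subdomains) against them, and it parses any X-notify value into coin, victim and attacker fields. The log format (one JSON object per line with src, host, method and headers) and the function names are assumptions of this example; the sample lines are constructed and the wallet addresses in them are made-up placeholders, not real IOCs.

```python
"""Spot ViperSoftX / VenomSoftX C&C traffic in web proxy logs.

Added example; not code from the original article, Avast or Fortinet. It
checks the two things the article describes: requests to the C&C domains
in the IOC list, and the plaintext X-notify header the clipboard swapper
sends as '<cryptocurrency type> - <victim address> - <attacker address>'.
The JSON-lines log format and the function names are assumptions of this
example; sample records are constructed and the addresses are placeholders.
"""
import json
import re
from typing import Dict, List, Optional, Tuple

# C&C domains from the article's IOC list, defanged there with "[.]".
CNC_DOMAINS_DEFANGED = [
    "api.private-chatting[.]com",
    "apps-analyser[.]com",
    "wmail-blog[.]com",
    "wmail-service[.]com",
    "seko[.]vipers[.]pw",
]


def refang(domain: str) -> str:
    """Turn a defanged IOC back into a matchable hostname."""
    return domain.replace("[.]", ".").lower()


CNC_DOMAINS = {refang(d) for d in CNC_DOMAINS_DEFANGED}

# "<type> - <victim> - <attacker>"; the separator may be a hyphen or an en dash.
NOTIFY_RE = re.compile(
    r"^\s*(?P<coin>[A-Za-z0-9 ()]+?)\s*[-\u2013]\s*(?P<victim>\S+)\s*[-\u2013]\s*(?P<attacker>\S+)\s*$"
)


def is_cnc_host(host: str) -> bool:
    """Exact match or subdomain of a listed C&C domain."""
    host = host.lower().rstrip(".")
    return host in CNC_DOMAINS or any(host.endswith("." + d) for d in CNC_DOMAINS)


def parse_x_notify(value: str) -> Optional[Dict[str, str]]:
    """Split an X-notify value into coin / victim / attacker, or None."""
    m = NOTIFY_RE.match(value)
    return m.groupdict() if m else None


def analyse_line(line: str) -> List[str]:
    """Return human-readable findings for one log record (empty if clean)."""
    try:
        rec = json.loads(line)
    except json.JSONDecodeError:
        return ["unparseable log line"]
    findings: List[str] = []
    host = str(rec.get("host", ""))
    if is_cnc_host(host):
        findings.append(f"request to known C&C host {host.lower()}")
    # Header names are case-insensitive, so normalise before looking up.
    headers = {str(k).lower(): str(v) for k, v in rec.get("headers", {}).items()}
    if "x-notify" in headers:
        parsed = parse_x_notify(headers["x-notify"])
        if parsed:
            findings.append(
                "clipboard-swap notification: {coin} victim={victim} attacker={attacker}".format(**parsed)
            )
        else:
            findings.append("X-notify header present with unexpected format")
    return findings


def analyse_log(lines: List[str]) -> List[Tuple[int, List[str]]]:
    """Return (line index, findings) for every record that raised a finding."""
    return [(i, f) for i, line in enumerate(lines) if (f := analyse_line(line))]


# Constructed sample records; placeholder addresses, not real wallets.
SAMPLE_LOG = [
    '{"src": "10.0.0.5", "host": "www.example.com", "method": "GET", "headers": {"User-Agent": "Mozilla/5.0"}}',
    '{"src": "10.0.0.5", "host": "wmail-service.com", "method": "POST", "headers": {"User-Agent": "Mozilla/5.0", "X-notify": "BTC - bc1qVICTIMPLACEHOLDER - bc1qATTACKERPLACEHOLDER"}}',
    '{"src": "10.0.0.7", "host": "apps-analyser.com", "method": "GET", "headers": {}}',
    '{"src": "10.0.0.9", "host": "cdn.example.net", "method": "GET", "headers": {"x-notify": "unexpected"}}',
]

if __name__ == "__main__":
    for idx, findings in analyse_log(SAMPLE_LOG):
        for f in findings:
            print(f"line {idx}: {f}")
```

A parsed X-notify hit is the most valuable record of the set: the victim field tells you which wallet address was in the clipboard on the affected host, and the attacker field gives an address to block on your exchange or to hand to incident responders; the domain match alone tells you the host is talking to the infrastructure even when no swap has happened yet.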

MITRE Techniques

  • T1027 (Obfuscated Files or Information)

  • T1059.001 (PowerShell)

  • T1059.007 (JavaScript)

  • T1115 (Clipboard Data)

  • T1140 (Deobfuscate/Decode Files or Information)

  • T1176 (Browser Extensions)

  • T1189 (Drive-by Compromise)

  • T1204.002 (Malicious File)

  • T1496 (Resource Hijacking)

List of wallet addresses


We hope this article helped in understanding what ViperSoftX malware is, how it abuses a Google Chrome extension to steal cryptocurrency, and how to protect against it. Please share this post and help to secure the digital world.

Aroma Rose Reji

Aroma is a cybersecurity professional with more than four years of experience in the industry. She has a strong background in detecting and defending cyber-attacks and possesses multiple global certifications like eCTHPv2, CEH, and CTIA. She is a pet lover and, in her free time, enjoys spending time with her cat, cooking, and traveling. You can connect with her on LinkedIn.
