xRAT Malware Attacking Windows Users Disguised as Adult Game

Sarah Simpson
January 9, 2026

A dangerous new malware is now actively targeting Windows users in Korea. It’s primarily distributed via webhard file-sharing services.

The Ahnlab Security Intelligence Center recently identified xRAT, also known as QuasarRAT, being distributed as fake adult games to unsuspecting users.

This remote access trojan represents a significant security concern for Windows systems, combining sophisticated evasion techniques with social engineering tactics that make it particularly dangerous to everyday users.

The malware takes advantage of webhard services, which are extremely popular in Korea for distributing content.

Threat actors exploit this platform’s accessibility by uploading compressed files disguised as innocent games and adult content.

Users see what appears to be legitimate game downloads but instead receive malicious files hidden behind attractive file names and descriptions.

This deception strategy has proven highly effective, allowing attackers to compromise systems without raising user suspicion during the initial download phase.

Malicious file structure (Source: ASEC)

ASEC analysts identified that multiple similar distributions occurred through the same threat actor, suggesting a coordinated campaign.

Although many posts were deleted by the time of analysis, investigators confirmed that numerous games shared identical malware payloads.

Infection and Persistence Mechanism

The technical structure of this attack shows careful engineering. The download users receive is a ZIP archive containing several components, including Game.exe, Data1.Pak, and supporting files.

Upon execution, Game.exe acts as a launcher rather than an actual game application.

When users click the play button, the malware copies Data1.Pak into the Locales_module folder as Play.exe. At the same time it drops Data2.Pak and Data3.Pak into the Windows Explorer directory path as GoogleUpdate.exe and WinUpdate.db respectively.

The infection chain becomes more complex once GoogleUpdate.exe executes. It looks for WinUpdate.db in its own directory and AES-decrypts it to recover the final shellcode.

Part of the injection code (Source: ASEC)

This shellcode gets injected into explorer.exe, a critical Windows process, allowing the malware to operate with elevated privileges.

Notably, the malware patches the EtwEventWrite function inside explorer.exe with a return instruction, so every call returns immediately and Event Tracing for Windows logging from that process is effectively disabled.

This technique keeps security tools and administrators from seeing the malicious activity through standard event logs.

The final injected code is the actual xRAT payload, which performs dangerous operations including system information collection, keyboard monitoring, and unauthorized file transfers.
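The chain described above (Game.exe dropping Play.exe, GoogleUpdate.exe and WinUpdate.db, then GoogleUpdate.exe injecting into explorer.exe and patching EtwEventWrite) can be turned into host-based detection logic. The following example is added here and is not code from ASEC or the article: it correlates constructed Sysmon-style events (IDs 1, 8 and 11) and checks a prologue byte string for the return-instruction patch; the drop directories and event shapes are assumptions.

```python
import ntpath
from collections import defaultdict

# Sysmon event ids used here: 1 = process create, 8 = CreateRemoteThread, 11 = file create.
# Constructed sample events; the drop directories are assumptions, not ASEC's observed paths.
SAMPLE_EVENTS = [
    {"id": 11, "image": r"D:\down\Game\Game.exe", "target": r"D:\down\Game\Locales_module\Play.exe"},
    {"id": 11, "image": r"D:\down\Game\Game.exe", "target": r"C:\Windows\GoogleUpdate.exe"},
    {"id": 11, "image": r"D:\down\Game\Game.exe", "target": r"C:\Windows\WinUpdate.db"},
    {"id": 1, "image": r"C:\Windows\GoogleUpdate.exe", "parent": r"D:\down\Game\Game.exe"},
    {"id": 8, "image": r"C:\Windows\GoogleUpdate.exe", "target": r"C:\Windows\explorer.exe"},
]
# The legitimate Google updater lives under a ...\Google\Update\ directory.
GENUINE_UPDATER_DIR = r"\google\update"

def find_drop_chain(events):
    """Return human-readable findings for the dropper/injection pattern in the event list."""
    drops = defaultdict(dict)  # writer image -> {lower-cased file name: lower-cased directory}
    findings = []
    for ev in events:
        if ev["id"] == 11:
            name = ntpath.basename(ev["target"]).lower()
            drops[ev["image"]][name] = ntpath.dirname(ev["target"]).lower()
    for writer, files in drops.items():
        upd_dir = files.get("googleupdate.exe")
        if upd_dir is not None and GENUINE_UPDATER_DIR not in upd_dir:
            findings.append(f"{writer}: GoogleUpdate.exe written outside the Google updater path ({upd_dir})")
        if upd_dir is not None and files.get("winupdate.db") == upd_dir:
            findings.append(f"{writer}: WinUpdate.db dropped beside GoogleUpdate.exe (encrypted shellcode carrier)")
        if ntpath.basename(files.get("play.exe", "")) == "locales_module":
            findings.append(f"{writer}: Play.exe staged under a Locales_module folder")
    for ev in events:  # remote thread from the fake updater into explorer.exe = injection
        if (ev["id"] == 8 and ntpath.basename(ev["image"]).lower() == "googleupdate.exe"
                and ntpath.basename(ev["target"]).lower() == "explorer.exe"):
            findings.append(f"{ev['image']}: remote thread created in explorer.exe (injection)")
    return findings

def etw_event_write_patched(prologue: bytes) -> bool:
    """True if bytes read at EtwEventWrite start with RET (C3) or RET imm16 (C2):
    the patch the article describes. A genuine function prologue does not start that way."""
    return len(prologue) > 0 and prologue[0] in (0xC3, 0xC2)

if __name__ == "__main__":
    for finding in find_drop_chain(SAMPLE_EVENTS):
        print(finding)
    print("EtwEventWrite patched:", etw_event_write_patched(b"\xc3\x90\x90"))
```

On a live host the prologue bytes would be read from explorer.exe's ntdll mapping and compared against the on-disk copy; here the byte string is constructed to show the check.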

Security professionals recommend downloading programs exclusively from official sources and exercising extreme caution when accessing file-sharing websites to prevent such infections.
