xRAT Malware Targets Windows Users Masquerading as Adult Game

A campaign is distributing xRAT, a remote access trojan from the same open-source lineage as QuasarRAT, to Windows users in Korea through popular webhard file-sharing services.
The AhnLab Security Intelligence Center (ASEC) recently detected xRAT being distributed as fake adult games. The remote access trojan (RAT) combines evasion techniques with social engineering, making it particularly dangerous for everyday users.

Malicious file structure (Source: ASEC)

Attackers exploit the widespread use of webhard platforms in Korea, uploading compressed files disguised as legitimate games or adult content. Unsuspecting users download these files thinking they are safe, allowing malware to infect systems without immediate detection.

Part of the injection code (Source: ASEC)

Coordinated Campaign and Distribution

ASEC analysts found multiple distributions linked to the same threat actor, suggesting a coordinated campaign. Although many posts were removed before analysis, investigators confirmed that several games contained identical malware payloads.

Infection and Persistence Mechanism

The infection chain runs in several stages:

  • Users download a ZIP file containing components such as Game.exe, Data1.Pak, and supporting files.
  • Game.exe acts as a launcher rather than a real game.
  • When users click “Play,” Data1.Pak is copied to the Locales_module folder as Play.exe. At the same time, Data2.Pak and Data3.Pak are written to the Windows Explorer directory as GoogleUpdate.exe and WinUpdate.db, names chosen to blend in with legitimate updater files.
  • GoogleUpdate.exe executes, locates WinUpdate.db in the same directory, and decrypts it with AES to recover the final shellcode.

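The staged drop described above leaves a recognisable trail in endpoint telemetry: a launcher writing Play.exe under a Locales_module folder, a GoogleUpdate.exe created and started outside Google's own install directory, a WinUpdate.db beside it, and finally a remote thread into explorer.exe. The following hunting logic is an added example (not ASEC's tooling or the malware's code) that runs those checks over constructed Sysmon-style events; the drop directory, the Sysmon event IDs used, and the "known-good" Google updater path are assumptions for the example.

```python
"""Hunt for the xRAT staging chain in Sysmon-style events (added example)."""
from dataclasses import dataclass
import ntpath

# Assumption: where the genuine Google updater normally lives on a 64-bit host.
GOOGLE_UPDATE_DIRS = (
    r"c:\program files (x86)\google\update",
    r"c:\program files\google\update",
)


@dataclass
class Event:
    """Minimal Sysmon-like record: 1 ProcessCreate, 8 CreateRemoteThread, 11 FileCreate."""
    event_id: int
    image: str        # process performing the action
    target: str = ""  # file created (11) or target process image (8)


def is_impostor_updater(image: str) -> bool:
    """GoogleUpdate.exe running from anywhere but Google's update directory."""
    p = image.lower()
    return ntpath.basename(p) == "googleupdate.exe" and not p.startswith(GOOGLE_UPDATE_DIRS)


def hunt(events):
    """Return (finding, actor, target) tuples for events matching the chain."""
    findings = []
    for e in events:
        actor = ntpath.basename(e.image).lower()
        target = e.target.lower()
        tname = ntpath.basename(target)
        if e.event_id == 11:  # FileCreate
            if tname == "play.exe" and "locales_module" in target:
                findings.append(("staged_launcher", e.image, e.target))
            elif tname in ("googleupdate.exe", "winupdate.db") and not target.startswith(GOOGLE_UPDATE_DIRS):
                findings.append(("dropped_loader_component", e.image, e.target))
        elif e.event_id == 1 and is_impostor_updater(e.image):  # ProcessCreate
            findings.append(("impostor_updater_started", e.image, ""))
        elif e.event_id == 8 and actor == "googleupdate.exe" and tname == "explorer.exe":  # CreateRemoteThread
            findings.append(("explorer_injection", e.image, e.target))
    return findings


def verdict(findings):
    """Escalate only when the fake updater both ran and reached into explorer.exe."""
    kinds = {kind for kind, _, _ in findings}
    if {"impostor_updater_started", "explorer_injection"} <= kinds:
        return "high"
    return "medium" if kinds else "none"


# Constructed sample: one infected session plus one benign genuine-updater start.
DROP_DIR = r"C:\Users\user\AppData\Local\Temp"  # assumed drop location for the example
SAMPLE_EVENTS = [
    Event(1, r"C:\Users\user\Downloads\Game\Game.exe"),
    Event(11, r"C:\Users\user\Downloads\Game\Game.exe", r"C:\Users\user\Downloads\Game\Locales_module\Play.exe"),
    Event(11, r"C:\Users\user\Downloads\Game\Game.exe", DROP_DIR + r"\GoogleUpdate.exe"),
    Event(11, r"C:\Users\user\Downloads\Game\Game.exe", DROP_DIR + r"\WinUpdate.db"),
    Event(1, DROP_DIR + r"\GoogleUpdate.exe"),
    Event(8, DROP_DIR + r"\GoogleUpdate.exe", r"C:\Windows\explorer.exe"),
    Event(1, r"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe"),  # benign
]

if __name__ == "__main__":
    results = hunt(SAMPLE_EVENTS)
    for kind, actor, target in results:
        print(f"{kind:28} {actor} -> {target}")
    print("verdict:", verdict(results))
```

The path-based checks are deliberately loose (substring and prefix matches) because the directory names are the attacker's choice; what makes the chain worth alerting on is the combination of an impostor updater and a cross-process thread into explorer.exe, which `verdict` keys on.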
The shellcode is injected into explorer.exe, the Windows shell process. Running inside a trusted, always-present process hides xRAT from casual process listings and from tools that treat explorer.exe as benign; it does not raise the malware’s privileges beyond those of the logged-in user. The injected code also patches the EtwEventWrite function inside explorer.exe so that the process stops emitting Event Tracing for Windows (ETW) events. Because many endpoint sensors and .NET runtime diagnostics consume ETW telemetry generated from within the process, this blinds them to what the injected code does; it does not erase events already written or those produced by other processes.
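A defender can check for this kind of in-process ETW tampering by comparing the first bytes of EtwEventWrite in a suspect process with a clean copy. The script below is an added example, not ASEC’s or the malware’s code: `classify_prologue` is the portable comparison logic, and `read_prologue_windows` reads the live bytes out of a process with ctypes on Windows. The patch stubs listed, the prologue length, and the choice to take the scanner’s own ntdll copy as the clean reference (valid because Windows maps ntdll at one address system-wide per boot, and assuming the scanner itself is unpatched) are assumptions of the example.

```python
"""Detect hot-patched EtwEventWrite in a target process (added example)."""
import sys

# Assumed set of stubs an attacker writes over EtwEventWrite so it returns at once.
KNOWN_PATCH_STUBS = {
    b"\xc3": "ret",
    b"\x31\xc0\xc3": "xor eax,eax; ret",
    b"\x33\xc0\xc3": "xor eax,eax; ret",
    b"\x48\x33\xc0\xc3": "xor rax,rax; ret",
    b"\xb8\x00\x00\x00\x00\xc3": "mov eax,0; ret",
}


def classify_prologue(in_memory: bytes, clean: bytes) -> str:
    """Compare the live function prologue with a known-clean copy."""
    if not in_memory:
        return "unreadable"
    if in_memory == clean:
        return "clean"
    for stub, desc in KNOWN_PATCH_STUBS.items():
        if in_memory.startswith(stub):
            return f"patched: {desc}"
    if in_memory[0] in (0xE9, 0xEB):  # jmp rel32 / jmp rel8 to a hook
        return "patched: jmp hook"
    return "patched: unknown modification"


def read_prologue_windows(pid: int, nbytes: int = 8):
    """Return (target_bytes, local_bytes) for ntdll!EtwEventWrite. Windows only."""
    import ctypes
    from ctypes import wintypes

    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.OpenProcess.argtypes = [wintypes.DWORD, wintypes.BOOL, wintypes.DWORD]
    k32.OpenProcess.restype = wintypes.HANDLE
    k32.GetModuleHandleW.argtypes = [wintypes.LPCWSTR]
    k32.GetModuleHandleW.restype = wintypes.HMODULE
    k32.GetProcAddress.argtypes = [wintypes.HMODULE, ctypes.c_char_p]
    k32.GetProcAddress.restype = ctypes.c_void_p
    k32.ReadProcessMemory.argtypes = [wintypes.HANDLE, ctypes.c_void_p, ctypes.c_void_p,
                                      ctypes.c_size_t, ctypes.POINTER(ctypes.c_size_t)]
    k32.ReadProcessMemory.restype = wintypes.BOOL
    k32.CloseHandle.argtypes = [wintypes.HANDLE]

    PROCESS_VM_READ, PROCESS_QUERY_INFORMATION = 0x0010, 0x0400
    # ntdll shares one base address across processes, so our own export address
    # is also the address inside the target (assumption: scanner is unpatched).
    addr = k32.GetProcAddress(k32.GetModuleHandleW("ntdll.dll"), b"EtwEventWrite")
    local = ctypes.string_at(addr, nbytes)

    h = k32.OpenProcess(PROCESS_VM_READ | PROCESS_QUERY_INFORMATION, False, pid)
    if not h:
        raise ctypes.WinError(ctypes.get_last_error())
    try:
        buf = ctypes.create_string_buffer(nbytes)
        got = ctypes.c_size_t(0)
        if not k32.ReadProcessMemory(h, addr, buf, nbytes, ctypes.byref(got)):
            raise ctypes.WinError(ctypes.get_last_error())
        return buf.raw[: got.value], local
    finally:
        k32.CloseHandle(h)


if __name__ == "__main__":
    if sys.platform == "win32" and len(sys.argv) == 2:
        target, local = read_prologue_windows(int(sys.argv[1]))
        print(f"EtwEventWrite in pid {sys.argv[1]}: {classify_prologue(target, local)}")
    else:
        print("usage (Windows): python etw_check.py <pid of explorer.exe>")
```

Run it against every explorer.exe instance rather than the first one found: a second, attacker-spawned explorer.exe is itself worth a look. A result other than "clean" on a stock process is a strong signal even when the stub is not in the list, since EtwEventWrite is not legitimately hot-patched by user-mode software.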

The final injected code is the active xRAT payload, capable of:

  • Collecting system information
  • Monitoring keyboard inputs
  • Performing unauthorized file transfers

The xRAT campaign highlights the risks of social engineering combined with sophisticated malware designed to evade detection while gaining persistent control over infected Windows systems.
