The latest version of the ViperSoftX malware not only steals crypto assets from 17 different wallets but now also retrieves access credentials from the password managers KeePass and 1Password. The software often disguises itself as a crack or keygen. The malware first emerged in 2020 as a JavaScript-based remote access Trojan (RAT) and crypto thief, and its developers have since released even more dangerous versions.
Furthermore, the creators of the malware have continuously expanded the range of supported crypto wallets. In a recent report, BleepingComputer lists a total of 17 wallet providers that the ViperSoftX malware can target, including prominent ones like MetaMask, Electrum, Exodus, Binance, Coinbase, and Atomic Wallet.
ViperSoftX often presents itself as a crack, keygen, or seemingly harmless software. The malware is known for installing a browser extension called "VenomSoftX," which is compatible with popular web browsers such as Chrome, Brave, Edge, Opera, and Firefox. This allows its operators to attempt to infiltrate systems worldwide, targeting both end users and businesses.
Once the malware is installed on a target system, it starts stealing information from crypto wallets and from the password managers KeePass 2 and 1Password. It then transmits the acquired data to a server controlled by the attacker. The developers have implemented DLL sideloading, which allows the malware to run in the context of a trusted process, making it less likely to trigger alarms in various security tools.
Furthermore, the malware analyzes its environment before starting its operations. It only proceeds if it is not running within a virtual machine and does not detect specific monitoring or antivirus tools. ViperSoftX obfuscates its own code using "byte mapping," making the decryption and analysis of the malware significantly more challenging. It also protects its malicious traffic through a new communication blocker.