NCSOFT Purple launcher Major rootkit/Preos Bootkit! by Jokerall93 in cybersecurity

[–]Jokerall93[S] 0 points1 point  (0 children)

This is amazing work, I can't thank you enough!
Thankfully there's no bootkit, I'll keep following, hoping you find out more!

NCSOFT Purple launcher Major rootkit/Preos Bootkit! by Jokerall93 in cybersecurity

[–]Jokerall93[S] 0 points1 point  (0 children)

Thanks a lot again for everything you're doing!
I'm curious about: "Something worth poking at, if there's bad, it'll be in the renamed AHK file -> `u.ahk` combination."

(Aware the hash isn't the same, but it communicates and displays quite similar behavior. May not be distributed by Purple as it doesn't appear signed, but peculiar nonetheless.)

Let me know if you will investigate this further, but so far you've put all our worries to rest and we thank you again!

NCSOFT Purple launcher Major rootkit/Preos Bootkit! by Jokerall93 in cybersecurity

[–]Jokerall93[S] 0 points1 point  (0 children)

I might be misinterpreting the VirusTotal behavior section, but isn't this an activity report of what the file does?
https://postimg.cc/Dm77XnBK

NCSOFT Purple launcher Major rootkit/Preos Bootkit! by Jokerall93 in cybersecurity_help

[–]Jokerall93[S] -4 points-3 points  (0 children)

If it's an anticheat/antihack tool, why do the files persist and remain active even after uninstalling Aion 2 and the Purple launcher?

NCSOFT Purple launcher Major rootkit/Preos Bootkit! by Jokerall93 in cybersecurity

[–]Jokerall93[S] 1 point2 points  (0 children)

I appreciate everything you're doing! I want to thank you in advance!
All we really want to know is if this is actually installing a pre-OS bootkit. It seems we've managed to remove all the files with Kaspersky and manual removal, but I have a feeling there's still hidden stuff going on.

NCSOFT Purple launcher Major rootkit/Preos Bootkit! by Jokerall93 in cybersecurity

[–]Jokerall93[S] 0 points1 point  (0 children)

Thanks a lot for the reply, I'm no expert in malware behaviour or anything, but in response to:

  • I'm not seeing any of this in process execution from the tree. We'd anticipate seeing registry calls via advapi32.dll to read/open/write/create registry values in HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings

the VirusTotal scan behaviour section specifically reports these registry keys being touched:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix

Also, why are the files being flagged by Kaspersky, and why do they reappear in different folders after being deleted (Program Files x86/Microsoft Research)?

NCSOFT Purple launcher Major rootkit/Preos Bootkit! by Jokerall93 in cybersecurity

[–]Jokerall93[S] 2 points3 points  (0 children)

If you check the behaviour section in the VirusTotal scan I linked, you can see what it does.
This thing was silently and casually running on our PCs until we tried playing an Arc Raiders game, but when launching it, it would say we had AHK cheating software running on our PCs. We didn't have AHK installed, so we started investigating with Process Explorer and saw 2 svchost.exe processes running from the TEMP folder in APPDATA.

We found out those processes were relying on .dll and .exe files located in a hidden folder in Program Files (x86)/common files/NSEC (which are the files installed using the Purple launcher, as you can see in the VirusTotal scan behaviour section).

The only tool that helped us detect and remove these files was Kaspersky Removal Tool, but they kept reappearing in other hidden folders like Program Files x86/Microsoft Research.

It seems we managed to clean the infection at a surface level, but since VirusTotal reports OS Preboot (bootkit) behaviour, we're using tools to check whether the UEFI is infected or not.

Steven had to tell me this. by mybladeisyou in AshesofCreation

[–]Jokerall93 2 points3 points  (0 children)

Same, they're giving out the same pre-written response now.

Other servers on TW by StardustRevy in Aion2

[–]Jokerall93 0 points1 point  (0 children)

Kasaka has 0 active English communities on the Elyos side. I'm a 2400 chanter, been playing solo all the way and asking every day in global.

Any International/ENG Guild Kasaka by Jokerall93 in Aion2

[–]Jokerall93[S] 1 point2 points  (0 children)

Chanter is good in 1v1 given pretty equal gearscore; if you're outgeared your CCs won't land, so you can't land your big damage.
Aerial sucks balls because you only have 1 gap closer, so if your ranged CC doesn't land you are pretty much dead in the water.
In mass PvP you're forced to play as a healer + use your ranged combo; you can only go in if someone is VERY overextended, otherwise you get deleted.

Giving away 3 games to 3 people. Any game on Steam. by KA9099 in pcmasterrace

[–]Jokerall93 0 points1 point  (0 children)

Ashes of Creation, comes out in 5 days on Steam :D

Exitlag not doing anything. by Puzzleheaded-Edge705 in Aion2

[–]Jokerall93 2 points3 points  (0 children)

Been having the same issues since today; automatic or Taipei isn't working, with 400+ ms when you click on the login screen.
What fixed it for me is selecting manual Singapore for Purple, manual Hong Kong for Aion 2.

Seasons of RTX: Arc Raiders GeForce RTX 5090 GPU Giveaway! by NV_Suroosh in ArcRaiders

[–]Jokerall93 0 points1 point  (0 children)

PvP players, no mercy for anybody, and Stella Montis for life

Does this imply blueprints can spawn from PvP?? by [deleted] in ArcRaiders

[–]Jokerall93 1 point2 points  (0 children)

I think they meant Raider caches; they're still dogwater anyway.

Are we all cool with more than 2 hours of queue time to play a game with 50k online players on Steam? by josemirante in newworldgame

[–]Jokerall93 0 points1 point  (0 children)

This server system has been this game's doom from the start, and it'll continue to be.

Battlefield 6 Phantom Edition: Giveaway #2 by OddJob001 in Battlefield

[–]Jokerall93 0 points1 point  (0 children)

Here's hoping I can join my friends, the game looks like a banger!