{
	"id": "b0d5d9f5-d773-4053-98f1-474f15ef1661",
	"created_at": "2026-04-06T00:14:38.797185Z",
	"updated_at": "2026-04-10T03:36:00.891199Z",
	"deleted_at": null,
	"sha1_hash": "7df428ab7c79a5e51a99de0cf85b12ad528a695b",
	"title": "Proxyware Disguised as Notepad++ Tool - ASEC",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 4414430,
	"plain_text": "Proxyware Disguised as Notepad++ Tool - ASEC\r\nBy ATCP\r\nPublished: 2026-01-18 · Archived: 2026-04-05 17:55:30 UTC\r\nAhnLab SEcurity intelligence Center (ASEC) is monitoring Proxyjacking attacks and continuously disclosing distribution cases and IoCs identified in South Korea. The threat actor Larva‑25012, known for deploying Proxyware, has recently begun using malware disguised as a Notepad++ installer. In addition, the attacker is actively changing techniques to evade detection—such as injecting Proxyware into the Windows Explorer process or leveraging Python-based loaders.\r\nProxyjacking refers to an attack in which Proxyware is installed on a victim’s machine without consent, allowing an attacker to monetize the victim’s internet bandwidth by sharing part of it with external networks. Proxyware is a program that shares a portion of the host system’s available network bandwidth with third parties, typically providing financial compensation to users who voluntarily install it. However, when an attacker secretly installs Proxyware without permission, the infected system’s bandwidth is hijacked, and all profits go directly to the attacker. This tactic is similar to Cryptojacking, with the key difference being that attackers deploy Proxyware instead of cryptocurrency miners. While Cryptojacking exploits hardware resources (CPU/GPU) to mine coins, Proxyjacking exploits network bandwidth.\r\n1. Previous Attacks\r\nThe Larva‑25012 threat actor has been active since at least 2024, distributing multiple types of Proxyware, including DigitalPulse [1], Honeygain, Infatica, and others. The attacker primarily spreads Proxyware installers through advertisements on websites that offer free YouTube video downloads [2] [3] [4]. They also distribute malware through ads on fake websites posing as pages for downloading cracked or pirated software, such as cracks and keygens. [5]\r\nThe actor frequently distributes installer files impersonating legitimate applications such as AutoClicker, FastCleanPlus, WinMemoryCleaner, and SteamCleaner. These installers drop the downloader malware DPLoader. Once registered in the Windows Task Scheduler, DPLoader executes persistently and retrieves commands from its C\u0026C server. All PowerShell scripts observed to date have included logic to install various Proxyware tools, although the attacker retains the ability to deploy other forms of malware at their discretion.\r\n2. Malware Distribution\r\nIn recent attack cases, the threat actor has been distributing malware through advertisement pages on websites posing as download portals for cracked or otherwise illegal software.\r\nhttps://asec.ahnlab.com/en/92183/\r\nPage 1 of 12\r\nFigure 1. Malware download portal\r\nAs in previous cases, the files delivered through these malicious ad pages are ultimately hosted on GitHub. Earlier campaigns used an MSI installer named “Setup.msi” as the initial malicious payload. However, in the most recent distribution cases, the attacker has switched to a ZIP archive named “Setup.zip”, which contains the embedded malware inside.\r\nFigure 2. Disguised malware uploaded to GitHub\r\n3. Malicious Installers\r\n3.1. Setup.msi\r\nThe variant distributed through “Setup.msi” differs from earlier campaigns. Instead of being developed in .NET, this version is written in C++ and delivered as a DLL. Once executed, the malware registers itself in the Windows Task Scheduler under the name “Notepad Update Scheduler” and is launched via Rundll32.exe.\r\nFigure 3. Task Scheduler entry responsible for executing the installed malicious DLL\r\nAlongside the legitimate Notepad++ installation, the DLL injects shellcode into the AggregatorHost.exe process. This shellcode contains a dropper that generates an internal PowerShell script. Unlike previous variants that employed numerous anti‑analysis techniques, this sample contains no additional anti‑analysis mechanisms.\r\nFigure 4. Routine that generates the PowerShell payload\r\nThe PowerShell script performs actions consistent with prior attacks. It installs NodeJS, creates two obfuscated JavaScript malware files—DPLoader—using a random folder name and GUID‑formatted file names, and registers them in the Task Scheduler under “UNBScheduler” and “UNPScheduler”. To evade detection, the script also modifies Windows Defender policies by adding exclusion paths, disabling security notifications, and preventing malware sample submissions.\r\nFigure 5. JavaScript‑based malware (DPLoader) registered in the Task Scheduler\r\n3.2. Setup.zip\r\nThe variant delivered through “Setup.zip” contains both the legitimate Notepad++ installer (“Setup.exe”) and a malicious loader DLL named “TextShaping.dll”. When the user launches Setup.exe, the malware is executed through DLL side‑loading. Inside TextShaping.dll, encrypted shellcode is stored and decrypted at runtime. This shellcode then decrypts an embedded dropper and executes it directly in memory.\r\nFigure 6. Malware inside Setup.zip\r\nFigure 7. Loader malware and decrypted dropper\r\nThe dropper creates “tmp.ps1”, a PowerShell script that retrieves the official Python installer from the Python website and installs Python, then deploys a Python‑based variant of DPLoader. It also generates a GUID‑named VBS launcher designed to execute DPLoader through Python, and finally registers this launcher in the Windows Task Scheduler under “Notepad Update Scheduler” to ensure persistent execution.\r\nType Path\r\nPython “%LOCALAPPDATA%\\Notepad\\Notepad\\[GUID]\\”\r\nLauncher %LOCALAPPDATA%\\Notepad\\Notepad\\[GUID]\\[GUID].vbs\r\nDPLoader %LOCALAPPDATA%\\Notepad\\Notepad\\[GUID]\\[GUID]\r\nTable 1. Malware installation paths\r\n4. DPLoader\r\n4.1. JavaScript Version\r\nThe obfuscated JavaScript malware communicates with the C\u0026C server by transmitting the following system information, and it can execute commands received in the server’s response. This variant has been consistently observed in a similar form since it was first identified, and for classification purposes, it is referred to here as DPLoader.\r\nField Data\r\nos_type “Windows_NT”\r\nos_name “win32”\r\nos_release Operating system version\r\nos_version Operating system type\r\nos_hostname Computer name\r\nos_arch Operating system architecture\r\nmachine_id Machine ID\r\nagent_version Agent version (“2.0.0-js”)\r\nsession_id Session ID\r\npublisher_id Random number (used as an argument when executing the JavaScript malware)\r\nTable 2. Transmitted data\r\nFigure 8. PowerShell Command Received in Response\r\n4.2. Python Version\r\nThe Python version of DPLoader is simpler and less obfuscated compared to its JavaScript counterpart. When transmitting system information and retrieving commands from the C\u0026C server, it communicates via the “/d” URL endpoint, while the “/e” endpoint is used exclusively for error reporting.\r\nFigure 9. Main routine of the Python‑based DPLoader\r\nField Data\r\nagent_version Agent version (“1.0.0-py”)\r\nmachine_id Machine ID (GUID)\r\nos_name “win32”\r\nos_version Operating system type\r\npublisher_id “8101”\r\nTable 3. Data transmitted by the Python-based DPLoader\r\n5.1. Infatica\r\nThe DPLoader registered under the “UNBScheduler” task installs Infatica Proxyware, consistent with previous campaigns. In earlier variants, the PowerShell installer registered “CleanZilo.exe” as “LAN Network Status”, which then loaded and executed “infatica_agent.dll”, the Infatica Proxyware module located in the same directory. In the most recent samples, however, the attacker now creates a Task Scheduler entry named “Microsoft Anti-Malware Tool” and registers “MicrosoftAntiMalwareTool.exe” instead. The script also disables Windows Defender, suppresses tasks used in older attacks (such as “FastCleanPlus”), and sends installation results to an additional C\u0026C server.\r\n5.2. DigitalPulse\r\nThe DPLoader registered under the “UNPScheduler” task installs DigitalPulse Proxyware. The downloaded PowerShell script creates a scheduled task named “SyncTaskUpdatescheduler”, which uses Rundll32.exe to execute the downloaded “syncupdates.dll”. Like the malicious Notepad++ DLL described earlier, syncupdates.dll exposes an exported function named “start” and serves as an injector. However, in this case, the injected target is the explorer.exe process.\r\nFigure 10. Injection routine\r\nThe final payload injected into Explorer is an obfuscated version of DigitalPulse Proxyware, written in Go. Once executed, it collects basic system information, sends it back to the C\u0026C server, and then activates its proxy‑sharing functionality.\r\nFigure 11. Comparison between the previous DigitalPulse Proxyware variant and the newly observed obfuscated version\r\nThe Python version of DPLoader also retrieves and executes PowerShell commands that download and install the same DigitalPulse Proxyware. The downloaded malware is stored at: “%LOCALAPPDATA%\\Microsoft\\Microsoft Windows Pluton\\[GUID]\\MicrosoftWindowsPlutonTaskScheduler.dll”. It is registered under the Task Scheduler entry “MicrosoftWindowsPlutonTaskScheduler”, which runs the DLL using Rundll32.exe. This DLL also functions as an injector, ultimately injecting DigitalPulse Proxyware into the explorer.exe process.\r\nFigure 12. Downloaded PowerShell command used to deploy the Proxyware payload\r\n6. Conclusion\r\nRecently, various types of Proxyware have been actively distributed through illegal software crack download pages. Proxyware malware is similar to cryptocurrency miners in that it generates profit by exploiting system resources—specifically, network bandwidth rather than CPU or GPU power. A growing number of systems in South Korea have become targets of these proxy‑abuse attacks.\r\nUsers should avoid installing executables from suspicious websites, advertisements, pop‑ups, or file‑sharing communities, and should only download software from official sources. Systems that may already be compromised should install and run security solutions such as AhnLab V3 to prevent further malware infections.\r\nMD5\r\n01f6153a34ab6974314cf96cced9939f\r\n05e27d1d0d1e24a93fc72c8cf88924f8\r\n0fe7854726d18bbc48a5370514c58bea\r\n171e48e5eeae673c41c82292e984bac9\r\n18c1e128dbfe598335edb2ce3e772dd1\r\nAdditional IOCs are available on AhnLab TIP.\r\nURL\r\nhttps[:]//armortra[.]xyz/8101[.]py\r\nhttps[:]//d37k0r4olv9brc[.]cloudfront[.]net/93845[.]ps1\r\nhttps[:]//d37k0r4olv9brc[.]cloudfront[.]net/MicrosoftAntiMalwareTool[.]exe\r\nhttps[:]//d37k0r4olv9brc[.]cloudfront[.]net/infatica_agent[.]dll\r\nhttps[:]//github[.]com/JamilahZakiyya/note/raw/main/Setup[.]msi\r\nAdditional IOCs are available on AhnLab TIP.\r\nFQDN\r\narmortra[.]xyz\r\neasy-horizon[.]com\r\nfurtheret[.]com\r\ntrustv[.]xyz\r\nAdditional IOCs are available on AhnLab TIP.\r\nGain access to related IOCs and detailed analysis by subscribing to AhnLab TIP. For subscription details, click the banner below.\r\nSource: https://asec.ahnlab.com/en/92183/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MISPGALAXY"
	],
	"references": [
		"https://asec.ahnlab.com/en/92183/"
	],
	"report_names": [
		"92183"
	],
	"threat_actors": [
		{
			"id": "67fa0af2-a1f8-4942-af06-f744fb491c0b",
			"created_at": "2026-01-22T02:00:03.667688Z",
			"updated_at": "2026-04-10T02:00:03.920186Z",
			"deleted_at": null,
			"main_name": "Larva‑25012",
			"aliases": [],
			"source_name": "MISPGALAXY:Larva‑25012",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434478,
	"ts_updated_at": 1775792160,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7df428ab7c79a5e51a99de0cf85b12ad528a695b.pdf",
		"text": "https://archive.orkl.eu/7df428ab7c79a5e51a99de0cf85b12ad528a695b.txt",
		"img": "https://archive.orkl.eu/7df428ab7c79a5e51a99de0cf85b12ad528a695b.jpg"
	}
}