Proxyware Malware Being Distributed on YouTube Video Download Site
AhnLab SEcurity intelligence Center (ASEC) previously described a case of threat actors distributing proxyware through the advertising page of a freeware software site in the blog post “DigitalPulse Proxyware Being Distributed Through Ad Pages” [1]. The same threat actor has continued to distribute proxyware, and multiple infection cases have been found in South Korea. This report shares the latest attack cases and indicators of compromise (IoCs). The proxyware that is ultimately installed is mostly the DigitalPulse proxyware used in the earlier proxyjacking campaigns, but there have also been cases where Honeygain’s proxyware is distributed.
1. Proxyjacking
A Proxyjacking attack is a method by which threat actors generate profit by installing Proxyware without user consent and sharing part of the infected system’s Internet bandwidth externally. Proxyware is a program that shares a portion of the available Internet bandwidth from the installed system with external parties. Normally, users who install Proxyware voluntarily receive monetary compensation in exchange for providing bandwidth. However, when threat actors secretly install Proxyware without consent, the infected system’s bandwidth is illicitly hijacked, and the profits are redirected to the threat actors. This attack is similar to Cryptojacking, with the key difference being that instead of installing a CoinMiner to exploit system resources for cryptocurrency mining, Proxyware is installed to exploit the system’s bandwidth.
Proxyjacking attacks have been reported not only by ASEC but also by several other security vendors. In 2023, LevelBlue introduced a Proxyjacking campaign that involved the installation of Proxyware known as DigitalPulse. This campaign was reported to have infected at least 400,000 Windows systems. As previously covered in earlier ASEC blog posts, numerous cases of DigitalPulse Proxyware infections have also been confirmed in Korea, and similar attacks continue to be observed in recent incidents.
2. Attacks Disguised as YouTube Download Pages
Users searching Google for ways to download YouTube videos for free may land on certain websites where, when they attempt to download a video, malware is downloaded instead.

Figure 1. YouTube video download page
When a user enters the URL of a YouTube video, the site displays a download button. However, clicking the “Download Now” button redirects the user either to an advertisement page or to a malware download page.

Figure 2. Malware being downloaded instead of the video
The threat actor leveraged GitHub as a malware distribution platform, uploading malicious files across multiple repositories as shown below.

Figure 3. Malware uploaded to GitHub
3. Malware Information

Figure 4. Malware installation flowchart
The behavior of the malware is identical to previous cases. It disguises itself as an installer named “QuickScreenRecoder”, but in reality, it is malware that executes a PowerShell script. Similar to earlier variants, after passing through routines that check for loaded DLLs or virtual machines, it generates and executes a PowerShell script responsible for installing Proxyware. During this process, NodeJS is installed, a malicious JavaScript file is downloaded, and the task is registered in the Windows Task Scheduler.
The scheduled task for executing the malicious JavaScript through NodeJS is registered under the name “DefragDiskCleanup”. Once the JavaScript is executed through NodeJS, it connects to a C&C server, sends basic system information in the same format observed in previous incidents, and then carries out additional commands based on the server’s response. The downloaded response is ultimately a PowerShell command that installs Proxyware.

Figure 5. Registered task
The downloaded response is a PowerShell command that downloads and runs a PowerShell script, and in most cases, it installs DigitalPulse Proxyware. However, recent cases have also confirmed the installation of Honeygain Proxyware. In these instances, the threat actor installs Honeygain’s Proxyware “hgsdk.dll” and registers a launcher named “FastCleanPlus.exe” in the Task Scheduler to execute it.

Figure 6. Compressed file containing Honeygain Proxyware
The launcher is responsible for invoking the hgsdk_start() function within “hgsdk.dll”, passing the threat actor’s API key as a parameter.

Figure 7. Routine of the Honeygain Proxyware launcher
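The two persistence artifacts described above (the “DefragDiskCleanup” task that runs the JavaScript through NodeJS, and the “FastCleanPlus.exe” launcher task for the Honeygain proxyware) can be hunted for in exported Task Scheduler XML. The following checker is an added example, not code from the ASEC post; the sample tasks, file paths and script name in it are constructed, and the task-name and launcher-name lists are the only values taken from the post.

```python
# Added example (not code from the ASEC post): flags scheduled tasks that match
# the persistence described above, i.e. NodeJS launching a .js file, the
# "DefragDiskCleanup" task name, or the "FastCleanPlus.exe" launcher. Input is
# Task Scheduler XML such as `schtasks /query /tn <name> /xml` prints.
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
KNOWN_TASK_NAMES = {"defragdiskcleanup"}   # task name reported in the post
KNOWN_LAUNCHERS = {"fastcleanplus.exe"}    # Honeygain launcher reported in the post
USER_WRITABLE = ("\\appdata\\", "\\programdata\\", "\\temp\\", "\\users\\public\\")


def inspect_task(xml_text):
    """Return the reasons a task looks like proxyware persistence ([] if none)."""
    root = ET.fromstring(xml_text)
    reasons = []
    uri = root.findtext("t:RegistrationInfo/t:URI", default="", namespaces=NS)
    name = uri.rsplit("\\", 1)[-1].lower()
    if name in KNOWN_TASK_NAMES:
        reasons.append("known task name: " + name)
    for ex in root.findall("t:Actions/t:Exec", NS):
        cmd = ex.findtext("t:Command", default="", namespaces=NS).strip().strip('"')
        args = ex.findtext("t:Arguments", default="", namespaces=NS).lower()
        exe = cmd.rsplit("\\", 1)[-1].lower()
        if exe in KNOWN_LAUNCHERS:
            reasons.append("known launcher: " + exe)
        if exe == "node.exe" and ".js" in args:
            reasons.append("node.exe running a script: " + args)
        if any(p in cmd.lower() for p in USER_WRITABLE):
            reasons.append("action in user-writable path: " + cmd)
    return reasons


# Constructed sample tasks (paths and script name are made up, not IoCs).
NODE_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\DefragDiskCleanup</URI></RegistrationInfo>
  <Actions Context="Author"><Exec>
    <Command>C:\Users\victim\AppData\Local\Programs\node\node.exe</Command>
    <Arguments>C:\Users\victim\AppData\Roaming\update.js</Arguments>
  </Exec></Actions>
</Task>"""
BENIGN_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\Microsoft\Windows\Defrag\ScheduledDefrag</URI></RegistrationInfo>
  <Actions Context="Author"><Exec>
    <Command>%windir%\system32\defrag.exe</Command><Arguments>-c -h -o</Arguments>
  </Exec></Actions>
</Task>"""

for label, task in (("node task", NODE_TASK), ("benign task", BENIGN_TASK)):
    print(label, "->", inspect_task(task) or "clean")
```

On a live host the same function can be fed the output of `schtasks /query /xml` for each task; anything it flags should be checked against the file detections listed below.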
5. Conclusion
Recently, DigitalPulse and Honeygain Proxyware have been distributed through YouTube video download pages. DigitalPulse was previously known to have infected at least 400,000 Windows systems during a Proxyjacking campaign, and although the certificate differs, the same Proxyware was used in the newly identified cases. Proxyware malware is similar to CoinMiners in that it uses system resources to generate financial gain.
Users should be cautious about installing executable files obtained from suspicious websites, such as those with ads or pop-ups, or from file-sharing sites, rather than from official sources. In addition, if your system is already infected, you should install V3 products to prevent further malware infection.
File Detection
- Dropper/Win.Proxyware.C5783593 (2025.07.30.02)
- Unwanted/Win.Proxyware.R712792 (2025.07.14.00)
- Unwanted/Win.Proxyware.R716288 (2025.07.30.02)
- Trojan/Win.Proxyware.C5783607 (2025.07.30.02)
- Trojan/Win.Proxyware.C5783598 (2025.07.30.02)
- Downloader/Powershell.Proxyware.SC288772 (2025.07.20.00)
- Downloader/Powershell.Proxyware.SC287573 (2025.07.25.02)
- Downloader/JS.Proxyware.SC289893 (2025.07.29.00)
- Unwanted/Win.Proxyware.C5783612 (2025.07.30.02)
- Unwanted/Win.Proxyware.C5783613 (2025.07.30.02)
- Downloader/JS.Proxyware.SC290084 (2025.07.30.02)
- Downloader/JS.Proxyware.SC290112 (2025.07.31.00)
- Downloader/JS.Proxyware.SC290113 (2025.07.31.00)
- Downloader/Powershell.Proxyware.SC290085 (2025.07.30.02)
- Downloader/Powershell.Proxyware.SC290086 (2025.07.30.02)
- Downloader/Powershell.Proxyware.SC290087 (2025.07.30.02)
- Downloader/Powershell.Proxyware.SC290088 (2025.07.30.02)
Behavioral Diagnosis
- Execution/MDP.Powershell.M2514
※ For more information, please refer to the attachment.