Proxyware Malware Being Distributed on YouTube Video Download Site – 2

AhnLab SEcurity intelligence Center (ASEC) has covered cases where Proxyware malware is distributed through sites posing as YouTube video download pages. The attack methods and the malware installed are largely the same as before, but the same attacker keeps distributing it and continues to infect a large number of systems. The following blog posts detail the latest attack cases:

Figure 1. Attack Flow

1. Propagation

Users can reach the following YouTube download page while searching for a way to download YouTube videos. On the page, users enter the address of a YouTube video and click the Download Video button to download the video file. The problem is that, at random, an ad page or a page that downloads Proxyware pops up instead. As in the previous cases, a characteristic of this attacker is hosting the malware on GitHub.

Figure 2. YouTube Downloader Page and Malware Download Link

When the user clicks the “Download” button, the executable file that is downloaded is disguised as WinMemoryCleaner and contains a feature that installs Proxyware.

Figure 3. Malware Disguised as WinMemoryCleaner

Figure 4. WinMemoryCleaner Tool Installed with Malware

The downloaded file “Setup.exe” installs the downloader malware WinMemoryCleaner.exe into the “%PROGRAMFILES%\WinMemoryCleaner” directory and runs “WinMemoryCleanerUpdate.bat.” “WinMemoryCleanerUpdate.bat” in turn launches WinMemoryCleaner.exe with the “/update” argument.

Figure 5. Downloader Malware Installation Path

2. Proxyware Installer Malware

“WinMemoryCleaner.exe” checks for virtual machine and sandbox environments, as in the previous cases, and then runs a PowerShell script. The PowerShell script installs Node.js, downloads the JavaScript malware, and registers it with the Task Scheduler. Unlike the earlier cases, two tasks are now registered, named “Schedule Update” and “WindowsDeviceUpdates” respectively.

Figure 6. Analysis Interference Technique Same as Previous Case

Figure 7. The Two Registered Tasks

The malicious JavaScript, which the Task Scheduler runs periodically through Node.js, is responsible for installing Proxyware. It sends the basic system information shown below to the C&C server and executes any PowerShell commands it receives in response. Those PowerShell commands can install another malicious JavaScript or the final Proxyware.

Figure 8. Information Sent to C&C Server

3. Proxyware

Proxyware is a program that shares part of the infected system’s available internet bandwidth with external parties. Normally, users who install Proxyware are paid a certain amount in return for providing that bandwidth. When an attacker installs Proxyware without the user’s consent, as in the attack discussed here, the infected system loses network bandwidth involuntarily and the profit goes to the attacker.

The attacker distributing malware disguised as a YouTube download page has previously installed DigitalPulse Proxyware, and cases of installing Honeygain’s Proxyware were covered in the previous post. While installations of these existing Proxyware programs continue, additional cases installing Infatica Proxyware have recently been confirmed.

The PowerShell command received from the C&C server installs a program called CleanZiloApp and registers it as a task named “LAN Network Status.” The final executable, “CleanZilo.exe,” loads and runs “infatica_agent.dll” from the same directory when executed, causing the user to lose network bandwidth.

Figure 9. Malware Installing Infatica Proxyware
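The persistence and file artifacts described in sections 2 and 3 can be hunted for directly on a suspect Windows host. The following PowerShell script is an added example written for this page, not code from the ASEC post: it checks for the three task names the post reports, for any scheduled task whose action launches node.exe (which runs the JavaScript downloader) or PowerShell with hidden or bypass switches, for the %PROGRAMFILES%\WinMemoryCleaner directory, and for CleanZilo.exe sitting beside infatica_agent.dll, then hashes whatever it finds against the MD5 list at the end of the post. The post does not say where CleanZiloApp is installed, so the directories searched for CleanZilo.exe are an assumption.

```powershell
# Added host hunt for the artifacts described in the post (not part of the ASEC post).
# Run from an elevated prompt so that all scheduled tasks are visible.

$knownTaskNames = @('Schedule Update', 'WindowsDeviceUpdates', 'LAN Network Status')
# MD5 values copied from the post's IOC list
$knownMd5 = @(
    '037e94519ce35ef944f1dc3f1434d09d', '0af46f150e0ffa678d20fcbe5e145576',
    '0af9e224a5469cc47706ab4253d108e9', '0e6c41058975c1288da2f41abc5d9345',
    '14c89939209ee3d0d1977a2e92897dfc'
)
$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding([string]$Kind, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Kind = $Kind; Detail = $Detail })
}

# 1. Scheduled tasks: known names, or actions that launch node.exe / hidden PowerShell
foreach ($task in (Get-ScheduledTask -ErrorAction SilentlyContinue)) {
    if ($knownTaskNames -contains $task.TaskName) {
        Add-Finding 'Task-KnownName' "$($task.TaskPath)$($task.TaskName)"
    }
    foreach ($action in $task.Actions) {
        $cmd = "$($action.Execute) $($action.Arguments)"
        if ($cmd -match '\bnode(\.exe)?\b') {
            Add-Finding 'Task-RunsNode' "$($task.TaskName): $cmd"
        } elseif ($cmd -match 'powershell' -and $cmd -match '-(w\w*\s+hidden|e[xp]\w*\s+bypass)') {
            Add-Finding 'Task-HiddenPowerShell' "$($task.TaskName): $cmd"
        }
    }
}

# 2. File artifacts
$candidates = New-Object System.Collections.Generic.List[string]
$cleanerDir = Join-Path $env:ProgramFiles 'WinMemoryCleaner'
if (Test-Path $cleanerDir) {
    Add-Finding 'Dir-WinMemoryCleaner' $cleanerDir
    Get-ChildItem -Path $cleanerDir -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object { $candidates.Add($_.FullName) }
}
# Assumed search roots for CleanZilo.exe (the post does not name its install path)
$roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:ProgramData, $env:LOCALAPPDATA, $env:APPDATA) |
    Where-Object { $_ }
foreach ($root in $roots) {
    Get-ChildItem -Path $root -Recurse -Filter 'CleanZilo.exe' -File -ErrorAction SilentlyContinue | ForEach-Object {
        $dll = Join-Path $_.DirectoryName 'infatica_agent.dll'
        $hasDll = Test-Path $dll
        Add-Finding 'File-CleanZilo' ("{0} (infatica_agent.dll beside it: {1})" -f $_.FullName, $hasDll)
        $candidates.Add($_.FullName)
        if ($hasDll) { $candidates.Add($dll) }
    }
}

# 3. Hash what was found against the post's MD5 list (MD5 because that is what the post publishes)
foreach ($file in ($candidates | Sort-Object -Unique)) {
    $md5 = (Get-FileHash -Path $file -Algorithm MD5 -ErrorAction SilentlyContinue).Hash
    if ($md5 -and ($knownMd5 -contains $md5.ToLower())) {
        Add-Finding 'Hash-KnownMD5' "$file = $md5"
    }
}

if ($findings.Count -eq 0) {
    'None of the artifacts described in the post were found.'
} else {
    $findings | Format-Table -AutoSize -Wrap
}
```

The task-action checks deliberately go beyond the three names in the post: the attacker has changed task names between cases, while the combination of a scheduled task that invokes node.exe from an unusual location, or PowerShell with hidden and bypass switches, is the part of the chain that is harder to rename away. Treat a hash miss as inconclusive, since the post's five MD5 values cover only the samples ASEC analyzed.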

4. Conclusion

Lately, various Proxyware programs are being distributed through pages that offer YouTube video downloads. Attackers who previously installed DigitalPulse and HoneyGain Proxyware are now also installing Infatica Proxyware. Like coin miners, Proxyware malware profits by using the system’s resources, and many systems in South Korea have recently been targeted by these attacks.

Users should be cautious about running executable files obtained from suspicious sources, including unofficial websites, advertisements, pop-ups, and file-sharing sites. For already infected systems, users must install the V3 product to prevent further malware infections.

[V3 Detection Name]

  • Dropper/Win.Proxyware.C5783593 (2025.07.30.02)
  • Dropper/Win.Proxyware.C5790716 (2025.08.21.02)
  • Downloader/Win.Proxyware5790717 (2025.08.21.02)
  • Downloader/JS.Proxyware.SC291256 (2025.08.21.02)
  • Downloader/JS.Proxyware.SC291257 (2025.08.21.02)
  • Downloader/JS.Proxyware.SC291258 (2025.08.21.02)
  • Downloader/JS.Proxyware.SC291259 (2025.08.21.02)
  • Downloader/Powershell.Proxyware.SC291260 (2025.08.21.02)
  • Downloader/Powershell.Proxyware.SC291261 (2025.08.21.02)
  • Downloader/Powershell.Proxyware.SC291262 (2025.08.21.02)
  • Downloader/JS.Downloader.SC291265 (2025.08.21.03)
  • Downloader/Powershell.Proxyware.SC291266 (2025.08.21.03)
  • Unwanted/Win.Proxyware.C5790566 (2025.08.21.02)
  • Unwanted/Win.Proxyware.C5790567 (2025.08.21.02)

[MD5]

037e94519ce35ef944f1dc3f1434d09d
0af46f150e0ffa678d20fcbe5e145576
0af9e224a5469cc47706ab4253d108e9
0e6c41058975c1288da2f41abc5d9345
14c89939209ee3d0d1977a2e92897dfc

[URL]

https[:]//a[.]pairnewtags[.]com/p[.]js
https[:]//d14vmbql41e8a5[.]cloudfront[.]net/pas[.]js
https[:]//d8mrs2p5baql5[.]cloudfront[.]net/CleanZilo[.]exe
https[:]//d8mrs2p5baql5[.]cloudfront[.]net/infatica_agent[.]dll
https[:]//ferntier[.]com/m[.]js

[FQDN]

4tressx[.]com
cloudnetpr[.]com
connectiondistribute[.]com
diskcleanu[.]com
fastconnectnetwork[.]com

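The URL and FQDN indicators above are defanged, so they cannot be pasted into a lookup as-is. The following PowerShell script is an added example for this page, not code from the ASEC post: it refangs the indicators, reduces each URL to its host name, and then checks the local DNS client cache and the hosts file for those names, and lists established TCP connections owned by node.exe or CleanZilo.exe, the two processes the post identifies as executing the downloader and the Proxyware agent.

```powershell
# Added IOC check for the indicators listed in the post (not part of the ASEC post).
# An empty result means nothing is cached or connected right now, not that the host is clean.

# Indicators copied verbatim from the post, still defanged
$defanged = @(
    'https[:]//a[.]pairnewtags[.]com/p[.]js',
    'https[:]//d14vmbql41e8a5[.]cloudfront[.]net/pas[.]js',
    'https[:]//d8mrs2p5baql5[.]cloudfront[.]net/CleanZilo[.]exe',
    'https[:]//d8mrs2p5baql5[.]cloudfront[.]net/infatica_agent[.]dll',
    'https[:]//ferntier[.]com/m[.]js',
    '4tressx[.]com',
    'cloudnetpr[.]com',
    'connectiondistribute[.]com',
    'diskcleanu[.]com',
    'fastconnectnetwork[.]com'
)

function ConvertFrom-Defanged {
    # Undo the "[.]" / "[:]" substitutions and reduce a URL to its lower-cased host name
    param([string]$Indicator)
    $clean = $Indicator -replace '\[\.\]', '.' -replace '\[:\]', ':'
    if ($clean -match '^[a-zA-Z]+://([^/]+)') { return $Matches[1].ToLower() }
    return $clean.ToLower()
}

$iocHosts = $defanged | ForEach-Object { ConvertFrom-Defanged $_ } | Sort-Object -Unique
$hits = New-Object System.Collections.Generic.List[object]

# 1. DNS client cache: a cached answer means something on this host resolved the name recently
Get-DnsClientCache -ErrorAction SilentlyContinue | ForEach-Object {
    $entry = "$($_.Entry)".ToLower()
    if ($iocHosts -contains $entry) {
        $hits.Add([pscustomobject]@{ Source = 'DnsCache'; Indicator = $entry; Detail = $_.Data })
    }
}

# 2. hosts file: pinning an IOC host to an address would sidestep DNS-based logging
$hostsFile = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
Get-Content -Path $hostsFile -ErrorAction SilentlyContinue | ForEach-Object {
    $line = $_
    foreach ($h in $iocHosts) {
        if ($line -match [regex]::Escape($h)) {
            $hits.Add([pscustomobject]@{ Source = 'HostsFile'; Indicator = $h; Detail = $line.Trim() })
        }
    }
}

# 3. Live connections from the processes the post names: node.exe runs the JavaScript,
#    CleanZilo.exe runs the Infatica agent
Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue | ForEach-Object {
    $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
    if ($proc -and ($proc.ProcessName -in @('node', 'CleanZilo'))) {
        $hits.Add([pscustomobject]@{
            Source    = 'TcpConnection'
            Indicator = $proc.ProcessName
            Detail    = "$($_.RemoteAddress):$($_.RemotePort)"
        })
    }
}

if ($hits.Count -eq 0) {
    'No IOC matches in the DNS cache, hosts file, or live connections.'
} else {
    $hits | Format-Table -AutoSize -Wrap
}
```

The DNS cache and hosts-file checks only see what this host has resolved or pinned; for fleet-wide coverage, the same refanged host list belongs in the DNS or proxy logs of the SIEM rather than in a per-host script.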