Proxyware Disguised as Notepad++ Tool
AhnLab SEcurity intelligence Center (ASEC) is monitoring Proxyjacking attacks and continuously disclosing the distribution cases and IoCs identified in South Korea. The threat actor Larva‑25012, known for deploying Proxyware, has recently begun using malware disguised as a Notepad++ installer. The actor is also actively changing techniques to evade detection, such as injecting the Proxyware into the Windows Explorer process (explorer.exe) and switching to a Python-based loader.
Proxyjacking refers to an attack in which Proxyware is installed on a victim’s machine without consent, allowing an attacker to monetize the victim’s internet bandwidth by sharing part of it with external networks. Proxyware is a program that shares a portion of the host system’s available network bandwidth with third parties, typically providing financial compensation to users who voluntarily install it. However, when an attacker secretly installs Proxyware without permission, the infected system’s bandwidth is hijacked, and all profits go directly to the attacker. This tactic is similar to Cryptojacking, with the key difference being that attackers deploy Proxyware instead of cryptocurrency miners. While Cryptojacking exploits hardware resources (CPU/GPU) to mine coins, Proxyjacking exploits network bandwidth.
1. Previous Attacks
The Larva‑25012 threat actor has been active since at least 2024, distributing multiple types of Proxyware, including DigitalPulse [1], Honeygain, and Infatica, among others. The actor primarily spreads Proxyware installers through advertisements on websites that offer free YouTube video downloads [2] [3] [4], and also through ads on fake websites posing as download pages for cracked or pirated software (cracks and keygens) [5].
The actor frequently distributes installer files impersonating legitimate applications such as AutoClicker, FastCleanPlus, WinMemoryCleaner, and SteamCleaner. These installers drop the downloader malware DPLoader. Once registered in the Windows Task Scheduler, DPLoader runs persistently and retrieves commands from its C&C server. Every PowerShell script observed to date has installed one or more Proxyware tools, although the same channel would let the attacker deploy any other malware at their discretion.
2. Malware Distribution
In recent attack cases, the threat actor has been distributing malware through advertisement pages on websites posing as download portals for cracked or otherwise illegal software.

Figure 1. Malware download portal
As in previous cases, the files served through these malicious ad pages are ultimately hosted on GitHub. Earlier campaigns used an MSI installer named “Setup.msi” as the initial payload; in the most recent distribution cases the attacker has switched to a ZIP archive named “Setup.zip” that bundles the malware with a legitimate installer.

Figure 2. Disguised malware uploaded to GitHub
3. Malicious Installers
3.1. Setup.msi
The variant distributed through “Setup.msi” differs from the variants seen in earlier campaigns: instead of .NET, it is written in C++ and delivered as a DLL. Once executed, the malware registers itself in the Windows Task Scheduler under the name “Notepad Update Scheduler”, with the task launching the DLL via Rundll32.exe.

Figure 3. Task Scheduler entry responsible for executing the installed malicious DLL
Alongside the legitimate Notepad++ installation, the DLL injects shellcode into the AggregatorHost.exe process. The shellcode carries a dropper that writes out an embedded PowerShell script. Unlike previous variants, which employed numerous anti‑analysis techniques, this sample contains no additional anti‑analysis mechanisms.

Figure 4. Routine that generates the PowerShell payload
The PowerShell script performs the same actions seen in prior attacks. It installs Node.js, creates two obfuscated JavaScript files (DPLoader) in a randomly named folder using GUID‑formatted file names, and registers them in the Task Scheduler as “UNBScheduler” and “UNPScheduler”. To evade detection, the script also modifies Windows Defender settings: it adds exclusion paths, disables security notifications, and turns off malware sample submission.

Figure 5. JavaScript‑based malware (DPLoader) registered in the Task Scheduler
3.2. Setup.zip
The variant delivered through “Setup.zip” contains both the legitimate Notepad++ installer (“Setup.exe”) and a malicious loader DLL named “TextShaping.dll”. When the user launches Setup.exe, the installer loads the DLL placed beside it and the malware runs through DLL side‑loading. TextShaping.dll stores encrypted shellcode that it decrypts at runtime; the shellcode in turn decrypts an embedded dropper and executes it directly in memory.

Figure 6. Malware inside Setup.zip

Figure 7. Loader malware and decrypted dropper
The dropper creates “tmp.ps1”, a PowerShell script that downloads the official Python installer from the Python website, installs Python, and then deploys a Python‑based variant of DPLoader. It also generates a GUID‑named VBS launcher that runs DPLoader through the installed Python interpreter, and finally registers this launcher in the Windows Task Scheduler under “Notepad Update Scheduler”, the same task name used by the MSI variant, to ensure persistent execution.
| Type | Path |
|---|---|
| Python | %LOCALAPPDATA%\Notepad\Notepad\[GUID]\ |
| Launcher | %LOCALAPPDATA%\Notepad\Notepad\[GUID]\[GUID].vbs |
| DPLoader | %LOCALAPPDATA%\Notepad\Notepad\[GUID]\[GUID] |
Table 1. Malware installation paths
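The Setup.zip case above relies on the loader searching the application directory before System32, so a DLL dropped beside Setup.exe with the name of a system DLL wins. The following PowerShell is an added triage helper, not code from the ASEC report or from the Notepad++ project: it inspects an already extracted installer folder (the `-Dir` parameter and the `Find-SideLoadCandidate` name are this example's own) and flags DLLs that shadow a System32 DLL of the same name and carry no valid Authenticode signature. The heuristic is generic and will also flag some benign redistributed DLLs, so treat hits as leads rather than verdicts.

```powershell
# Added example, not code from the ASEC report: pre-execution triage of an
# extracted installer bundle for the DLL side-loading pattern seen in Setup.zip.
# Assumption: the archive has already been extracted into $Dir and nothing in
# it has been run. Names below (Setup.exe, TextShaping.dll) come from the report.
function Find-SideLoadCandidate {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Dir)

    $system32 = Join-Path $env:SystemRoot 'System32'
    $exeNames = (Get-ChildItem -Path $Dir -Filter *.exe -File).Name -join ', '

    foreach ($dll in Get-ChildItem -Path $Dir -Filter *.dll -File) {
        $sig = Get-AuthenticodeSignature -FilePath $dll.FullName
        # The application directory is searched before System32, so a same-named
        # DLL placed next to the EXE is the one that gets loaded.
        $shadows = Test-Path -Path (Join-Path $system32 $dll.Name)

        [pscustomobject]@{
            Dll        = $dll.Name
            Sha256     = (Get-FileHash -Path $dll.FullName -Algorithm SHA256).Hash  # for IoC lookup
            SizeKB     = [math]::Round($dll.Length / 1KB)
            Signature  = $sig.Status                 # Valid, NotSigned, HashMismatch, ...
            Signer     = $sig.SignerCertificate.Subject
            Shadows    = $shadows                    # same name exists in System32
            BesideExe  = $exeNames
            Suspicious = $shadows -and ($sig.Status -ne 'Valid')
        }
    }
}

# Usage: extract Setup.zip into an isolated folder without launching Setup.exe, then
#   Find-SideLoadCandidate -Dir 'C:\triage\Setup' | Format-Table -AutoSize
```

A legitimate installer bundle normally ships either signed DLLs or DLLs whose names do not collide with Windows system DLLs; an unsigned DLL that both sits beside the EXE and shadows a System32 name is the combination worth escalating, and the SHA256 column lets you check it against published IoCs before anyone runs the installer.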
4. DPLoader
4.1. JavaScript Version
The obfuscated JavaScript malware sends the following system information to the C&C server and executes the commands returned in the server’s response. The field names mirror the Node.js os module (os.type() returns “Windows_NT” and os.platform() returns “win32” on Windows). This variant has been observed in a similar form since it was first identified, and for classification purposes it is referred to here as DPLoader.
| Field | Data |
|---|---|
| os_type | “Windows_NT” |
| os_name | “win32” |
| os_release | Operating system version |
| os_version | Operating system type |
| os_hostname | Computer name |
| os_arch | Operating system architecture |
| machine_id | Machine ID |
| agent_version | Agent version (“2.0.0-js”) |
| session_id | Session ID |
| publisher_id | Random number (used as an argument when executing the JavaScript malware) |
Table 2. Transmitted data

Figure 8. PowerShell Command Received in Response
4.2. Python Version
The Python version of DPLoader is simpler and less obfuscated than its JavaScript counterpart. It sends system information to and retrieves commands from the C&C server through the “/d” URL endpoint, while the “/e” endpoint is used exclusively for error reporting.

Figure 9. Main routine of the Python‑based DPLoader
| Field | Data |
|---|---|
| agent_version | Agent version (“1.0.0-py”) |
| machine_id | Machine ID (GUID) |
| os_name | “win32” |
| os_version | Operating system type |
| publisher_id | “8101” |
Table 3. Data transmitted by the Python-based DPLoader
5. Proxyware
5.1. Infatica
The DPLoader registered under the “UNBScheduler” task installs Infatica Proxyware, as in previous campaigns. In earlier variants, the PowerShell installer registered “CleanZilo.exe” under a task named “LAN Network Status”; that executable then loaded and executed “infatica_agent.dll”, the Infatica Proxyware module located in the same directory. In the most recent samples the attacker instead creates a Task Scheduler entry named “Microsoft Anti-Malware Tool” that runs “MicrosoftAntiMalwareTool.exe”. The script also disables Windows Defender, removes scheduled tasks left behind by older campaigns (such as “FastCleanPlus”), and reports the installation result to an additional C&C server.
5.2. DigitalPulse
The DPLoader registered under the “UNPScheduler” task installs DigitalPulse Proxyware. The downloaded PowerShell script creates a scheduled task named “SyncTaskUpdatescheduler” that uses Rundll32.exe to execute the downloaded “syncupdates.dll”. Like the malicious Notepad++ DLL described in Section 3.1, syncupdates.dll exposes an exported function named “start” and acts as an injector; in this case, however, the injection target is the explorer.exe process.

Figure 10. Injection routine
The final payload injected into explorer.exe is an obfuscated build of the DigitalPulse Proxyware, written in Go. Once running, it collects basic system information, sends it to the C&C server, and then activates its proxy‑sharing functionality.

Figure 11. Comparison between the previous DigitalPulse Proxyware variant and the newly observed obfuscated version
The Python version of DPLoader likewise retrieves and executes PowerShell commands that download and install the same DigitalPulse Proxyware. The downloaded DLL is stored at “%LOCALAPPDATA%\Microsoft\Microsoft Windows Pluton\[GUID]\MicrosoftWindowsPlutonTaskScheduler.dll” and registered under a Task Scheduler entry named “MicrosoftWindowsPlutonTaskScheduler”, which runs it with Rundll32.exe. This DLL is also an injector and ultimately injects the DigitalPulse Proxyware into the explorer.exe process.

Figure 12. Downloaded PowerShell command used to deploy the Proxyware payload
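Every variant in Sections 3 and 5 persists the same way: a scheduled task that starts rundll32.exe, a VBS launcher, or Python from a path under the user profile, plus Defender settings weakened so the payloads survive. The following PowerShell is an added hunting script, not code from the ASEC report: it checks a host for the task names, install directories and file names quoted in this article, and additionally applies a generic rule (script or DLL hosts launched by a task from AppData\Local) and Defender checks that go beyond the specific samples. The `Find-ProxyjackingArtifact` name is this example's own, and the notification policy key it reads is an assumption, since the report does not name the registry values its script touches.

```powershell
# Added example, not code from the ASEC report. Run in an elevated PowerShell so
# the scheduled tasks of all users are visible. IoC names come from the report;
# the AppData\Local launcher rule and the Defender checks are generic assumptions.
function Find-ProxyjackingArtifact {
    $knownTasks = @(
        'Notepad Update Scheduler', 'UNBScheduler', 'UNPScheduler',
        'LAN Network Status', 'Microsoft Anti-Malware Tool',
        'SyncTaskUpdatescheduler', 'MicrosoftWindowsPlutonTaskScheduler', 'FastCleanPlus'
    )
    $knownFiles = @('syncupdates.dll', 'MicrosoftWindowsPlutonTaskScheduler.dll',
                    'CleanZilo.exe', 'infatica_agent.dll', 'MicrosoftAntiMalwareTool.exe')
    $knownDirs  = @("$env:LOCALAPPDATA\Notepad\Notepad",
                    "$env:LOCALAPPDATA\Microsoft\Microsoft Windows Pluton")
    $findings = New-Object System.Collections.Generic.List[object]
    function Add-Finding($Kind, $Name, $Detail, $Reason) {
        $findings.Add([pscustomobject]@{ Kind = $Kind; Name = $Name; Detail = $Detail; Reason = $Reason })
    }

    # 1. Scheduled tasks: exact IoC task names, known file names, or the generic launcher shape.
    foreach ($task in Get-ScheduledTask) {
        foreach ($action in $task.Actions) {
            if (-not $action.Execute) { continue }          # COM-handler actions have no Execute
            $cmd = "$($action.Execute) $($action.Arguments)".Trim()
            $reason = $null
            if ($knownTasks -contains $task.TaskName) { $reason = 'known task name' }
            elseif ($knownFiles | Where-Object { $cmd -like "*$_*" }) { $reason = 'known file name' }
            elseif ($action.Execute -match '(?i)(rundll32|wscript|cscript|python\w*)(\.exe)?"?$' -and
                    $cmd -match '(?i)\\AppData\\Local\\') { $reason = 'script/DLL host launched from AppData\Local' }
            if ($reason) { Add-Finding 'ScheduledTask' "$($task.TaskPath)$($task.TaskName)" $cmd $reason }
        }
    }

    # 2. Install directories named in the report (Table 1 and Section 5.2).
    foreach ($dir in $knownDirs) {
        if (Test-Path -Path $dir) {
            $files = (Get-ChildItem -Path $dir -Recurse -File -ErrorAction SilentlyContinue).FullName -join '; '
            Add-Finding 'Directory' $dir $files 'known install path'
        }
    }

    # 3. Defender tampering: exclusions under the user profile, sample submission off, real-time off.
    try {
        $mp = Get-MpPreference -ErrorAction Stop
        foreach ($p in @($mp.ExclusionPath | Where-Object { $_ })) {
            if ($p -match '(?i)\\AppData\\Local\\') { Add-Finding 'DefenderExclusion' $p '' 'exclusion under user profile' }
        }
        if ($mp.SubmitSamplesConsent -eq 2) { Add-Finding 'DefenderSetting' 'SubmitSamplesConsent' '2 (never send)' 'sample submission disabled' }
        if ($mp.DisableRealtimeMonitoring) { Add-Finding 'DefenderSetting' 'DisableRealtimeMonitoring' 'True' 'real-time protection disabled' }
    } catch { Write-Warning "Get-MpPreference unavailable: $_" }
    # Assumed policy location for the notification suppression the report mentions.
    $notif = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications'
    $v = Get-ItemProperty -Path $notif -Name DisableNotifications -ErrorAction SilentlyContinue
    if ($v.DisableNotifications -eq 1) { Add-Finding 'DefenderSetting' 'DisableNotifications' '1' 'security notifications suppressed by policy' }

    return $findings
}

# Usage (elevated PowerShell):
#   Find-ProxyjackingArtifact | Format-Table -AutoSize
```

Hits on the known task names, file names or directories are direct matches to this article's IoCs; hits from the AppData\Local rule need a second look, since some legitimate updaters also run scripts from the user profile. When cleaning up, remove the task and the dropped files together and restore the Defender exclusions and sample-submission setting, otherwise the next task run simply reinstalls the Proxyware.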
6. Conclusion
Various types of Proxyware have recently been distributed through download pages for cracked software. Proxyware malware resembles cryptocurrency miners in that it profits from the victim’s system resources, in this case network bandwidth rather than CPU or GPU time. A growing number of systems in South Korea are being targeted by these proxy‑abuse attacks.
Users should avoid installing executables obtained from suspicious websites, advertisements, pop‑ups, or file‑sharing communities, and should download software only from official sources. Systems that may already be compromised should install and run a security solution such as AhnLab V3 to prevent further malware infections.