Proxyware Being Distributed Through Ad Pages

Jan. 21, 2025, 6:48 p.m.

Description

Security researchers have confirmed that proxyware is being installed without authorization on systems through advertisement pages on freeware sites. The proxyware, identified as DigitalPulse, lets threat actors share a portion of the system's Internet bandwidth for financial gain without user consent. The campaign involves a downloader disguised as an auto-clicker program that employs various anti-analysis techniques. It ultimately installs DigitalPulse proxyware, signed with a Netlink Connect certificate, through a series of PowerShell and JavaScript routines. Users are advised to exercise caution when installing executable files from untrusted sources to prevent such infections.

Date

  • Created: Jan. 21, 2025, 6:16 p.m.
  • Published: Jan. 21, 2025, 6:16 p.m.
  • Modified: Jan. 21, 2025, 6:48 p.m.

Indicators

  • c.pairnewtags.com
  • a.pairnewtags.com
  • filerit.com

Attack Patterns

  • AutoClicker
  • DigitalPulse
  • LummaC2
  • T1543.003
  • T1059.005
  • T1547.001
  • T1059.007
  • T1071.001
  • T1218
  • T1027