Proxyware Malware Being Distributed on YouTube Video Download Site

Aug. 22, 2025, 6:55 p.m.

Description

A malicious campaign is targeting users through fake YouTube video download sites, distributing Proxyware malware. The attack involves a downloader disguised as WinMemoryCleaner, which installs NodeJS and runs malicious JavaScript. This script then installs various Proxyware programs, including DigitalPulse, HoneyGain, and recently, Infatica. The malware uses Task Scheduler for persistence and sends system information to a C&C server. The Proxyware exploits the infected system's network bandwidth for the attacker's profit. Users in South Korea have been particularly targeted. To prevent infection, users should avoid installing executables from suspicious websites and use antivirus software.

External References

https://asec.ahnlab.com/en/89787
https://otx.alienvault.com/pulse/68a84f04510bd6992ad887e0
Tags
malware
javascript
youtube
downloader
c&c
digitalpulse
proxyware
task scheduler
nodejs
2025-08-22
honeygain
bandwidth
infatica

Date

  • Created: Aug. 22, 2025, 11:05 a.m.
  • Published: Aug. 22, 2025, 11:05 a.m.
  • Modified: Aug. 22, 2025, 6:55 p.m.

Attack Patterns

  • Infatica
  • HoneyGain
  • Proxyware
  • DigitalPulse