Stories from the SOC: Mystery of the postponed proxyware install

Nov. 25, 2025, 9:14 a.m.

Description

A suspicious PowerShell alert led to the discovery of an attack chain aimed at installing proxyware on a compromised system. The infection originated from a disk-cleaning utility installed three days prior, which included malicious scripts and established a connection to a C2 server. The attack utilized a download cradle and in-memory execution techniques to evade detection. The SOC team successfully intercepted the attack before the proxyware installation could complete. The incident highlights the risks associated with unauthorized software installations and the importance of restricting PowerShell access in corporate environments.

Date

  • Created: Nov. 24, 2025, 9:10 p.m.
  • Published: Nov. 24, 2025, 9:10 p.m.
  • Modified: Nov. 25, 2025, 9:14 a.m.

Indicators
