
    Proxyware Malware Poses as YouTube Video Download Site, Delivering Malicious JavaScript

    Cybersecurity researchers at AhnLab Security Intelligence Center (ASEC) have uncovered a persistent campaign where attackers distribute proxyware malware through fake YouTube video download pages.

    This operation, which mimics legitimate video downloading services, tricks users into installing malicious executables disguised as benign tools like WinMemoryCleaner.

    The attackers leverage GitHub for malware hosting, a tactic consistent with prior incidents, leading to widespread infections, particularly in South Korea.

    By exploiting user searches for YouTube content, the malware propagates via pop-up ads or direct download links that appear only at random, giving the infection chain a low profile that evades casual detection.

    [Figure: Attack Flow]

    The attack begins when users input a YouTube video URL on the fraudulent site and click the download button, which occasionally redirects to a malicious executable named Setup.exe.

    This file installs the downloader malware, WinMemoryCleaner.exe, into the %PROGRAMFILES%\WinMemoryCleaner directory and executes a batch script, WinMemoryCleanerUpdate.bat, to run it with an “/update” argument.

    [Figure: Downloader Malware Installation Path]

    The malware incorporates anti-analysis techniques, scanning for virtual machines and sandboxes before deploying a PowerShell script that installs Node.js and downloads additional JavaScript payloads.

    These scripts are scheduled via Task Scheduler under tasks like “Schedule Update” and “WindowsDeviceUpdates,” enabling periodic execution.

    The JavaScript communicates with a command-and-control (C&C) server, transmitting system details such as UUID, IP address, and geolocation, and receives PowerShell commands in return.

    These commands facilitate the installation of proxyware variants, including DigitalPulse, Honeygain, and the newly observed Infatica, which hijacks the victim’s network bandwidth for unauthorized proxy services.

    For instance, the Infatica variant deploys CleanZilo.exe, which loads infatica_agent.dll to siphon bandwidth, profiting the attackers while degrading the infected system’s performance.
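    As an added example that is not part of the ASEC report, the following Python flags the persistence and execution artefacts described above in constructed host telemetry. The task names, install directory and proxyware file names come from the write-up; the sample task list, process records and the Node.js path under C:\Users\Public are assumptions.

```python
import csv
import io
import re

# Indicators taken from the ASEC write-up above; every sample value below is constructed.
SUSPECT_TASK_NAMES = {"schedule update", "windowsdeviceupdates"}
DOWNLOADER_DIR = re.compile(r"\\program files\\winmemorycleaner\\", re.I)
PROXYWARE_FILES = {"cleanzilo.exe", "infatica_agent.dll"}

# Constructed sample in the shape of `schtasks /query /v /fo csv`, two columns kept.
SAMPLE_TASKS_CSV = r"""TaskName,Task To Run
\Microsoft\Windows\Defrag\ScheduledDefrag,%windir%\system32\defrag.exe -c -h -o -$
\Schedule Update,C:\Users\Public\node\node.exe C:\Users\Public\pas.js
\WindowsDeviceUpdates,C:\Users\Public\node\node.exe C:\Users\Public\p.js
"""

# Constructed sample of Sysmon-style process-creation records: "Image|CommandLine".
SAMPLE_PROCESSES = [
    r"C:\Windows\System32\svchost.exe|svchost.exe -k netsvcs",
    r"C:\Program Files\WinMemoryCleaner\WinMemoryCleaner.exe|WinMemoryCleaner.exe /update",
    r"C:\Users\Public\node\node.exe|node.exe C:\Users\Public\pas.js",
    r"C:\ProgramData\CleanZilo.exe|CleanZilo.exe",
]

def suspicious_tasks(tasks_csv):
    """Return names of scheduled tasks matching the campaign's persistence."""
    hits = []
    for row in csv.DictReader(io.StringIO(tasks_csv)):
        name = row["TaskName"].lstrip("\\").lower()
        cmd = row["Task To Run"].lower()
        # Match the reported task names, or any task that runs Node.js against a .js file.
        if name in SUSPECT_TASK_NAMES or ("node.exe" in cmd and cmd.endswith(".js")):
            hits.append(row["TaskName"])
    return hits

def suspicious_processes(records):
    """Return (image, reason) pairs for process records that match the chain."""
    hits = []
    for rec in records:
        image, cmdline = rec.split("|", 1)
        basename = image.rsplit("\\", 1)[-1].lower()
        if DOWNLOADER_DIR.search(image) and "/update" in cmdline.lower():
            hits.append((image, "downloader started with /update"))
        elif basename in PROXYWARE_FILES:
            hits.append((image, "known proxyware component"))
    return hits

if __name__ == "__main__":
    print(suspicious_tasks(SAMPLE_TASKS_CSV))
    print(suspicious_processes(SAMPLE_PROCESSES))
```

On a live host the same functions can be fed the real `schtasks /query /v /fo csv` output and Sysmon Event ID 1 records instead of the constructed samples.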

    This campaign represents an evolution in proxyware threats, where attackers repurpose legitimate bandwidth-sharing tools for illicit gains, akin to cryptojacking but focused on network resources rather than CPU cycles.

    Unlike voluntary installations where users earn rewards, these infections involuntarily monetize victims’ connections, with profits funneled to the threat actors.

    Recent cases show diversification in proxyware types, from DigitalPulse and Honeygain to Infatica, indicating adaptive tactics to bypass detection.

    ASEC reports that systems in South Korea are prime targets, with malware employing evasion methods like environment checks and scripted persistence.

    To counter this, users should avoid executables from unverified sources, including ad-laden sites and pop-ups.

    For remediation, ASEC recommends antivirus solutions such as AhnLab’s V3, which detects the variants under signatures such as Dropper/Win.Proxyware.C5783593 and Unwanted/Win.Proxyware.C5790566.

    Ongoing monitoring of indicators of compromise (IOCs) is crucial for threat hunters, as attackers continue refining their methods.

    Detection names: Dropper/Win.Proxyware.C5783593 (2025.07.30.02), Dropper/Win.Proxyware.C5790716 (2025.08.21.02), Downloader/Win.Proxyware5790717 (2025.08.21.02), and others as listed in ASEC reports.
