
A proxyjacking campaign targeting systems in South Korea has been attributed to the threat actor Larva-25012, which distributes proxyware disguised as legitimate Notepad++ installers.
The campaign shows notable technical evolution: process injection into explorer.exe, Python- and JavaScript-based loaders, and improved evasion techniques. Proxyjacking is the covert installation of a proxy client on a victim's device so that the attacker can sell the device's bandwidth. Legitimate proxyware does the same bandwidth sharing, but with the owner's consent and with the payment going to the owner; in proxyjacking the owner is unaware and the attacker collects the payment.
Active since at least 2024, Larva-25012 has distributed clients for proxyware services such as DigitalPulse, Honeygain and Infatica. The group previously relied on deceptive advertisements and software-cracking sites; its more recent campaigns instead use compromised GitHub repositories to spread malicious installers disguised as popular utilities.
The initial payload, DPLoader, establishes persistence through Task Scheduler and communicates with C&C servers. Newer variants arrive as MSI installers that carry a malicious C++ DLL, or as ZIP archives in which a malicious DLL is sideloaded by a legitimate installer bundled alongside it. In both cases, the next stage is a PowerShell or Python dropper that disables Windows Defender protections and installs the proxyware.
According to the analysis by ASEC researchers, DPLoader exists in both JavaScript and Python versions, and both transmit system information to the C&C. The final payloads inject obfuscated proxyware into explorer.exe, which then shares the victim's network bandwidth from inside that trusted process. The Infatica installer, in particular, creates scheduled tasks whose names mimic Microsoft security tools.
Users should download software only from official sources. Organizations should hunt for unexpected scheduled tasks (for example, one named Notepad Update Scheduler, or tasks whose names imitate Microsoft security components but whose actions run from user-writable directories), for a Python interpreter unpacked under a user's AppData directory, and for signs of process injection such as unexpected outbound connections from explorer.exe. On compromised systems, EDR should be deployed immediately and a comprehensive security audit performed.
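As an added example (this is not code from the ASEC report or from this article), the following PowerShell hunt script checks a single Windows host for the artifacts described above: suspicious scheduled tasks, a Python interpreter under AppData, established outbound connections owned by explorer.exe, and tampering with Defender. Only the task name Notepad Update Scheduler comes from the page; the lookalike name words, the directory patterns and the private-address filter are assumed heuristics, not published indicators, and every hit is a lead to review rather than a confirmed infection.

```powershell
# Added hunt script, not from the ASEC analysis. Run in an elevated PowerShell 5.1+ session.
# Heuristics below are assumptions for triage; only 'Notepad Update Scheduler' is named by the report.

$SuspectTaskNames   = @('Notepad Update Scheduler')                          # from the article
$LookalikeWords     = @('Defender', 'Security', 'Antimalware', 'Windows Update') # assumed mimicry patterns
$UserWritableDirs   = '\\AppData\\|\\Temp\\|\\Users\\Public\\|\\ProgramData\\' # assumed staging locations
$TrustedExeRoots    = '^"?(C:\\Windows\\|C:\\Program Files)'                  # where real security tools live
$PrivateOrLoopback  = '^(127\.|::1$|10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.|fe80:)'

$Findings = New-Object System.Collections.Generic.List[object]
function Add-Finding([string]$Category, [string]$Detail) {
    $script:Findings.Add([pscustomobject]@{ Category = $Category; Detail = $Detail })
}

# 1. Scheduled tasks: known bad name, security-tool lookalike launched from an untrusted path,
#    action staged in a user-writable directory, or a script-host / Python launch.
foreach ($task in Get-ScheduledTask -ErrorAction SilentlyContinue) {
    foreach ($action in $task.Actions) {
        if (-not $action.Execute) { continue }                # e.g. COM-handler actions have no Execute
        $exe       = [Environment]::ExpandEnvironmentVariables([string]$action.Execute)
        $arguments = [string]$action.Arguments
        $cmd       = ($exe + ' ' + $arguments).Trim()

        $knownName    = $SuspectTaskNames -contains $task.TaskName
        $nameLooksMs  = [bool]($LookalikeWords | Where-Object { $task.TaskName -like "*$_*" })
        $lookalike    = $nameLooksMs -and ($exe -notmatch $TrustedExeRoots)
        $fromUserDir  = $cmd -match $UserWritableDirs
        $scriptLaunch = $cmd -match 'pythonw?\.exe|\.py(\s|$)|wscript|cscript|powershell.*-(enc|w hidden)'

        if ($knownName -or $lookalike -or $fromUserDir -or $scriptLaunch) {
            Add-Finding 'ScheduledTask' ('{0}{1} -> {2} (author: {3})' -f $task.TaskPath, $task.TaskName, $cmd, $task.Author)
        }
    }
}

# 2. Python interpreter dropped under any user's AppData (a normal install lives under Program Files
#    or %LOCALAPPDATA%\Programs\Python, so that path is excluded to cut noise).
foreach ($userDir in Get-ChildItem 'C:\Users' -Directory -ErrorAction SilentlyContinue) {
    $appData = Join-Path $userDir.FullName 'AppData'
    if (-not (Test-Path $appData)) { continue }
    Get-ChildItem -Path $appData -Recurse -Force -File -Include 'python.exe', 'pythonw.exe' -ErrorAction SilentlyContinue |
        Where-Object { $_.FullName -notlike '*\AppData\Local\Programs\Python\*' } |
        ForEach-Object { Add-Finding 'PythonInAppData' $_.FullName }
}

# 3. explorer.exe with established connections to non-private addresses. explorer.exe does talk to the
#    network legitimately (shares, WebDAV, Store tiles), so treat hits as leads to correlate, not proof.
$explorerPids = @(Get-Process -Name explorer -ErrorAction SilentlyContinue | Select-Object -ExpandProperty Id)
if ($explorerPids.Count -gt 0) {
    Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
        Where-Object { $explorerPids -contains $_.OwningProcess -and $_.RemoteAddress -notmatch $PrivateOrLoopback } |
        ForEach-Object { Add-Finding 'ExplorerNetwork' ('PID {0} -> {1}:{2}' -f $_.OwningProcess, $_.RemoteAddress, $_.RemotePort) }
}

# 4. Defender tampering: the droppers described disable protections, which shows up here.
$mp = Get-MpPreference -ErrorAction SilentlyContinue
if ($mp) {
    if ($mp.DisableRealtimeMonitoring) { Add-Finding 'DefenderTampered' 'Real-time monitoring is disabled' }
    foreach ($path in @($mp.ExclusionPath)) {
        if ($path -and $path -match $UserWritableDirs) { Add-Finding 'DefenderExclusion' $path }
    }
}

if ($Findings.Count -eq 0) { 'No proxyjacking indicators found on this host.' }
else { $Findings | Sort-Object Category | Format-Table -AutoSize -Wrap }
```

Run it elevated, since Get-ScheduledTask hides other users' tasks and Get-NetTCPConnection cannot map OwningProcess without administrative rights. Pipe `$Findings` to Export-Csv when sweeping a fleet so the ScheduledTask rows can be diffed against a known-good baseline; an honest baseline is what separates a lookalike task name from a real Microsoft one.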
