
Proxyware Malware Being Distributed on YouTube Video Download Site

Severity: Medium
Published: Fri Aug 22 2025 (08/22/2025, 11:05:40 UTC)
Source: AlienVault OTX General

Description

A malicious campaign is targeting users through fake YouTube video download sites, distributing Proxyware malware. The attack involves a downloader disguised as WinMemoryCleaner, which installs NodeJS and runs malicious JavaScript. This script then installs various Proxyware programs, including DigitalPulse, HoneyGain, and recently, Infatica. The malware uses Task Scheduler for persistence and sends system information to a C&C server. The Proxyware exploits the infected system's network bandwidth for the attacker's profit. Users in South Korea have been particularly targeted. To prevent infection, users should avoid installing executables from suspicious websites and use antivirus software.

AI-Powered Analysis

Last updated: 08/22/2025, 19:19:51 UTC

Technical Analysis

This threat involves a malicious campaign distributing Proxyware malware through fake YouTube video download websites. The attack vector is a downloader masquerading as a legitimate utility named WinMemoryCleaner. Upon execution, this downloader installs NodeJS on the victim's system and executes malicious JavaScript code. This script subsequently installs multiple Proxyware applications, including DigitalPulse, HoneyGain, and, more recently, Infatica. Proxyware software legitimately lets users share their internet bandwidth for payment; in this campaign the infected system's bandwidth is sold without the user's consent, generating revenue for the attacker.

Persistence is achieved through the Windows Task Scheduler, which ensures the malware runs at system startup or at scheduled intervals. The malware also collects system information and sends it to a command and control (C&C) server, which could enable further malicious activity or updates. The campaign is notable for targeting users in South Korea, but the distribution method (fake YouTube video download sites) is globally accessible and poses a risk to users worldwide.

The malware's techniques are tagged with the following MITRE ATT&CK identifiers: T1053.005 (Scheduled Task), T1036.005 (Masquerading), T1082 (System Information Discovery), T1497 (Virtualization/Sandbox Evasion), T1059.001 and T1059.003 (Command and Scripting Interpreter), T1547.001 (Boot or Logon Autostart Execution), T1571 (Non-Standard Port), T1105 (Ingress Tool Transfer), and T1204.001 (User Execution). Indicators of compromise include file hashes and domains associated with the malware's infrastructure. No known exploits in the wild have been reported; the campaign's medium severity rating reflects the potential for unauthorized bandwidth usage and system compromise. Users are advised to avoid downloading executables from untrusted sources and to maintain updated antivirus solutions to detect and prevent infection.

Potential Impact

For European organizations, the primary impact of this Proxyware malware is the unauthorized consumption and exploitation of network bandwidth, which can degrade network performance and increase operational costs. The malware's persistence mechanisms and data exfiltration capabilities could also expose sensitive system information, potentially facilitating further targeted attacks or lateral movement within corporate networks. While the malware does not appear to directly steal credentials or cause data destruction, the covert use of network resources can disrupt business operations, especially in bandwidth-sensitive environments. Additionally, infected endpoints may be leveraged as part of larger proxy networks, potentially implicating organizations in malicious activities unknowingly, which could have reputational and legal consequences under European data protection and cybersecurity regulations such as GDPR and NIS Directive. The infection vector—fake YouTube video download sites—targets end users, so organizations with remote or hybrid workforces are at increased risk if employees download software from unverified sources. The use of NodeJS and JavaScript for malware execution also suggests that systems with developer tools or scripting environments enabled are more vulnerable. Overall, the threat could lead to reduced network efficiency, potential compliance issues, and increased incident response costs for European organizations.

Mitigation Recommendations

European organizations should implement a multi-layered defense strategy tailored to this threat. First, enforce strict application control policies to prevent unauthorized installation of software, especially from untrusted websites masquerading as legitimate utilities. Endpoint protection platforms should be configured to detect and block known hashes and behaviors associated with Proxyware malware, including monitoring for suspicious NodeJS installations and Task Scheduler modifications. Network monitoring should be enhanced to detect unusual outbound connections to the identified C&C domains (e.g., cloudnetpr.com, connectiondistribute.com, ferntier.com, a.pairnewtags.com) and anomalous bandwidth usage patterns indicative of proxyware activity. User education campaigns must emphasize the risks of downloading executables from unofficial sources, particularly fake video download sites. Implementing web filtering to block access to known malicious domains and URLs can reduce exposure. Additionally, restrict or monitor the use of scripting environments like NodeJS on endpoints unless explicitly required for business purposes. Regularly audit scheduled tasks and startup entries to identify unauthorized persistence mechanisms. Incident response plans should include procedures for isolating infected machines and conducting forensic analysis to identify the scope of compromise. Finally, collaborate with ISPs and cybersecurity information sharing organizations to stay updated on emerging Proxyware threats and indicators.
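The two monitoring steps above (outbound connections to the listed C&C domains, and scheduled tasks that run NodeJS from unexpected locations) can be scripted as a simple hunt. The following is an added example written for this page, not code from AhnLab's report or the OTX pulse; the log line shape, the task record shape, and the "trusted" node.exe install directories are assumptions made for the example.

```python
import re
from pathlib import PureWindowsPath

# C&C domains listed in this record; subdomains of each are matched too.
C2_DOMAINS = ("cloudnetpr.com", "connectiondistribute.com", "ferntier.com", "a.pairnewtags.com")
# Where a legitimately installed node.exe normally lives (assumption for this example).
TRUSTED_NODE_DIRS = (r"c:\program files\nodejs", r"c:\program files (x86)\nodejs")

def is_c2_host(host: str) -> bool:
    """True if host is one of the listed C&C domains or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in C2_DOMAINS)

def scan_dns_log(lines):
    """Return (client, queried name) pairs for DNS log lines that resolve a C&C domain.
    The line shape '... client <ip> query: <name> <type>' is constructed for this example."""
    hits = []
    for line in lines:
        m = re.search(r"client (\S+) query: (\S+)", line)
        if m and is_c2_host(m.group(2)):
            hits.append((m.group(1), m.group(2).lower().rstrip(".")))
    return hits

def suspicious_node_task(task: dict) -> bool:
    """Flag a scheduled-task record whose action runs node.exe from outside the usual
    install directory, matching the Task Scheduler persistence described above."""
    exe = PureWindowsPath(task["command"])
    if exe.name.lower() != "node.exe":
        return False
    parent = str(exe.parent).lower()
    return not any(parent.startswith(d) for d in TRUSTED_NODE_DIRS)

# Constructed sample records (not real telemetry); the second task mimics the masquerade.
SAMPLE_DNS = [
    "2025-08-22T11:05:40Z client 10.0.0.12 query: a.pairnewtags.com A",
    "2025-08-22T11:05:41Z client 10.0.0.12 query: www.youtube.com A",
    "2025-08-22T11:06:02Z client 10.0.0.31 query: cdn.ferntier.com. A",
    "2025-08-22T11:06:05Z client 10.0.0.31 query: notcloudnetpr.com A",
]
SAMPLE_TASKS = [
    {"name": "NodeUpdater", "command": r"C:\Program Files\nodejs\node.exe"},
    {"name": "WinMemoryCleaner", "command": r"C:\Users\bob\AppData\Roaming\WinMemoryCleaner\node.exe"},
    {"name": "OneDrive Sync", "command": r"C:\Users\bob\AppData\Local\Microsoft\OneDrive\OneDrive.exe"},
]

def hunt():
    """Run both checks over the samples and return what a responder would triage."""
    return {"c2_lookups": scan_dns_log(SAMPLE_DNS),
            "suspicious_tasks": [t["name"] for t in SAMPLE_TASKS if suspicious_node_task(t)]}
```

Feed real DNS or proxy logs and an export of scheduled tasks (for example from Get-ScheduledTask) into the same two functions to hunt across a fleet.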


Technical Details

Author: AlienVault
TLP: white
References: https://asec.ahnlab.com/en/89787
Adversary: null
Pulse Id: 68a84f04510bd6992ad887e0
Threat Score: null

Indicators of Compromise


Domain

cloudnetpr.com
connectiondistribute.com
ferntier.com
a.pairnewtags.com

Threat ID: 68a8bed6ad5a09ad00216414

Added to database: 8/22/2025, 7:02:46 PM

Last enriched: 8/22/2025, 7:19:51 PM

Last updated: 8/23/2025, 12:32:39 AM
