Malware download portal | Image: ASEC
A new wave of cyberattacks is targeting users looking for free software, turning their computers into unwilling participants in bandwidth-sharing schemes. AhnLab Security Intelligence Center (ASEC) has issued a warning about a campaign by the threat actor Larva-25012, who is distributing malware disguised as the popular text editor Notepad++.
The attack is a classic example of “Proxyjacking,” a technique where attackers install software to silently siphon off a victim’s internet bandwidth for profit.
The campaign preys on users searching for cracked or pirated software. The threat actor lures victims to “fake websites posing as pages for downloading cracked or pirated software”. These sites, which claim to be “user-friendly and comprehensive,” offer malicious installers for tools like AutoClicker, SteamCleaner, and most notably, Notepad++.
Once a user downloads and runs the “Setup.zip” file, they aren’t just getting a text editor. “The variant delivered through ‘Setup.zip’ contains both the legitimate Notepad++ installer (‘Setup.exe’) and a malicious loader DLL named ‘TextShaping.dll’”.
The malware employs a technique called DLL side-loading to evade detection. When the victim launches the legitimate Notepad++ installer, it unwittingly loads the malicious TextShaping.dll from the same folder.
This DLL then decrypts a payload in memory, which eventually installs DPLoader, a downloader malware. “Once registered in the Windows Task Scheduler, DPLoader executes persistently and retrieves commands from its C&C server”.
To stay hidden, the malware actively tampers with system defenses. “The script also modifies Windows Defender policies by adding exclusion paths, disabling security notifications, and preventing malware sample submissions”.
The ultimate goal of this campaign is profit, but not through ransomware or data theft. Instead, the attackers install Proxyware—software that shares the host’s internet connection.
“Proxyjacking refers to an attack in which Proxyware is installed on a victim’s machine without consent, allowing an attacker to monetize the victim’s internet bandwidth”.
The malware installs known proxyware agents like Infatica and DigitalPulse. In a clever bit of camouflage, the Infatica agent is registered as a scheduled task named “Microsoft Anti-Malware Tool,” making it look like a legitimate system process to the untrained eye.
Larva-25012 is constantly refining its methods. ASEC researchers noted that the attacker is “actively changing techniques to evade detection—such as injecting Proxyware into the Windows Explorer process or leveraging Python-based loaders”.
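An added hunt script, not code from ASEC or this article, that checks a Windows host for the traces described above: the “Microsoft Anti-Malware Tool” task name, Defender exclusion paths and sample-submission changes, suppressed Defender notifications, and a TextShaping.dll placed beside a downloaded Setup.exe. The task name and file names come from the article; the Defender cmdlets and the Security Center notification policy key are standard Windows locations, and the choice to search only each user’s Downloads folder is an assumption to keep false positives low.

```powershell
# Added hunt script (not from ASEC or the article). Run elevated: Get-MpPreference
# and the policy key below need administrator rights to read reliably.
$findings = New-Object System.Collections.Generic.List[string]

# 1. Scheduled task name used to disguise the Infatica agent (name from the article)
foreach ($task in Get-ScheduledTask -ErrorAction SilentlyContinue |
                  Where-Object { $_.TaskName -like '*Anti-Malware Tool*' }) {
    $actions = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
    $findings.Add("Suspicious task '$($task.TaskName)' ($($task.TaskPath)): $actions")
}

# 2. Defender exclusion paths and sample-submission settings
$pref = Get-MpPreference -ErrorAction SilentlyContinue
if ($pref) {
    foreach ($p in $pref.ExclusionPath) { $findings.Add("Defender exclusion path: $p") }
    # SubmitSamplesConsent 2 = never send samples; MAPSReporting 0 = cloud reporting off
    if ($pref.SubmitSamplesConsent -eq 2 -or $pref.MAPSReporting -eq 0) {
        $findings.Add("Sample submission weakened: SubmitSamplesConsent=$($pref.SubmitSamplesConsent), MAPSReporting=$($pref.MAPSReporting)")
    }
}

# 3. Security Center notifications turned off through the standard policy key
$notifKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications'
$notif = Get-ItemProperty -Path $notifKey -ErrorAction SilentlyContinue
if ($notif -and $notif.DisableNotifications -eq 1) {
    $findings.Add("Defender notifications disabled by policy at $notifKey")
}

# 4. Side-loading layout: TextShaping.dll beside Setup.exe under a user's Downloads.
#    The legitimate TextShaping.dll lives in Windows\System32; a copy sitting next
#    to a downloaded installer is the pattern the article describes.
foreach ($userDir in Get-ChildItem 'C:\Users' -Directory -ErrorAction SilentlyContinue) {
    $dl = Join-Path $userDir.FullName 'Downloads'
    foreach ($dll in Get-ChildItem $dl -Recurse -Filter 'TextShaping.dll' -File -ErrorAction SilentlyContinue) {
        if (Test-Path (Join-Path $dll.DirectoryName 'Setup.exe')) {
            $hash = (Get-FileHash $dll.FullName -Algorithm SHA256).Hash
            $findings.Add("Side-load pair: $($dll.FullName) beside Setup.exe, SHA256 $hash")
        }
    }
}

if ($findings.Count -eq 0) { 'No indicators found.' } else { $findings }
```

A hit in section 4 should be confirmed by submitting the hash to your own sandbox or vendor before deleting anything, since the script only checks file layout, not content.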
For users, this serves as a stark reminder: downloading software from unofficial sources often comes with a hidden price tag—in this case, your own internet connection.