In network administration and secure development, “proxifiers” (tools such as Proxifier that force an application’s network traffic through a SOCKS or HTTP proxy the application was not built to use) are everyday utilities. A new report from Kaspersky shows that a simple web search for this software has become the entry point for a persistent, multi-stage cryptocurrency-stealing Trojan.
Since the beginning of 2025, over 2,000 users—primarily in India and Vietnam—have fallen victim to a campaign that weaponizes the desire for “free” versions of proprietary software.
The attack begins with a web search for “Proxifier.” Through SEO poisoning, the attackers have pushed their links to the top of the results page, and those links usually point to a GitHub repository posing as an official distribution point for the software.
As the Kaspersky report details, “if you search for Proxifier (or a proxifier), one of the top results in popular search engines is a link to a GitHub repository. That’s exactly where the source of the primary infection lives”.
Once a user downloads and runs the file, they trigger what researchers describe as an “incredibly long infection chain”. To stay under the radar, the malware avoids writing payloads to disk wherever possible and relies on fileless techniques instead.
The multi-stage process involves:
- PowerShell scripts: a sequence of scripts fetched from public hosting such as GitHub and Pastebin.
- Registry persistence: malicious code is stored inside Windows Registry values rather than in files on disk.
- Stealthy execution: the final payload, a ClipBanker, is injected into a legitimate Windows process, fontdrvhost.exe (the Usermode Font Driver Host), so the malicious code runs under a trusted process name.
The ClipBanker’s goal is simple but effective: it monitors the victim’s clipboard for cryptocurrency wallet addresses. When it detects one, it silently replaces it with an address controlled by the attackers, so the funds of any transaction the victim pastes the address into go to the attackers instead. Because the substituted address is itself well formed, a wallet’s checksum validation will not catch the swap; only comparing the pasted address against the one that was actually copied does.
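To make that behaviour concrete, the following Python is an added illustration, not code from the Kaspersky report or from the malware itself: a minimal model of the address-swapping step next to the kind of detection logic a clipboard monitor could apply (a wallet address replaced by a different address of the same family within a fraction of a second). The wallet-address patterns, the attacker addresses, the timing threshold and the sample clipboard session are all constructed assumptions; the report names none of them.

```python
import re
from typing import List, Optional, Tuple

# Constructed regexes for three common wallet-address formats. The report does not say
# which currencies this ClipBanker targets; these families are an illustrative assumption.
WALLET_PATTERNS = {
    "btc-legacy": re.compile(r"[13][a-km-zA-HJ-NP-Z1-9]{25,34}"),
    "btc-bech32": re.compile(r"bc1[ac-hj-np-z02-9]{11,71}"),
    "eth": re.compile(r"0x[0-9a-fA-F]{40}"),
}


def classify_address(text: str) -> Optional[str]:
    """Return the wallet-address family of `text`, or None if it is not an address."""
    t = text.strip()
    for family, pattern in WALLET_PATTERNS.items():
        if pattern.fullmatch(t):
            return family
    return None


# --- Attacker-side model of the behaviour the article describes ---------------------
# Constructed attacker-controlled placeholder addresses (not from the report).
ATTACKER_ADDRESSES = {
    "btc-legacy": "1AttackerSwapAddr" + "X" * 14,
    "btc-bech32": "bc1qattackerswap" + "0" * 26,
    "eth": "0x" + "ab" * 20,
}


def clipbanker_swap(clipboard_text: str) -> str:
    """What a ClipBanker does on each clipboard write: if the text is a wallet address,
    replace it with an attacker address of the same family; otherwise leave it untouched."""
    family = classify_address(clipboard_text)
    if family is None:
        return clipboard_text
    return ATTACKER_ADDRESSES[family]


# --- Defender-side detection ---------------------------------------------------------
Snapshot = Tuple[float, str]  # (seconds since session start, clipboard contents)


def detect_silent_swaps(snapshots: List[Snapshot], max_gap_seconds: float = 2.0) -> List[dict]:
    """Flag consecutive clipboard snapshots where one wallet address was replaced by a
    different address of the same family almost immediately. A person rarely copies two
    distinct addresses of the same kind within a couple of seconds; a ClipBanker does it
    every time. `max_gap_seconds` is a tunable assumption, not a value from the report."""
    alerts = []
    for (t_prev, prev), (t_cur, cur) in zip(snapshots, snapshots[1:]):
        fam_prev, fam_cur = classify_address(prev), classify_address(cur)
        if (fam_prev is not None and fam_prev == fam_cur
                and prev.strip() != cur.strip()
                and (t_cur - t_prev) <= max_gap_seconds):
            alerts.append({"time": t_cur, "family": fam_cur,
                           "expected": prev.strip(), "observed": cur.strip()})
    return alerts


def simulate_infected_clipboard(user_writes: List[Snapshot], poll_delay: float = 0.2) -> List[Snapshot]:
    """Constructed simulation: each user write is followed `poll_delay` seconds later by the
    ClipBanker's rewrite, producing the snapshot log a clipboard monitor would observe."""
    log = []
    for t, text in user_writes:
        log.append((t, text))
        swapped = clipbanker_swap(text)
        if swapped != text:
            log.append((t + poll_delay, swapped))
    return log


# Constructed sample session: three user copies, two of which are wallet addresses.
USER_WRITES = [
    (0.0, "Invoice #4471 - due Friday"),
    (5.0, "0x" + "12" * 20),       # the victim's own ETH address
    (40.0, "bc1q" + "q" * 38),     # the victim's own BTC address
]

if __name__ == "__main__":
    for alert in detect_silent_swaps(simulate_infected_clipboard(USER_WRITES)):
        print(alert)
```

Run stand-alone, the script reports two alerts, one per address the simulated ClipBanker rewrote; a legitimate re-copy of a different address half a minute later produces none, which is the trade-off the time window buys.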
The report notes that “70% of these detections came from the Kaspersky Virus Removal Tool, a free utility used to clean devices that are already infected”. That figure does not show the chain defeating resident protection; rather, it indicates that most victims had no real-time protection at all and discovered the compromise only when they ran an on-demand cleanup tool, often long after the damage was done.
The Kaspersky analysis highlights a classic trap in the digital age. As the report concludes, “this campaign is yet another perfect example of the old adage: ‘buy cheap, pay twice’. Trying to save a buck on software, combined with a lack of caution when hunting for free solutions, can lead to an infection and the subsequent theft of funds”.
The attackers are “aggressively promoting their sites in search results and using fileless techniques alongside a marathon infection chain to stay under the radar,” creating a threat that is remarkably difficult to stop once it begins.
To protect your assets, security experts recommend downloading software only from the vendor’s official website and verifying the installer’s publisher signature before running it, keeping proactive, multi-layered security software that can break these chains before the payload reaches the clipboard, and comparing any pasted wallet address character by character with the one you intended to send to before confirming a transaction.