[Figure: Attack flow | Image: ASEC]
Cybercriminals are once again exploiting popular online habits, this time leveraging YouTube video download sites as bait for distributing Proxyware malware. AhnLab SEcurity intelligence Center (ASEC) has published fresh research exposing how these attacks continue to evolve, affecting unsuspecting users who believe they are simply downloading videos.
The lure is simple: users searching for a way to download YouTube videos land on a fraudulent site. They enter the video's URL and click the "Download Video" button, only to unknowingly start an infection chain.

"When the user clicks the 'Download' button, the downloaded executable file is disguised as WinMemoryCleaner and contains a feature to install Proxyware."
The installer, Setup.exe, drops WinMemoryCleaner.exe into the system's Program Files directory and launches it with a "/update" argument through a batch file. Behind the scenes, the malware executes checks to avoid sandboxes and then leverages PowerShell scripts to install NodeJS, download malicious JavaScript, and persist via Task Scheduler.
Once persistence is achieved, the malicious JavaScript periodically communicates with a command-and-control (C&C) server. From there, it can execute further PowerShell commands, download new scripts, and install Proxyware applications.
Proxyware is typically marketed as a way for users to earn passive income by sharing unused internet bandwidth. But in this case, the software is installed without consent, meaning victims lose bandwidth while attackers profit.
ASEC noted:
"If Proxyware is installed by an attacker without the user's consent, the infected system loses network bandwidth involuntarily, and the profit goes to the attacker."
Initially, campaigns focused on DigitalPulse Proxyware and Honeygain Proxyware, but ASEC reports the threat actors have now shifted to deploying Infatica Proxyware through a malicious program named CleanZiloApp.
"The final executable, 'CleanZilo.exe,' loads and runs 'infatica_agent.dll' located in the same directory when executed, causing users to lose network bandwidth."
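The persistence mechanism (Task Scheduler launching NodeJS-hosted JavaScript) and the file names quoted above give a defender something concrete to hunt for. The script below is an added example written for this article, not code from ASEC's report; the search roots, regex patterns and the choice to flag any scheduled task running node.exe are assumptions, and every hit needs manual triage because WinMemoryCleaner is also a legitimate tool name.

```powershell
# Added hunt script (not from the ASEC report). Flags persistence and file
# artefacts matching the chain described in the article. Search roots and
# patterns are assumptions; review hits manually before acting on them.

# 1. Scheduled tasks whose action launches node.exe, or powershell.exe with
#    a .js script, an encoded command, or a download-and-run pattern.
$suspiciousTasks = Get-ScheduledTask | ForEach-Object {
    $task = $_
    foreach ($action in $task.Actions) {
        $exe     = [string]$action.Execute
        $argLine = [string]$action.Arguments
        $runsNode = $exe -match 'node(\.exe)?$'
        $runsPs   = ($exe -match '(powershell|pwsh)(\.exe)?$') -and
                    ($argLine -match '\.js\b|-enc\b|-EncodedCommand|DownloadString|IEX')
        if ($runsNode -or $runsPs) {
            [pscustomobject]@{
                TaskName  = $task.TaskName
                TaskPath  = $task.TaskPath
                Author    = $task.Author
                Execute   = $exe
                Arguments = $argLine
            }
        }
    }
}

# 2. File artefacts named in the report: CleanZilo.exe next to
#    infatica_agent.dll, and WinMemoryCleaner.exe under Program Files.
#    The extra roots (ProgramData, LOCALAPPDATA) are an assumption.
$roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)},
           $env:ProgramData, $env:LOCALAPPDATA) | Where-Object { $_ }
$artefacts = Get-ChildItem -Path $roots -Recurse -File -ErrorAction SilentlyContinue `
                 -Include 'CleanZilo.exe', 'infatica_agent.dll', 'WinMemoryCleaner.exe' |
             Select-Object FullName, Length, LastWriteTime

# 3. Report. Empty output for both sections means no match on this host;
#    any row is a starting point for triage, not a verdict.
"== Scheduled tasks launching node.exe / suspicious PowerShell =="
$suspiciousTasks | Format-Table -AutoSize
"== File artefacts named in the report =="
$artefacts | Format-Table -AutoSize
```

Run it in an elevated PowerShell session so Get-ScheduledTask can enumerate tasks created by other accounts; on a clean host both tables should be empty.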
These attacks highlight the growing abuse of monetization software in the same way cybercriminals exploit cryptominers. Instead of CPU or GPU power, Proxyware malware hijacks network bandwidth, degrading system performance and introducing privacy risks.
What makes this campaign especially effective is the social engineering lure: posing as a helpful YouTube downloader, a service millions of users search for daily. The consistent use of GitHub for hosting malware samples further illustrates how attackers exploit trusted platforms to distribute harmful code.