Proxyware Disguised as Notepad++ Tool

MITRE Techniques

• [T1053 ] Scheduled Task/Job – Used to achieve persistence by registering tasks such as “Notepad Update Scheduler”, “UNBScheduler”, and “UNPScheduler” (‘registers itself in the Windows Task Scheduler under the name “Notepad Update Scheduler”‘).
• [T1055.001 ] Dynamic-link Library Injection – Malware injects shellcode and droppers into processes like AggregatorHost.exe and explorer.exe to execute payloads in target processes (‘injects shellcode into the AggregatorHost.exe process’).
• [T1574.001 ] DLL Side-Loading – The ZIP variant executes malicious code via a loader DLL placed alongside a legitimate Setup.exe, enabling side-loading (‘When the user launches Setup.exe, the malware is executed through DLL side-loading’).
• [T1218.011 ] Rundll32 – Rundll32.exe is used to execute exported functions in malicious DLLs and run injected components (‘launched via Rundll32.exe’).
• [T1059.001 ] PowerShell – Attackers generate and run PowerShell scripts to install runtimes, create obfuscated JavaScript files, modify Defender policy, and download/install Proxyware (‘The PowerShell script performs actions consistent with prior attacks. It installs NodeJS… and registers them in the Task Scheduler’).
• [T1059.006 ] Python – The dropper installs Python and deploys a Python-based DPLoader variant; Python is also used as an execution environment for launchers (‘retrieves the official Python installer from the Python website and installs Python, then deploys a Python-based variant of DPLoader’).
• [T1204.001 ] User Execution: Malicious File – Victims are tricked into executing supplied installers (MSI/EXE/ZIP) via fake download pages and advertisements (‘files delivered through these malicious ad pages are ultimately hosted on GitHub’ and users launch Setup.exe).
• [T1105 ] Ingress Tool Transfer – Payloads and tool components are hosted and retrieved from public repositories and CDN services such as GitHub and CloudFront (‘files delivered through these malicious ad pages are ultimately hosted on GitHub’).
• [T1071.001 ] Application Layer Protocol: Web Protocols – DPLoader communicates with C2 via HTTP(S) endpoints (e.g., ‘/d’ and ‘/e’) to send system info and retrieve commands (‘communicates via the “/d” URL endpoint, while the “/e” endpoint is used exclusively for error reporting’).
• [T1027 ] Obfuscated Files or Information – The attackers use obfuscated JavaScript and an obfuscated Go-built DigitalPulse binary and perform runtime decryption of shellcode and droppers (‘an obfuscated version of DigitalPulse Proxyware’ and ‘encrypted shellcode is stored and decrypted at runtime’).
• [T1082 ] System Information Discovery – Malware collects and transmits host system information (os_type, os_name, machine_id, agent_version, etc.) to C2 for profiling and command targeting (‘The obfuscated JavaScript malware communicates with the C&C server by transmitting the following system information’).
• [T1562 ] Impair Defenses – The PowerShell installer modifies Windows Defender policies by adding exclusions, disabling notifications, and preventing sample submissions to evade detection (‘the script also modifies Windows Defender policies by adding exclusion paths, disabling security notifications, and preventing malware sample submissions’).
• [T1036 ] Masquerading – Installers and scheduled tasks impersonate legitimate applications and system tools (e.g., Notepad++, Microsoft Anti-Malware Tool) to hide malicious activity (‘impersonating legitimate applications such as AutoClicker, FastCleanPlus, WinMemoryCleaner, and SteamCleaner’).