Date: 02/16/2026
Severity: High
Summary
A malicious campaign is distributing proxyware disguised as a legitimate Notepad++ installer or as cracked software, delivered through deceptive download sites and ads. In this proxyjacking attack, the malware silently installs proxyware on victims’ systems and sells their network bandwidth for profit. Infections typically begin when users download trojanized installers such as Setup.msi or Setup.zip from unofficial sources. Once executed, the installer establishes persistence, for example through a scheduled task named “Notepad Update Scheduler”, and deploys additional payloads. Loaders such as DPLoader then install proxyware modules including Infatica and DigitalPulse using PowerShell, NodeJS, and obfuscated scripts. Compromised systems may show unusual bandwidth usage, connect to attacker-controlled C2 servers, and are exposed to further malware deployment.
Indicators of Compromise (IOC) List
Domains/URLs:
https://armortra.xyz/8101.py
https://d37k0r4olv9brc.cloudfront.net/93845.ps1
https://d37k0r4olv9brc.cloudfront.net/MicrosoftAntiMalwareTool.exe
https://d37k0r4olv9brc.cloudfront.net/infatica_agent.dll
https://github.com/JamilahZakiyya/note/raw/main/Setup.msi
armortra.xyz
easy-horizon.com
furtheret.com
trustv.xyz
MD5 hashes:
01f6153a34ab6974314cf96cced9939f
05e27d1d0d1e24a93fc72c8cf88924f8
0fe7854726d18bbc48a5370514c58bea
171e48e5eeae673c41c82292e984bac9
18c1e128dbfe598335edb2ce3e772dd1
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
Detection Query 1 (network indicators):
domainname like "https://armortra.xyz/8101.py" or url like "https://armortra.xyz/8101.py" or siteurl like "https://armortra.xyz/8101.py" or domainname like "easy-horizon.com" or url like "easy-horizon.com" or siteurl like "easy-horizon.com" or domainname like "trustv.xyz" or url like "trustv.xyz" or siteurl like "trustv.xyz" or domainname like "https://d37k0r4olv9brc.cloudfront.net/infatica_agent.dll" or url like "https://d37k0r4olv9brc.cloudfront.net/infatica_agent.dll" or siteurl like "https://d37k0r4olv9brc.cloudfront.net/infatica_agent.dll" or domainname like "https://d37k0r4olv9brc.cloudfront.net/MicrosoftAntiMalwareTool.exe" or url like "https://d37k0r4olv9brc.cloudfront.net/MicrosoftAntiMalwareTool.exe" or siteurl like "https://d37k0r4olv9brc.cloudfront.net/MicrosoftAntiMalwareTool.exe" or domainname like "armortra.xyz" or url like "armortra.xyz" or siteurl like "armortra.xyz" or domainname like "https://d37k0r4olv9brc.cloudfront.net/93845.ps1" or url like "https://d37k0r4olv9brc.cloudfront.net/93845.ps1" or siteurl like "https://d37k0r4olv9brc.cloudfront.net/93845.ps1" or domainname like "https://github.com/JamilahZakiyya/note/raw/main/Setup.msi" or url like "https://github.com/JamilahZakiyya/note/raw/main/Setup.msi" or siteurl like "https://github.com/JamilahZakiyya/note/raw/main/Setup.msi" or domainname like "furtheret.com" or url like "furtheret.com" or siteurl like "furtheret.com"
Detection Query 2 (file hashes):
md5hash IN ("0fe7854726d18bbc48a5370514c58bea","171e48e5eeae673c41c82292e984bac9","18c1e128dbfe598335edb2ce3e772dd1","01f6153a34ab6974314cf96cced9939f","05e27d1d0d1e24a93fc72c8cf88924f8")
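A host-side equivalent of the two detection queries above, added here as an example and not taken from the advisory or from Gurucul: it loads the advisory's indicators, parses constructed key=value log events, and flags exact URL hits, hostname or subdomain hits, case-insensitive MD5 hits, and the "Notepad Update Scheduler" persistence task. The log format and the workstation names ws01/ws02 are assumptions.

```python
import re
from urllib.parse import urlparse

IOC_URLS = {  # indicators copied from the advisory above (URLs, domains, MD5 hashes, task name)
    "https://armortra.xyz/8101.py",
    "https://d37k0r4olv9brc.cloudfront.net/93845.ps1",
    "https://d37k0r4olv9brc.cloudfront.net/MicrosoftAntiMalwareTool.exe",
    "https://d37k0r4olv9brc.cloudfront.net/infatica_agent.dll",
    "https://github.com/JamilahZakiyya/note/raw/main/Setup.msi",
}
IOC_DOMAINS = {"armortra.xyz", "easy-horizon.com", "furtheret.com", "trustv.xyz"}
IOC_MD5 = {"01f6153a34ab6974314cf96cced9939f", "05e27d1d0d1e24a93fc72c8cf88924f8",
           "0fe7854726d18bbc48a5370514c58bea", "171e48e5eeae673c41c82292e984bac9",
           "18c1e128dbfe598335edb2ce3e772dd1"}
TASK_NAME = "Notepad Update Scheduler"

def host_matches(host, ioc_domain):  # the IOC domain itself or any subdomain of it
    host = host.lower().rstrip(".")
    return host == ioc_domain or host.endswith("." + ioc_domain)

def check_event(event):  # -> list of IOC hits for one parsed event ([] means clean)
    hits = []
    url = event.get("url", "")
    if url in IOC_URLS:
        hits.append("url:" + url)
    # Match on the parsed hostname, not on a URL substring (path/query text must not fire).
    host = urlparse(url).hostname or event.get("domain", "")
    hits += ["domain:" + d for d in sorted(IOC_DOMAINS) if host_matches(host, d)]
    md5 = event.get("md5", "").lower()  # hash case differs between log sources
    if md5 in IOC_MD5:
        hits.append("md5:" + md5)
    if event.get("task_name") == TASK_NAME:
        hits.append("task:" + TASK_NAME)
    return hits

def parse_line(line):  # key=value fields; values may be double-quoted
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}

def scan_log(text):  # -> [(line_number, hits)] for every line that matches an indicator
    parsed = (check_event(parse_line(ln)) for ln in text.splitlines())
    return [(n, h) for n, h in enumerate(parsed, 1) if h]

# Constructed sample log (not from the advisory): proxy and EDR events as key=value.
SAMPLE_LOG = """\
ts=2026-02-16T10:01:02Z host=ws01 url=https://d37k0r4olv9brc.cloudfront.net/93845.ps1
ts=2026-02-16T10:01:05Z host=ws01 domain=cdn.armortra.xyz
ts=2026-02-16T10:01:09Z host=ws01 file=Setup.msi md5=0FE7854726D18BBC48A5370514C58BEA
ts=2026-02-16T10:02:00Z host=ws01 task_name="Notepad Update Scheduler"
ts=2026-02-16T10:03:00Z host=ws02 url=https://example.com/dl?ref=armortra.xyz
"""
```

Unlike the substring `like` matching in Query 1, the hostname check does not fire on the last sample line, where an indicator appears only in the query string of an unrelated site.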
Reference:
https://www.csk.gov.in/alerts/Proxyware-malware.html