Cybercriminals have escalated their proxyjacking campaigns by exploiting legitimate user behavior around YouTube video downloads, according to a recent security analysis.
The attack leverages fake YouTube download sites to distribute proxyware malware, specifically targeting users seeking free video conversion services.
This sophisticated campaign represents a significant evolution in bandwidth theft attacks, where threat actors monetize stolen network resources from infected systems without user consent.
The malicious operation centers around deceptive websites mimicking legitimate YouTube-to-MP4 conversion services.
YouTube video download page (Source – ASEC)
When users attempt to download videos by clicking the “Download Now” button, they are redirected to advertising pages that prompt the installation of malicious executables.
The attack chain exploits user trust in seemingly legitimate download functionality, making it particularly effective against unsuspecting victims seeking free online services.
ASEC analysts identified that the same threat actors previously involved in DigitalPulse proxyware distribution campaigns have expanded their operations to include these YouTube download sites.
The researchers discovered multiple infection cases across South Korea, indicating a sustained and geographically focused campaign.
The operation demonstrates remarkable persistence, with threat actors continuously adapting their distribution methods while maintaining the core proxyjacking objective.
The campaign has infected an estimated 400,000 Windows systems globally, generating substantial profits for cybercriminals through unauthorized bandwidth utilization.
Unlike traditional cryptojacking attacks that exploit computational resources for cryptocurrency mining, this proxyjacking variant monetizes network bandwidth, creating a steady revenue stream from compromised systems.
The attack’s financial motivation drives its continued evolution and geographic expansion.
Infection Chain and Persistence Mechanisms
The malware deployment follows a sophisticated multi-stage infection process designed to evade detection while establishing persistent system access.
Flowchart of malware installation (Source – ASEC)
Upon execution, the malicious installer masquerades as “QuickScreenRecoder” (quick-screen-recorder.exe) but immediately launches PowerShell scripts for payload delivery.
The initial dropper performs comprehensive environment checks, scanning for sandbox environments and virtual machines before proceeding with the infection chain.
# Task registration for persistence
Task Name: Defrag DiskCleanup
Executable: “C:Program Filesnodejsnode.exe”
Arguments: “C:f888a3fc-f6dd-427d-8667-b81ea3946b76-90.5.44709.2197c8c4ffcf-4b46-432f-b1d4-3383bf3fecf6.js” 9762
The persistence mechanism relies on Windows Task Scheduler registration under the deceptive name “Defrag DiskCleanup,” mimicking legitimate system maintenance tasks.
This scheduled task executes malicious JavaScript through NodeJS, establishing communication with command-and-control servers to receive additional payload instructions.
For Honeygain variant infections, the malware deploys “FastCleanPlus.exe” as a launcher, which calls the hgsdk_start() function within “hgsdk.dll” using the threat actor’s API credentials, demonstrating the campaign’s technical sophistication and adaptability across multiple proxyware platforms.
Boost your SOC and help your team protect your business with free top-notch threat intelligence: Request TI Lookup Premium Trial.
Source: cybersecuritynews.com
