Stories from the SOC: Mystery of the postponed proxyware install
ID: 6740c8fb-8c30-55be-bf34-caaa27e52950
STIX ID: report--6740c8fb-8c30-55be-bf34-caaa27e52950
Feed Name: Expel Blog
A SOC investigation uncovered a multi-stage infection: a bundled disk-cleaner installer dropped a persistent Node.js-based JavaScript backdoor scheduled to run as SYSTEM and check in with a C2; days later the C2 returned a PowerShell command that used an in-memory download-cradle to execute a fetched PowerShell script which attempted to install proxyware as a scheduled service. The team detected the suspicious PowerShell activity, isolated the host, and prevented the final payload installation; the report includes IoCs, persistence details, and mitigation recommendations.
