Proxyware Disguised as Notepad++ Tool
ID: 6fbae97b-17a4-592f-b327-df1092eefa3c
STIX ID: report--6fbae97b-17a4-592f-b327-df1092eefa3c
Feed Name: ASEC
AhnLab ASEC documents an active proxyjacking campaign in which the threat actor Larva-25012 distributes proxyware (DigitalPulse, Infatica, Honeygain and others) through malicious Notepad++ installers and ad-driven download pages. The attackers use DPLoader (JavaScript and Python variants), DLL side-loading, Task Scheduler persistence, and process injection into AggregatorHost.exe and explorer.exe to install the proxy clients, evade detection (disabling Defender and adding exclusions), and monetize the victims' network bandwidth. The report provides technical analysis of the Setup.msi and Setup.zip variants, the infection chains, TTPs, and actionable IoCs (MD5 hashes, URLs, domains), and recommends avoiding suspicious downloads and using endpoint security solutions.
