Larva-25012

Larva-25012 is a threat actor identified by AhnLab Security Intelligence Center (ASEC) as operating a malware campaign that primarily targets users in South Korea seeking cracked/pirated software via deceptive ads and fake download portals. The actor distributes trojanized Notepad++ installer bundles (and also lures with fake installers for tools such as AutoClicker and SteamCleaner), commonly hosted on GitHub and delivered as MSI installers (e.g., Setup.msi) or ZIP archives (e.g., Setup.zip) containing legitimate Notepad++ components alongside hidden malicious DLLs. Execution is achieved via DLL side-loading (e.g., a malicious TextShaping.dll loaded by a legitimate Setup.exe), with payloads decrypted and staged in memory. The campaign establishes persistence through Windows Task Scheduler (including task names such as “Notepad Update Scheduler” and a disguised “Microsoft Anti-Malware Tool”), and uses loaders (DPLoader) that communicate with command-and-control servers to retrieve instructions and additional components. ASEC reports the actor has evolved from .NET-based malware to C++ and Python variants, including PowerShell-based staging that installs NodeJS or Python, creates multiple obfuscated loader components (including JavaScript-based DPLoader variants), and employs process injection/shellcode injection into legitimate Windows processes (including explorer.exe, AggregatorHost.exe, and Windows Explorer) to run proxyware. The operation’s monetization is “proxyjacking” (bandwidth hijacking) rather than ransomware or data theft, installing proxyware such as Infatica and DigitalPulse (including an obfuscated Go-based DigitalPulse component). The malware also degrades host defenses by modifying Windows Defender settings (adding exclusion paths, disabling security notifications, and preventing malware sample submissions).