DigitalPulse
DigitalPulse is proxyware abused in proxyjacking campaigns to monetize victims’ internet bandwidth without consent. Reporting from AhnLab ASEC and related summaries describes it being installed by downloader malware such as DPLoader in campaigns attributed to Larva-25012, including malvertising and fake software download chains targeting users seeking freeware, cracked, or pirated software, with notable activity affecting Windows systems in South Korea.

Delivery has included disguised installers such as fake AutoClicker and trojanized Notepad++ packages hosted on GitHub, using DLL side-loading, PowerShell staging, NodeJS- or Python-based DPLoader components, and Windows Task Scheduler persistence. In one campaign, ASEC assessed proxyware signed with the certificate name "Netlink Connect" to be identical to previously observed DigitalPulse. DigitalPulse has been described as an obfuscated Go-based program, and in some cases an injector DLL injects the payload into explorer.exe.

Observed persistence and execution artifacts associated with DigitalPulse installation include DPLoader task "UNPScheduler," scheduled tasks such as "SyncTaskUpdatescheduler" running "syncupdates.dll" via Rundll32.exe, and a Python-chain variant that downloads a DLL to %LOCALAPPDATA%\Microsoft\Microsoft Windows Pluton[GUID]\MicrosoftWindowsPlutonTaskScheduler.dll and registers the task "MicrosoftWindowsPlutonTaskScheduler."

LevelBlue reportedly linked a 2023 campaign installing DigitalPulse to at least 400,000 infected Windows systems. DigitalPulse is also mentioned alongside other abused proxyware families including Honeygain and Infatica.
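The scheduled-task artifacts named above can be checked against a host's task export. The following is an added example, not code from ASEC, LevelBlue or this page: it assumes the English column names "TaskName" and "Task To Run" from `schtasks /query /fo csv /v`, the reason labels are hypothetical, and the sample rows (hosts, paths, arguments) are constructed.

```python
import csv, io, re

# Task and DLL names taken from the description above.
TASK_NAMES = {"unpscheduler", "synctaskupdatescheduler",
              "microsoftwindowsplutontaskscheduler"}
DLL_NAMES = ("syncupdates.dll", "microsoftwindowsplutontaskscheduler.dll")
# %LOCALAPPDATA%\Microsoft\Microsoft Windows Pluton..., expanded or not.
PLUTON_DIR = re.compile(
    r"(?:%localappdata%|\\appdata\\local)\\microsoft\\microsoft windows pluton", re.I)

def score_task(name, action):
    """Return the reasons a task matches the reported artifacts (empty if none)."""
    reasons = []
    leaf = name.rsplit("\\", 1)[-1].strip().lower()  # drop the task folder
    act = action.lower()
    if leaf in TASK_NAMES:
        reasons.append("task-name")
    if "rundll32" in act and any(dll in act for dll in DLL_NAMES):
        reasons.append("rundll32-dll")
    if PLUTON_DIR.search(action):  # catches the path even if the task is renamed
        reasons.append("pluton-path")
    return reasons

def hunt(csv_text):
    """Parse verbose schtasks CSV output; return {task name: [reasons]} for hits."""
    hits = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        name, action = row.get("TaskName") or "", row.get("Task To Run") or ""
        if name == "TaskName":  # schtasks repeats the header for each folder
            continue
        for reason in score_task(name, action):
            if reason not in hits.setdefault(name, []):  # one row per trigger
                hits[name].append(reason)
    return hits

# Constructed sample, trimmed to the columns used; not data from a real host.
SAMPLE = r'''"HostName","TaskName","Task To Run"
"PC1","\Microsoft\Windows\Defrag\ScheduledDefrag","%windir%\system32\defrag.exe -c -h -o"
"PC1","\SyncTaskUpdatescheduler","C:\Windows\System32\Rundll32.exe C:\EXAMPLE\syncupdates.dll,Placeholder"
"HostName","TaskName","Task To Run"
"PC1","\Updater","C:\Users\u\AppData\Local\Microsoft\Microsoft Windows Pluton{GUID}\MicrosoftWindowsPlutonTaskScheduler.dll"
"PC1","\UNPScheduler","node.exe C:\EXAMPLE\placeholder.js"
'''

if __name__ == "__main__":
    for task, reasons in hunt(SAMPLE).items():
        print(task, reasons)
```

A name-only match is a lead to triage rather than a verdict; the action-based reasons still fire when the task has been renamed.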
Techniques & procedures
5 distinct techniques documented for this family, organized by ATT&CK tactic.
IOCs tracked for this family
13 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Other indicator types observed in public reporting.
Recent activity
5 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Proxyware payload used to monetize compromised hosts by routing third-party traffic through victim networks; described as an obfuscated Go-based program injected into explorer.exe.
Proxyware agent deployed to hijack and resell victim internet bandwidth as part of a proxyjacking scheme.
Proxyware payload (noted as an obfuscated Go implementation) delivered by DPLoader and injected into explorer.exe via an intermediate DLL injector, then used to monetize victim bandwidth by enabling proxy-sharing functionality.
A proxyware program used to monetize infected hosts by reselling their network bandwidth/resources; mentioned in the context of fake YouTube downloader sites distributing proxyware.