Infatica
Infatica is a proxyware agent installed in ongoing "proxyjacking" campaigns attributed to the threat actor Larva-25012. In these operations, attackers disguise malware as legitimate software installers (especially trojanized Notepad++ packages distributed through fake cracked/pirated software download sites, deceptive ads, and GitHub-hosted payloads) and then silently install Infatica to monetize victims' internet bandwidth without consent.

The broader infection chain uses DLL side-loading, staged loaders referred to as DPLoader, PowerShell-based installation steps, and persistence via Windows Task Scheduler. Reported variants install additional components such as NodeJS or Python, communicate with command-and-control servers for instructions, inject payloads into legitimate Windows processes including explorer.exe, and weaken host defenses by modifying Windows Defender settings such as exclusions, notifications, and sample submission behavior. Infatica has been observed installed alongside other proxyware such as DigitalPulse, and in some cases follows prior Honeygain or DigitalPulse deployments.

For persistence and camouflage, Infatica-related activity has been tied to scheduled tasks including "UNBScheduler" and a masqueraded task named "Microsoft Anti-Malware Tool," which runs "MicrosoftAntiMalwareTool.exe" to appear legitimate. The campaign primarily affected systems in South Korea and targeted users seeking free or pirated software.
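The persistence and Defender-tampering artifacts described above can be checked on a single host with the following hunt. This is an added example, not code from the original page or from Mallory; the task names and binary name come from the description, while the function name and the registry path checked for suppressed notifications are assumptions.

```powershell
# Added example (not from the original page): hunt a single Windows host for the
# Infatica persistence and Defender-tampering artifacts described in the text.
# Run in an elevated PowerShell session; Get-MpPreference requires the Defender module.
function Get-InfaticaArtifacts {
    $suspectTaskNames = @('UNBScheduler', 'Microsoft Anti-Malware Tool')   # from the page
    $suspectBinaries  = @('MicrosoftAntiMalwareTool.exe')                  # from the page
    # Assumed policy location used to suppress Defender notifications.
    $notifPolicyKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications'

    $findings = @()

    # 1. Scheduled tasks: match on the known task names, or on any action that launches
    #    the masqueraded binary regardless of what the task itself is called.
    foreach ($task in Get-ScheduledTask) {
        $actions = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join ' '
        $nameHit = $suspectTaskNames -contains $task.TaskName
        $binHit  = $suspectBinaries | Where-Object { $actions -match [regex]::Escape($_) }
        if ($nameHit -or $binHit) {
            $findings += [pscustomobject]@{
                Type   = 'ScheduledTask'
                Name   = "$($task.TaskPath)$($task.TaskName)"
                Detail = $actions
                Author = $task.Author
            }
        }
    }

    # 2. Defender tampering: any exclusion is worth reviewing on a workstation, and
    #    sample submission set to "never send" (2) or cloud protection disabled (0)
    #    matches the weakening described for this family.
    $mp = Get-MpPreference
    $exclusions = @($mp.ExclusionPath) + @($mp.ExclusionProcess) + @($mp.ExclusionExtension) |
        Where-Object { $_ }
    foreach ($ex in $exclusions) {
        $findings += [pscustomobject]@{ Type = 'DefenderExclusion'; Name = $ex; Detail = ''; Author = '' }
    }
    if ($mp.SubmitSamplesConsent -eq 2 -or $mp.MAPSReporting -eq 0) {
        $findings += [pscustomobject]@{
            Type = 'DefenderSettings'; Name = 'SampleSubmission/MAPS'
            Detail = "SubmitSamplesConsent=$($mp.SubmitSamplesConsent) MAPSReporting=$($mp.MAPSReporting)"; Author = ''
        }
    }
    $notif = Get-ItemProperty -Path $notifPolicyKey -ErrorAction SilentlyContinue
    if ($notif -and $notif.DisableNotifications -eq 1) {
        $findings += [pscustomobject]@{ Type = 'DefenderSettings'; Name = 'NotificationsSuppressed'; Detail = $notifPolicyKey; Author = '' }
    }
    return $findings
}

Get-InfaticaArtifacts | Format-Table -AutoSize
```

An empty result only means these specific artifacts are absent; the loaders and injected payloads described above still need process and network telemetry to detect.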
Recent activity
4 sources tracked across advisories, community write-ups, and news.

- Commercial proxyware abused to hijack victim internet bandwidth (proxyjacking) and resell or relay it for attacker monetization.
- Commercial/third-party proxyware agent installed without consent to monetize victim bandwidth (proxyjacking), including masquerading via a deceptive scheduled task name.
- Proxyware payload installed via DPLoader/PowerShell that monetizes victims by sharing their network bandwidth through a proxy service; deployed with persistence via scheduled tasks and accompanied by Defender tampering.
- A proxyware program installed alongside or after other proxyware to monetize victims by leveraging their network connectivity; distributed via fake YouTube downloader sites, according to the source.