Active Proxyjacking Campaign Leveraging Trojanized Notepad++ Installers
January 27th, 2026
High

Our Cyber Threat Intelligence Unit is monitoring an active proxyjacking malware campaign that uses trojanized Notepad++ installers from unofficial and cracked software portals. Security researchers publicly reported this activity in January 2026, confirming that deceptive installer bundles are designed to appear legitimate while deploying hidden proxyware during installation. The campaign exploits user trust in popular developer tools by bundling malicious payloads with legitimate software. Once installed, affected systems are covertly added to commercial proxy networks that monetize bandwidth without user knowledge or consent. This activity poses operational, security, and reputational risks to organizations that permit uncontrolled software installation from unverified sources. The continued spread of these installers represents a persistent threat to both individual users and enterprise environments.
Technical Details
Severity: High
Threat Classification: Proxyware / Proxyjacking malware
Primary Malware Components:
  Proxyware payloads that route third-party traffic through victim systems
  DPLoader JavaScript-based downloader and dropper modules
  Malicious DLLs (e.g., TextShaping.dll) used for side-loading
Distribution Vector:
  Trojanized Notepad++ installer packages distributed via unofficial, cracked, or third-party download portals
  Observed delivery formats include both Setup.msi and Setup.zip bundles
Infection Chain:
Installer Abuse: Malicious installer packages include either:
  A modified MSI that executes a malicious DLL, or
  A ZIP archive containing the legitimate Notepad++ Setup.exe bundled with a malicious DLL
DLL Side-Loading: When Setup.exe is launched, the malicious TextShaping.dll is loaded from the local directory, decrypting and executing shellcode in memory
Payload Deployment: Shellcode injects into legitimate Windows processes such as AggregatorHost.exe to execute the proxyware loader
Persistence: Malware establishes scheduled tasks to ensure execution across reboots, including:
  Notepad Update Scheduler
  UNBScheduler
  UNPScheduler
Defense Evasion: PowerShell routines modify Windows Defender configuration, including exclusion paths and security settings, to reduce detection
Proxyjacking Activity: Compromised systems are enrolled into proxy networks (e.g., Infatica, DigitalPulse), routing external traffic through the victim’s internet connection

Impact
Resource Misuse: Infected endpoints may function as proxy nodes, consuming bandwidth and exposing organizations to indirect abuse of network resources
Performance Degradation: Persistent background services and scheduled tasks may degrade system responsiveness and stability
Security Exposure: Weakened or modified endpoint defenses increase susceptibility to secondary malware, credential theft, or lateral movement
Operational Risk: Unmonitored proxy traffic may bypass perimeter controls and complicate incident response, attribution, and compliance efforts
Detection Method
Organizations should monitor for the following indicators and behaviors consistent with proxyware activity:
Endpoint & Host Indicators:
  Presence of suspicious scheduled tasks, including:
    Notepad Update Scheduler
    UNBScheduler
    UNPScheduler
  Unexpected DLL side-loading activity involving TextShaping.dll or similar libraries loaded in the context of installer processes
  Evidence of PowerShell execution modifying Windows Defender exclusions or security preferences
  Suspicious process injection by, or unexpected child processes of, installer binaries involving:
    AggregatorHost.exe
    explorer.exe
Network Indicators (Behavioral):
  Unusual or persistent outbound connections consistent with proxy usage patterns
  Sustained HTTP/S traffic volumes inconsistent with typical endpoint behavior
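The host indicators above can be hunted for programmatically. The following Python script is an added example written for this advisory, not tooling from its authors: it applies one rule per listed behavior to a list of Sysmon-style events (EventID 1 process create, 7 image load, 8 CreateRemoteThread) and Windows Security event 4698 (scheduled task created). The task names, DLL name and injection targets come from the advisory; the event field names follow Sysmon and Windows Security naming; the installer process list, the C:\Windows location heuristic and the sample events are assumptions constructed for the example.

```python
"""Behavioral hunt for the proxyjacking chain described in the advisory.

Added example, not the advisory authors' tooling. Events are dicts shaped like
Sysmon / Windows Security records; the SAMPLE_EVENTS below are constructed.
"""
import ntpath
import re

# Names taken from the advisory's Detection Method section.
SUSPICIOUS_TASKS = {"notepad update scheduler", "unbscheduler", "unpscheduler"}
SIDELOAD_DLLS = {"textshaping.dll"}
INJECTION_TARGETS = {"aggregatorhost.exe", "explorer.exe"}
# Assumption: installer processes that may host the side-loaded DLL
# (Setup.exe from the advisory, msiexec.exe for the MSI variant).
INSTALLER_NAMES = {"setup.exe", "msiexec.exe"}
# Defender tampering: Add-/Set-MpPreference followed by an exclusion or Disable* switch.
DEFENDER_TAMPER = re.compile(
    r"\b(Add|Set)-MpPreference\b.*?-(Exclusion\w*|Disable\w+)", re.IGNORECASE)


def _under_windows_dir(path):
    """Assumption: the OS lives under C:\\Windows; a copy of TextShaping.dll
    loaded from anywhere else is the side-loading pattern worth a look."""
    return path.replace("/", "\\").lower().startswith("c:\\windows\\")


def _base(path):
    return ntpath.basename(path).lower()


def check_event(ev):
    """Return a list of (rule, detail) findings for one event."""
    eid = ev.get("EventID")
    findings = []
    if eid == 4698:  # Security: scheduled task created
        name = ev.get("TaskName", "").strip("\\").lower()
        if name in SUSPICIOUS_TASKS:
            findings.append(("suspicious_scheduled_task", name))
    elif eid == 7:  # Sysmon: image loaded
        loaded = ev.get("ImageLoaded", "")
        if (_base(loaded) in SIDELOAD_DLLS
                and not _under_windows_dir(loaded)
                and _base(ev.get("Image", "")) in INSTALLER_NAMES):
            findings.append(("dll_sideload", loaded))
    elif eid == 1:  # Sysmon: process create
        cmd = ev.get("CommandLine", "")
        if (_base(ev.get("Image", "")) in {"powershell.exe", "pwsh.exe"}
                and DEFENDER_TAMPER.search(cmd)):
            findings.append(("defender_tamper", cmd))
    elif eid == 8:  # Sysmon: CreateRemoteThread
        src, tgt = ev.get("SourceImage", ""), ev.get("TargetImage", "")
        if _base(tgt) in INJECTION_TARGETS and not _under_windows_dir(src):
            findings.append(("process_injection", f"{_base(src)} -> {_base(tgt)}"))
    return findings


def hunt(events):
    """Run every rule over every event; findings are returned in event order."""
    out = []
    for ev in events:
        out.extend(check_event(ev))
    return out


# Constructed sample: one hit per rule plus benign look-alikes that must not fire.
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": r"C:\Users\alice\Downloads\npp\Setup.exe",
     "ImageLoaded": r"C:\Users\alice\Downloads\npp\TextShaping.dll"},
    {"EventID": 7, "Image": r"C:\Windows\explorer.exe",  # legitimate OS copy
     "ImageLoaded": r"C:\Windows\System32\TextShaping.dll"},
    {"EventID": 8, "SourceImage": r"C:\Users\alice\Downloads\npp\Setup.exe",
     "TargetImage": r"C:\Windows\System32\AggregatorHost.exe"},
    {"EventID": 4698, "TaskName": r"\Notepad Update Scheduler"},
    {"EventID": 4698, "TaskName": r"\Microsoft\Windows\Defrag\ScheduledDefrag"},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'powershell.exe -Command "Add-MpPreference -ExclusionPath C:\ProgramData\upd"'},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -Command Get-MpPreference"},
]

if __name__ == "__main__":
    for rule, detail in hunt(SAMPLE_EVENTS):
        print(f"{rule:28s} {detail}")
```

The Windows-directory check is what keeps the legitimate TextShaping.dll in System32 from firing the side-load rule; in a real deployment, feed the function from your SIEM's normalized Sysmon and Security log exports and tune INSTALLER_NAMES to the installer processes you actually observe.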
Indicators of Compromise
| Type | Indicator |
| --- | --- |
| Hash MD5 | 01f6153a34ab6974314cf96cced9939f |
| Hash MD5 | 05e27d1d0d1e24a93fc72c8cf88924f8 |
| Hash MD5 | 0fe7854726d18bbc48a5370514c58bea |
| Hash MD5 | 171e48e5eeae673c41c82292e984bac9 |
| Hash MD5 | 18c1e128dbfe598335edb2ce3e772dd1 |
| URL | https[:]//armortra[.]xyz/8101[.]py |
| URL | https[:]//d37k0r4olv9brc[.]cloudfront[.]net/93845[.]ps1 |
| URL | https[:]//d37k0r4olv9brc[.]cloudfront[.]net/MicrosoftAntiMalwareTool[.]exe |
| URL | https[:]//d37k0r4olv9brc[.]cloudfront[.]net/infatica_agent[.]dll |
| URL | https[:]//github[.]com/JamilahZakiyya/note/raw/main/Setup[.]msi |
| Domain | armortra[.]xyz |
| Domain | easy-horizon[.]com |
| Domain | furtheret[.]com |
| Domain | trustv[.]xyz |
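Note that several of the URL indicators sit on shared infrastructure (github.com, cloudfront.net), so they should be matched on the full URL, not on their host; the Domain rows are the only entries safe to match by name or parent-domain suffix. The following Python script is an added example written for this advisory, not the authors' tooling: it parses the table above as published (defanged with [.] and [:]), refangs the values, and matches them against DNS query lines, proxied URLs and file hashes. The indicator rows are copied from the table; the DNS lines, URLs and hashes they are checked against are constructed.

```python
"""Match the advisory's IoC table against DNS, proxy and hash data.

Added example, not the advisory authors' tooling. IOC_TABLE is copied from
the advisory; SAMPLE_DNS, SAMPLE_URLS and SAMPLE_MD5S are constructed.
"""
from urllib.parse import urlsplit

IOC_TABLE = """\
Type | Indicator |
Hash MD5 | 01f6153a34ab6974314cf96cced9939f |
Hash MD5 | 05e27d1d0d1e24a93fc72c8cf88924f8 |
Hash MD5 | 0fe7854726d18bbc48a5370514c58bea |
Hash MD5 | 171e48e5eeae673c41c82292e984bac9 |
Hash MD5 | 18c1e128dbfe598335edb2ce3e772dd1 |
URL | https[:]//armortra[.]xyz/8101[.]py |
URL | https[:]//d37k0r4olv9brc[.]cloudfront[.]net/93845[.]ps1 |
URL | https[:]//d37k0r4olv9brc[.]cloudfront[.]net/MicrosoftAntiMalwareTool[.]exe |
URL | https[:]//d37k0r4olv9brc[.]cloudfront[.]net/infatica_agent[.]dll |
URL | https[:]//github[.]com/JamilahZakiyya/note/raw/main/Setup[.]msi |
Domain | armortra[.]xyz |
Domain | easy-horizon[.]com |
Domain | furtheret[.]com |
Domain | trustv[.]xyz |
"""

TYPE_MAP = {"hash md5": "md5", "url": "url", "domain": "domain"}


def refang(value):
    """Undo the [.] / [:] defanging used in the published table."""
    return value.replace("[.]", ".").replace("[:]", ":")


def parse_iocs(table):
    """Parse 'Type | Indicator |' rows into {'md5': set, 'url': set, 'domain': set}.

    URLs keep their case (paths are case-sensitive); hashes and domains are lowercased.
    """
    iocs = {"md5": set(), "url": set(), "domain": set()}
    for line in table.splitlines():
        cells = [c.strip() for c in line.split("|") if c.strip()]
        if len(cells) < 2 or cells[0].lower() not in TYPE_MAP:
            continue  # header row or blank line
        kind = TYPE_MAP[cells[0].lower()]
        value = refang(cells[1])
        iocs[kind].add(value if kind == "url" else value.lower())
    return iocs


def domain_hit(name, domains):
    """Return the indicator that `name` equals or is a subdomain of, else None."""
    n = name.lower().rstrip(".")
    for d in domains:
        if n == d or n.endswith("." + d):
            return d
    return None


def match_dns(lines, iocs):
    """Lines are '<timestamp> <client> <qname>'; returns (client, qname, indicator)."""
    hits = []
    for line in lines:
        _ts, client, qname = line.split()
        d = domain_hit(qname, iocs["domain"])
        if d:
            hits.append((client, qname, d))
    return hits


def match_urls(urls, iocs):
    """Exact URL match first; otherwise flag only if the host is itself a Domain IoC."""
    hits = []
    for u in urls:
        if u in iocs["url"]:
            hits.append((u, "url"))
            continue
        d = domain_hit(urlsplit(u).hostname or "", iocs["domain"])
        if d:
            hits.append((u, "domain:" + d))
    return hits


def match_hashes(md5s, iocs):
    """Case-insensitive MD5 lookup; returns the matching hashes sorted."""
    return sorted(h.lower() for h in md5s if h.lower() in iocs["md5"])


# Constructed samples: each list mixes one or more hits with benign entries.
SAMPLE_DNS = [
    "2026-01-27T10:01:02Z 10.0.0.15 armortra.xyz",
    "2026-01-27T10:01:05Z 10.0.0.15 github.com",
    "2026-01-27T10:02:10Z 10.0.0.22 cdn.trustv.xyz",
    "2026-01-27T10:03:00Z 10.0.0.22 notepad-plus-plus.org",
]
SAMPLE_URLS = [
    "https://github.com/JamilahZakiyya/note/raw/main/Setup.msi",
    "https://github.com/notepad-plus-plus/notepad-plus-plus/releases",
    "https://armortra.xyz/8101.py",
    "https://armortra.xyz/other.py",
]
SAMPLE_MD5S = ["01F6153A34AB6974314CF96CCED9939F", "d41d8cd98f00b204e9800998ecf8427e"]

if __name__ == "__main__":
    iocs = parse_iocs(IOC_TABLE)
    print(match_dns(SAMPLE_DNS, iocs))
    print(match_urls(SAMPLE_URLS, iocs))
    print(match_hashes(SAMPLE_MD5S, iocs))
```

In the constructed sample the github.com DNS query and the unrelated GitHub release URL produce no hit, while the subdomain cdn.trustv.xyz does, which is the distinction the two matching modes are meant to enforce.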

Recommendations
Source Control: Install Notepad++ and other software only from official project repositories (e.g., notepad-plus-plus.org) or trusted package managers
Application Control: Enforce allow-listing policies to block unsigned or unverified installer execution
Endpoint Hardening: Restrict unauthorized PowerShell execution and prevent Defender configuration changes by non-administrative processes
Scheduled Task Audits: Regularly review task scheduler entries and remove any unrecognized or suspicious tasks
Network Monitoring: Implement alerting for anomalous outbound traffic patterns indicative of proxyware activity
Conclusion
This proxyware campaign demonstrates ongoing abuse of trusted software brands to covertly monetize victim infrastructure. By using trojanized Notepad++ installer packages, attackers can maintain persistence, weaken endpoint security, and silently enroll systems into commercial proxy networks. We urge organizations to treat uncontrolled software installation as a significant security risk and prioritize software source verification, endpoint visibility, and behavioral monitoring to reduce exposure and mitigate ongoing risks.