Security Experts:

Connect with us

Hi, what are you looking for?



Proxyware Platforms Increasingly Targeted by Cybercriminals

Proxyware platforms are increasingly targeted in cybercrime operations aimed at distributing malware or at monetizing the internet bandwidth of victims, according to Cisco’s Talos research and intelligence unit.

Proxyware platforms are increasingly targeted in cybercrime operations aimed at distributing malware or at monetizing the internet bandwidth of victims, according to Cisco’s Talos research and intelligence unit.

With the help of proxyware platforms, users can share their unused Internet bandwidth. For that, they download and install a client application that joins their system to a network operated by the platform provider, which sells access to the network to other users who want to circumvent certain restrictions.

While users typically join proxyware networks for monetary gain, the use of such platforms comes with multiple security risks, including the possible interception of unencrypted traffic, or service degradation due to being banned on certain online services.

Despite such issues, the popularity of these platforms has increased rapidly over the past several years, with hundreds of thousands of users already joining them.

Legitimate users, however, aren’t the only ones to show increasing interest in proxyware platforms. Talos security researchers say they have seen numerous malware campaigns specifically targeting the users of these services.

The researchers observed several malware campaigns in which trojanized installers for proxyware applications are used to distribute RATs, information stealers, and other types of malware. In other campaigns, threat actors distribute proxyware applications to abuse the victims’ network bandwidth for generating revenue, or to distribute cryptominers while also monetizing the network bandwidth.

Typically, the malicious installers drop the legitimate application to avoid raising suspicion. In the background, however, they also install malware. In some cases, the cybercriminals distribute malware that installs proxyware and attempts to register devices using the attacker’s account.

In some instances, Talos’ researchers saw attempts to use multiple methods for monetizing successful infections, such as a multi-stage malware campaign delivering an information stealer, malware to mine for cryptocurrency, and a proxyware application to generate revenue.

“This is a textbook example of the varied approaches available to adversaries. Attackers are no longer content with simply deploying cryptocurrency mining to make money — they are now also stealing sensitive data and monetizing network bandwidth, all at the same time,” the researchers say.

Overall, Talos notes, proxyware should be considered potentially unwanted applications (PUA) given the various security risks they introduce, especially when it comes to enterprise environments.

“These relatively new platforms were built with a legitimate purpose, but attackers quickly found ways to abuse them. […]Due to the various risks associated with these platforms, it is recommended that organizations consider prohibiting the use of these applications on corporate assets,” Talos concludes.

Related: Success of Ransomware Attacks Shows the State of Cybersecurity

Related: Is Cryptojacking Replacing Ransomware as the Next Big Threat?

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


A new study by McAfee and the Center for Strategic and International Studies (CSIS) named a staggering figure as the true annual cost of...


The FBI dismantled the network of the prolific Hive ransomware gang and seized infrastructure in Los Angeles that was used for the operation.

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.


Video games developer Riot Games says source code was stolen from its development environment in a ransomware attack


CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.


Chinese threat actor DragonSpark has been using the SparkRAT open source backdoor in attacks targeting East Asian organizations.