Proxyware Malware Research
Notes and research related to proxyware malware campaigns, including fake utility installers, suspicious distribution paths, App Store abuse, network indicators, and infrastructure overlaps.
To the best of my knowledge, I am the first to publicly post on a campaign in which applications hosted on the Microsoft App Store deliver backconnect proxyware by loading a client.dll that performs the proxy connection (first post on X).
Additionally, on my blog I discuss updates indicating that this campaign may have started much earlier, using the App Store and possibly other download lures.
I found monitor.dll on VirusTotal with submissions several months old and no detections at all.
On my blog and GitHub pages I outline the relationship of monitor.dll to GhostSocks network IPs and how it operates on the host.
This DLL now has several detections.
Research Focus
- Fake utility installers: research into installers posing as legitimate tools or productivity utilities while delivering proxyware or related unwanted components.
- GhostSocks-related findings: tracking observations, indicators, and infrastructure overlaps associated with GhostSocks and proxyware-style monetization behavior.
- Detection opportunities: useful detection angles include installer metadata, command-line behavior, scheduled tasks, persistence, network endpoints, and shared infrastructure.
- Related blog posts: recent posts tagged with Proxyware, GhostSocks, or Microsoft Store malware are linked from the main homepage and blog feed.
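The detection angles listed under "Detection opportunities" can be combined into a small correlation over endpoint telemetry. The script below is an added example, not code from these notes or from the linked blog and GitHub pages. It walks Sysmon-shaped events (Event ID 1 ProcessCreate, 7 ImageLoad, 3 NetworkConnect) and flags a process that loads client.dll or monitor.dll (the DLL names from the notes above) and then connects to an external address, plus any schtasks /create spawned by such a process. Every sample event, path, PID, task name and IP address is constructed for illustration; the WindowsApps install path and the scheduled task are assumptions, not indicators observed in the campaign.

```python
"""Triage of proxyware-style behaviour over Sysmon-shaped events.

Added example, not code from the research notes or the author's GitHub pages.
Events mimic Sysmon Event ID 1 (ProcessCreate), 7 (ImageLoad) and
3 (NetworkConnect). All sample events are constructed: every path, PID,
task name and IP address below is made up.
"""
import ipaddress
import ntpath
from collections import defaultdict

# DLL names the research notes identify as the proxy component.
PROXYWARE_DLLS = {"client.dll", "monitor.dll"}

# Ranges treated as internal. Anything else counts as external here, so the
# documentation range 203.0.113.0/24 used in the sample deliberately counts as
# external (ipaddress's is_private would classify it as private).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]


def is_external(ip: str) -> bool:
    """True for a routable-looking destination, False for internal or malformed input."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return not any(addr in net for net in INTERNAL_NETS)


def correlate(events):
    """Return findings for (a) a process that loads a proxyware DLL and later
    connects to an external address and (b) schtasks /create spawned by such a
    process. Events are sorted by timestamp so the load must precede the connect."""
    loads = defaultdict(list)  # pid -> [(dll path, Sysmon Signed flag)]
    findings = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        eid, pid = ev["event_id"], ev["pid"]
        if eid == 7 and ntpath.basename(ev["image_loaded"]).lower() in PROXYWARE_DLLS:
            loads[pid].append((ev["image_loaded"], ev.get("signed", "unknown")))
        elif eid == 3 and pid in loads and is_external(ev["dest_ip"]):
            dll, signed = loads[pid][-1]
            findings.append({"rule": "proxyware_dll_beacon", "pid": pid, "dll": dll,
                             "signed": signed, "dest_ip": ev["dest_ip"],
                             "dest_port": ev["dest_port"]})
        elif (eid == 1 and ev["parent_pid"] in loads
              and ntpath.basename(ev["image"]).lower() == "schtasks.exe"
              and "/create" in ev["command_line"].lower()):
            findings.append({"rule": "persistence_from_proxyware_process", "pid": pid,
                             "parent_pid": ev["parent_pid"],
                             "command_line": ev["command_line"]})
    return findings


# Constructed sample telemetry (hypothetical app name, paths, PIDs and IPs).
SAMPLE_EVENTS = [
    {"ts": 1, "event_id": 1, "pid": 4100, "parent_pid": 900,
     "image": r"C:\Program Files\WindowsApps\Contoso.PdfTools_1.0\PdfTools.exe",
     "command_line": "PdfTools.exe"},
    {"ts": 2, "event_id": 7, "pid": 4100, "signed": "false",
     "image_loaded": r"C:\Program Files\WindowsApps\Contoso.PdfTools_1.0\client.dll"},
    {"ts": 3, "event_id": 3, "pid": 4100, "dest_ip": "203.0.113.10", "dest_port": 443},
    {"ts": 4, "event_id": 1, "pid": 4120, "parent_pid": 4100,
     "image": r"C:\Windows\System32\schtasks.exe",
     "command_line": r'schtasks.exe /create /sc onlogon /tn Updater /tr "C:\Users\u\AppData\Local\Updater.exe"'},
    # Benign noise: a system DLL load and a connection to an internal address.
    {"ts": 5, "event_id": 7, "pid": 5200, "signed": "true",
     "image_loaded": r"C:\Windows\System32\ws2_32.dll"},
    {"ts": 6, "event_id": 3, "pid": 5200, "dest_ip": "10.0.0.5", "dest_port": 445},
]

if __name__ == "__main__":
    for finding in correlate(SAMPLE_EVENTS):
        print(finding)
```

The network check is intentionally a coarse "external vs internal" split so the logic runs offline; in practice the GhostSocks network IPs tracked in the notes would be matched against dest_ip directly, and the Sysmon Signed flag on the image load is worth surfacing alongside the hit because an unsigned DLL inside a Store package is its own review trigger.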