
DPLoader

DPLoader is downloader malware used in a “proxyjacking” campaign attributed by AhnLab Security Intelligence Center (ASEC) to the threat actor Larva-25012. The campaign masquerades as legitimate software installers—most notably trojanized Notepad++ bundles—distributed via deceptive ads and fake/cracked-software download portals (with initial payloads hosted on GitHub). Victims typically receive either an MSI (Setup.msi) or ZIP (Setup.zip) package containing legitimate Notepad++ components alongside malicious DLLs executed via DLL side-loading.

Execution and staging vary by distribution chain:

  • Setup.msi chain: installs a C++-based DLL, creates persistence via a Task Scheduler entry named “Notepad Update Scheduler,” launches via rundll32.exe, injects shellcode into AggregatorHost.exe, and generates PowerShell that installs NodeJS and drops obfuscated JavaScript-based DPLoader components. The PowerShell also weakens defenses by modifying Windows Defender settings (adding exclusion paths, disabling security notifications, and preventing malware sample submissions). JavaScript DPLoader persistence tasks include “UNBScheduler” and “UNPScheduler.”
  • Setup.zip chain: includes Setup.exe (legitimate installer) and a malicious loader DLL TextShaping.dll. TextShaping.dll decrypts embedded shellcode to run an in-memory dropper, installs Python from official sources, deploys a Python-based DPLoader variant, and persists via a GUID-named VBS launcher registered in Task Scheduler (also described as “Notepad Update Scheduler”).

Core functionality: DPLoader communicates with a command-and-control (C2) server to retrieve instructions/commands, can execute received commands, and reports host information (ASEC notes OS details, hostname, architecture, machine_id, agent_version, session_id, and publisher_id for the JavaScript variant; the Python variant uses “/d” for communications and “/e” for error reporting and reports agent_version “1.0.0-py” and publisher_id “8101”).

Primary objective and payloads: rather than ransomware or data theft, the operation monetizes victims by installing proxyware to resell their internet bandwidth. Reported proxyware payloads include Infatica and DigitalPulse (and Larva-25012 has also been associated with Honeygain). ASEC describes process injection techniques including injecting into explorer.exe; DigitalPulse is described as running as an obfuscated Go-based program injected into explorer.exe. Related scheduled-task masquerading includes Infatica registered as “Microsoft Anti-Malware Tool” (MicrosoftAntiMalwareTool.exe), DigitalPulse installed via “UNPScheduler” with a task “SyncTaskUpdatescheduler” running syncupdates.dll via rundll32.exe, and (in the Python chain) a DLL placed under %LOCALAPPDATA%\Microsoft\Microsoft Windows Pluton[GUID]\MicrosoftWindowsPlutonTaskScheduler.dll with a scheduled task “MicrosoftWindowsPlutonTaskScheduler.”
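The staging and persistence details above (the "Notepad Update Scheduler", "UNBScheduler", "UNPScheduler", "SyncTaskUpdatescheduler" and "MicrosoftWindowsPlutonTaskScheduler" tasks, the rundll32.exe launch of syncupdates.dll, the MicrosoftAntiMalwareTool.exe masquerade, and the Defender-weakening PowerShell) are the kind of observables a SIEM rule can key on. The following is an added hunting example, written for this page rather than taken from ASEC or from Mallory: it runs a few simple rules over constructed Windows-style event records. The record layout, the rule names and the exact PowerShell/registry syntax used to represent the Defender changes are assumptions; the page does not quote the malware's commands, only which settings it modifies.

```python
"""Hunt for DPLoader-style persistence and Defender tampering in event records.

Added example, not code from the page's author or from ASEC. It matches
constructed Windows-style event records against the scheduled-task names,
rundll32 launch pattern, masquerading binary name and Defender-weakening
changes the profile describes. Record fields and command-line syntax are
assumptions made for illustration.
"""
import re

# Scheduled-task names reported in the profile (compared case-insensitively).
SUSPICIOUS_TASK_NAMES = {
    "notepad update scheduler",
    "unbscheduler",
    "unpscheduler",
    "synctaskupdatescheduler",
    "microsoftwindowsplutontaskscheduler",
    "microsoft anti-malware tool",
}

# DLL / EXE names the profile ties to the rundll32 and proxyware stages.
SUSPICIOUS_BINARIES = (
    "syncupdates.dll",
    "microsoftwindowsplutontaskscheduler.dll",
    "microsoftantimalwaretool.exe",
)

# Command-line fragments corresponding to the three Defender changes the page
# lists (exclusion paths, sample submission, security notifications). The
# cmdlets and registry key are real; the malware's exact syntax is assumed.
DEFENDER_TAMPER = [
    ("defender_exclusion", re.compile(r"add-mppreference\s+.*-exclusionpath", re.I)),
    ("defender_submission", re.compile(r"set-mppreference\s+.*-submitsamplesconsent", re.I)),
    ("defender_notifications", re.compile(r"windows defender security center\\notifications", re.I)),
]


def normalize_task(name: str) -> str:
    """Task names may be logged with a leading backslash or a folder path."""
    return name.strip().lstrip("\\").split("\\")[-1].lower()


def check_record(rec: dict) -> list:
    """Return the rule names a single event record triggers (empty if benign)."""
    hits = []
    kind = rec.get("kind")
    if kind == "task_created":
        if normalize_task(rec.get("task_name", "")) in SUSPICIOUS_TASK_NAMES:
            hits.append("masquerading_task_name")
    elif kind == "process_created":
        image = rec.get("image", "").lower()
        cmd = rec.get("command_line", "")
        low = cmd.lower()
        # rundll32 loading one of the named DLLs.
        if image.endswith("rundll32.exe") and any(b in low for b in SUSPICIOUS_BINARIES):
            hits.append("rundll32_named_dll")
        # The masquerading proxyware executable launched directly.
        if any(image.endswith(b) for b in SUSPICIOUS_BINARIES):
            hits.append("named_binary_executed")
        # PowerShell weakening Defender.
        if image.endswith("powershell.exe"):
            for rule, pattern in DEFENDER_TAMPER:
                if pattern.search(cmd):
                    hits.append(rule)
    return hits


def hunt(records: list) -> list:
    """Run every record through the rules; return (record index, rule) pairs."""
    findings = []
    for i, rec in enumerate(records):
        for rule in check_record(rec):
            findings.append((i, rule))
    return findings


# Constructed sample records (not real telemetry).
SAMPLE_RECORDS = [
    {"kind": "task_created", "task_name": "\\Notepad Update Scheduler"},
    {"kind": "task_created", "task_name": "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag"},
    {"kind": "process_created", "image": r"C:\Windows\System32\rundll32.exe",
     "command_line": r'rundll32.exe "C:\Users\u\AppData\Local\syncupdates.dll",Run'},
    {"kind": "process_created",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": 'powershell -c "Add-MpPreference -ExclusionPath $env:LOCALAPPDATA; '
                     'Set-MpPreference -SubmitSamplesConsent 2"'},
    {"kind": "process_created", "image": r"C:\Users\u\AppData\Local\MicrosoftAntiMalwareTool.exe",
     "command_line": "MicrosoftAntiMalwareTool.exe"},
    {"kind": "process_created", "image": r"C:\Windows\explorer.exe", "command_line": "explorer.exe"},
]

if __name__ == "__main__":
    for idx, rule in hunt(SAMPLE_RECORDS):
        print(f"record {idx}: {rule}")
```

Matching on task and file names is brittle on its own (an operator can rename them), so in practice these rules are best paired with behavioural ones, for example any scheduled task whose action is rundll32.exe pointing at a DLL under a user-writable path, or any Add-MpPreference/Set-MpPreference invocation from a non-administrative context.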

Targeting: ASEC reports the activity primarily affecting South Korea and notes Larva-25012 has been active since at least 2024 and has evolved from .NET malware to C++ and Python variants with more advanced injection techniques.
