NCSC Warns of Malware Campaign Using Fake PDF Editors

The NCSC uncovered a malware campaign using fake PDF editors and manual finder tools to turn devices into residential proxies, enabling criminals to mask their cyber operations.

The National Cyber Security Centre (NCSC) of the Netherlands has uncovered a global malware campaign that hides behind everyday utilities, such as PDF editors and manual finder applications, to compromise systems.

According to the NCSC, attackers promote these malicious tools through paid advertisements designed to lure unsuspecting users into downloading what appear to be legitimate software applications. Once installed, the tools silently deliver malware that turns victim devices into what cybercriminals call “residential proxies.”

How Cybercriminals Exploit Residential Proxies

The infected systems are misused to disguise attacker traffic. By routing their operations through residential proxies, criminals obtain IP addresses that match the geographic region of their intended targets.

This makes their activity look as if it originates from ordinary home users rather than malicious actors, and it complicates efforts by security researchers and law enforcement to trace attacks back to their source.

Technical Behavior of the Malicious Software

Once installed, the malware launches a JavaScript file that communicates with multiple command-and-control (C2) servers. These communications allow attackers to maintain remote access and further exploit the compromised system.

In a public statement, the NCSC explained:

“Researchers have also observed that in some cases, the software interacts with data in the browser. The extent of this interaction and possible access to other aspects of the browser is currently being investigated.”

This behavior raises concerns that the malware could be exfiltrating sensitive information or injecting additional malicious payloads through the browser.

Connection to OneStart Browser and Potentially Unwanted Applications

The investigation has revealed possible links between the malware campaign and the OneStart Browser, a tool that is often bundled with other software.

Several antivirus vendors classify OneStart Browser as a Potentially Unwanted Application (PUA). The program has been associated with adware and spyware distribution in past campaigns, which raises the likelihood that it is part of the same malicious ecosystem.

Scale of Infections and Current Status of the Campaign

The NCSC has not yet determined the number of infected devices. However, because the software was easy to install and was distributed through popular advertising channels, the agency suspects that many systems may already be compromised.

While the malicious advertising campaign appears to have slowed, with little new activity observed recently, the threat remains active: devices that have already been infected continue to pose a risk to corporate and personal networks.

NCSC Guidance for Enterprise Defenders

To mitigate the risk, the NCSC recommends that organizations take proactive defensive measures. Suggested steps include:

• Blocking domains linked to attacker infrastructure
• Checking networks for known indicators of compromise (IoCs)
• Monitoring for unusual browser-based activity connected to suspicious applications

Enterprises are urged to stay alert, as the malware’s ability to create residential proxies gives cybercriminals a powerful way to conceal their operations while extending the infection’s impact.
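As an added example (not NCSC tooling, and this article publishes no real indicators), the Python below shows how the IoC check and the monitoring recommendation could be applied to outbound-connection logs: it matches hosts against a placeholder IoC domain list and flags hosts whose traffic fits a relay pattern, the assumed footprint of a device acting as a residential proxy. The log format, the placeholder domains, the RFC 5737 sample addresses and the relay thresholds are all assumptions.

```python
# Added hunting example; not the NCSC's own tooling. Two checks over
# outbound-connection logs: contacts to IoC domains, and relay-like traffic
# (the assumed footprint of a device turned into a residential proxy).
from collections import defaultdict

# Placeholder IoC domains: the advisory points to attacker infrastructure,
# but this page does not publish the real indicators.
IOC_DOMAINS = {"c2-placeholder-1.example", "c2-placeholder-2.example"}

# Constructed sample log, one connection per line:
# "<time> <src_host> <dst_domain or -> <dst_ip> <dst_port>"
SAMPLE_LOG = """
10:00:01 ws-17 c2-placeholder-1.example 203.0.113.5 443
10:00:05 ws-17 c2-placeholder-2.example 203.0.113.9 443
10:00:09 ws-17 - 198.51.100.10 8080
10:00:12 ws-17 - 198.51.100.11 80
10:00:14 ws-17 - 198.51.100.12 443
10:00:18 ws-17 - 192.0.2.20 8443
10:00:21 ws-17 - 192.0.2.21 80
10:00:25 ws-17 - 192.0.2.22 443
10:00:30 ws-03 intranet.example 192.0.2.50 443
10:00:31 ws-03 mail.example 192.0.2.51 443
"""

def parse(log):
    """Yield (src_host, dst_domain, dst_ip, dst_port) for each log line."""
    for line in log.strip().splitlines():
        _time, host, domain, ip, port = line.split()
        yield host, domain, ip, int(port)

def find_ioc_hits(log):
    """Map each host to the IoC domains it contacted (IoC check)."""
    hits = defaultdict(set)
    for host, domain, _ip, _port in parse(log):
        if domain in IOC_DOMAINS:
            hits[host].add(domain)
    return dict(hits)

def find_relay_candidates(log, min_distinct_ips=8, min_distinct_ports=3):
    """Assumed heuristic for the monitoring step: a residential-proxy host
    relays third parties' traffic, so it reaches many unrelated external
    IPs over a spread of ports, unlike a normal workstation."""
    ips, ports = defaultdict(set), defaultdict(set)
    for host, _domain, ip, port in parse(log):
        ips[host].add(ip)
        ports[host].add(port)
    return sorted(h for h in ips
                  if len(ips[h]) >= min_distinct_ips
                  and len(ports[h]) >= min_distinct_ports)
```

The thresholds are starting points to tune against a baseline of normal workstation traffic; a host that trips both checks is a stronger candidate than one that trips either alone.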
