Fake Streaming Site Spreading Proxyware

Adversaries Abusing Proxyware Platforms

Cyble Research and Intelligence Labs discovered a fake site spreading Proxyware. Proxyware, also known as an internet-bandwidth-sharing application, lets users earn money by sharing a percentage of their internet bandwidth with the organizations that develop these applications. This site is disguised as an online streaming site and claims to provide free access to over 1500 channels worldwide through its desktop application. The Threat Actors (TAs) are targeting Windows users with this campaign. The figure below shows the fake streaming site.

Figure 1 – Fake Streaming Site

During further investigation, we found that the application hosted on this fake streaming site silently drops and installs Proxyware malware named “CoinSurf” and does not provide any streaming service. The dropper file installs the Proxyware using Squirrel, a framework for installing and updating desktop applications.

Detection Evasion Technique:

After installation, the Proxyware executes the PowerShell command “Add-MpPreference -ExclusionPath”, which excludes the following folders from Windows Defender scheduled and real-time scanning:

  • AppData\Local\CoinSurf\app-1.0.13
  • AppData\Roaming\CoinSurf

The image below shows the process tree of the infection.

Figure 2 – Process Tree


The Proxyware then establishes persistence by adding its path to the following registry key, so that it starts automatically whenever the user logs in:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

Figure 3 – Persistence
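The two host-side behaviours described above (the Defender exclusion and the Run-key persistence) are the kind of telemetry a SOC can alert on. The following Python example is added here and is not code from the original post or from Cyble; it runs simple detection logic over a few constructed, simplified Sysmon-style events (the key=value layout, the SID and the user name are all assumptions made for the example, not captured telemetry). It flags process events whose command line adds a Defender exclusion, and registry events that write a value under the CurrentVersion\Run key, and it marks findings whose paths sit in user-writable locations such as AppData, which is where this campaign places its files.

```python
"""Flag Defender-exclusion commands and Run-key persistence in process/registry events.

Added example for the CoinSurf Proxyware write-up; the events below are constructed
and simplified (Sysmon-like fields joined with '|'), not real logs from the campaign.
"""
import re
from dataclasses import dataclass, field

# Constructed sample events (not real telemetry). EventID 1 = process create,
# EventID 13 = registry value set, following Sysmon's numbering.
SAMPLE_EVENTS = [
    "EventID=1|Image=C:\\Users\\victim\\AppData\\Local\\CoinSurf\\app-1.0.13\\CoinSurf.exe|"
    "CommandLine=powershell.exe -Command Add-MpPreference -ExclusionPath "
    "'C:\\Users\\victim\\AppData\\Local\\CoinSurf\\app-1.0.13',"
    "'C:\\Users\\victim\\AppData\\Roaming\\CoinSurf'",
    # Sysmon reports HKCU as HKU\<SID>; the SID here is an assumed placeholder.
    "EventID=13|Image=C:\\Users\\victim\\AppData\\Local\\CoinSurf\\app-1.0.13\\CoinSurf.exe|"
    "TargetObject=HKU\\S-1-5-21-1111\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\CoinSurf|"
    "Details=C:\\Users\\victim\\AppData\\Local\\CoinSurf\\app-1.0.13\\CoinSurf.exe",
    # Benign event that must not be flagged.
    "EventID=1|Image=C:\\Windows\\System32\\notepad.exe|CommandLine=notepad.exe readme.txt",
]

# Matches an Add-MpPreference call and captures everything after -ExclusionPath.
EXCLUSION_RE = re.compile(
    r"Add-MpPreference\b.*?-ExclusionPath\s+(?P<paths>.+)$", re.IGNORECASE
)
# Matches a value written directly under ...\CurrentVersion\Run (RunOnce is not matched).
RUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\(?P<value>[^\\]+)$", re.IGNORECASE
)
# Directories a non-admin user can write to; persistence or exclusions here are suspicious.
USER_WRITABLE = ("\\AppData\\", "\\Temp\\", "\\Downloads\\")


@dataclass
class Finding:
    technique: str            # "defender_exclusion" or "run_key_persistence"
    image: str                # process that produced the event
    artefacts: list = field(default_factory=list)  # excluded paths, or [value name, command]
    user_writable: bool = False


def parse_event(line: str) -> dict:
    """Split 'k=v|k=v' into a dict; only the first '=' of each field separates key and value."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key] = value
    return fields


def _in_user_writable(paths) -> bool:
    return any(marker.lower() in p.lower() for p in paths for marker in USER_WRITABLE)


def analyze(lines) -> list:
    """Return a Finding for every exclusion command or Run-key write in the event lines."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        image = ev.get("Image", "")

        m = EXCLUSION_RE.search(ev.get("CommandLine", ""))
        if m:
            # Comma-separated list of quoted paths; quotes and whitespace are stripped.
            paths = [p.strip().strip("'\"") for p in m.group("paths").split(",")]
            findings.append(Finding("defender_exclusion", image, paths, _in_user_writable(paths)))

        m = RUN_KEY_RE.search(ev.get("TargetObject", ""))
        if ev.get("EventID") == "13" and m:
            command = ev.get("Details", "")
            findings.append(Finding("run_key_persistence", image,
                                    [m.group("value"), command], _in_user_writable([command])))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"[{f.technique}] image={f.image} user_writable={f.user_writable} {f.artefacts}")
```

On a real deployment the same two rules map onto Sysmon Event ID 1 (CommandLine) and Event ID 13 (TargetObject/Details); an exclusion for a path under a user's profile, added by a process that also lives under that profile, is the combination worth paging on.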

Network Communication:

Our investigation indicates that the Proxyware installed on the victim’s machine is not the original CoinSurf application. Nonetheless, it connects to the original CoinSurf site for authentication, indicating that this Proxyware binary was customized by the TA. The authentication request is performed with the TA’s own login credentials, so every infected device is linked to the same TA profile. This technique lets the TA pool a large amount of internet bandwidth from many devices and earn money easily. The image below shows the Proxyware authenticating with a POST request.

Figure 4 – Authenticate Using POST Requests

After authentication, the Proxyware receives its configuration from the server, as shown in the figure below. The configuration contains the client settings used to perform the Proxyware operation.

Figure 5 – Configuration file

The figure below shows the TA’s CoinSurf profile, which was created recently, indicating that the campaign is at the initial stage.

Figure 6 – TA’s CoinSurf Profile

The figure below shows the network activity done by the Proxyware.

Figure 7 – Network Activity


Adversaries are actively abusing Proxyware for monetary gain. In this campaign we have also seen how TAs try to infect many users through fake sites. There have been incidents in the past where TAs infected victims with Proxyware as well as with CoinMiners. The use of Proxyware on corporate networks can also damage the organization’s IP reputation.

Our Recommendations

We have listed some essential cybersecurity best practices that form the first line of control against attackers. We recommend that our readers follow the best practices given below:

How to prevent malware infection?

  • Avoid downloading pirated software from warez/torrent websites. The “Hack Tools” advertised on sites such as YouTube, torrent sites, etc., often contain such malware.
  • Use a reputed anti-virus and internet security software package on your connected devices, including PCs, laptops, and mobile devices.
  • Refrain from opening untrusted links and email attachments without first verifying their authenticity.
  • Educate employees on protecting themselves from threats like phishing and untrusted URLs.
  • Identify the applications with auto-execute permission by going through System settings > Startup Apps.
  • Block URLs that could be used to spread the malware, e.g., Torrent/Warez.
  • Monitor beaconing at the network level to block unnecessary internet connections.

MITRE ATT&CK® Techniques

Tactic           Technique ID   Technique Name
Initial Access   T1189          Drive-by Compromise
Execution        T1204          User Execution
Persistence      T1547.001      Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
Discovery        T1012          Query Registry
Discovery        T1082          System Information Discovery

Indicators of Compromise (IOCs)

Indicator                                         Indicator type   Description
streamtvbox[.]net                                 Domain           Fake Site
http[:]//streamtvbox[.]net/StreamTVBox[.]exe      URI              Malicious URI
