A malicious campaign is targeting users through fake YouTube video download sites, distributing Proxyware malware. The attack involves a downloader disguised as WinMemoryCleaner, which installs NodeJS and runs malicious JavaScript. This script then installs various Proxyware programs, including DigitalPulse, HoneyGain, and recently, Infatica. The malware uses Task Scheduler for persistence and sends system information to a C&C server. The Proxyware exploits the infected system's network bandwidth for the attacker's profit. Users in South Korea have been particularly targeted. To prevent infection, users should avoid installing executables from suspicious websites and use antivirus software.