216.73.216.197

Stories from the SOC: Mystery of the postponed proxyware install

· Published 24/11/2025 21:10 · Modified 21/12/2025 18:00

Export JSON

Essential information

Published
24/11/2025 21:10
Modified
21/12/2025 18:00
Tags
2025-11-24 c2 server disk-cleaning utility download cradle in-memory execution node.js powershell proxyware unauthorized software
Related entities
5 observables, 10 techniques (mitre), 6 others

Description

A suspicious alert led to the discovery of an attack chain aimed at installing on a compromised system. The infection originated from a installed three days prior, which included malicious scripts and established a connection to a . The attack utilized a and techniques to evade detection. The SOC team successfully intercepted the attack before the installation could complete. The incident highlights the risks associated with installations and the importance of restricting access in corporate environments.

External references