FluxerBot: Nginx Powered Proxy Malware

What first appeared last week to be yet another malspam campaign solely spread to infect victims with Andromeda, also downloaded some interesting second stage payloads; including several keyloggers and what was later discovered to be labeled as the Fluxer proxybot. The initial malspam lures contained Italian language informing its victims that he or she has received an invoice as the message attachment. The message attachment is a ZIP archive which contained the Andromeda malware installer. More information about this campaign can be found by ThreatHQ customers in Threat ID 5316.