Medium
A malicious campaign called Twin Flower has been found inflating network traffic, downloading files, and stealing data. The files are believed to be downloaded unknowingly by users when visiting malicious sites, or dropped into the system by other malware. The files are either a component or the main executable of a music downloader that automatically downloads music files without user consent. It drops several files and adds the following processes to the system:

The application connects to different links to retrieve MP3 file details, download MP3 files, and retrieve related images, and saves them in the user’s My Music folder. It also communicates with other potentially malicious URLs besides the ones used for MP3-related downloading.

The malicious files, Trojan.JS.TWINFLOWER.A and TrojanSpy.JS.TWINFLOWER.A, try to connect to URLs that are used to generate simulated clicks on certain video websites. This is done to inflate the sites’ network traffic, thus boosting search engine rankings and advertising revenue from mainstream video sites. Beyond this, the malicious files could potentially do more damage, since the malware can download code and inject it into systems.
MD5
SHA-256