New Variants of ChromeLoader Browser Hijacking Malware Discovered in a Campaign

Researchers Warn of New Variants of ChromeLoader Browser in the Wild

ChromeLoader malware is spread through pirated games, malicious QR codes, and cracked software that hijacks the victim’s web browser and inserts ads into webpages.

Palo Alto Networks’ Unit 42 researchers have uncovered new variants of the notorious ChromeLoader info-stealer malware, codenamed Choziosi Loader and ChromeBack. The discovery indicates that the malware is still evolving. Researchers identified the Windows variant of this malware in January 2022 and a macOS version in March 2022.

“In a short time period, the authors of ChromeLoader released multiple different code versions, used multiple programming frameworks, enhanced features, advanced obfuscators, fixed issues, and even added cross-OS support targeting both Windows and macOS.”

Nadav Barak – IT Security Researcher at Unit 42

About ChromeLoader

ChromeLoader is a multi-stage malware: every variant goes through several stages in its infection chain. The chain nevertheless looks similar across variants; for example, all of them rely on a malicious browser extension to carry out the infection.

The malware is used primarily to hijack users’ browser searches and display ads. Although it first surfaced in January 2022, Unit 42 researchers stated in their blog post that it was first used in an attack in December 2021 via an AutoHotKey-compiled executable and dropped version 1.0 of the browser hijacker.

The malware is distributed as a fake Chrome extension, version 6.0, inside ISO or DMG file downloads. The image file contains a benign-looking Windows shortcut that launches a hidden file to deploy the malware.

Alternatively, as reported by in May 2022, the malware is also promoted through QR codes on free gaming sites and on Twitter. In essence, it is adware; what makes it notable is that it is built as a browser extension rather than a Dynamic Link Library (.dll) or a Windows executable (.exe).


Infection Chain

The victim is lured to download movie torrents or cracked video games via malvertising campaigns. They may also find it on social media and pay-per-install websites. Once downloaded and installed on the system, ChromeLoader requests invasive permissions for accessing browser data and web requests.

Furthermore, the malware can also capture the victim’s search engine queries on Yahoo, Google, and Bing, through which the attackers can quickly determine the user’s online activities.


How to Remove ChromeLoader Malware?

Whether you are an Android, Windows or Mac user, it is important to be aware of the ChromeLoader malware and take steps to protect yourself from it.

As discussed above, ChromeLoader hijacks the user’s web browser and inserts ads into webpages. It is often spread through compromised websites and can be very difficult to remove. Therefore, watch out and refrain from downloading pirated content including games, videos, movies, or songs.

However, if your browser is infected with ChromeLoader malware, follow these steps to remove it. First, open the Windows Task Manager by pressing Ctrl+Alt+Delete on your keyboard. In the Processes tab, locate “chrome.exe” and click on it. Then, click End Process.

Next, open your web browser and navigate to chrome://extensions/. Scroll down until you find “ChromeLoader” and click the trashcan icon next to it.

Finally, run a full system scan with your antivirus software to ensure that the malware has been removed.
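Because a hijacker extension can show any display name it likes in chrome://extensions/, the permissions it asks for (browser data and web requests, as described under Infection Chain) and whether it came from the Chrome Web Store are more reliable signals. The following triage script is an added example, not code from the article or from Unit 42; the manifests it scans are constructed samples, and the profile paths it assumes are the default Chrome locations on each OS.

```python
import json
import sys
from pathlib import Path

# Permissions a search/ad hijacker needs to read browsing data and intercept
# web requests; any one of these is worth a second look on a sideloaded extension.
INVASIVE = {"webRequest", "webRequestBlocking", "declarativeNetRequest",
            "tabs", "history", "cookies", "management", "<all_urls>"}
WEBSTORE_UPDATE = "https://clients2.google.com/service/update2/crx"


def assess_manifest(manifest: dict) -> dict:
    """Build a triage record for one extension manifest.json."""
    perms = set(manifest.get("permissions", []))
    perms |= set(manifest.get("host_permissions", []))
    # Content scripts injected into every site are another strong indicator.
    for script in manifest.get("content_scripts", []):
        perms |= set(script.get("matches", []))
    hits = sorted(p for p in perms if p in INVASIVE)
    sideloaded = manifest.get("update_url") != WEBSTORE_UPDATE  # not from the Web Store
    return {
        "name": manifest.get("name", "?"),
        "version": manifest.get("version", "?"),
        "invasive": hits,
        "sideloaded": sideloaded,
        "suspicious": bool(hits) and sideloaded,
    }


def scan_profile(ext_dir: Path) -> list:
    """Walk <profile>/Extensions/<id>/<version>/manifest.json and assess each one."""
    results = []
    for manifest_path in ext_dir.glob("*/*/manifest.json"):
        with open(manifest_path, encoding="utf-8") as fh:
            record = assess_manifest(json.load(fh))
        record["id"] = manifest_path.parent.parent.name
        results.append(record)
    return results


# Constructed sample manifests, not taken from a real ChromeLoader sample.
HIJACKER = {"name": "Chrome Extension", "version": "6.0",
            "permissions": ["tabs", "storage", "webRequest", "webRequestBlocking"],
            "host_permissions": ["<all_urls>"]}
BENIGN = {"name": "Store Extension", "version": "1.2",
          "permissions": ["storage"], "update_url": WEBSTORE_UPDATE}

if __name__ == "__main__":
    profile = Path(sys.argv[1]) if len(sys.argv) > 1 else Path.home() / (
        "Library/Application Support/Google/Chrome/Default/Extensions"
        if sys.platform == "darwin" else
        "AppData/Local/Google/Chrome/User Data/Default/Extensions")
    for rec in scan_profile(profile):
        print(("SUSPICIOUS " if rec["suspicious"] else "ok         ") + json.dumps(rec))
```

Any record flagged SUSPICIOUS should be checked against the extension list in chrome://extensions/ and removed as described above, after which the antivirus scan still applies.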
