Threat Watch

Experts Warn of Rise in ChromeLoader Malware Hijacking Users’ Browsers

A Google Chrome-based browser hijacker that was discovered earlier this year has seen a surge of activity in recent days, according to a recently released report. This browser hijacker’s ultimate purpose is to redirect user traffic to advertisement websites, but it uses interesting techniques during installation.

This browser hijacker, dubbed ChromeLoader, is initially delivered via an ISO file typically masquerading as a cracked video game or pirated movie. This ISO contains an executable file that, when executed, will inject itself into an svchost.exe process and create a scheduled task using the Task Scheduler API. This scheduled task is then executed, which runs a cmd.exe process that executes a Base64-encoded PowerShell command. This PowerShell command checks to see if the malicious browser extension is already installed and, if not, runs a wget.exe process to download and unpack the extension from a remote location. Upon successful unpacking, the scheduled task is silently removed and then a new Google Chrome process is executed using the “—load-extension” flag to load the downloaded extension. At this point, the extension performs its purpose of redirecting search results through malvertising domains.

A macOS variant of the ChromeLoader browser hijacker was also discovered that uses similar techniques to execute the malicious extension, using bash instead of PowerShell, making this a cross-platform threat. This variant is also capable of loading malicious extensions in both Chrome and Safari web browsers.


Cracked software and pirated content is a common infection vector that threat actors use to install malware. It is recommended to avoid cracked software and pirated content, not only from a legal perspective, but from a malware perspective as well. Multiple behaviors performed by this browser hijacker would be considered abnormal, allowing for good detection capabilities. Activity like PowerShell spawning a Chrome process with the “—load-extension” flag, PowerShell spawning a wget process to a remote location, and a process executing from a non-system drive injecting into a process located on the system drive are all behaviors that would be considered abnormal and can be alerted upon. Binary Defense’s Managed Detection and Response service is an excellent asset to assist with these types of detection needs. Finally, it is recommended to treat all endpoints similarly in regards to preventative and detective measures regardless of operating system, as malware can be cross-platform. While Windows is generally the largest target for threat actors, that does not mean that other operating systems are safe from attacks or malware and should be treated as such.