Thousands of Google Chrome browsers are at risk from this damaging attack

News
By
published

Malicious websites are presenting trojans as useful and free software

Google Chrome dark mode
Image Credit: TechRadar (Image credit: Future)

Cybersecurity researchers have spotted a new malicious campaign that hijacks web browsers to steal sensitive data.

A report from ReasonLabs outlined how the campaign has so far hit around 300,000 Google Chrome and Microsoft Edge users by creating websites offering fake software for free, including the likes of Roblox FPS Unlocker, YouTube, VLC media player, Steam, or KeePass. 

Victims who navigate to these websites and download the fake software instead get a trojan malware that’s been around since 2021. The malware installs add-ons and extensions that hijack search engines, and more.

Feature Flighting

"The trojan malware contains different deliverables ranging from simple adware extensions that hijack searches to more sophisticated malicious scripts that deliver local extensions to steal private data and execute various commands," the researchers explained. "This trojan malware, existing since 2021, originates from imitations of download websites with add-ons to online games and videos."

In some cases, the extensions change the browser’s default search engine to a different one, likely where the threat actors can benefit from ad serving, or through which they can deploy more damaging malware. The researchers also added that removing the add-ons is a bit challenging.

"The extension cannot be disabled by the user, even with Developer Mode 'ON,'" ReasonLabs said. "Newer versions of the script remove browser updates."

To remove the malware, users should delete the scheduled tasks that reactivate the malware, remove Registry entries, and delete these files and folders, The Hacker News reports:

C:\Windows\system32\Privacyblockerwindows.ps1
C:\Windows\system32\Windowsupdater1.ps1
C:\Windows\system32\WindowsUpdater1Script.ps1
C:\Windows\system32\Optimizerwindows.ps1
C:\Windows\system32\Printworkflowservice.ps1
C:\Windows\system32\NvWinSearchOptimizer.ps1 - 2024 version
C:\Windows\system32\kondserp_optimizer.ps1 - May 2024 version
C:\Windows\InternalKernelGrid
C:\Windows\InternalKernelGrid3
C:\Windows\InternalKernelGrid4
C:\Windows\ShellServiceLog
C:\windows\privacyprotectorlog
C:\Windows\NvOptimizerLog

More from TechRadar Pro

TOPICS
Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

Read more
A finger touching the google chrome icon in the Windows 10 start menu
A new Chrome browser highjacking attack could affect billions of users - here's how to fight it
chrome firefox extensions
Google Chrome extensions hit in major attack - dozens of developers affected, so be on your guard
Chrome icon on Android
Google Chrome extensions hack may have started much earlier than expected
Pirate skull cyber attack digital technology flag cyber on on computer CPU in background. Darknet and cybercrime banner cyberattack and espionage concept illustration.
Mac users targeted with new malware, so be on your guard
Laptop computer displaying logo of WordPress, a free and open-source content management system (CMS)
Over 10,000 WordPress sites found showing fake Google browser update pages to spread malware
A white padlock on a dark digital background.
Developers targeted by malicious Microsoft VSCode extensions
Latest in Security
China
Chinese hackers who targeted key US infrastructure charged by Justice Department
linkedin
Watch out - that LinkedIn email could be a fake, laden with malware
An American flag flying outside the US Capitol building against a blue sky
Mass federal layoffs will have “devastating impact on cybersecurity, former NSA cybersecurity director warns
A hand reaching out to touch a futuristic rendering of an AI processor.
North Korean fake job hackers are going the extra mile to make sure their scams seem legit
A hand reaching out to touch a futuristic rendering of an AI processor.
Google Cloud unveils new AI Protection security tools, no matter which model you use
A TV remote pointing at YouTube logo
YouTube warns of phishing video using its CEO as bait
Latest in News
Apple MacBook Air M3
The M3 MacBook Air is officially discontinued, but the M2 MacBook Air will live on elsewhere and that's good news
Stock photographs of people smiling and looking at laptops in a small business environment.
This web hosting platform elevates your online presence
The Samsung Galaxy S25 Edge on display at Galaxy Unpacked
Exclusive: the Samsung Galaxy S25 Edge will have durability to match its ‘sexy’ form
Metaphor: ReFantazio
Sega was Metacritic's highest-rated publisher of 2024 thanks to the critically acclaimed Metaphor: ReFantazio and Like a Dragon: Infinite Wealth
AirPods Pro Review
Apple has quietly updated its guidance on how to clean your AirPods, and suggests you buy a kit… from Belkin
China
Chinese hackers who targeted key US infrastructure charged by Justice Department
More about security
linkedin

Watch out - that LinkedIn email could be a fake, laden with malware
China

Chinese hackers who targeted key US infrastructure charged by Justice Department
Apple MacBook Air M3

The M3 MacBook Air is officially discontinued, but the M2 MacBook Air will live on elsewhere and that's good news
See more latest
Most Popular
Apple MacBook Air M3
The M3 MacBook Air is officially discontinued, but the M2 MacBook Air will live on elsewhere and that's good news
Micron PCIe 6.x SSD
Micron just demoed the world's fastest SSD with PCIe 6.x tech, a sequential read speed of 27GB/s, and yes, it's just a prototype for now
Xiaomi SU7
Xiaomi's EV is racing ahead of Tesla in China – and it's planning a global Model Y rival next
Macrodock M1 docking station
This cute docking station has LCD macro keys and can even power an 8K monitor - but what nailed it are the rotary knobs
linkedin
Watch out - that LinkedIn email could be a fake, laden with malware
The Mound: Omen of Cthulhu
Ace Team announces The Mound: Omen of Cthulhu, a new first-person horror co-op coming to PS5, Xbox Series X, and PC this year
Styx: Blades of Greed
Styx the goblin returns in Styx: Blades of Greed later this year
Robocop: Rogue City
RoboCop: Rogue City's new standalone expansion Unfinished Business announced at Nacon Connect 2025
Cthulhu: The Cosmic Abyss
Cthulhu: The Cosmic Abyss is a new first-person thriller from the studio behind Vampire: The Masquerade - Swansong
RISC-V
Startup formed by former Intel engineers and backed by AMD legendary chip designer wants to become the Arm of RISC-V