ChromeLoader malware is spread through pirated games, malicious QR codes and pirated software that hijacks victim’s web browser and inserts advertisements into web pages.

Palo Alto Networks Unit 42 researchers have discovered new variants of the notorious information-stealing ChromeLoader malware, named Choziosi Loader and ChromeBack. The discovery indicates that the malware is still evolving. Researchers identified the Windows variant of this malware in January 2022 and a macOS version in March 2022.

“In a short time, the authors of ChromeLoader released several different code versions, used multiple programming frameworks, improved features, advanced obfuscators, fixed issues, and even added cross-OS support targeting both Windows and macOS.”

Nadav Barak – Computer Security Researcher at Unit 42

About ChromeLoader

ChromeLoader is a multi-stage malware. Each variant has several steps along its chain of infection. However, the infection chain seems similar between different variants, such as all variants used malicious browser extensions to spread the infection.

The malware is mainly used to hijack users’ browser searches and display advertisements. Although it first surfaced in January 2022, Unit 42 researchers said in their blog post that it was first used in an attack in December 2021 via an executable compiled by AutoHotKey and had abandoned browser hijacker version 1.0.

The malware is distributed as a fake Chrome version 6.0 extension in ISO or DMG file downloads. The image file contains a benign Windows shortcut that launched a hidden file to deploy the malware.

Alternatively, as Hackread.com reported in May 2022, the malware is also marketed via QR codes on free game sites and Twitter. So basically it is adware. However, it is notorious because it is designed as a browser extension and not a dynamic link library/.dll or Windows executable file/.exe.

Chain of infection

The victim is tricked into downloading pirated movie torrents or video games via malicious advertising campaigns. They can also find it on social media and pay-per-install websites. Once downloaded and installed on the system, ChromeLoader asks for invasive permissions to access browser data and web requests.

Additionally, the malware can also capture victim’s search engine queries on Yahoo, Google, and Bing, through which attackers can quickly determine user’s online activities.

How to remove ChromeLoader malware?

Whether you are an Android user, on Windows or on a Mac device, it is important to be aware of ChromeLoader malware and take steps to protect yourself from it.

As stated above, ChromeLoader hijacks user’s web browser and inserts advertisements into web pages. It often spreads via compromised websites and can be very difficult to remove. Therefore, be careful and avoid downloading pirated content including games, videos, movies or songs.

However, if your browser is infected with ChromeLoader malware, follow these steps to remove it -> First, open Windows Task Manager by pressing Ctrl+Alt+Delete on your keyboard. In the Processes tab, locate “chrome.exe” and click on it. Then click End Process.

Next, open your web browser and navigate to chrome://extensions/. Scroll down until you find “ChromeLoader” and click the trash can icon next to it.

Finally, run a full system scan with your antivirus software to make sure the malware has been removed.

More Chrome Browser Security News

1. Chrome on Android will alert, fix your compromised password
2. New malware lures fake Chrome update to attack Windows PCs
3. Latest Update for Google Chrome Fixes Actively Exploited 0-Day Flaw
4. AllBlock ad blocker Chrome extension injected ads into Google searches
5. Malicious Advertising Attack Distributes Malicious Chrome Extensions and Backdoors