September 22, 2023

Security researchers are raising the alarm about a malware tool dubbed ChromeLoader.

Initially seen as a consumer-focused, browser-hijacking credential stealer, it has since become a widespread threat to organizations across multiple industries.


Researchers from VMware's Carbon Black MDR team recently observed the malware, across hundreds of attacks, also being used to drop ransomware, steal sensitive data, and deploy so-called decompression bombs to crash systems.
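Decompression bombs of the kind mentioned above are archives with a small compressed size that expand to enormous output, exhausting disk or memory on the machine that unpacks them. The following Python script is an added example, not code from the VMware or Microsoft researchers and not ChromeLoader's own payload; it shows two checks a practitioner would apply before trusting an archive: a triage of the ZIP central directory for an extreme expansion ratio, an oversized declared total, or nested archives, and a streaming read that aborts once decompressed output exceeds a hard limit. The thresholds, member names and the in-memory sample archives are assumptions constructed for the demonstration.

```python
import io
import zipfile

# Thresholds are this example's assumptions, not figures from the research.
MAX_RATIO = 100                     # declared uncompressed / compressed bytes
MAX_TOTAL_UNCOMPRESSED = 1 << 30    # 1 GiB cap on declared total size
ARCHIVE_SUFFIXES = (".zip", ".7z", ".rar", ".gz", ".tar", ".bz2", ".xz")


def inspect_zip(data: bytes) -> dict:
    """Triage a ZIP from its central directory without extracting anything.

    Flags archives whose declared expansion ratio or total size is extreme,
    and archives that nest further archives (the layered form of a bomb).
    """
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()
    compressed = sum(i.compress_size for i in infos)
    uncompressed = sum(i.file_size for i in infos)
    if compressed:
        ratio = uncompressed / compressed
    else:
        # Only empty members: nothing to expand, so the ratio is meaningless.
        ratio = 0.0
    nested = [i.filename for i in infos
              if i.filename.lower().endswith(ARCHIVE_SUFFIXES)]
    suspicious = (ratio > MAX_RATIO
                  or uncompressed > MAX_TOTAL_UNCOMPRESSED
                  or bool(nested))
    return {
        "members": len(infos),
        "compressed": compressed,
        "declared_uncompressed": uncompressed,
        "ratio": ratio,
        "nested_archives": nested,
        "suspicious": suspicious,
    }


def read_member_bounded(data: bytes, name: str, limit: int) -> bytes:
    """Decompress one member, aborting once more than `limit` bytes come out.

    The central-directory sizes are attacker-controlled metadata, so this
    streaming guard is what actually protects the host during extraction.
    """
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(data)) as zf, zf.open(name) as member:
        total = 0
        while True:
            chunk = member.read(64 * 1024)
            if not chunk:
                break
            total += len(chunk)
            if total > limit:
                raise ValueError(
                    f"{name}: decompressed output exceeded {limit} bytes")
            out.write(chunk)
    return out.getvalue()


def build_archive(members: dict) -> bytes:
    """Helper for the demo: build a DEFLATE ZIP in memory from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed samples, not real ChromeLoader payloads: an ordinary
    # archive and a highly compressible blob of the kind a bomb relies on.
    benign = build_archive({"readme.txt": b"ordinary attachment\n" * 8})
    bomb = build_archive({"update.bin": b"\0" * (16 * 1024 * 1024)})
    for label, blob in (("benign", benign), ("bomb", bomb)):
        print(label, inspect_zip(blob))
    try:
        read_member_bounded(bomb, "update.bin", limit=1 << 20)
    except ValueError as exc:
        print("blocked:", exc)
```

The triage step is a cheap heuristic for mail gateways and sandboxes, but because an attacker writes the central directory, a crafted archive can under-declare its sizes; the bounded streaming read is the control that holds regardless of what the headers claim, and the same pattern applies to gzip, tar and 7z extraction.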

Microsoft's Security Intelligence team has likewise reported on a threat actor it tracks as DEV-0796, which is using ChromeLoader in an extensive and ongoing click-fraud campaign.

ChromeLoader came into the limelight in January, when researchers observed its operators using it to drop a malicious browser extension as a payload on user systems. The malware targeted users who visited sites touting cracked video games and pirated torrents.

Since then, multiple versions with different malicious capabilities have evolved. One of them, a variant called Bloom.exe, made its initial appearance in March and has since infected at least 50 VMware Carbon Black customers. Other versions include Opensubtitles-uploaded.exe and Flbmusic.exe.


In August, the operators of the appropriately named CrashLoader variant were observed using the malware to distribute a ransomware family called Enigma.

ChromeLoader is considered an emerging threat because of its potential for delivering more nefarious malware.
