September 21, 2023

Researchers have uncovered a malware campaign distributing the ChromeLoader using VHD files as a source.

ChromeLoader is a malicious Chrome browser extension, it is classified as a pervasive browser hijacker that modifies browser settings to redirect user traffic.

These VHD files are disguised as applications and hacks or cracks for popular Nintendo and Steam games,

  • Dark Souls 3
  • Red Dead Redemption 2
  • Call of Duty Deluxe Edition
  • Minecraft
  • The Legend of Zelda
  • Pokemon Ultra Moon
  • Animal Crossing New Horizons
  • Mario Kart 8 Deluxe

These files are discovered by querying Google for popular games and programs that they were distributed through multiple websites

Once upon installing the malicious files, they will install the ChromeLoader extension and redirect users to an advertisement website, and collect browsing data and credentials.

The malware is able to redirect the user’s traffic and hijack user search queries to popular search engines, including Google, Yahoo, and Bing. The malicious code is also able to use PowerShell to inject itself into the browser and add the extension to the browser.

The analysis of the VHD files revealed multiple hidden files except for the Install.lnk file. Upon clicking on the Install.lnk, the properties.bat file and the properties.bat file are executed.

These batch files execute “data.ini,” a VBScript, and a JavaScript, videos.exe that fetches the last-stage payload from a remote server

The videos.exe file has nw.exe inside of it and refers to the package.json to run the script designated by the main property. The script designated by the main property is the file start.html, which contains a malicious JS that has been obfuscated.


The videos.exe file executes the malicious JS within start.html, which connects to the below addresses and attempts to download ChromeLoader

  • Lesexwrecko[.]xyz
  • Alnormatic[.]xyz

Disguising malware as game hacks and crack programs is usual. Users must be particularly cautious about executing files downloaded from unknown sources, and it is advised that users download programs from their official websites.

Indicators of Compromise

  • bdcb5c80a664d82a28469f9fce0fbb12
  • ae8ae62aa04f06d32c548c2ef493a39f
  • 82024e7af52481e71760c9d119eb903f
  • 3515115d7efa1ac42bd56bc9348cd4f8

Leave a Reply

%d bloggers like this: