
ChromeLoader has at least four variants

ChromeLoader has at least four variants. According to Palo Alto Networks Unit 42 researchers, the malware authors used a browser extension as their final payload. It serves as adware and an infostealer.

ChromeLoader (aka Choziosi Loader and ChromeBack) has at least four variants, identified by Palo Alto Networks Unit 42 researchers. Instead of a more traditional malicious payload such as a Windows executable (.exe) or Dynamic Link Library (.dll), the malware authors used a browser extension as their final payload. The extension serves as adware and an infostealer, leaking all of the user's search engine queries. Since January 2022, the researchers have tracked four evolutions of the loader:

  • Variant 0: It used AutoHotKey (AHK)-compiled executables and version 1.0 of the Chrome extension. Its first known attack occurred in December 2021. Unit 42's report discusses this variant last, in the section titled "The Real First Windows Variant".
  • Variant 1: It used versions 2.0-4.4 of the Chrome extension as its payload and a .NET executable that launches obfuscated PowerShell as its dropper. It was mainly active in January 2022.
  • Variant 2: It uses version 6.0 of the Chrome extension and an obfuscated executable as its initial dropper. It has been active since March 2022.
  • macOS Variant: It targets macOS computers (the other variants target Windows users only) and uses version 6.0 of the extension. Active since March 2022.
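Every variant above ends in an extension that can read the victim's search queries. A first hunting step on an endpoint, added here as an example and not taken from the Unit 42 report or from this article, is to triage installed extension manifests for the combination that makes this possible: a host match covering search engine result pages plus an API permission or content script that observes navigations to them. The manifests embedded below are constructed for illustration and are not real ChromeLoader artifacts; the permission semantics follow Chrome's documented match-pattern and `tabs` behaviour, and the search-host list is an assumption you would extend for your environment.

```python
"""Triage Chrome extension manifests for the ability to read search queries.

Added example, not code from the Unit 42 report or the article above.
The manifests in MANIFESTS are constructed for illustration.
"""
import json

# Search engines whose result-page URLs carry the query string (assumed list).
SEARCH_HOSTS = ("www.google.com", "www.bing.com", "search.yahoo.com", "duckduckgo.com")

# API permissions that expose request or navigation URLs to the extension.
URL_OBSERVING_PERMS = {"webRequest", "webRequestBlocking", "webNavigation", "tabs"}


def host_pattern_matches(pattern, host):
    """Return True if a Chrome match pattern such as '*://*.google.com/*' covers host."""
    if pattern == "<all_urls>":
        return True
    if "://" not in pattern:
        return False  # an API permission name, not a host pattern
    scheme, rest = pattern.split("://", 1)
    if scheme not in ("*", "http", "https"):
        return False
    pat_host = rest.split("/", 1)[0]
    if pat_host == "*":
        return True
    if pat_host.startswith("*."):
        # '*.google.com' matches google.com itself and every subdomain
        return host == pat_host[2:] or host.endswith(pat_host[1:])
    return host == pat_host


def covered_search_hosts(patterns):
    """Search hosts reachable through any of the given match patterns, sorted."""
    return sorted(h for h in SEARCH_HOSTS if any(host_pattern_matches(p, h) for p in patterns))


def triage(manifest_json):
    """Parse one manifest.json and report whether it can observe search queries."""
    m = json.loads(manifest_json)
    perms = set(m.get("permissions", []))
    # Host patterns live in 'permissions' (MV2) or 'host_permissions' (MV3).
    host_patterns = [p for p in perms if p == "<all_urls>" or "://" in p]
    host_patterns += list(m.get("host_permissions", []))
    cs_patterns = [p for cs in m.get("content_scripts", []) for p in cs.get("matches", [])]
    api_perms = sorted(URL_OBSERVING_PERMS & perms)
    if "tabs" in perms:
        # chrome.tabs exposes every tab URL without any host permission.
        api_reach = list(SEARCH_HOSTS)
    elif api_perms:
        api_reach = covered_search_hosts(host_patterns)
    else:
        api_reach = []
    # A content script injected into a result page sees the query directly.
    cs_reach = covered_search_hosts(cs_patterns)
    hosts = sorted(set(api_reach) | set(cs_reach))
    return {
        "name": m.get("name", "?"),
        "api_permissions": api_perms,
        "search_hosts": hosts,
        "can_read_queries": bool(hosts),
    }


# Constructed manifests: one benign, three with query-reading capability.
MANIFESTS = {
    "notes": json.dumps({"manifest_version": 3, "name": "Quick Notes",
                         "permissions": ["storage"]}),
    "mv2_adware": json.dumps({"manifest_version": 2, "name": "Deals Finder",
                              "permissions": ["webRequest", "webRequestBlocking", "<all_urls>"],
                              "background": {"scripts": ["bg.js"]}}),
    "mv3_content": json.dumps({"manifest_version": 3, "name": "Search Booster",
                               "permissions": ["storage"],
                               "host_permissions": ["*://*.google.com/*"],
                               "content_scripts": [{"matches": ["*://*.google.com/*",
                                                                "*://*.bing.com/*"],
                                                    "js": ["inject.js"]}]}),
    "mv3_tabs_only": json.dumps({"manifest_version": 3, "name": "Tab Tidy",
                                 "permissions": ["tabs"]}),
}


def flagged_extensions(manifests=MANIFESTS):
    """Names of manifests that can read search queries, in input order."""
    return [r["name"] for r in (triage(j) for j in manifests.values()) if r["can_read_queries"]]


if __name__ == "__main__":
    for j in MANIFESTS.values():
        print(triage(j))
    print("flagged:", flagged_extensions())
```

On a Windows host the manifests to feed into `triage` sit under `%LOCALAPPDATA%\Google\Chrome\User Data\<profile>\Extensions\<id>\<version>\manifest.json`; extensions side-loaded outside that tree can be found from the browser's command line or the profile's Preferences file. The `tabs` branch is deliberately noisy: the permission alone exposes every tab URL, so a legitimate tab manager is flagged too, and the output is a triage list to review, not a verdict.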