{
	"id": "2e51b16f-d7c5-4a97-ba05-0f85f74f311e",
	"created_at": "2026-04-06T00:08:45.293363Z",
	"updated_at": "2026-04-10T03:28:20.650763Z",
	"deleted_at": null,
	"sha1_hash": "038ca2517e97af0283b7253b7f687bcffc7e01fb",
	"title": "ChromeLoader: a pushy malvertiser",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 101088,
	"plain_text": "ChromeLoader: a pushy malvertiser\r\nBy susannah.matt@redcanary.com\r\nArchived: 2026-04-05 19:08:59 UTC\r\nChromeLoader is a pervasive and persistent browser hijacker that modifies its victims’ browser settings and redirects user traffic to advertisement websites. This malware is introduced via an ISO file that baits users into executing it by posing as a cracked video game or pirated movie or TV show. It eventually manifests as a browser extension.\r\nLike most suspicious browser extensions, ChromeLoader is a relatively benign threat that hijacks user search queries and redirects traffic to an advertising site. However, ChromeLoader uses PowerShell to inject itself into the browser and add a malicious extension to it, a technique we don’t see very often (and one that often goes undetected by other security tools). If applied to a higher-impact threat—such as a credential harvester or spyware—this PowerShell behavior could help malware gain an initial foothold and go undetected before performing more overtly malicious activity, like exfiltrating data from a user’s browser sessions.\r\nWe first encountered this threat after detecting encoded PowerShell commands referencing a scheduled task called “ChromeLoader”—and only later learned that we were catching ChromeLoader in the middle stage of its deployment.\r\nA note on existing research\r\nIn the process of writing this blog, we found two related articles that warrant a mention—and that are definitely worth reading:\r\nChoziosi Loader: The folks at G-Data wrote a great article on a threat they call “Choziosi Loader” that validates a lot of our own ChromeLoader findings.\r\nThe macOS variant: Once we knew about G-Data’s Choziosi naming convention, we discovered another excellent write-up by Colin Cowie analyzing a macOS variant of ChromeLoader.\r\nIn this article, we share important elements of the ChromeLoader infection chain and security guidance that you can apply to detect and hunt for ChromeLoader activity in your environment. While some of the information in this blog overlaps with existing research published by G-Data and Colin Cowie, we’re sharing new insights and guidance that security teams can use to develop behavioral analytics to detect ChromeLoader.\r\nInitial access\r\nChromeLoader is delivered by an ISO file, typically masquerading as a torrent or cracked video game. It appears to spread through pay-per-install sites and social media platforms such as Twitter.\r\nhttps://redcanary.com/blog/chromeloader/\r\nPage 1 of 10\r\nFigure 1: Redacted screenshot of a Twitter post with scannable QR code leading to ChromeLoader’s initial download site\r\nOnce downloaded and executed, the .ISO file is extracted and mounted as a drive on the victim’s machine. Within this ISO is an executable used to install ChromeLoader, along with what appears to be a .NET wrapper for the Windows Task Scheduler. This is how ChromeLoader maintains its persistence on the victim’s machine later in the intrusion chain.\r\nFigure 2: VirusTotal analysis on files dropped by malicious ISO\r\nExecution and persistence\r\nExecuting CS_Installer.exe creates persistence through a scheduled task using the Service Host Process (svchost.exe). Notably, ChromeLoader does not call the Windows Task Scheduler (schtasks.exe) to add this scheduled task, as one might expect. Instead, we saw the installer executable load the Task Scheduler COM API, along with a cross-process injection into svchost.exe (which is used to launch ChromeLoader’s scheduled task).\r\nFigure 3: Carbon Black console crossprocs and modloads of CS_Installer.exe\r\nFigure 3 depicts the cross-process injection into svchost.exe. Cross-process injection is frequently used by legitimate applications but may be suspicious if the originating process is located on a virtual drive (like those that you’d expect an ISO file to mount on). It’s a good idea to keep an eye out for processes executing from file paths that don’t reference the default C:\\ drive and that initiate a cross-process handle into a process that is on the C:\\ drive. This will not only offer visibility into ChromeLoader activity, but also into the many worms that originate from removable drives and inject into C:\\ drive processes, like explorer.exe, to propagate on a victim’s machine.\r\nAfter the cross-process injection is complete, ChromeLoader’s scheduled task will execute through svchost, calling the Command Interpreter (cmd.exe), which executes a Base64-encoded PowerShell command containing multiple declared variables. ChromeLoader uses the shortened -encodedcommand flag to encode its PowerShell command:\r\nFigure 4: Encoded PowerShell content spawned by ChromeLoader’s scheduled task\r\nOnce decoded and beautified, the command looks like this:\r\nFigure 5: PowerShell CLI decoded and beautified by reddit user “Russianh4ck3r”\r\nIn this command, PowerShell checks if the ChromeLoader extension is installed. If the specific file path is not found, it will pull down an archive file from a remote location using wget and load the contents as a Chrome extension. Once the extension is found, this PowerShell command will silently remove the ChromeLoader scheduled task using the Unregister-ScheduledTask function.\r\nChromeLoader then loads its extension into Chrome by using PowerShell to spawn Chrome with the --load-extension flag and references the file path of the downloaded extension.\r\nFigure 6: PowerShell spawning Chrome\r\nOnce loaded in Chrome, the malicious extension can execute its true objective: redirecting victim search results through malvertising domains and redirecting away from the Chrome extensions page if the user attempts to remove the extension.\r\nmacOS Variation\r\nIn late April, Colin Cowie published an analysis of the macOS version of ChromeLoader, which is capable of loading malicious extensions into both the Chrome and Safari web browsers. After reading Colin’s blog, we retroactively analyzed some Red Canary threat detections that seemed to constitute partial execution of this variation from a published detection in late February. As illustrated below, ChromeLoader redirects an encoded command from a Bourne shell (sh) into a Bourne-again SHell (bash). The command itself searches for a Google Chrome process using grep, then loads the malicious extension from /private/var/tmp/ if the process is found.\r\nFigure 7: Decoded Bash command loading malicious extension into Chrome\r\nThe macOS variation has the same initial access technique as the Windows variant, namely that it uses baited social media posts with QR codes or links that direct users to malicious pay-per-install download sites. Instead of originating as an ISO, the macOS variation originates in an Apple Disk Image (DMG) file format. And unlike the Windows variation, the DMG file contains an installer script that drops payloads for either Chrome or Safari, not a portable executable file. When executed by the end user, the installer script then initiates cURL to retrieve a ZIP file containing the malicious browser extension and unzips it within the /private/var/tmp directory, finally executing Chrome with command-line options to load the malicious extension.\r\nFigure 8: Bash script downloading and decompressing the ChromeLoader browser extension. Image courtesy of Colin Cowie.\r\nTo maintain persistence, the macOS variation of ChromeLoader will append a preference (plist) file to the /Library/LaunchAgents directory. This ensures that every time a user logs into a graphical session, ChromeLoader’s Bash script can continually run. Once installed, ChromeLoader performs the same activity as it does on Windows machines: redirecting web traffic through advertising sites.\r\nDetection\r\nDetection opportunity 1: PowerShell containing a shortened version of the encodedCommand flag in its command line\r\nThis pseudo detection logic looks for the execution of encoded PowerShell commands. Not all encoded PowerShell is malicious, but encoded commands are worth keeping an eye on.\r\nprocess_name == powershell.exe\r\n\u0026\u0026\r\ncommand_line_includes (-e, -en, -enc, [going on sequentially until the full flag, -encodedcommand])\r\nNote: Many applications will legitimately encode PowerShell and make use of these shortened flags. Some tuning may be required, depending on your environment. To refine this detection analytic, consider looking for multiple variables in the decoded PowerShell block paired with the use of a shortened encodedCommand flag stated above. Variables are declared in PowerShell using $.\r\ndecoded_command_line_includes == $\r\nDetection opportunity 2: PowerShell spawning chrome.exe containing load-extension and AppData\\Local within the command line\r\nThe detection analytic looks for instances of the Chrome browser executable spawning from PowerShell with a corresponding command line that includes appdata\\local as a parameter.\r\nparent_process_name == powershell.exe\r\n\u0026\u0026\r\nprocess_name == chrome.exe\r\n\u0026\u0026\r\ncommand_line_includes (AppData\\Local, load-extension)\r\nDetection opportunity 3: Shell process spawning process loading a Chrome extension within the command line\r\nThis analytic looks for sh or bash scripts running in macOS environments with command lines associated with the macOS variant of ChromeLoader.\r\nparent_process_equals_any (sh || bash)\r\n\u0026\u0026\r\nprocess_name_is_osx?\r\n\u0026\u0026\r\ncommand_line_includes (/tmp/ || load-extension || chrome)\r\nDetection opportunity 4: Redirected Base64 encoded commands into a shell process\r\nLike the encoded PowerShell detection analytics idea above, this detector looks for the execution of encoded sh, bash, or zsh commands on macOS endpoints.\r\ncommand_line_includes (echo, base64)\r\n\u0026\u0026\r\nchildproc_equals_any (sh,bash,zsh)\r\nNote: As is the case with PowerShell, there are many legitimate uses for encoding shell commands. Some tuning may be required, depending on your environment.\r\nConclusion\r\nWe hope this blog helps you improve your defense-in-depth against ChromeLoader specifically—but also for any variety of other threats that leverage suspicious ISO/DMG files and PowerShell/Bash execution. As always, each environment is different and certain administrative or user workflows may trigger your new detection analytics. Please be sure to tune accordingly. Happy hunting!\r\nSource: https://redcanary.com/blog/chromeloader/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://redcanary.com/blog/chromeloader/"
	],
	"report_names": [
		"chromeloader"
	],
	"threat_actors": [
		{
			"id": "81dde5cc-c29f-430d-8c6e-e5e92d5015e7",
			"created_at": "2022-10-25T16:07:23.704358Z",
			"updated_at": "2026-04-10T02:00:04.718034Z",
			"deleted_at": null,
			"main_name": "Harvester",
			"aliases": [],
			"source_name": "ETDA:Harvester",
			"tools": [
				"Agentemis",
				"Cobalt Strike",
				"CobaltStrike",
				"Graphon",
				"Metasploit",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434125,
	"ts_updated_at": 1775791700,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/038ca2517e97af0283b7253b7f687bcffc7e01fb.pdf",
		"text": "https://archive.orkl.eu/038ca2517e97af0283b7253b7f687bcffc7e01fb.txt",
		"img": "https://archive.orkl.eu/038ca2517e97af0283b7253b7f687bcffc7e01fb.jpg"
	}
}