{
	"id": "221a18f9-b0e4-42f4-9ead-fba671e29d2a",
	"created_at": "2026-04-06T00:16:24.342434Z",
	"updated_at": "2026-04-10T03:36:48.145753Z",
	"deleted_at": null,
	"sha1_hash": "09fb27afd13ff404702e6d841396beb50e2addc8",
	"title": "The Evolution of the Chromeloader Malware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1494622,
	"plain_text": "The Evolution of the Chromeloader Malware\r\nBy Abe Schneider, Bethany Hardin, Lavine Oluoch\r\nPublished: 2022-09-19 · Archived: 2026-04-05 15:03:57 UTC\r\nExecutive Summary\r\nChromeLoader proves to be an extremely prevalent and persistent malware. It initially drops as an .iso and can be\r\nused to leak users’ browser credentials, harvest recent online activity and hijack the browser searches to display\r\nads. The VMware Carbon Black Managed Detection and Response (MDR) team observed the first Windows\r\nvariants of ChromeLoader in the wild in January 2022 and the macOS version in March 2022.\r\nThere are some known variants of ChromeLoader, including ChromeBack and Choziosi Loader. Unit 42\r\nresearchers have found evidence of The Real First Windows Variant using the AHK (AutoHotKey) tool to compile\r\na malicious executable and drop version 1.0 of the malware.\r\nAlthough this sort of malware is created with an intent to feed adware to the user, ChromeLoader also increases\r\nthe attack surface of an infected system. This can eventually lead to much more devastating attacks such as\r\nransomware. In this article, the VMware Carbon Black MDR team will show evidence of such attacks happening.\r\nHistory\r\nAt the beginning of January 2022, the malware CS_installer was seen in the wild targeting Chrome browsers.\r\nCS_installer used ISO image file downloads and relied on user execution to initiate infection. The malware\r\nultimately aimed to install a Chrome extension that acted as a browser hijacker, gathering personal information\r\nand tracking the user’s browsing activity. CS_installer was also known as ChromeLoader as that was one of the\r\nnames of the scheduled task the malware created. 
CS_Installer used a .NET executable by the same name to kick\r\noff the infection chain and install the malicious Chrome extension.\r\nhttps://blogs.vmware.com/security/2022/09/the-evolution-of-the-chromeloader-malware.html\r\nPage 1 of 11\n\nCS_Installer activity died down for a bit and soon after a similar malware emerged. While this was also delivered\r\nvia ISO files, there were differences in execution. This more recent malware relies on a batch script in the mounted\r\ndrive to install the second stage payload, also delivered within the same ISO, and start the infection. This payload,\r\nwhich would be the main malware file moving forward, has varying names; some of the most common ones are\r\nmentioned below.\r\nWhile the initial infection techniques and the contents of these two malware types are different, the objective is\r\nthe same: to gather user data and track browsing activity while feeding adware. The naming convention of the\r\nscheduled tasks used by both samples to gain persistence was also very similar to ChromeLoader. In addition, the\r\ncoincidental timing of this second malware emerging right after CS_Installer/ChromeLoader died down would\r\nlead us to hypothesize that they are the same malware, the second variant being an evolution of the first.\r\nOther security professionals at Palo Alto Networks and Red Canary have alluded to the similarity and possible\r\nconnection between these two malware families. We will therefore also reference the second variant as ChromeLoader as\r\nwe analyze the incidents MDR has responded to in this article.\r\nChromeLoader Delivery\r\nIn a ChromeLoader infection, malware authors offer pirated or cracked versions of games or software. They\r\ntypically distribute this software on social media platforms, through torrents, on pirating sites, or bundled with\r\nlegitimate games and software. When the victim installs this malicious file, they unknowingly download an ISO\r\nfile that contains ChromeLoader and oftentimes other malware. 
This optical disk image file is unable to do any\r\nharm to the machine until the victim double-clicks on the ISO and runs the Install shortcut. The user is likely to\r\nopen this file, thinking it’s a legitimate game download.\r\nAttack Chain\r\nThe disk image is mounted as a virtual CD-ROM disk, with contents similar to the graphic below:\r\nOnce the Install shortcut is double-clicked, resources.bat executes the command tar -xvf \"app.zip\" -C, extracting\r\nthe contents of app.zip into \"C:\\Users\\UserName\\AppData\\Roaming\".\r\nAn executable is then dropped onto the user’s device. In this case bloom.exe is the executable.\r\nOther variants are listed below:\r\nCash.exe\r\nFlbmusic.exe\r\nOpensubtitles-uploader.exe\r\nDiet.exe\r\nHealthy.exe\r\nStrength.exe\r\nShape.exe\r\nEnergy.exe\r\nBloom.exe\r\nTone.exe\r\nEmbedded within the bloom.exe binary is nw.exe, a software component of NW.js. NW.js allows\r\ndevelopers to write native applications in HTML and JavaScript, and further allows Node.js modules to be called\r\ndirectly from the Document Object Model (DOM). Its name stands for Node-Webkit, and it was built upon\r\nChromium/Node.js, which provides the application runtime that allows the executable to make successful external\r\nnetwork connections to malicious websites.\r\nInstances of this malware also use scheduled tasks for persistence. 
A list of task names used includes:\r\n$tsn = @(\"chrome window\", \"chrome panel\", \"chrome tab\", \"chrome view\", \"chrome cast\", \"chrome history\",\r\n\"chrome flags\", \"chrome bookmarks\", \"chrome conf\", \"chrome storage\", \"chrome tools\", \"chrome settings\",\r\n\"chrome support\", \"chrome tele\")\r\nThe dropped archive bat files (resources.bat, configuration.bat, properties.bat) create a Run key to persist the\r\nmalware. They do this by unzipping various .DLLs into the \\AppData\\Roaming folder and\r\nadding registry keys as seen below:\r\nreg add \"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\" /v Bloom /t\r\nREG_SZ /d \"C:\\Users\\*\\AppData\\Roaming\\Bloom\\Bloom.exe -qyS7\" /f\r\nThese dropped executable files were also seen attempting to harvest browser credentials.\r\nThe adware eventually executes a base64-encoded PowerShell script that creates and writes encoded text in the\r\nregistry. Some examples of the registry keys we’ve seen being created are:\r\nHKCU:\\Software\\LogiShdr\\\r\nHKCU:\\Software\\Martin Prikyrl\\\r\nHKCU:\\Software\\SiberSystems\\\r\nHKCU:\\Software\\aignes\\\r\nHKCU:\\Software\\BinaryFortressSoftware\\\r\nHKCU:\\Software\\AeroTechnologies\\\r\nHKCU:\\Software\\LightScribe\\\r\nHKCU:\\Software\\ZabaraKatranemiaPlc\\\r\nThe encoded script written to this location is executed at set intervals, making network connections to suspect\r\ndomains such as:\r\noughsheukwa[.]autos\r\nukizeiasnin[.]com\r\nlyrecomemu[.]xyz\r\ntooblycars[.]com\r\ntexceededon[.]autos\r\nymenthejuiasq[.]xyz\r\nkoooblycar[.]com\r\nrooblimyooki[.]com\r\nYooblygoobnku[.]com\r\nringhereny[.]autos\r\nSoon after this PowerShell command is run, the malware attempts to load the Chrome extension chrome_zoom as\r\nseen in the screenshot below:\r\nWe have also seen evidence of the executables (prime.exe, bloom.exe, etc.) then spawn 
outlook.exe to be used for\r\ndata exfiltration as seen in the example below.\r\nEvolution Timeline\r\nTone.exe was first seen in the wild at the end of January 2022. This was one of the first evolutions of\r\nChromeLoader and is mentioned in an article from Palo Alto Networks Unit 42 as Variant 2.\r\nFollowing the spread of Tone.exe, the VMware Carbon Black MDR team saw bloom.exe make an appearance in\r\ncustomer environments beginning March 2022. The .iso file the user downloads contains the batch script,\r\nresources.bat, which unzips the file bloom.exe. This executable is seen making external network connections\r\nand exfiltrating sensitive data.\r\nSince the release of the Bloom variant there have been numerous new ChromeLoader renditions that follow the\r\nsame attack chain and use different process names and hashes to avoid detection. Below is a chart showing the\r\ndate each variant was first detected in our customers’ environments and some of the naming conventions that were\r\nused with each variant.\r\nNotable Variants\r\nOpensubtitles-uploader.exe\r\nThis variant drops properties.bat instead of the previously seen resources.bat. In the ISO archive, there is an\r\nexecutable named opensubtitles-uploader.exe. OpenSubtitles is a legitimate program that helps users find\r\nsubtitles for popular movies and TV shows; however, in this case, the malware author is impersonating the\r\nsoftware by using the same name. 
This executable is used in conjunction with this adware program and redirects\r\nweb traffic, steals credentials, and recommends other malicious downloads posing as legitimate updates.\r\nSimilar to previous variants, tar is used to unzip the archive files.zip to the AppData\\Roaming directory, followed\r\nby properties.bat adding Run keys to the registry for persistence. OpenSubtitles is also masquerading as the file\r\nnw.exe, which is used in order to run JavaScript and HTML programs.\r\nThe most recent ChromeLoader variants are commonly unknown and don’t appear to be malicious at a glance. The\r\nVMware Carbon Black MDR team has become accustomed to identifying the new ChromeLoader IOCs and can\r\nstop the attack quickly.\r\nFlbmusic.exe\r\nThis variant is typically dropped on Windows systems. Its configuration.bat file unzips the folder named\r\nfiles.zip, which contains the executable flbmusic.exe and various other libraries and files. Soon after,\r\nflbmusic.exe is added to the \\CurrentVersion\\Run key for persistence, followed by the executable being started.\r\nFLB Music\r\nFlbmusic.exe is a legitimate program for cross-platform music playing. However, the malware author is\r\nimpersonating this software. This program contains electron.exe.pdb, which is a portable database used in\r\ndebugging configurations for Electron.\r\nVery similar to ChromeLoader’s previous versions using NW.js, Electron is a runtime that allows you to create\r\ndesktop applications with HTML5, CSS, and JavaScript. By embedding Chromium and Node.js into its binary,\r\nElectron allows attackers to load in modules that allow these applications to listen on specified ports and\r\ncommunicate over the network.\r\nElectron requires you to package your app before distributing it, and that package contains the application’s unprotected source\r\ncode. 
This makes it possible for application X to extract application Y and inject vulnerable scripts, without the\r\nvictim knowing it.\r\nEvidence of Attack Escalation and Module Loading\r\nWhile thought to be just a credential-stealing browser hijacker, ChromeLoader has been seen in its newest variants\r\nto be delivering more malicious malware and being used for other nefarious purposes.\r\nAs recently as late August, ZipBombs have been seen being dropped onto infected systems. The ZipBomb is\r\ndropped with the initial infection in the archive the user downloads. The user must double-click for the ZipBomb\r\nto run. Once run, the malware destroys the user’s system by overloading it with data. The ZipBomb, seen in\r\nChromeLoader archives, is the classic and sophisticated 42.zip, which is 42 kilobytes in size when compressed\r\nbut over 40 petabytes when decompressed. This file has been seen under the names vir.exe, very_fun_game.zip,\r\npasswords.zip, AzizGame (1).zip, nudes.zip, unreleased_songs.zip, FreeNitro.zip, jaws2018crack.zip.\r\nAnother malware included in the archive the user downloads is Enigma Ransomware. This attack has also been\r\nseen as recently as late August 2022. It is distributed in HTML attachments found in the archive. When the\r\nattachment is opened, it will launch the default browser, execute its embedded JavaScript, and then follow its\r\nstandard chain. Names that have been seen in this attack include REG-archive.zip and KeyFILE-Generator_protected.exe. The malware will typically drop its ransom note as readme.txt.\r\nAnother part of the infection seen is that in some cases, the attacker uses their installation servers to download and\r\ninstall unsecured versions of Windows. 
The URLs seen include:\r\nhXXp://ctldl[.]windowsupdate[.]com/msdownload/update/v3/static/trustedr/en/disallowedcertstl[.]cab\r\nhXXp://ctldl[.]windowsupdate[.]com/msdownload/update/v3/static/trustedr/en/authrootstl[.]cab\r\nMore information on this can be found at Microsoft’s website.\r\nAnother piece of software seen in the .bat downloaded by the user is uTorrent. It is often named after cracks, movies,\r\nvideo games, or wallpapers.\r\nSome names seen include:\r\nwild.eight.v0.6.19.multi.8.cracked3dm.torrent\r\nneed for speed rivals crack v3 updated december zip\r\nmechanic.simulator.2018.update.v1.0.4bat.torrent\r\nVector magic desktop edition 1.15 product key\r\nNeed for speed most wanted (2005 video game) download\r\nevangile.w.happiness.steam.edition.rar\r\ncreed.originsfull.unlocked.part03.rar\r\nWhile uTorrent itself is just a BitTorrent client for Windows, it often comes bundled with other malware that the\r\nuser chooses to accept to install when asked if they accept the EULA. uTorrent will also install the unsecured\r\nversions of Windows that have been mentioned previously.\r\nCarbon Black Detection\r\nOur skilled MDR analysts continuously hunt for prevalent and active threats in our customers’ environments.\r\nThus far we have found 50+ infected organizations that use our services. VMware Carbon Black products prove\r\nto be very reliable when detecting and alerting on malicious behavior generated by ChromeLoader; our sensors pick\r\nup behaviors that many other security vendors can’t.\r\nSince the behaviors and tactics of this malware have changed so frequently, the majority of current IOCs such as\r\nfile hashes and C2 IPs become unreliable indicators of infection. Our MDR analysts are highly trained to pick out\r\nmalicious behavior. Using data generated from recent attacks seen in other organizations, the team is able to\r\nquickly confirm malicious behaviors and contain the threat. 
MDR continues to prove that human expertise is\r\nextremely valuable to contain threats and respond in a timely manner.\r\nSummary\r\nIt’s no surprise that this pesky adware has been one of our most frequent attacks. This campaign has gone through\r\nmany changes over the past few months, and we don’t expect it to stop.\r\nThe VMware Carbon Black MDR team is highly efficient at detecting this threat and has found that of over 50+\r\ncustomers, the majority of the infected are in the business services industry, followed by government.\r\nIn the picture above we have broken down the attack prevalence across industries and how each industry is\r\nimpacted by the different executables of ChromeLoader. The majority of cases we are seeing are linked to\r\nBloom.exe, followed by Energy.exe. It is imperative that these industries take note of the prevalence of this attack\r\nand prepare to respond to it, because as seen above ChromeLoader can lead to nastier infections.\r\nAs we’ve seen in previous ChromeLoader infections, this campaign widely leverages powershell.exe and is likely\r\nto lead to more sophisticated attacks. The Carbon Black MDR team believes this is an emerging threat that needs\r\nto be tracked and taken seriously due to its potential for delivering more nefarious malware. It has been seen\r\nbefore that adware is waved off as just being a nuisance malware; however, because of this, malware authors are\r\nable to take advantage and use it for wider attacks like Enigma ransomware.\r\nIt’s important to track all threats in an environment. 
VMware’s Carbon Black MDR team makes this possible by\r\ntracking and responding to the threats for you and your environment.\r\nSource: https://blogs.vmware.com/security/2022/09/the-evolution-of-the-chromeloader-malware.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blogs.vmware.com/security/2022/09/the-evolution-of-the-chromeloader-malware.html"
	],
	"report_names": [
		"the-evolution-of-the-chromeloader-malware.html"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434584,
	"ts_updated_at": 1775792208,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/09fb27afd13ff404702e6d841396beb50e2addc8.pdf",
		"text": "https://archive.orkl.eu/09fb27afd13ff404702e6d841396beb50e2addc8.txt",
		"img": "https://archive.orkl.eu/09fb27afd13ff404702e6d841396beb50e2addc8.jpg"
	}
}