{
	"id": "1d961f85-837a-4b33-a5b2-fb981d306245",
	"created_at": "2026-04-06T00:17:55.033793Z",
	"updated_at": "2026-04-10T03:36:48.264722Z",
	"deleted_at": null,
	"sha1_hash": "1991e860518ff727b45dd35c9f23f894b2eedae2",
	"title": "Chromeloader browser hijacker – CYBER GEEKS",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3292432,
	"plain_text": "Chromeloader browser hijacker – CYBER GEEKS\r\nPublished: 2022-08-30 · Archived: 2026-04-05 20:09:32 UTC\r\nSummary\r\nWe analyzed a new version of ChromeLoader (also known as Choziosi Loader) that was seen in the wild in recent weeks.\r\nThis ChromeLoader campaign, which appears to have started in December 2021, has become widespread and has spawned multiple versions, making atomic indicators ineffective for detection.\r\nIn our analysis we will discuss the capabilities of this loader and try to dig a little deeper, in order to find some indicators that will be more difficult for the threat actor to alter without making significant changes to the malware’s architecture (at least compared to extracting domains, IPs and hashes as the only IOCs).\r\nWe start our analysis with the execution of the obfuscated PowerShell that ultimately downloads the malicious extension onto the host.\r\nWe have managed to extract some interesting strings from the different stages of the malware, as well as discovering a few modules that are not in use at the moment (or are not working properly), but could give a hint about what functionality will be added to the malware in the future.\r\nWe will not be covering the dropper in this analysis, as it is already quite well documented and no significant changes were seen in new versions of ChromeLoader.\r\nFor more information on the dropper, a collection of atomic indicators and a comparison between the different versions seen in the wild, we recommend the article put out by Unit42, as it is quite extensive:\r\nhttps://unit42.paloaltonetworks.com/chromeloader-malware/#post-123828-_rk3otl9durd\r\nOk, let’s get to it.\r\nStatic Analysis\r\nWe start our analysis with a PowerShell command that connects to the C2 server used for the installation (different from the C2 used for data exfiltration) to download the first malicious payload, as well as to set the ground for the extension’s installation.\r\nWhile the initial PowerShell is heavily obfuscated, there are a few strings of interest that we can identify with little effort. One of them is the function that builds the URL for the installation C2 server. We can also see the Invoke-Expression cmdlet.\r\nhttps://cybergeeks.tech/chromeloader-browser-hijacker\r\nPage 1 of 16\r\nImage 1 – Installer URL visible in the initial PowerShell\r\nBy changing one of the visible iex expressions to Write-Output, we were able to make good progress without bothering with decrypting the script.\r\nImage 2\r\nNOTE: this method is a lot faster than manual deobfuscation, but can miss details that could be relevant for the analysis (for instance, there could be further obfuscated Invoke-Expression calls that we cannot see, and whatever they would have run stays hidden). Just something to keep in mind.\r\nRunning the script like this downloads a C# script from the installation server present in the command. During normal execution it would then invoke it.\r\nThe C# script gives us some good hints about the capability of the malware.\r\nSome interesting function names:\r\ngetGoogSearchUri\r\nhookSearchNavigation\r\nrunChromeOrEdge\r\nrunFirefox\r\nrunThread\r\nSome interesting methods:\r\npaneConditionChromeOrEdge\r\neditConditionChromeOrEdge\r\ntoolbarConditionFirefox\r\ncomboboxConditionFirefox\r\neditboxConditionFirefox\r\nWhile previous analyses of the malware concluded that it would only affect Chrome browsers, we can see here that it checks whether Chrome, Edge or Firefox is installed and can hook any of these.\r\nIt seems to be mostly interested in the user’s search activity, as it intercepts searches done on Google and then redirects them to Bing.\r\nIt also intercepts keyboard keys to account for users who navigate the results with the keyboard.\r\nImage 3 – the extension is looking for Google search links\r\nImage 4 – the extension can intercept keystrokes\r\nImage 5 – methods exist for both Chromium browsers and Firefox\r\nImage 6 – the C2 URL is dynamic and built with variables extracted from the script and the user environment\r\nIn the string from image 6, the URL is built using the following variables:\r\nDomain\r\nTID is a hardcoded value in the script; the value was the same every time for this version of the malware, so maybe it is used for versioning\r\nU is a unique identifier for the user\r\nWe could not determine what “ist” is at this time\r\nOnce the C# code finishes, it is followed by a series of additional PowerShell commands that will build it, load it into memory and run it.\r\nPowerShell is used again to build the URL from which the next payload will be downloaded.\r\nImage 7 – PowerShell is used to build the C# code\r\nThe commands suggest that a new archived file will be downloaded and expanded into a new folder under the user’s APPDATA, whose name is randomly generated by the script via an XOR operation.\r\nThe following function sets up the key for the encryption:\r\nImage 8 – It uses a random number and the current date to always provide a new encryption key\r\nIt looks like the script is testing multiple possible paths to see if they exist before finally settling on one and downloading the corresponding archive:\r\nImage 9 – C2 URL is built with variables extracted from the script and the host, same for the installation path\r\nDynamic Analysis\r\nIndeed, after arming the sample and detonating it, we can see a new folder in AppData called “chrome_glass”:\r\nImage 10 – a fairly simple Chrome extension\r\nBefore creating the folder, the malware verifies whether one of the following paths already exists (the paths are written as %AppData%\\Local\\ throughout this report; that is the directory Windows exposes as %LocalAppData%):\r\n%AppData%\\Local\\chrome_metric\r\n%AppData%\\Local\\chrome_pref\r\n%AppData%\\Local\\chrome_settings\r\n%AppData%\\Local\\chrome_tools\r\n%AppData%\\Local\\chrome_storage\r\n%AppData%\\Local\\chrome_configuration\r\n%AppData%\\Local\\chrome_bookmarks\r\n%AppData%\\Local\\chrome_flags\r\n%AppData%\\Local\\chrome_history\r\n%AppData%\\Local\\chrome_cast\r\n%AppData%\\Local\\chrome_view\r\n%AppData%\\Local\\chrome_tab\r\n%AppData%\\Local\\chrome_panel\r\n%AppData%\\Local\\chrome_window\r\n%AppData%\\Local\\chrome_control\r\n%AppData%\\Local\\chrome_glass\r\n%AppData%\\Local\\chrome_nav\r\nWe can see how the script downloaded the C# code and then built it into a .dll in the Temp folder:\r\nImage 11 – the stager is built and executed in the user’s Temp folder, and then deleted\r\nThe Temp\\<random>\\<random>.cs, .cmdline, .out and .dll files are the artifacts csc.exe leaves behind whenever PowerShell’s Add-Type compiles C# source; legitimate scripts produce exactly the same layout, so these paths are only a useful signal in combination with the other indicators below.\r\nThere are also some evasion mechanisms here that are worth pointing out:\r\nThe files are downloaded, run and then deleted\r\nThe PSScriptPolicyTest file is written to Temp, which confirms that the folder is writable and that files can be deleted from it (note that PowerShell itself writes a __PSScriptPolicyTest_*.ps1 file to Temp on every start to probe the application-control policy, so this artifact on its own is not malware-specific)\r\nA new directory is created with a randomly generated name, to ensure that the files cannot easily be retrieved by tools such as DirWatch\r\nLet’s also look at registry changes. We caught hints in the PowerShell script earlier that the installer will also write a value under “HKCU:\\Software\\CodeSector\\”.\r\nAnd indeed, we see a new registry key being added:\r\nImage 12 – A new registry key is added\r\nIt is unclear at this time why the registry key is added, as there was no follow-up activity for this key. Perhaps it serves as a mutex of some sort for the attacker, to avoid infecting the same host twice.\r\nNow let’s look at the items that were unpacked from the archive.\r\nThis is a Chrome extension; we can see that quite a few permissions are requested (manifest.json):\r\nImage 13\r\nImage 14 – the .js file is heavily obfuscated, to hinder analysis\r\nUsing an online deobfuscator (https://deobfuscate.io/), we get more readable code, but it is still hard to follow. We did however manage to extract a URL and an interesting base64-encoded string. We also noticed a function that seems to be modifying some Chrome settings:\r\nImage 15\r\nThe JavaScript contains multiple switch statements (control-flow flattening), in an attempt to make analysis of the code as hard as possible. At this point it is possible to start decoding the code manually, but it would be quite cumbersome.\r\nSince our goal is to identify some unique indicators that we can use for detection, we will just note a few interesting functions that give us a hint about what the extension is trying to do, and instead attempt some basic dynamic analysis.\r\nOnce the sample detonates, we see the request for the domain that we found in the JS file:\r\nImage 16 – DNS queries for the C2\r\nImage 17 – The traffic is sent (and encrypted) via the QUIC protocol.\r\nImage 18 – Procmon shows how Chrome successfully loads the libraries used for encryption\r\nImage 19 – Establishing the connection (notice the full URL and the base64-encoded string that was identified in the JS – “bmpmcHdXUldDQl9cUERDWFtVSUBYX1UMTltYUEFBEltQRkZcXF9AR1kWFQUVBw4=”; this looks to be an identifier of sorts)\r\nImage 20 – Cookies are made persistent\r\nImage 21\r\nNetwork indicators:\r\nWe know that the extension is using QUIC as a transport protocol for fast and encrypted communication. But, since we control the execution, we can force Chrome to dump the TLS session keys (by launching it with the SSLKEYLOGFILE environment variable pointing at a file) so we can load them in Wireshark and decrypt the traffic.\r\nImage 22 – Decrypted QUIC traffic\r\nSuspicious DNS queries and responses:\r\ngoog.withyourrety[.]xyz: type A, class IN, addr 104.21.70.206\r\ngoog.withyourrety[.]xyz: type A, class IN, addr 172.67.139.75\r\nFreychang[.]fun: type A, class IN, addr 104.21.45.207\r\nFreychang[.]fun: type A, class IN, addr 172.67.218.221\r\nUsing the IPs extracted from the DNS queries, the following interesting strings were identified:\r\nGREASE is the word\r\nHEX:\r\n9b8d047b7db70d45ca16cf225df6e36ce3dcb0bec41dee190f8f20c859de8861967d771e2f4d572f4f7f5dfc04d5d5\r\nThe same “GREASE” string appears in other packets, as part of the HTTP/3 SETTINGS exchange (SETTINGS is a frame type in HTTP/3, and clients deliberately send reserved “GREASE” values alongside it to keep the protocol extensible). Note that “GREASE is the word” is the payload Chromium itself places in the reserved-type frame it sends on every HTTP/3 connection, so this string identifies a Chromium client rather than this malware and should not be used as an indicator on its own.\r\nImage 23\r\nImage 24\r\nA 302 redirect status response code:\r\n\u003chtml\u003e\r\n\u003chead\u003e\u003ctitle\u003e302 Found\u003c/title\u003e\u003c/head\u003e\r\n\u003cbody\u003e\r\n\u003ccenter\u003e\u003ch1\u003e302 Found\u003c/h1\u003e\u003c/center\u003e\r\n\u003chr\u003e\u003ccenter\u003eopenresty/1.15.8.3\u003c/center\u003e\r\n\u003c/body\u003e\r\n\u003c/html\u003e\r\nWhile the page gives a code 302, it redirects back to goog[.]withyourrety[.]xyz, so this is probably a redundancy in case one of the IPs the domain resolves to is no longer reachable.\r\nImage 25\r\nRunning Chrome:\r\nUsing the browser once the malicious extension was installed does indeed reflect what we have seen up to this point:\r\nAny search made on google.com is redirected to withyourrety[.]xyz, and then eventually to Bing (image 25)\r\nThe extension messes with the Chrome settings and does not allow the user to view the Extensions pane. When trying to do so, the user is redirected to the main settings page\r\nThe extension is hidden by default and cannot be turned off, but can be removed by right-clicking on it and removing it from the browser\r\nWe can see the hardcoded cookies that we encountered earlier (image 27)\r\nImage 26\r\nImage 27\r\nAt this time the implant for Firefox does not seem to function. When attempting to install the extension on a host without any Chromium browser, the process hung and no Firefox instance was started.\r\nIndicators of Compromise:\r\n# Files:\r\n6A84FE906EBBEED933D7776731FE7118E1E028C1 – *background.js\r\nB7CD274E9C4036DC3F27D347A8428B40437A7AFA – *manifest.json\r\nE1DCD96B5D14141E2F6EE50246E68EE7499E4D87 – %AppData%\\Local\\data.zip\r\n# Paths:\r\n%AppData%\\Local\\chrome_metric\r\n%AppData%\\Local\\chrome_pref\r\n%AppData%\\Local\\chrome_settings\r\n%AppData%\\Local\\chrome_tools\r\n%AppData%\\Local\\chrome_storage\r\n%AppData%\\Local\\chrome_configuration\r\n%AppData%\\Local\\chrome_bookmarks\r\n%AppData%\\Local\\chrome_flags\r\n%AppData%\\Local\\chrome_history\r\n%AppData%\\Local\\chrome_cast\r\n%AppData%\\Local\\chrome_view\r\n%AppData%\\Local\\chrome_tab\r\n%AppData%\\Local\\chrome_panel\r\n%AppData%\\Local\\chrome_window\r\n%AppData%\\Local\\chrome_control\r\n%AppData%\\Local\\chrome_glass\r\n%AppData%\\Local\\chrome_nav\r\n%AppData%\\Local\\Temp\\[a-zA-Z0-9]{8}\r\n%AppData%\\Local\\Temp\\[a-zA-Z0-9]{8}\\[a-zA-Z0-9]{8}.cs\r\n%AppData%\\Local\\Temp\\[a-zA-Z0-9]{8}\\[a-zA-Z0-9]{8}.dll\r\n%AppData%\\Local\\Temp\\[a-zA-Z0-9]{8}\\[a-zA-Z0-9]{8}.cmdline\r\n%AppData%\\Local\\Temp\\[a-zA-Z0-9]{8}\\[a-zA-Z0-9]{8}.out\r\n(the four Temp patterns are generic Add-Type compilation artifacts; weight them low on their own)\r\n# Domains:\r\nMplayeran[.]autos\r\nWithyourrety[.]xyz\r\nFreychang[.]fun\r\n# Registry:\r\nComputer\\HKEY_CURRENT_USER\\SOFTWARE\\CodeSector\\Tera Copy\r\n(CodeSector is the vendor of the legitimate TeraCopy utility, so the key name is chosen to blend in; confirm TeraCopy is not installed on the host before treating the key as an indicator)\r\n# IPs:\r\n104.21.70.206\r\n172.67.139.75\r\n172.67.218.221\r\n104.21.51.237\r\n172.67.191.177\r\n# Network Indicators:\r\nString: GREASE is the word (Chromium HTTP/3 GREASE frame payload, present in benign traffic; see the note above)\r\nHEX:\r\n9b8d047b7db70d45ca16cf225df6e36ce3dcb0bec41dee190f8f20c859de8861967d771e2f4d572f4f7f5dfc04d5d5\r\n# Scriptblock and Memory\r\ngetGoogSearchUri\r\nhookSearchNavigation\r\nrunChromeOrEdge\r\nrunFirefox\r\nrunThread\r\nhxxps://$d/e?iver=$iv\u0026u=$u\u0026is=$is\u0026ed=$di\r\nhxxps://$d/e?iver=$iv\u0026did=$dd\u0026ver=$ver\u0026ed=$di\r\nhxxps://$d/err?iver=$iv\u0026did=$dd\u0026ver=$ver\r\nhxxps://$dl/err?iver=$iv\u0026u=$u\u0026is=$is\r\nhxxps://$d/x?u=$u\u0026is=$is\u0026lv=$lv\u0026rv=$v\r\nSource: https://cybergeeks.tech/chromeloader-browser-hijacker",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://cybergeeks.tech/chromeloader-browser-hijacker"
	],
	"report_names": [
		"chromeloader-browser-hijacker"
	],
	"threat_actors": [
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"CHROMIUM",
				"Charcoal Typhoon",
				"Earth Lusca",
				"FISHMONGER",
				"Red Dev 10",
				"Red Scylla",
				"RedHotel",
				"Tag-22"
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434675,
	"ts_updated_at": 1775792208,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1991e860518ff727b45dd35c9f23f894b2eedae2.pdf",
		"text": "https://archive.orkl.eu/1991e860518ff727b45dd35c9f23f894b2eedae2.txt",
		"img": "https://archive.orkl.eu/1991e860518ff727b45dd35c9f23f894b2eedae2.jpg"
	}
}
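The report above ends with an indicator list but no detection logic. The following is an added example, written for this page and not taken from the CyberGeeks report or from the malware: a small triage pass that checks host and proxy telemetry against the report's indicators (the probed chrome_* folders, the CodeSector registry key, the C2 domains, the shape of the check-in URLs, and the stager function names), and deliberately treats the Add-Type compilation artifacts as weak because benign scripts produce them too. The event records, their field names and the verdict thresholds are assumptions made for the example; the sample telemetry is constructed, not captured.

```python
"""Added example (not from the CyberGeeks report or the malware): triage of
constructed host/proxy telemetry against the report's ChromeLoader IOCs.
Event field names and verdict rules are assumptions made for this example."""
from __future__ import annotations

import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Folder names the installer probes under %LocalAppData% (report, "Paths").
CHROME_DIRS = [
    "chrome_metric", "chrome_pref", "chrome_settings", "chrome_tools",
    "chrome_storage", "chrome_configuration", "chrome_bookmarks",
    "chrome_flags", "chrome_history", "chrome_cast", "chrome_view",
    "chrome_tab", "chrome_panel", "chrome_window", "chrome_control",
    "chrome_glass", "chrome_nav",
]
DIR_RE = re.compile(
    r"\\AppData\\Local\\(?:" + "|".join(CHROME_DIRS) + r")(?:\\|$)", re.I)

# Temp\<8 alnum>\<8 alnum>.(cs|dll|cmdline|out) is what csc.exe leaves behind
# when PowerShell Add-Type compiles C#; benign scripts produce the same files.
ADDTYPE_RE = re.compile(
    r"\\AppData\\Local\\Temp\\[A-Za-z0-9]{8}\\[A-Za-z0-9]{8}"
    r"\.(?:cs|dll|cmdline|out)$", re.I)

REGISTRY_KEY = r"HKEY_CURRENT_USER\SOFTWARE\CodeSector\Tera Copy".lower()

# Report domains with the defanging brackets removed; subdomains count too.
C2_DOMAINS = ("mplayeran.autos", "withyourrety.xyz", "freychang.fun")

# Check-in URL shape from the "Scriptblock and Memory" templates: path /e,
# /err or /x and a query limited to the parameter names seen there.
C2_PATHS = {"/e", "/err", "/x"}
C2_PARAMS = {"iver", "u", "is", "ed", "did", "ver", "lv", "rv"}

STAGER_NAMES = ("getGoogSearchUri", "hookSearchNavigation",
                "runChromeOrEdge", "runFirefox", "runThread")

# Indicators that also fire on legitimate activity; never alert on them alone.
WEAK = {"addtype_compile_artifact"}


@dataclass
class Event:
    kind: str   # "file", "registry", "url" or "scriptblock" (assumed schema)
    value: str


def classify(ev: Event) -> list[str]:
    """Return the indicator names one event matches (empty list: no match)."""
    hits: list[str] = []
    if ev.kind == "file":
        if DIR_RE.search(ev.value):
            hits.append("chromeloader_dir")
        if ADDTYPE_RE.search(ev.value):
            hits.append("addtype_compile_artifact")
    elif ev.kind == "registry":
        if ev.value.lower().endswith(REGISTRY_KEY):
            hits.append("codesector_key")
    elif ev.kind == "url":
        parts = urlsplit(ev.value)
        host = (parts.hostname or "").lower()
        if any(host == d or host.endswith("." + d) for d in C2_DOMAINS):
            hits.append("c2_domain")
        names = {p.split("=", 1)[0].lower() for p in parts.query.split("&") if p}
        if (parts.path in C2_PATHS and names and names <= C2_PARAMS
                and ("iver" in names or {"u", "is"} <= names)):
            hits.append("c2_url_shape")
    elif ev.kind == "scriptblock":
        if any(name in ev.value for name in STAGER_NAMES):
            hits.append("stager_function_names")
    return hits


def triage(events: list[Event]) -> dict[str, list[str]]:
    """Group the matching event values by indicator name."""
    found: dict[str, list[str]] = {}
    for ev in events:
        for name in classify(ev):
            found.setdefault(name, []).append(ev.value)
    return found


def verdict(found: dict[str, list[str]]) -> str:
    """'infected' needs a strong indicator; weak ones alone only earn 'review'."""
    if any(name not in WEAK for name in found):
        return "infected"
    return "review" if found else "clean"


# Constructed sample telemetry (not captured data), including two benign decoys.
SAMPLE_EVENTS = [
    Event("file", r"C:\Users\bob\AppData\Local\chrome_glass\manifest.json"),
    Event("file", r"C:\Users\bob\AppData\Local\Temp\k3ezj0xn\k3ezj0xn.cmdline"),
    Event("file", r"C:\Users\bob\AppData\Local\chrome_update_log.txt"),  # decoy
    Event("registry", r"HKEY_CURRENT_USER\SOFTWARE\CodeSector\Tera Copy"),
    Event("url", "https://goog.withyourrety.xyz/e?iver=3&u=abc&is=1&ed=0"),
    Event("url", "https://www.bing.com/search?q=chromeloader"),  # decoy
    Event("scriptblock", "public static void runChromeOrEdge() { /* ... */ }"),
]

if __name__ == "__main__":
    hits = triage(SAMPLE_EVENTS)
    for name, values in hits.items():
        print(f"{name:26} {values}")
    print("verdict:", verdict(hits))
```

The folder names, the registry key and the URL shape are the indicators the report singles out as harder for the operator to rotate than domains and hashes, so they carry the verdict; the Temp compilation artifacts only raise a review flag, and the "GREASE is the word" string is left out entirely because every Chromium HTTP/3 client sends it.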