{
	"id": "62bbfe96-b2c1-4205-a08b-51a53175446d",
	"created_at": "2026-04-06T00:10:57.510038Z",
	"updated_at": "2026-04-10T03:21:11.269863Z",
	"deleted_at": null,
	"sha1_hash": "40e95651736db6b95860804ae74c59a0a0a9a5bf",
	"title": "FIREBALL – The Chinese Malware of 250 Million Computers Infected",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 73469,
	"plain_text": "FIREBALL – The Chinese Malware of 250 Million Computers\r\nInfected\r\nBy bferrite\r\nPublished: 2017-06-01 · Archived: 2026-04-05 23:13:30 UTC\r\nCheck Point Threat Intelligence and research teams recently discovered a high volume Chinese threat operation\r\nwhich has infected over 250 million computers worldwide. The installed malware,  Fireball, takes over target\r\nbrowsers and turns them into zombies. Fireball has two main functionalities:  the ability of running any code on\r\nvictim computers–downloading any file or malware, and  hijacking and manipulating infected users’ web-traffic to\r\ngenerate ad-revenue. Currently, Fireball installs plug-ins and additional configurations to boost its advertisements,\r\nbut just as easily it can turn into a prominent distributor for any additional malware.\r\nThis operation is run by Rafotech, a large digital marketing agency based in Beijing. Rafotech uses Fireball to\r\nmanipulate the victims’ browsers and turn their default search engines and home-pages into fake search engines.\r\nThis redirects the queries to either yahoo.com or Google.com. The fake search engines include tracking pixels\r\nused to collect the users’ private information. Fireball has the ability to  spy on victims, perform efficient malware\r\ndropping, and execute any malicious code in the infected machines, this creates a massive security flaw in targeted\r\nmachines and networks.\r\nKEY FINDINGS\r\nCheck Point analysts uncovered a high volume Chinese threat operation which has infected over 250\r\nmillion computers worldwide, and 20% of corporate networks.\r\nThe malware, called Fireball, acts as a browser-hijacker but and can be turned into a full-functioning\r\nmalware downloader. Fireball is capable of executing any code on the victim machines, resulting in a wide\r\nrange of actions from stealing credentials to dropping additional malware.\r\nFireball is spread mostly via bundling i.e. installed on victim machines alongside a wanted program, often\r\nwithout the user’s consent.\r\nThe operation is run by Chinese digital marketing agency.\r\nTop infected countries are India (10.1%) and Brazil (9.6%)\r\nFigure 1: Fireball Infection Flow\r\n250 MILLIONS MACHINES AND 20% OF CORPORATE NETWORKS WORLDWIDE INFECTED\r\nThe scope of the malware distribution is alarming. According to our analysis, over 250 million computers\r\nworldwide have been  infected: specifically,  25.3 million infections in India (10.1%), 24.1 million in Brazil\r\n(9.6%), 16.1 million in Mexico (6.4%), and 13.1 million in Indonesia (5.2%). The United States has  witnessed 5.5\r\nmillion infections (2.2%).\r\nhttp://blog.checkpoint.com/2017/06/01/fireball-chinese-malware-250-million-infection/\r\nPage 1 of 7\n\nBased on Check Point’s global sensors,  20% of all corporate networks are affected . Hit rates in the US (10.7%)\r\nand China (4.7%) are alarming;but Indonesia (60%), India (43%) and Brazil (38%) have much more dangerous hit\r\nrates.\r\nAnother indicator of the incredibly high infection rate is the popularity of Rafotech’s fake search engines.\r\nAccording to Alexa’s web traffic data, 14 of these fake search engines are among the top 10,000 websites, with\r\nsome of them occasionally reaching the top 1,000.\r\nFigure 2: Fireball Global Infection Rates (darker pink = more infections)\r\nIronically, although Rafotech doesn’t admit it produces browser-hijackers and fake search engines, it does\r\n(proudly) declare itself a successful marketing agency, reaching 300 million users worldwide – coincidentally\r\nsimilar to our number of estimated infections.\r\nFigure 3: Rafotech’s Advertisement on the Company’s Official Website\r\nA BACKDOOR TO EVERY INFECTED NETWORK\r\nFireball and similar browser-hijackers are hybrid creatures, half seemingly legitimate software (see the GOING\r\nUNDER THE RADAR section), and half malware. Although Rafotech  uses Fireball only for advertising and\r\ninitiating traffic to its fake search engines, it  can perform any action on the victims’ machines These actions  can\r\nhave serious consequences. How severe is it? Try to imagine a pesticide armed with a nuclear bomb. Yes, it can do\r\nthe job, but it can also do much more.\r\nThese browser-hijackers are  capable on the browser level. This means that they can drive victims to malicious\r\nsites, spy on them and conduct successful malware dropping.\r\nFrom a technical perspective, Fireball displays great sophistication and quality evasion techniques, including anti-detection capabilities, multi-layer structure and a flexible C\u0026C– it is not inferior to a typical malware.\r\nMany threat actors would like to have  a fraction of Rafotech’s power, as Fireball provides a critical backdoor,\r\nwhich can be further exploited.\r\nGOING UNDER THE RADAR\r\nWhile the distribution of Fireball is both malicious and illegitimate, it actually carries digital certificates imparting\r\nthem a legitimate appearance. Confused? You should be.\r\nRafotech carefully walks along the edge of legitimacy, knowing that adware distribution is not considered a crime\r\nlike malware distribution is. How is that? Many companies provide software or services for free, and make their\r\nprofits by harvesting data or presenting advertisements. Once a client agrees to the installment of extra features or\r\nsoftware to his/her computer, it is hard to claim malicious intent on behalf of the provider.\r\nThis gray zone led to the birth of a new kind of monetizing method – bundling. Bundling is when a wanted\r\nprogram installs another program alongside it, sometimes with a user’s authorization and sometimes without.\r\nRafotech uses bundling in high volume to spread Fireball.\r\nhttp://blog.checkpoint.com/2017/06/01/fireball-chinese-malware-250-million-infection/\r\nPage 2 of 7\n\nFigure 4: Bundling in Action\r\nAccording to our analysis, Rafotech’s distribution methods appear to be illegitimate and don’t follow the criteria\r\nwhich would allow these actions to be considered naïve or legal. The malware and the fake search engines don’t\r\ncarry indicators connecting them to Rafotech, they cannot be uninstalled by an ordinary user, and they conceal\r\ntheir true nature.\r\nSo how do they carry digital certificates? One possibility is that issuers make their living from providing\r\ncertificates, and small issuers with flexible ethics can enjoy the lack of clarity in the adware world’s legality to\r\napprove software such as Rafotech’s browser-hijackers.\r\nTHE INFECTION MODEL\r\nAs with other types of malware, there are many ways for Fireball to spread. We suspect that two popular vectors\r\nare bundling the malware to other Rafotech products – Deal Wifi and Mustang Browser – as well as bundling via\r\nother freeware distributors: products such as “Soso Desktop”, “FVP Imageviewer” and others.\r\nIt’s important to remember that when a user installs freeware, additional malware isn’t necessarily dropped at the\r\nsame time. If you download a suspicious freeware and nothing happens on the spot, it doesn’t necessarily mean\r\nthat something isn’t happening behind the scenes.\r\nFurthermore, it is likely that Rafotech is using additional distribution methods, such as spreading freeware under\r\nfake names, spam, or even buying installs from threat actors.\r\nAs with everything in the internet, remember that there are no free lunches. When you download freeware, or use\r\ncost-free services (streaming and downloads, for example), the service provider is making profit somehow. If it’s\r\nnot from you or from advertisements, it will come from somewhere else.\r\nFigure 5: Deal Wifi Installation Screen\r\nHOW CAN I KNOW IF I AM INFECTED?\r\nTo check if you’re infected, first open your web browser. Was your home-page set by you? Are you able to modify\r\nit? Are you familiar with your default search engine and can modify that as well? Do you remember installing all\r\nof your browser extensions?\r\nIf the answer to any of these questions is “NO”, this is a sign that you’re infected with adware. You can also use a\r\nrecommended adware scanner, just to be extra cautious.\r\nFigure 6: trotux.com; a Fake Search Engine Run by Rafotech\r\nTHE RED BUTTON IN THE WRONG HANDS\r\nIt doesn’t take much to imagine a scenario in which Rafotech decides to harvest sensitive information from all of\r\nits infected machines, and sell this data to threat groups or business rivals. Banking and credit card credentials,\r\nmedical files, patents and business plans can all be widely exposed and abused by threat actors for various\r\npurposes. Based on our estimated infection rate, in such a scenario, one out of five corporations worldwide will be\r\nsusceptible to a major breach. Severe damage can be caused to key organizations, from major service providers to\r\nhttp://blog.checkpoint.com/2017/06/01/fireball-chinese-malware-250-million-infection/\r\nPage 3 of 7\n\ncritical infrastructure operators to medical institutions. The potential loss is indescribable, and repairing the\r\ndamage caused by such massive data leakage (if even possible) could take years.\r\nRafotech holds the power to initiate a global catastrophe and it is not alone. During our research we’ve tracked\r\ndown additional browser-hijackers that, to our understanding, were developed by other companies. One such\r\ncompany is ELEX Technology, an Internet Services company also based in Beijing  produces products similar to\r\nthose of Rafotech. Several findings lead us to suspect that the two companies are related, and may be collaborating\r\nin the distribution of browser-hijackers or in trading customers’ traffic. For example, an adware developed by\r\nELEX, named YAC (“Yet Another Cleaner”) is suspected to be connected to Rafotech’s operation, dropping its\r\nbrowser-hijackers.\r\nCONCLUSION\r\nIn this research we’ve described Rafotech’s browser-hijackers operation – possibly the largest infection operation\r\nin history. We believe that although this is not a typical malware attack campaign, it has the potential to cause\r\nirreversible damage to its victims as well as worldwide internet users, and therefore it must be blocked by security\r\ncompanies.\r\nThe full distribution of Fireball is not yet known, but it is clear that it presents a great threat to the global cyber\r\necosystem. With a quarter billion infected machines and a grip in one of every five corporate networks, Rafotech’s\r\nactivities make it an immense threat.\r\nHOW DO I REMOVE THE MALWARE, ONCE INFECTED?\r\nTo remove almost any adware, follow these simple steps:\r\n1. Uninstall the adware by removing the application from the Programs and Features list in the Windows\r\nControl Panel.\r\nFor Mac OS users:\r\n1. Use the Finder to locate the Applications\r\n2. Drag the suspicious file to the Trash.\r\n3. Empty the Trash.\r\nNote – A usable program is not always installed on the machine and therefore may not be found on the program\r\nlist.\r\n2. Scan and clean your machine, using:\r\nAnti-Malware software\r\nAdware cleaner software\r\n3. Remove malicious Add-ons, extensions or plug-ins from your browser:\r\nOn Google Chrome:\r\na.       Click the Chrome menu icon and select Tools \u003e Extensions.\r\nhttp://blog.checkpoint.com/2017/06/01/fireball-chinese-malware-250-million-infection/\r\nPage 4 of 7\n\nb.      Locate and select any suspicious Add-ons.\r\nc.       Click the trash can icon to delete.\r\nOn Internet Explorer:\r\na.       Click the Setting icon and select Manage Add-ons.\r\nb.      Locate and remove any malicious Add-ons.\r\nOn Mozilla Firefox:\r\na.       Click the Firefox menu icon and go to the Tools tab.\r\nb.      Select Add-ons \u003e Extensions.\r\nA new window opens.\r\nc.       Remove any suspicious Add-ons.\r\nd.      Go to the Add-ons manager \u003e Plugins.\r\ne.      Locate and disable any malicious plugins.\r\nOn Safari:\r\na.       Make sure the browser is active.\r\nb.      Click the Safari tab and select preferences.\r\nA new window opens.\r\nc.       Select the Extensions tab.\r\nd.      Locate and uninstall any suspicious extensions.\r\n4. Restore your internet browser to its default settings:\r\nOn Google Chrome:\r\na.       Click the Chrome menu icon, and select Settings.\r\nb.      In the On startup section, click Set Pages.\r\nc.       Delete the malicious pages from the Startup pages list.\r\nd.      Find the Show Home button option and select Change.\r\ne.      In the Open this page field, delete the malicious search engine page.\r\nf.        In the Search section, select Manage search engines.\r\nhttp://blog.checkpoint.com/2017/06/01/fireball-chinese-malware-250-million-infection/\r\nPage 5 of 7\n\ng.       Select the malicious search engine page and remove from the list.\r\nOn Internet Explorer:\r\na.       Select the Tools tab and then select Internet Options.\r\nA new window opens.\r\nb.      In the Advanced tab, select Reset.\r\nc.       Check the Delete personal settings box.\r\nd.      Click the Reset button.\r\nOn Mozilla Firefox:\r\na.       Enable the browser Menu Bar by clicking the blank space near the page tabs.\r\nb.      Click the Help tab, and go to Troubleshooting information.\r\nA new window opens.\r\nc.       Select Reset Firefox.\r\nOn Safari:\r\na.       Select the Safari tab and then select Preferences.\r\nA new window opens.\r\nb.      In the Privacy tab, the Manage Website Data… button.\r\nA new window opens.\r\nc.       Click the Remove All button.\r\nINDICATORS OF COMPROMISE\r\nC\u0026C addresses\r\nattirerpage[.]com\r\ns2s[.]rafotech[.]com\r\ntrotux[.]com\r\nstartpageing123[.]com\r\nfuncionapage[.]com\r\nuniversalsearches[.]com\r\nthewebanswers[.]com\r\nnicesearches[.]com\r\nyoundoo[.]com\r\ngiqepofa[.]com\r\nhttp://blog.checkpoint.com/2017/06/01/fireball-chinese-malware-250-million-infection/\r\nPage 6 of 7\n\nmustang-browser[.]com\r\nforestbrowser[.]com\r\nluckysearch123[.]com\r\nooxxsearch[.]com\r\nsearch2000s[.]com\r\nwalasearch[.]com\r\nhohosearch[.]com\r\nyessearches[.]com\r\nd3l4qa0kmel7is[.]cloudfront[.]net\r\nd5ou3dytze6uf[.]cloudfront[.]net\r\nd1vh0xkmncek4z[.]cloudfront[.]net\r\nd26r15y2ken1t9[.]cloudfront[.]net\r\nd11eq81k50lwgi[.]cloudfront[.]net\r\nddyv8sl7ewq1w[.]cloudfront[.]net\r\nd3i1asoswufp5k[.]cloudfront[.]net\r\ndc44qjwal3p07[.]cloudfront[.]net\r\ndv2m1uumnsgtu[.]cloudfront[.]net\r\nd1mxvenloqrqmu[.]cloudfront[.]net\r\ndfrs12kz9qye2[.]cloudfront[.]net\r\ndgkytklfjrqkb[.]cloudfront[.]net\r\ndgkytklfjrqkb[.]cloudfront[.]net/main/trmz[.]exe\r\nFile Hashes\r\nFAB40A7BDE5250A6BC8644F4D6B9C28F\r\n69FFDF99149D19BE7DC1C52F33AAA651\r\nB56D1D35D46630335E03AF9ADD84B488\r\n8C61A6937963507DC87D8BF00385C0BC\r\n7ADB7F56E81456F3B421C01AB19B1900\r\n84DCB96BDD84389D4449F13EAC75098\r\n2B307E28CE531157611825EB0854C15F\r\n7B2868FAA915A7FC6E2D7CC5A965B1E\r\nSource: http://blog.checkpoint.com/2017/06/01/fireball-chinese-malware-250-million-infection/\r\nhttp://blog.checkpoint.com/2017/06/01/fireball-chinese-malware-250-million-infection/\r\nPage 7 of 7",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"http://blog.checkpoint.com/2017/06/01/fireball-chinese-malware-250-million-infection/"
	],
	"report_names": [
		"fireball-chinese-malware-250-million-infection"
	],
	"threat_actors": [],
	"ts_created_at": 1775434257,
	"ts_updated_at": 1775791271,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/40e95651736db6b95860804ae74c59a0a0a9a5bf.pdf",
		"text": "https://archive.orkl.eu/40e95651736db6b95860804ae74c59a0a0a9a5bf.txt",
		"img": "https://archive.orkl.eu/40e95651736db6b95860804ae74c59a0a0a9a5bf.jpg"
	}
}