{
	"id": "b09c4675-e99a-4b30-b1af-a3a44166be33",
	"created_at": "2026-04-06T00:21:33.619973Z",
	"updated_at": "2026-04-10T03:36:47.644174Z",
	"deleted_at": null,
	"sha1_hash": "c270bc8f4b130da106ebd8ee61efc24f9e742ab4",
	"title": "FakeUpdateRU Chrome Update Infection Spreads Trojan Malware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 701670,
	"plain_text": "FakeUpdateRU Chrome Update Infection Spreads Trojan\r\nMalware\r\nBy Ben Martin\r\nPublished: 2023-10-25 · Archived: 2026-04-05 20:28:00 UTC\r\nFake Google chrome update malware, often associated with the notorious SocGholish infection, is something that\r\nwe have been tracking for a number of years. It is one of the most common types of website malware. It tricks\r\nunsuspecting users into downloading what appears to be an update to their Chrome browser, but is actually a\r\nremote access trojan (RAT). These tend to be the entry point and beginning stages of targeted ransomware attacks,\r\ncosting untold sums of money in damages to individuals, businesses and even major corporations.\r\nWe recently noticed a rather large rash of infected websites displaying a new variant of this type of infection,\r\nnicknamed “FakeUpdateRU” by Jerome Segura from MalwareBytes. While at first glance they resemble\r\nSocGholish suggesting to download a Google Chrome update, it turns out that it seems to be a competing/parallel\r\ngroup of threat actors also trying to cash in on the ransomware gravy train. 
In fact, it appears that this is the most recent in a series of copycat groups that have surfaced in recent months.\r\nLuckily, Google has already blocked most of the domains used to distribute the malware, leading users to a browser warning page before accessing the sites in question:\r\nIn this post we will analyze this malware so website owners and readers can understand its inner workings and better position themselves against emerging online threats.\r\nContents:\r\nThe fake Chrome browser landing page\r\nImportant page modifications\r\nMalware network and malicious domains\r\nMalicious activity on Telegram\r\nProtecting your website from fake Chrome updates\r\nhttps://blog.sucuri.net/2023/10/fakeupdateru-chrome-update-infection-spreads-trojan-malware.html\r\nPage 1 of 6\n\nThe fake Chrome browser landing page\r\nSo far we have observed that the malware overwrites the main index.php file of the active theme on the website. This infection affects WordPress websites, but we’ve observed it on other CMS platforms as well.\r\nThe bogus Chrome browser update landing page looks like this:\r\nIn one example, we found the malware had lodged itself in several dozen index.php and index.html files under the wp-content directory. There were also some random ones in plugin directories, but most importantly the main index.php file of the theme, thereby replacing the website content with a malicious overlay telling the user that they must update their browser.\r\nIf your first thought is that it looks exactly like the official Google Chrome download page, that’s because it is. 
All the malicious files (even the .php ones) contain only plain HTML code, revealing that the page was originally saved from the UK English version of Google’s website.\r\nThe \u003c!-- saved from url=(0041)https://www.google.com/intl/en_uk/chrome/ --\u003e comment tells us that the page was saved directly from a Chrome (Chromium-based) browser, where 0041 is the length of the URL of the saved page, https://www.google.com/intl/en_uk/chrome/.\r\nWhile saving the page, the browser rewrites the paths to static resources so that they can be loaded locally. Since the bad actors’ browser had Russian localization, the static resource files ended up with Russian suffixes, e.g. /assets/analytics.js.Без названия, where “Без названия” means “No name” (untitled).\r\nAnother side-effect of using static HTML files is that visitors with other browsers like Firefox or Safari still get the fake “Chrome update” pages, unlike other fake update campaigns that customize lure pages for each major browser.\r\nImportant page modifications\r\nTo suit their needs, the bad actors slightly modified the original page. They replaced the word “Download” with the word “Update” and added wording such as “To continue you need to update your browser” and “The site uses the new chromium engine, to continue it needs to be updated”.\r\nMost importantly, at the very bottom of the source code the bad actors lodged JavaScript code which triggers the malicious download whenever a user clicks on the “Update” button.\r\nThis script uses an intermediary chromium-themed domain to fetch the URL of the final download, which is normally hosted on a compromised third-party site. For example:\r\n
chromiumengine[.]space/get.html -\u003e hxxps://\u003chacked-site\u003e[.]com/wp-content/enigne/EngineBrowser.zip\r\nThe names of the downloads are usually something along the lines of EngineChromium.zip, EngineBrowser.zip, EngineTools.zip, etc.\r\nOther security researchers have analysed the malicious executable and determined that it belongs to the Zgrat and Redline Stealer malware families: a remote access trojan and an information stealer, both of which are closely associated with ransomware attacks.\r\nThe .ZIP files themselves are hosted on other hacked websites, likely completely unknown to the website owners. So the fake update pages and the malicious payload are hosted separately, on different hacked websites.\r\nMalware network and malicious domains\r\nWe’ve noticed that the attackers are using a number of similarly-named domains to initiate the redirect to the malicious .ZIP file:\r\nchromiumengine[.]space\r\nchromiumtxt[.]space\r\nbasechromium[.]space\r\nplacengine[.]site\r\nbrowserengine[.]online\r\nAll of these domains appear to have been registered within the two weeks before publication, for example:\r\nDomain Name: CHROMIUMENGINE[.]SPACE\r\nRegistry Domain ID: D403469118-CNIC\r\nRegistrar WHOIS Server: whois.reg.ru\r\nRegistrar URL: https://www.reg.ru/\r\nUpdated Date: 2023-10-20T23:48:36.0Z\r\nCreation Date: 2023-10-15T23:39:55.0Z\r\nAffected websites can be identified by the presence of the following Google Tag Manager script, which belongs to Google’s own Chrome download page and has no reason to appear on anyone else’s site:\r\nhttps://www.googletagmanager.com/gtm.js?id=GTM-PZ6TRJB\r\nSince the attackers simply copied and pasted the exact source code of that page to use in their malware campaign, its GTM container shows up on the infected websites as well. 
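Those artefacts make a reasonable file-level indicator set for anyone triaging a web root. The Python script below is an added example written for this page (it is not part of the original post and is not a Sucuri tool): it scans a set of files for the literal strings quoted in this post (the GTM container id, the Chromium saved-from comment, the Russian “Без названия” suffix, the lure wording, the ‘downloadx’ click handler, the Telegram bot API and the intermediary domains), checks that a saved-from comment’s declared length actually matches its URL, and flags .php files that contain no PHP at all, since the dropped files are plain HTML. The sample files, the two-indicator threshold and the verdict labels are constructed for the example; only the indicator strings come from the post.

```python
# Added example (not from the original post): scan web-root files for the
# FakeUpdateRU artefacts described in the post. Sample files are constructed.
from typing import Dict, List, Optional, Tuple

# Literal strings quoted in the post: the GTM container of Google's own
# Chrome page, the Chromium saved-from comment, the Russian resource
# suffix, the lure wording, the click handler name and the Telegram bot API.
STRING_INDICATORS = {
    'gtm_google_chrome_page': 'googletagmanager.com/gtm.js?id=GTM-PZ6TRJB',
    'saved_from_google_chrome': 'saved from url=(0041)https://www.google.com/intl/en_uk/chrome/',
    'russian_resource_suffix': '.Без названия',
    'lure_wording': 'new chromium engine',
    'downloadx_click_handler': 'downloadx',
    'telegram_bot_api': 'api.telegram.org/bot',
}

# Intermediary domains listed in the post (defanged there with [.]).
LURE_DOMAINS = [
    'chromiumengine.space', 'chromiumtxt.space', 'basechromium.space',
    'placengine.site', 'browserengine.online',
]


def parse_saved_from(html: str) -> Optional[Tuple[str, str, bool]]:
    '''Parse a Chromium 'saved from url=(NNNN)URL' comment.

    Returns (declared_length, url, length_matches), or None when the
    comment is absent. NNNN is the length of URL, so a mismatch means
    the comment was edited or forged by hand rather than written by a browser.
    '''
    marker = 'saved from url=('
    start = html.find(marker)
    if start < 0:
        return None
    close = html.find(')', start)
    declared = html[start + len(marker):close]
    tail = html[close + 1:].split(maxsplit=1)
    url = tail[0] if tail else ''
    return declared, url, declared.isdigit() and len(url) == int(declared)


def scan_file(path: str, content: str) -> List[str]:
    '''Return the list of indicator names that fire for one file.'''
    hits = [name for name, needle in STRING_INDICATORS.items() if needle in content]
    hits += ['lure_domain:' + d for d in LURE_DOMAINS if d in content]
    # The dropped files are plain HTML even when named .php, so a .php file
    # with no PHP open tag at all is suspicious on its own.
    if path.endswith('.php') and '<?php' not in content and '<?=' not in content:
        hits.append('php_file_without_php_code')
    saved = parse_saved_from(content)
    if saved is not None and not saved[2]:
        hits.append('saved_from_length_mismatch')
    return hits


def verdict(hits: List[str]) -> str:
    '''Constructed threshold: two independent indicators is a confident hit.'''
    if len(hits) >= 2:
        return 'infected'
    return 'suspicious' if hits else 'clean'


def scan_tree(files: Dict[str, str]) -> Dict[str, Tuple[str, List[str]]]:
    '''Map each path to (verdict, hits). On a real site, read the files from disk.'''
    results = {}
    for path, content in files.items():
        hits = scan_file(path, content)
        results[path] = (verdict(hits), hits)
    return results


# Constructed sample files standing in for a WordPress wp-content tree.
SAMPLE_FILES = {
    # Theme index.php overwritten with the saved Google page plus the
    # attackers' edits (a stand-in, not the real lure markup).
    'wp-content/themes/twentytwentythree/index.php': '''<!DOCTYPE html>
<!-- saved from url=(0041)https://www.google.com/intl/en_uk/chrome/ -->
<html><head>
<script src='./assets/analytics.js.Без названия'></script>
<script src='https://www.googletagmanager.com/gtm.js?id=GTM-PZ6TRJB'></script>
</head><body>
<p>The site uses the new chromium engine, to continue it needs to be updated</p>
<a id='downloadx' href='https://chromiumengine.space/get.html'>Update</a>
<!-- notification endpoint: https://api.telegram.org/bot<token>/sendMessage -->
</body></html>''',
    # Legitimate theme code.
    'wp-content/themes/twentytwentythree/functions.php': '''<?php
add_action('wp_enqueue_scripts', function () { wp_enqueue_style('theme-style'); });
''',
    # Standard WordPress placeholder file in a plugin directory.
    'wp-content/plugins/example-plugin/index.php': '<?php // Silence is golden.',
    # Unrelated static page with its own GTM container: no indicator fires.
    'wp-content/uploads/landing.html': '''<html><head>
<script src='https://www.googletagmanager.com/gtm.js?id=GTM-EXAMPLE'></script>
</head><body><a href='/brochure.pdf'>Download our brochure</a></body></html>''',
}

if __name__ == '__main__':
    for path, (label, hits) in scan_tree(SAMPLE_FILES).items():
        print(label.upper().ljust(10), path, ', '.join(hits) or '-')
```

Run as-is it prints one line per sample file; the overwritten theme index.php trips every indicator, the two genuine PHP files and the unrelated landing page trip none. To use it on a real site, walk wp-content and feed every index.php and index.html to scan_tree; the GTM id and the saved-from comment will disappear as the campaign evolves, which is why the PHP-without-PHP check and the length check on any saved-from comment are worth keeping as generic signals.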
A URL scan for this tag indicates that the malware campaign is quite widespread, with SiteCheck currently detecting anywhere from 20-30 newly infected sites per day.\r\nGoogle response to fake Chrome updates\r\nGoogle has acted quickly and blocked the offending domains that initiate the redirect, resulting in the large red warning pictured above.\r\nThe attackers have already become wise to this: the most recent examples of this malware that we see circumvent the block entirely by linking directly to the drive-by download residing on the other compromised websites:\r\nThis helps them avoid the Google warning, which I am sure has drastically reduced their success rate. On the other hand, in order to change the download URL they now have to reinfect every compromised site, instead of changing it in one file on their own server.\r\nIn more recent variants, we have also noted the removal of most Russian comments and messages from the HTML code of the fake update pages.\r\nMalicious activity on Telegram\r\nSome of the infected websites include JavaScript lodged at the bottom of the page which communicates with a throwaway Telegram channel:\r\nWhen translated from Russian, the end of that script reads as follows:\r\nconsole.log('Notification sent to Telegram');\r\n })\r\n .catch(error =\u003e {\r\n console.error('Error sending notification:', error);\r\n });\r\n }\r\n // Call a function to send a notification\r\n sendTelegramMessage('Someone downloaded a file.');\r\nAttackers appear to be using Telegram to receive a notification whenever a potential victim downloads their payload.\r\nThe rest of the JavaScript code does the following:\r\nAdds a click event listener named ‘downloadx’ (triggered by the update button)\r\nGrabs the user agent of the
victim, indicating their browser and operating system\r\nCalls the Telegram function to relay the message to their channel\r\nInitiates the download via a .html file on the domain owned by the attackers\r\nThen, finally, the download prompt from the second hacked website prompts the user to download the payload\r\nTelegram is a popular service for attackers for a number of reasons, and it’s not the first time we have seen it (mis)used by threat actors (for example, using Telegram to exfiltrate stolen credit card details). The end-to-end encryption the service offers for its secret chats is great for the privacy of everyday folks, but the service is equally useful for protecting the anonymity of attackers engaged in malicious activities (note that bot API traffic and channels, as used here, are not end-to-end encrypted; they are only encrypted in transit to Telegram’s servers). The service also offers automated bot APIs that are useful for exactly the sort of thing described in this post, is cross-platform, widely accessible around the world and even has file sharing capabilities.\r\nEssentially, for all the reasons it’s a great messaging service for privacy/security minded folks, it’s also great for criminals.\r\nProtecting your website from fake Chrome browser updates\r\nThis campaign of fake Google Chrome updates, along with the other SocGholish copycat infections, is another reminder of why keeping your website secure is of the utmost importance.\r\nBe sure to keep your website plugins and themes patched, and take measures to secure and harden your WordPress website and wp-admin dashboard. Keeping regular backups of your website is also crucial, since this malware overwrites important files such as the theme’s index.php.\r\nTo further prevent infection, we also recommend placing your website behind a firewall. But if you believe that your website has already been affected by this fake Google Chrome update malware then we can help! 
Our trained security analysts are available 24/7/365 to clean up malware infections and secure your website.\r\nSource: https://blog.sucuri.net/2023/10/fakeupdateru-chrome-update-infection-spreads-trojan-malware.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.sucuri.net/2023/10/fakeupdateru-chrome-update-infection-spreads-trojan-malware.html"
	],
	"report_names": [
		"fakeupdateru-chrome-update-infection-spreads-trojan-malware.html"
	],
	"threat_actors": [
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434893,
	"ts_updated_at": 1775792207,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c270bc8f4b130da106ebd8ee61efc24f9e742ab4.pdf",
		"text": "https://archive.orkl.eu/c270bc8f4b130da106ebd8ee61efc24f9e742ab4.txt",
		"img": "https://archive.orkl.eu/c270bc8f4b130da106ebd8ee61efc24f9e742ab4.jpg"
	}
}