{
	"id": "f0816224-acbe-4244-9942-37fb979adc20",
	"created_at": "2026-04-06T00:17:52.390798Z",
	"updated_at": "2026-04-10T03:36:47.92901Z",
	"deleted_at": null,
	"sha1_hash": "ce8680bd4d2648914f083a7cf2ef03469aa58c7e",
	"title": "ChromeLoader: New Stubborn Malware Campaign",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 4174181,
	"plain_text": "ChromeLoader: New Stubborn Malware Campaign\r\nBy Nadav Barak\r\nPublished: 2022-07-12 · Archived: 2026-04-05 19:59:09 UTC\r\nExecutive Summary\r\nIn January 2022, a new browser hijacker/adware campaign named ChromeLoader (also known as Choziosi Loader\r\nand ChromeBack) was discovered. Despite using simple malicious advertisements, the malware became\r\nwidespread, potentially leaking data from thousands of users and organizations.\r\nInstead of more traditional malware like a Windows executable (.exe) or Dynamic Link Library (.dll), the malware\r\nauthors used a browser extension as their final payload. The browser extension serves as adware and an\r\ninfostealer, leaking all of the user’s search engine queries. We discovered significant changes and additions of\r\ncapabilities throughout this campaign's evolution, and we predict further changes as this campaign continues.\r\nIn this article, we examine the technical details of this malware, focus on the evolution between its different\r\nversions and describe changes in its infection process. This article also reviews new variants that have not yet\r\nbeen publicly reported.\r\nPalo Alto Networks customers using Cortex XDR and WildFire receive protections against this newly discovered\r\nmalware out of the box.\r\nNames for malware discussed ChromeLoader, Choziosi Loader, ChromeBack\r\nIntroduction to ChromeLoader Malware\r\nChromeLoader is a multi-stage malware family. Each variant contains different stages throughout its infection\r\nchain, but the infection chain often looks quite similar among the different variants, including malicious browser\r\nextensions used in all variants.\r\nThe different payload extensions we tracked had a hardcoded version added by the attacker. 
This labeling routine\r\ncontributed to the research process, linking the different versions to the same campaign – and by their correct\r\nchronological order.\r\nThe various extension versions are related to different variants of this malware. We differentiate the variants not\r\nonly by the related extension version but also by the techniques used throughout their infection chain and the\r\ntargeted operating systems.\r\nThe different variants are mentioned in this article by their detection order and referenced throughout this\r\ndocument as follows:\r\nhttps://unit42.paloaltonetworks.com/chromeloader-malware/\r\nPage 1 of 33\n\nVariant 0: Named that way since it was active before Variant 1 (the first variant that was discovered in the wild).\r\nIt used AutoHotKey (AHK)-compiled executables and version 1.0 of the Chrome extension. Its first known attack\r\noccurred in December. In this article, this variant is discussed fourth (in the section titled “The Real First\r\nWindows Variant”).\r\nVariant 1: Mentioned first (beginning in the “Infection Vector” section). It used versions 2.0-4.4 of the Chrome\r\nextension as its payload and a DotNet executable that launches obfuscated PowerShell as its dropper. It was\r\nmainly active in January.\r\nVariant 2: Mentioned third (see the section “Second Windows Variant”). It uses the 6.0 version of the Chrome\r\nextension and uses an obfuscated executable as its initial dropper. It has been active since March.\r\nMacOS Variant: Mentioned second (see the section “MacOS Variant”). This variant focuses on MacOS\r\ncomputers (while other variants target Windows users only). Uses the 6.0 version of the extension. Active since\r\nMarch.\r\nhttps://unit42.paloaltonetworks.com/chromeloader-malware/\r\nPage 2 of 33\n\nFigure 1. 
The infection chain of the different variants.\r\nhttps://unit42.paloaltonetworks.com/chromeloader-malware/\r\nPage 3 of 33\n\nInfection Vector (Variant 1)\r\nThe first variant of ChromeLoader Malware (referred to in the Introduction as Variant 1) was first seen in January\r\n2022.\r\nThe chain of events starts when a user is enticed to download a torrent or a cracked video game through\r\nmalvertising campaigns on ad sites and social media platforms. The user scans a QR code on these web pages and\r\nis redirected to a compromised website that presents an ISO image (an optical disc image file, typically used with\r\nCD/DVD). The user downloads the ISO image, mounts it by double-clicking and executes content contained in\r\nthe mounted ISO image.\r\nFigure 2. An example of a QR code posted on Twitter.\r\nFigure 3. An example of a download link to the malicious ISO image from the QR code.\r\nhttps://unit42.paloaltonetworks.com/chromeloader-malware/\r\nPage 4 of 33\n\nDeployment\r\nThe downloaded ISO image contains the following:\r\nMicrosoft.Win32.TaskScheduler.dll: a legitimate .NET DLL signed by Microsoft, used by other .NET\r\nprograms for integrating with the scheduled tasks mechanism.\r\nLanguage folders: contains a resource file used by the mentioned DLL.\r\nCS_installer.exe and its config file: malicious executable written by the malware authors (note that the\r\nname might change from one version to another). In some versions, the authors (probably accidentally) left\r\nits PDB file, containing its debug data, inside this folder as well\r\n_meta.txt: a text file found in advanced versions of this malware, containing scrambled ASCII letters.\r\nMost files in this directory are hidden, and the ordinary user will not notice them when opening this directory\r\nusing Windows File Explorer. The only non-hidden file is CS_installer.exe, which tempts the victim to double-click it to complete the software installation download.\r\nFigure 4. 
An example of a mounted malicious ISO image (after selecting “show hidden files”).\r\nThe victim launches CS_installer.exe by double-clicking it. In most cases, the executable presents the message\r\nshown below in Figure 5, indicating that the program failed to execute. However, this is an attempt by the authors\r\nto mislead their targets.\r\nhttps://unit42.paloaltonetworks.com/chromeloader-malware/\r\nPage 5 of 33\n\nFigure 5. Message box presented by the dropper, designed to deceive the user.\r\nThe executable is a non-obfuscated program written in .NET, so .NET reflectors can decompile it to read the\r\nsource code. The code shown in Figure 6 is revealed when the executable is loaded into a reflector. This code\r\ncreates a scheduled task configured to execute a malicious base64 encoded PowerShell command every ten\r\nminutes. The task name is constructed from the Chrome string concatenated with a random suffix from the\r\nnamesDict array.\r\nFigure 6. An example of decompiled CS_installer.exe source code.\r\nThe script content derives from the _meta.txt file, unscrambled by the following predefined function below in\r\nFigure 7, which applies simple character replacement.\r\nhttps://unit42.paloaltonetworks.com/chromeloader-malware/\r\nPage 6 of 33\n\nFigure 7. An example of the unscramble function.\r\nSome of the features mentioned were missing in earlier versions of this variant of the malware. For instance, in the\r\nversion shown in Figure 8, which was discovered only one week before the version mentioned in Figures 6 and 7,\r\nthe authors did not use a descramble function but simply hardcoded the encoded PowerShell script in the .NET\r\nexecutable and used the predefined ChromeLoader name for their task instead of generating a more randomized\r\nsuffix.\r\nFigure 8. 
An example of source code from an older version of Variant 1.\r\nThe attacker uses the encoded PowerShell script for downloading and loading a malicious browser extension into\r\nthe user’s Chrome browser.\r\nhttps://unit42.paloaltonetworks.com/chromeloader-malware/\r\nPage 7 of 33\n\nFigure 9. An example of variable definition in the PowerShell dropper.\r\nFigure 10. An example of a payload download attempt.\r\nFigure 11. An attempt to load the payload into the user’s browser.\r\nFigure 11. An attempt to load the payload into the user’s browser.\r\nThe evolution from early versions of this malware to later ones is also seen in the encoded PowerShell script.\r\nFigure 12 shows PowerShell script executed by an earlier version of this variant, which is significantly shorter and\r\ncontains less complicated code.\r\nhttps://unit42.paloaltonetworks.com/chromeloader-malware/\r\nPage 8 of 33\n\nFigure 12. An example of an older version of this PowerShell dropper.\r\nDropper Statistics\r\nChromeLoader attacks on Palo Alto Networks Cortex XDR customers were blocked by our Behavioral Threat\r\nProtection module starting from the first day of this campaign. However, we were curious about the following\r\nstages of this attack. Consequently, we decided to continue our research, tracking down the attacker’s footprints\r\nand intentions.\r\nThe scheduled task is using the malware to download a malicious Chrome extension and installing it to the\r\nvictim’s browser. The URL hosting the Chrome extension is hardcoded in the obfuscated PowerShell command\r\nand changes between the different versions.\r\nhttps://unit42.paloaltonetworks.com/chromeloader-malware/\r\nPage 9 of 33\n\nFigure 13. First infection attempt for installation servers.\r\nhttps://unit42.paloaltonetworks.com/chromeloader-malware/\r\nPage 10 of 33\n\nFigure 14. Installation server connection attempts distribution.\r\nFigure 15. 
Blocked infections per region.\r\nhttps://unit42.paloaltonetworks.com/chromeloader-malware/\r\nPage 11 of 33\n\nFigure 16. Infection attempts per day per installation server during the Variant 1’s most active time.\r\nPayload\r\nThe payload of the malware is a Chrome extension – every downloadable extension has the same format:\r\nFigure 17. An example of the downloaded extension files.\r\nUsing some definitions in the manifest file, and using a known legitimate picture, the extension claims to be\r\nlegitimate and harmless. However, the extension asks for elevated privileges. Requested privileges include\r\naccessing browser data, manipulating web requests and accessing every possible URL address, which legitimate\r\nbrowser extensions would not do.\r\nhttps://unit42.paloaltonetworks.com/chromeloader-malware/\r\nPage 12 of 33\n\nFigure 18. An example of a downloaded extension’s manifest file.\r\nThe Javascript file conf.js declares constant variables, which will use the main script background.js later. The C2\r\ndomain is stored in _ExtDomNoSchema.\r\nFigure 19. An example of a downloaded extension’s conf.js file.\r\nbackground.js is a one-line JavaScript file containing all of the extension’s functionality; it is heavily obfuscated\r\nbut can be converted to readable JavaScript code in a short series of steps. However, any attempt to deobfuscate\r\nthis code using known public JavaScript deobfuscation tools will fail due to reasons which will be detailed later.\r\nFigure 20. An example of a downloaded extension’s obfuscated background.js file.\r\nThis script uses various obfuscation techniques to hide its purpose and malicious code. One of the first functions\r\nexecuted is responsible for copying standard JavaScript functions and objects into new objects with scrambled\r\nnames, which will later use the script for decoding the final payload, located in this script's last instructions.\r\nFigure 21. An example of the renaming mechanism. 
For instance, in this case, the String object is\r\nstored as b4VV.\r\nDuring the entire execution of this script, the authors use switch-case-oriented programming to make their\r\nprogram harder for malware analysts to read and understand.\r\nhttps://unit42.paloaltonetworks.com/chromeloader-malware/\r\nPage 13 of 33\n\nFigure 22. An example of switch-case-oriented programming.\r\nThe program loops using the E3 variable shown above in Figure 22 and acts differently for each value. When the\r\nrelevant flow in the switch case has ended, the program changes the value of E3 to its next instruction. The\r\nprogram also uses the obfuscated object names mentioned previously. In Figure 22, we added the original object\r\nname in a comment below the relevant code line.\r\nhttps://unit42.paloaltonetworks.com/chromeloader-malware/\r\nPage 14 of 33\n\nAfter understanding the obfuscated names and switch-case-oriented programming, we can better analyze the\r\npurpose of this code section. It uses a hardcoded four-sized array of integers, translating it to the associated ASCII\r\ncharacters and sorting it by randomized order. Later, this array will be joined to a string, and the program will\r\nsearch for a defined function in that name. The execution flow will start over if the function isn’t found.\r\nThis stage reveals another obfuscation technique in the script. One of the key features used by standard\r\ndeobfuscation tools is dropping unreferenced functions and objects. Often, it helps to shorten the code, leaving out\r\ncomplicated parts which will never actually run – removing functions whose whole purpose is to mislead a\r\nmalware analyst. However, in this case, using deobfuscation tools drops an essential function, and the script will\r\nbe stuck in an endless loop without it.\r\nThe function h0QQ is not directly referenced even once during the script execution. 
Yet, the previously mentioned\r\ncode section using a randomized sort algorithm will eventually attempt to execute it, since h0QQ is a permutation\r\nof the 0hQQ string. If h0QQ does not exist, the code simply tries to sort the characters and repeatedly looks for a\r\nfunction name.\r\nFigure 23. An example of the unreferenced crucial function.\r\nThis function returns a long scrambled string, XORed by a hardcoded key, and then splits into an array of strings.\r\nFigure 24. An example of a deXORed array containing strings used by the malware.\r\nThe malware eventually uses these strings to decode its malicious code. It references the string at the relevant\r\nindex in this array instead of hardcoding the string name in the code.\r\nFigure 25. An example of the malware usage of the deXORed array to decode its final payload. You\r\ncan also see that the malware doesn’t use integers as the array’s indexes but strings combined with\r\narithmetic operations.\r\nWe exported the mentioned list members after utilizing a debugger to execute the initialization code. Then we\r\nused a Python script to deobfuscate the remaining sections of the JavaScript code.\r\nhttps://unit42.paloaltonetworks.com/chromeloader-malware/\r\nPage 15 of 33\n\nFigure 26. A script used for deobfuscating background.js.\r\nInfostealer and Adware\r\nFor communicating with the malicious extension, the authors used command and control servers (C2s), which are\r\ndifferent from the installation server used for installing the extension previously. The malware uses various\r\nextension features, giving it a strong foothold in the user’s browser.\r\nFigure 27. An example of alerts installed by the malware.\r\nWhen the extension is installed, it adds two Chrome alarms (alarms allow the developer to install a callback /\r\nscheduled task that will be triggered periodically). 
When these alarms are triggered, two corresponding functions\r\nare being called:\r\nWhen the ad alarm is triggered, the extension asks the C2 for an advertisement and presents it in a new tab.\r\nThe hb callback is triggering functions that communicate with the C2, informing it of the current state of\r\nthe execution.\r\nhttps://unit42.paloaltonetworks.com/chromeloader-malware/\r\nPage 16 of 33\n\nFigure 28. An example of the malware’s reaction when its alerts are triggered.\r\nAnother interesting activity can be seen in the code shown in Figure 29. The extension installs a listener, which\r\nallows it to intercept every outgoing request, and uses it to check whether the request was sent to a search engine –\r\nGoogle, Yahoo or Bing. If it does, the extension will send the search details to the C2, leaking the victim’s\r\nthoughts and interests.\r\nFigure 29. An example of browser hijacker capability.\r\nIn addition, the extension uses different mechanisms to verify that it executes properly. For example:\r\nA hard-coded header named dd for each outgoing packet to the C2. This could be used by the C2 to\r\nidentify the different distribution channels/affiliates.\r\nFigure 30. An example of the added dd header.\r\nCancelling search suggestions, probably in order to make sure that the search queries were intended by the\r\nuser.\r\nhttps://unit42.paloaltonetworks.com/chromeloader-malware/\r\nPage 17 of 33\n\nUninstalling existing Chrome extensions from the browser. It also sends the names of the extensions to the\r\nC2 and gets back an allowlist json, in order to exclude chosen extensions from being removed.\r\nDisabling every attempt to access chrome://extensions and open chrome://settings instead to prevent the\r\nuser from uninstalling this malicious extension.\r\nVersion Control\r\nMost malicious extensions contained a file named conf.js alongside the main Javascript code stored at\r\nbackground.json. 
This conf.js (or manifest.json, or background.js file if conf.json is missing) file stores relevant\r\nconfiguration for the extension: the C2’s hostname (e.g., krestinaful[.]com and tobepartou[.]com), the verification\r\nheader’s value of dd, the extension name, and its version. It seems like the version information is accurate – there\r\nare several differences between the versions we saw (2.0, 3.0, and 4(.0,.3,.4)). (For our observations on the\r\nrelationship between variants and versions, please see the “Introduction” section.)\r\nVersion 2.0 (First seen Jan. 4, 2022):\r\nMissing functionality:\r\nNo advertisements for victims.\r\nSearch engine query gathering from Google only.\r\nNo deletion of existing browser extensions.\r\nVersion 3.0 (Jan. 6, 2022):\r\nAdded functionality:\r\nSearch engine queries are now gathered from Yahoo and Bing as well.\r\nSetWithExpiry() and GetWithExpiry() functions added and used for storing variables (i.e., query URL) and\r\ndeleting existing extensions, respectively.\r\nExisting extensions deletion mechanism.\r\n4.* versions (Jan. 7, 2022):\r\nAdded functionality:\r\nMore obfuscations throughout the script.\r\nChrome advertising mechanism added.\r\nChanged the hardcoded C2 URL.\r\nChrome alert mechanism.\r\nMacOS variant\r\nIn March 2022, a new variant emerged targeting MacOS users. This variant remains active and uses similar\r\ntechniques to install its payload and hide its actions. It uses the same infection method of directing victims to\r\ncompromised pay-per-download websites to install its dropper.\r\nhttps://unit42.paloaltonetworks.com/chromeloader-malware/\r\nPage 18 of 33\n\nIn this case, the dropper is a disk image (DMG) file – the MacOS implementation for ISO files – containing\r\nseveral files, including one bash script. 
The bash script resembles the scheduled PowerShell script in multiple\r\nmanners:\r\nDownloads the payload – a browser extension from a remote installation server.\r\nLoads the payload into the target’s browsers – Google Chrome and the built-in Safari browser.\r\nFigure 31. An example of an early version of the MacOS installation script.\r\nIn more advanced cases, instead of hardcoding the download execute portion in the bash script, the authors\r\nencoded these commands in a separate file, then decoded and executed by the bash script using OpenSSL.\r\nFigure 32. An example of a later MacOS installation script.\r\nThe downloaded extension functions were similar to those used in the Windows OS versions. The MacOS variant\r\nuses the same obfuscation method to execute the same vital components – gather search engine queries and\r\npresent advertisements. In addition, new C2 addresses were used in this version.\r\nBased on the version number of the malicious extensions delivered by this variant, the attackers reference the\r\nMacOS variant as later than the Windows variants, which fits the timeline of infections in this campaign. In our\r\nresearch, the extensions found with this variant were labeled as the 6.0 version of this malware.\r\nSecond Windows Variant (Variant 2)\r\nIn March 2022, several weeks after the last known infection of Variant 1, we identified a new campaign with\r\nmultiple similarities to the first one, which makes us believe that we are actually facing another variant of the\r\nsame ChromeLoader malware, referred to in this blog as Variant 2.\r\nThe infection vector for this Variant 2 is identical to Variant 1. Users are enticed to download a torrent or cracked\r\nvideo game through malvertising campaigns on pay-per-install sites and social media.\r\nISO images used for Variant 2 contain new executables. 
Victims would only see a Windows shortcut, which they\r\nwould double-click to install the desired software or watch the movie.\r\nhttps://unit42.paloaltonetworks.com/chromeloader-malware/\r\nPage 19 of 33\n\nFigure 33. An example of a malicious mounted ISO.\r\nHowever, the ISO image contains other hidden files executed when the victim launches the Windows shortcut\r\n(.lnk file). The .lnk file simply runs a batch script named resources.bat. The script, in turn, extracts the contents of\r\napp.zip into %APPDATA%. The zip archive contains an executable named Tone.exe, which is eventually stored\r\ninto a registry run key by the batch script, making the infection persistent.\r\nFigure 34. An example of the LNK file configuration.\r\nFigure 35. An example of resources.bat content.\r\nhttps://unit42.paloaltonetworks.com/chromeloader-malware/\r\nPage 20 of 33\n\nLike Variant 1, Variant 2 installed the same type of Chrome extension. The malware launched a cmd.exe process,\r\nwhich in turn executed powershell.exe. The PowerShell process executed WMI queries, used for installing a new\r\nscheduled task named chrome *, launching another encoded PowerShell command.\r\nFigure 36. An example of a causality chain when the malware installs a scheduled task.\r\nWhen analyzing the above-mentioned obfuscated PowerShell script, we were faced with a script used as a\r\ndropper. This script doesn’t directly install a new Chrome extension, so it does not exactly match Variant 1’s\r\nPowerShell script pattern. However, the structure and use of variables resembles the behavior of Variant 1.\r\nFigure 37. An example of the installed schedule task script content after decoding.\r\nUsing XQL queries, when the installation server is available, the PowerShell script creates and loads the familiar\r\nmalicious Chrome extension (the 6.0 version, used in the latest MacOS variant).\r\nhttps://unit42.paloaltonetworks.com/chromeloader-malware/\r\nPage 21 of 33\n\nFigure 38. 
An example of the files downloaded by the encoded PowerShell.\r\nThe Real First Windows Variant – December 2021 (Variant 0)\r\nDue to its multiple infection incidents, this malware family has drawn worldwide attention in the cybersecurity\r\ncommunity.\r\nAs mentioned earlier, we detected different versions of this malware during our investigation. Each version was\r\nlabeled not only by us but also by the malware authors themselves. The earliest labeled version we detected was\r\n2.0. Therefore, we were confident that this wasn’t the first time these attackers struck, and we were determined to\r\nexpose the actual first version of this malware.\r\nDue to the attackers’ history of frequent payload updates, we were convinced that the first infection case occurred\r\nrelatively close to the currently reported infection case in January 2022.\r\nPivoting over the installation server domains used for the Variant 1 PowerShell dropper revealed that another\r\npiece of malware used some of these domains as its installation servers in December 2021.\r\nThis malware was an executable file written using AutoHotKey (AHK) - a framework used for scripting\r\nautomation.\r\nUsing this tool, the programmer can write short, easy-to-understand scripts using the AHK syntax. Then, by the\r\nprogrammer’s definitions, the framework creates matching hooks that will cause the execution of these scripts.\r\nWhen transforming AHK scripts into Windows executables, the original script source code is pasted into the end\r\nof the executable, making the investigation process for the researcher much more effortless compared to the other\r\nvariants, which used heavy obfuscation. In this case, the hardcoded script contained the following source code,\r\nwhich looks quite similar to the PowerShell droppers we already analyzed:\r\nhttps://unit42.paloaltonetworks.com/chromeloader-malware/\r\nPage 22 of 33\n\nFigure 39. 
An example of the AutoHotKey script content.\r\nIn short, this dropper downloads a payload from its installation server. We can assume that this payload is another\r\nbrowser extension by the variable name used for the downloaded payload (Extension_Name).\r\nAfter a more thorough investigation, we found the downloaded extension. Unsurprisingly, it also contained\r\nfeatures related to the ChromeLoader malware family – but more importantly, it was labeled version 1.0 (!)\r\nThese extensions were quite similar to the rest of the extensions related to this family, with one main difference –\r\nthis time, the extension was not obfuscated. It even contained some of the author’s comments regarding different\r\ncode sections.\r\nFigure 40. An example of the extension downloaded by this variant, without any changes from our\r\nside.\r\nConclusion\r\nThis blog documents different examples of a new malware family, ChromeLoader, spread using malicious\r\nadvertisements. This malware demonstrates how determined cybercriminals and malware authors can be: In a\r\nshort time period, the authors of ChromeLoader released multiple different code versions, used multiple\r\nprogramming frameworks, enhanced features, advanced obfuscators, fixed issues, and even adding cross-OS\r\nsupport targeting both Windows and MacOS.\r\nThis malware is used for hijacking victims’ browser searches and presenting advertisements – two actions that do\r\nnot cause serious damage or leak highly sensitive data. However, based on the wide distribution the attackers\r\ngained in such a short time, they were able to inflict heavier damage than the damage inflicted by the two primary\r\nfunctions of the Chrome Extension.\r\nhttps://unit42.paloaltonetworks.com/chromeloader-malware/\r\nPage 23 of 33\n\nAdditionally, the authors were quite organized, labeling their different malware versions and using similar\r\ntechniques throughout their attack routines. 
This probably made their lives easier while developing their attack\r\nframework and maintaining their attack chains, but unintentionally, this also made the investigation process\r\nsignificantly easier. In fact, it improved the research ability so much that we were able to detect two new versions\r\nof this malware – the first one and the latest, which have never been linked to this malware family before.\r\nFinally, this attack chain demonstrates two rising trends among malware authors that security products and even\r\ncommon users should be aware of – the use of ISO (and DMG) files and the use of browser extensions.\r\nProduct Coverage\r\nPalo Alto Networks customers using Cortex XDR Prevent or and Pro receive protections from such campaigns in\r\ndifferent layers, including the Local Analysis Machine Learning module, Behavioral Threat Protection, BIOC and\r\nAnalytics BIOCs rules that identify the tactics and techniques that ChromeLoader uses at different stages of its\r\nexecution.\r\nMost rules are not customized for ChromeLoader and are based on unusual, rare behaviors – and therefore provide\r\nprotection against many additional malware families and campaigns that use the same methods.\r\nThe following rules provide behavioral detections and preventions that block this malware at different stages for\r\nCortex XDR customers:\r\nRule Name Description\r\nPower Empire - 2280642765 Power Empire post-exploitation framework\r\nPowerShell Activity - 83290630 Suspicious PowerShell activity\r\nPowerShell Activity - 1683698903 Suspicious PowerShell activity\r\nPowerShell Activity - 1038764491 Suspicious PowerShell activity\r\nPowerShell Activity - 2677692363 Suspicious PowerShell activity\r\nSuspicious Scheduled Task Installed -\r\n161058768\r\nPotential malware granted persistency via scheduled task\r\nSuspicious File Dropped - 1664970582 Potential malware dropped a suspicious payload executable\r\nSuspicious File Dropped - 1833473256 Potential malware dropped a 
suspicious payload executable\r\nSuspicious Chromium Extension -\r\n4043645859\r\nPotential malware tries to load malicious extension to victim's\r\nbrowser\r\nStaged Malware Activity - 2903131508 Activity similar to ChromeLoader malware\r\nStaged Malware Activity - 4059467241 Activity similar to ChromeLoader malware\r\nhttps://unit42.paloaltonetworks.com/chromeloader-malware/\r\nPage 24 of 33\n\nIn addition, you can use the following XQL queries to detect ChromeLoader variants during their different\r\nexecution stages.\r\nVariant 1 (January) – Installer\r\ndataset = xdr_data\r\n| filter event_type = ENUM.RPC_CALL\r\n| filter actor_process_signature_status = ENUM.UNSIGNED\r\n| filter action_rpc_interface_uuid = \"{86D35949-83C9-4044-B424-DB363231FD0C}\" and\r\naction_rpc_func_opnum = 1\r\n| filter lowercase(action_rpc_func_str_call_fields) contains \"chrome\"\r\nVariant 2 (March) – Scheduled Task Installer\r\ndataset = xdr_data\r\n| filter event_type = ENUM.RPC_CALL\r\n| filter actor_process_image_name = \"powershell.exe\"\r\n| filter action_rpc_interface_uuid = \"{9556DC99-828C-11CF-A37E-00AA003240C7}\" and\r\naction_rpc_func_opnum = 25\r\n| filter lowercase(action_rpc_func_str_call_fields) contains \"powershell -windowstyle hidden -e\" and\r\naction_rpc_func_str_call_fields contains \"PS_ScheduledTask\"\r\nVariant 2 (March) – Tone.exe Extraction\r\ndataset = xdr_data\r\n| filter action_process_image_name = \"tar.exe\"\r\n| filter action_process_image_command_line contains \"-xvf\" and action_process_image_command_line\r\ncontains \"-C\" and action_process_image_command_line contains \"AppData\\Roaming\"\r\nMacOS Variant – Extension Download Encrypted\r\ndataset = xdr_data\r\nhttps://unit42.paloaltonetworks.com/chromeloader-malware/\r\nPage 25 of 33\n\n| filter agent_os_type = ENUM.AGENT_OS_MAC\r\n| filter event_type = ENUM.PROCESS\r\n| filter action_process_image_command_line contains \"sh -c echo* | base64 --decode | bash\"\r\n| dedup agent_hostname , 
action_process_image_command_line\r\n| fields _time , agent_hostname , action_process_image_command_line , actor_process_command_line\r\nSuspicious Browser Extension Loaded\r\ndataset = xdr_data\r\n| filter action_process_image_name in (\"chrome.exe\", \"safari\", \"chrome\")\r\n| filter action_process_image_command_line contains \"-load-extension=\"\r\n| filter actor_process_image_name in (\"powershell.exe\", \"bash\", \"sh\")\r\nPalo Alto Networks customers using WildFire also receive protections from this threat.\r\nIndicators of Compromise\r\nVariant 1 ISO hashes\r\nfa52844b5b7fcc0192d0822d0099ea52ed1497134a45a2f06670751ef5b33cd3\r\ne1f9968481083fc826401f775a3fe2b5aa40644b797211f235f2adbeb0a0782f\r\n860c1f6f3393014fd84bd29359b4200027274eb6d97ee1a49b61e038d3336372\r\n0ecbe333ec31a169e3bce6e9f68b310e505dedfed50fe681cfd6a6a26d1f7f41\r\n614e2c3540cc6b410445c316d2e35f20759dd091f2f878ddf09eda6ab449f7aa\r\n2e006a8e9f697d8075ba68ab5c793670145ea56028c488f1a00b29738593edfb\r\nbcc6cfc82a1dc277be84f28a3b3bb037aa9ef8be4d5695fcbfb24a1033174947\r\n6d89c1cd593c2df03cdbd7cf3f58e2106ff210eeb6f60d5a4bf3b970989dee2e\r\nedeec82c65adf5c44b52fbdc4b7ff754c6bd391653bba1e0844f0cab906a5baf\r\n6c54e1ea9c54e4d8ada1d15fcdbf53e4ee7e4a677d33c0ea91f6203e02140788\r\na9670d746610c3be342728ff3ba8d8e0680b5ac40f4ae6e292a9a616a1b643c8\r\nfb9cce7a3fed63c0722f8171e8167a5e7220d6f8d89456854c239976ce7bb5d6\r\n1717de403bb77e49be41edfc398864cfa3e351d9843afc3d41a47e5d0172ca79\r\n1b4786ecc9b34f30359b28f0f89c0af029c7efc04e52832ae8c1334ddd2b631e\r\n486c966b6e2d24dd8373181faf565d85abfd39559d334765f5135e20af55542c\r\n03b2f267de27dae24de14e2c258a18e6c6d11581e6caee3a6df2b7f42947d898\r\ndd2da35d1b94513f124e8b27caff10a98e6318c553da7f50206b0bfded3b52c9\r\n3927e4832dcbfae7ea9e2622af2a37284ceaf93b86434f35878e0077aeb29e7e\r\ne449eeade197cab542b6a11a3bcb972675a1066a88cfb07f09e7f7cbd1d32f6d\r\n8840f385340fad9dd452e243ad1a57fb44acfd6764d4bce98a936e14a7d0bfa6\r\n26977d22d9675deddfde231e89a77c013062b8820aa117c8c39fd0a0b6ab0a23\r\nVariant 1 executable hashes (aka CS_Installer.exe)\r\nded20df574b843aaa3c8e977c2040e1498ae17c12924a19868df5b12dee6dfdd\r\n1dbe5c2feca1706fafc6f767cc16427a2237ab05d95f94b84c287421ec97c224\r\n9eca0cd45c00182736467ae18da21162d0715bd3d53b8df8d92a74a76a89c4a0\r\nc56139ea4ccc766687b743ca7e2baa27b9c4c14940f63c7568fc064959214307\r\n3b5a18d45ab6fcf85df51703ef6fac8226fc274ecd0a21c0a1f15f15f7d39e01\r\n44464fb09d7b4242249bb159446b4cf4c884d3dd7a433a72184cdbdc2a83f5e5\r\n2d4454d610ae48bf9ffbb7bafcf80140a286898a7ffda39113da1820575a892f\r\n53347d3121764469e186d2fb243f5c33b1d768bf612cc923174cd54979314dd3\r\nafc8a5f5f8016a5ce30e1d447c156bc9af5f438b7126203cd59d6b1621756d90\r\n564e913a22cf90ede114c94db8a62457a86bc408bc834fa0e12e85146110c89b\r\nVariant 2 ISO hashes\r\ne72a42ad27c06ba0a9951705423a3650a0c4a1f8c18c5782ab98e2e72021bbb8\r\n26bce62ea1456b3de70d7ac328f4ccc57fe213babce9e604d8919adf09342876\r\n44f9680710ba7635bb3bfe025b087e85d51857d9618c5ffa5c247ccdc8bca3c3\r\n5ee2b7ea46cc3f34b796ab4992e778938c057490695e9109f016fc7a1b308395\r\na0ff3b427c77594fa48d79ed52d372bd2a8baae54ee85b243d86d9dd493ffbc6\r\nf3176bcd28b89e4ae7a4426c82c8b73ca22c62ecbc363296193c8f5becef973c\r\n424347b6f5caca8174d1b0ac2e32867a4201a41176fed1af7b3e1a0716fc7e46\r\nc67b87cb7420500e4b0bb6500f1875bc77a7d96997ed2850d8142dfd9636da29\r\n8f2da6c721251edd251addb795552ed54d89fb53d2a470d8a7f807e77aac402c\r\ne0d57152524e79a07e5b7d7b37831cb7596cd3afe651b4eecaf4123b1af1ffa6\r\n606d49ae054e13461bad3e405cc5996462c14bd48e94fe8a63f923fbb7c14b71\r\n7ef7bdf8ea2f8751f45482453bf7441d2b2f92d743324afdf1afc11ea248c56d\r\n84c93f1f7bdc44e8e92be10bf5e566f3116c9962c35262643fe2084c3b8d1bb5\r\n4673c1f8d307b70c4be837e842cfdf5cce60c6bf793ae85a1bce07c9c15fe14d\r\n0257dccfdeb1bc9683334d0d964c72ea0eeedbfda33cba1f60a395cca8e516da\r\n0d510dbcf8ed
5c7b81206598886a7fbd86f11d36871612ba066d6ec85723fada\r\ne920dbc4741114f747a631928e398ef671fe9133b6aab33991d18150b4fcd745\r\n3d65f5a060f8ecc92de9f5e0754b8f6c129cb9a243bf1504a92143ac3bc5a197\r\n11174dbaca376288fd59c66d1c00255ad6c034beff96a075e833897ef3a113cc\r\n44e77ac27a8b7d9227d95feb87bad1cc2a4ed2172c85f5e16d335a4d62d385f4\r\nVariant 2 executable hashes (aka Tone.exe)\r\n00c07e354014c3fb21d932627c2d7f77bf9b4aeb9be6efb026afdbd0368c4b29\r\n3c7acdce8a37e40672eb4fba092804f9e783f284e7d52cbcf8a9f9f3cf306af7\r\n5fbf4d8d44b2e26450c1dd927c92b93f77550cebfbc267c80ff9d224c5318b88\r\n1bb6f2a9498a220ade34b64f3208287fca6699847a5fd61e0e5ed4ee56b19316\r\n4e5001c698f9f1758874067c5fb6fb2911e1f948db2cc0f289d42c61f2e2fec1\r\n747ba8be14e4d465f79a8211a26204230719ce19293725ca139f4386e57a7dff\r\nfcc92f1736b5b4bd9fe503e7d6debeb7e69858fc582783c3f35e7cdece9d4feb\r\n0b00a215a42739809a55f05b6028399843e305fb285028de6efc5544b949a1ef\r\n66ababb8bd9f8b19193f56678568197350be6306f448ee9a01eeee21a487f765\r\nce129e2e14fb0de7bd0af27a8303686bde1c330c05449c1ff95591f364189e33\r\n1a01be5f08943ce03811f398f7b77aba26313dc0d0681cfad89f37db59819bc2\r\nc93fbf63d82b816cd32dfc7bb0eaf7053fb27cfb78433638248010e83636ae20\r\n7f9d31d382cef81bf858b8e848897b41397c033ad5aa5c416277cf843d7218f5\r\n6c87e496ba0595ac161be8abb4e6da359d5d44c7e5afbe7de8fd689e4bb88249\r\nd3212f79f33c8ccf6ba27984ed18acc86ec2297fe9c3df8fad5a00878986f2e2\r\n329e7494d516652e64c1181979fdf53b507b4a3ab23b4821823f0aef96abc6a4\r\nb73becdb7ad8b130072622ac7b2f03d450d7d0f9aae28e67dcb6724e5727f96c\r\n10bd1b5144d9a2582aaecd28eb0b80366a2675d0fd8a2f62407f8c108d367ec7\r\n11ad9d3e25bee2275f4930818bd737df1e1d79b334f990970c61763078c532d0\r\n061408f4e1f37feb0b89db3cafc496194941fade412c96ee03fc46e492df3d29\r\n8bdaf2a1e5400df06ce4d47b5b302b20cfb62e662e778a657485c6599865e393\r\nVariant 0 executable 
hashes\r\n0bc3516e327fea0b5f65299366182d1e7577c9998d0cbd07891709f51fb0ac47\r\n0e1c5477ea71fdc1271e63989107b2d855c685c6c2303f297a610eb875520ec0\r\n140162b2c314e603234f2b107a4c69eb24aece3a3b6bd305101df7c26aee5f8e\r\n1dbc8aa73b64a1a607bcbe448347314d9a456d4d31a6cf846e25277b575bbb5b\r\n32aa2f66b96a95a00b032758232fc09e18439395466660b995a7d82905ef0637\r\n3ff8e17ee3c130e327a614400f594fec404c42188c0e7df0ce3b2bb3a3c1aff6\r\n57c0f3d24452b68d756577af78e809e2da12694691e62448bb132c12311360ec\r\n8ef4026b254dd0918bf3ace7741b26ff52a52ef024c721d8129c5ccfa4ccde24\r\nd2b1b9642884a6839f09204135944c02c7437f7e692d07bb0d0269c4ff8316bb\r\nd8d18baa934a4f1ad6777f2ca862be8d3b3a59a1fedb8d2a8e50f0a419793a15\r\ne4ab0e5ecbd6c87432f08398b7f7424a248f98ff780e0adb710edd0698bf5434\r\n45510bf70bc9063392ac0514f4e26431b9c38631ed0e61b6847fe9385f5eb17c\r\nf3727e372949d12ce9f214b0615c9d896dcf2ac0e09fcd40f4a85ff601ef01f0\r\nMacOS DMG hashes\r\n965a6729b89f432f61b65a7addbe376317e8fd4a188c05c6aae7f9e4a1a88fbb\r\n6f105daec2336658629042afa4f334f4949fc189404f66c09400fd2ca260eb0c\r\n267ab450a5965a525bda34deccd64bf22b5fb6cc04d811a3eec1d9289e28bc73\r\na6c8cbbe502df8407861590b97e634f51b85e4fe176bf68f86f6088ce81baaac\r\n6845a4b37e51fbf01a9573330c81483d5a438dbb1c87cbe069f72896927b4dab\r\nfad5e680c181fd7415e8c03ee20735411d1259f4ae19ead0100f0929d48f3f53\r\n40232e0ffdb8fe925f9d4a1f10d5aeda208bb58d82390ac7d1952f9219770103\r\nfd9a89dc83d26994708a1d9661322df12d107693d4b483a89bf9b03c974f418c\r\nb65dc44a3288b1718657d2197b1e0b22aa97d0e33b05e2877320e838da0ccb26\r\n2b24417ea8cb3271636e1747be0cc205af4bdc0d31686f024693259afdca259e\r\ndffdad0ced320b9934019a75658b16cf8f6abb2e4af48cb73f66a761dfe72392\r\n0c1700551ca47143590722ae60204f1a597040d5fa6afa966d4fc3c42d82d517\r\n060c0b17a2d6fc7fb3a7a866c2013891527f1cf4602c420bc186d55b1802e382\r\n1286ff043574dffb0c0a677b102272d7ea858030dc48d6c50534dba19d95adb6\r\n1adc521a448a3588c892c98e00c9e58ba30a453b0795286b79ff2f0eaf821d25\r\n90acb46c7964404cf22b7faad5910dfa97ae8d49b45808bd9f98bb61b7bc878f\r\nf0da9bf1fc8da212ae1bcb10339539f5127e62aae0ad5809c2ae855921d2ab96\r\nc0e50646addd20136befa520380e4d0f8915c0e0808fd8d393a386f5af87e623\r\n2612ee5c099d6115dcbed7247cc56838fdeeb2654ba365b1b00d6294e6981f22\r\n8ea53e242e05e5da560ac9a4c286f707e888784d9c64c43ae307d78b296d258a\r\na660f95f4649f7c1c4a48e1da45a622f3751ee826511167f3de726e2a03df05c\r\nZipped extension 
hashes\r\n6c1f93e3e7d0af854a5da797273cb77c0121223485543c609c908052455f045d\r\n92dc59664ab3427fb4b0d2d4108f1729abb506a2567770f7c4406e64db9aafae\r\n79114e6392bb8ffee76738e71f47131b0a2c843efe3e14f1b5e6a6d2a94c1046\r\n667f5bb50318fe13ea11227f5e099ab4e21889d53478a8ee1677b0f105bdc70a\r\n34d21f3a543a69f34973c25bbaaedb5c8bc797d63da493cbac97bfbbedbe7206\r\na950e93ab9b2c4d1771a52fbeb62a9f2f47dc20e9921b9d23d829b949ba187b5\r\n48efaa1fdb9810705945c15e80939b0f8fe3e5646b4d4ebcace0c049d1a67789\r\n6c1af2e5cf6d6ea68c7e017d279b432d5259358b81ea1c444dc20625805b95b9\r\n0f5fb924eb5eb646ba6789db665545a08c0438e99e5a24f27c37bc0279b1a8a6\r\na1005c22c2305781fbbce5552dcc095f9ef0237023d7041eace005542fcd3d81\r\n7f2cd9ad91ddab408619d3c80eef614b91a727c35285ebd813bcd1636b2cb030\r\n7e3d97c3802cc8bc9524480170d78aa68a9de28e3a7f4ce35d103f77843a3d0c\r\nf940e948586d3148e28df3e35e5671e87bc7c49525606068ac6f00783409d7aa\r\n63c97409bb2a8b5026b459ff6c6dcc93dd12fdd8c0a4915e9298bd96dfdedb5c\r\n3b4c3c598b87a3c3b9590940b4e67861c6541316bac1e1c07a139b1892307c04\r\na113128466145973de141c4e5c5199e5474050edd4d9225463d0527d68935ef0\r\nef633a38fb49a81a30fe8977dff378bb9e89f849ceceb709cbcf76272f92c402\r\ncc01324cbefb6d79e3a7ea1031edb6256fb3d40832ea621913aadda70e08a3b9\r\n3271eac4d9d20044a5fc27be6d0feece31791f3889dce2788f7ef4e201ffff4e\r\n8e74b6d667d7ddb7859687fd5c599f67b62b491087d1d926037effc7f7890b43\r\n4556d3c5e6a3322fcb39da3ef5b36d541bab70fa2f68a12e52c3de41bef092a6\r\n181a15d583d1ba4ad42b09ab62f3ef401c8cc2103e7ea2717d0571864f5440fd\r\n308071d4e8298b4eba9f82ca7269ac58f8e39f64da515c0761406aacd110b731\r\nddb1793220d75c7126eb8af9f0d35f22e7be6998bf8ede8199c2019119b26592\r\n5b7dedcf0802547c8e18d46fbfe1a5daa91e77a6cf464c4b5f0cfc48fa235c1d\r\nb8b8f57edbd70345e2134abd8917371a29e04aa37210b553879710f717b69ddd\r\n6b1db4f891aa9033b615978a3fcfef02f1904f4eba984ba756ff5cd755d6f0b4\r\n099c2d8c3c34a24f6ed3cbf5c4ff6b22312546f2c3881281b7cc66ebff899136\r\n70f1d1b35ee085768aa75f171c4d24b65d16099b2b147f667c891f31d594311b\r\n3da0189884e07adfe946ef8f214fa9ec1c01bf093d69418563368f39fdc98e12\r\n216f9f9c3e69c6723203afb79ee91917eff7707312058d7e9858d70bfb6acf92\r\nf85e706123bedf3b98eb23e2fb4781e2845b2b438aa0f6789c2b496bfb36d580\r\n18b8ab327177cbde47867694d3d7acb93c83237d2418271f1020fe943760c026\r\n23f30fa4e9fe3580898be54f8762f85d5098fd526a51183c457b44822446c25a\r\n276f4008ce6dcf867f3325c6b002950cbd0fdb5bf12dc3d3afb1374622820a4e\r\n309c87b34966daecd05c48b787c3094eeed85b5f23ec93b20fc9cdbf8ff9b586\r\n47c65ef4d6b0ffe7109c588e04575dcf05fdf3afe5796078b4f335cb94c438b7\r\n502a8d1e95c21b5dc283ef4877ca2fe2ba41570bd813c47527fca2fb224d5380\r\n5e6b5a9c0849db8ca0696a16c882d6945a62e419bd646f23d4d00533bbe9bca5\r\n6e0cb7518874437bac717ba1888991cee48dfaca4c80a4cbbbe013a5fe7b01a6\r\n83cf9d2244fa1fa2a35aee07093419ecc4c484bb398482eec061bcbfbf1f7fea\r\n87f0416410ac5da6fd865c3398c3d9012e5488583b39edacd37f89bc9469d6a9\r\nc6a68fac895c0b15d5cbbba63f208e5b0a6f3c1d2382b9465375d1794f447ac5\r\nc7aedc8895e0b306c3a287995e071d7ff2aa09b6dac42b1f8e23a8f93eee8c7a\r\nd374ef30aa17f8bad0fb88d0da47f4038669c340d4c7fc2ff6505b07c17fdf65\r\ndfc90f64139b050cf3c72d833e1a7915af1bd689ece7222b9ac2c8426a0bfd0a\r\n9a5be852afef127b5cbe3af23ef49055677b07bcaca1735cf4ad0ff1e8295ccb\r\n7ba5e623ad2e09896f0e1d1167758bcf22a9092e4a65856f825a2b8740e748f6\r\nedb21b3f6f52ab0d0e17aca7e658a6e3f9ce98002433810612562b8e6ab41920\r\n0cf40fbce8a48bfc5068ac24ec1dd1f828af31fe3cff0342003d12b0ea561dcf\r\n4a0ababa34024691dc1a9e6b050fe1e5629220af09875998917b1a79af4e2244\r\n52c7bb3efafdd8f16af3f7
5ca7e6308b96e19ef462d5d4083297da1717db8b07\r\nbcac3fee6182a64764e88b4ed4f78cc071f297c501746df6473b0e9e679b3b43\r\naa9b742267bba71507a644ea4ee52a0f118ee6d595bd7eac816a8e8ee0246427\r\n55f240467cf2c0891484d97ded9e0c53b259a88814b6f1c78a8961bda58c9377\r\n49006f7529453966d6796040bb1c0ab2d53a1337c039afe32aaa14a8cce4bf0e\r\n08de8a1103ccd7980a9900e2ceccdef0fe4db6bd06184eb628bfbcf76a7ff997\r\n2eb1056cc176747c1be4b115be90cc7ee26da11a597cff6631da54c517d1a15c\r\n436dde0fb44f95371832a55e56ed9ee9cb22f5323ce0d2a4cdcd61cbab713503\r\nc05dbec1aaa11703195c743433a4319d49180c7fbd9a962e162cacd6b605ddd9\r\nb919fbd354654a7bf99db7206adf6a5fba9ce73ee3fedb6d08ed932ee527f301\r\nbfead4ccc3c16dee5f205b78e12aaaa2b33bdedbc57e22a4dbc48724f13f6277\r\neddd3ce6d39909be6fd5a093c2798a0c9113769b8f0f24a038449b409232472a\r\n22f4a87053769ae21efa8945a83e46df2f56e8f01a66f156cacf5ef6b6a8262a\r\na3631d6012b72a63b0f1b4a013d0971ea8505ee3db32d4a0b7b31cb9ba8dd309\r\n1ad535854fe536fd17aa56ae82f74872d6fad18545e19950afa3863bcbcf34eb\r\n9d46a0509291bf3365771f6ad53e213ffb58e4926f11365687f4a11fd0f03855\r\nC2 and Installation Servers\r\nInstallation Servers\r\nbrokenna[.]work\r\netterismype[.]co\r\nidwhitdoe[.]work\r\nithconsukultin[.]com\r\nlearnataloukt[.]xyz\r\nrsonalrecom[.]co\r\nyflexibilituky[.]co\r\nyeconnected[.]com\r\nableawid[.]com\r\nairplanegoobly[.]com\r\nbaganmalan[.]com\r\nballjoobly[.]com\r\nbalokyalokd[.]com\r\nboogilooki[.]com\r\nbookimooki[.]com\r\ncarfunusme[.]com\r\ncarmoobly[.]com\r\nchairtookli[.]com\r\nchookiebooki[.]com\r\nchoopinookie[.]com\r\nckgrounda[.]com\r\ncomputermookili[.]com\r\ndubifunme[.]com\r\ndudesurfbeachfun[.]com\r\nexkcellent[.]com\r\nfunbeachdude[.]com\r\nketobepar[.]com\r\nkooblniplay[.]com\r\nletfunhapeme[.]com\r\nlookiroobi[.]com\r\nlookitoogi[.]com\r\nmadorjabl[.]com\r\nmalanbagam[.]com\r\nmokkilooki[.]com\r\nmyeducatio[.]com\r\nnakasulba[.]com\r\nndinterper[.]com\r\nndworldwi[.]com\r\nnookiespooti[.]com\r\noempafnyfi[.]com\r\nsaveifmad[.]com\r\nsiwoulukdli[.]com\r\nslootni[.]com\r\nsonalskills[.]com\r\ntabletoobly[.]com\r\ntoogimoogi[.]com\r\ntoukfarep[.]com\r\nuiremukent[.]com\r\nukrawinrusyes[.]com\r\nutfeablea[.]com\r\nvoobmijump[.]com\r\nxoomitsleep[.]com\r\nyalfnbagan[.]com\r\nyalokmalos2[.]com\r\nyescoolservmate[.]com\r\nyourretyeq[.]com\r\ntcaukthw[.]com\r\ntooblycars[.]com\r\nkoooblycar[.]com\r\nrooblimyooki[.]com\r\nyooblygoobnku[.]com\r\nplaykooblni[.]com\r\nrockslootni[.]com\r\nmuendakere[.]xyz\r\nmployeesihigh[.]xyz\r\nadiingsinsp[.]xyz\r\najorinryeso[.]xyz\r\nktyouexpec[.]xyz\r\nngwitheaam[.]xyz\r\nptonnervent[.]xyz\r\nukmlasttyye[.]xyz\r\nukseseem[.]xyz\r\nwithyourret[.]xyz\r\nC2s\r\nbetasymbolic[.]com\r\nkrestinaful[.]com\r\ntobepartou[.]com\r\ntobedirectuke[.]com\r\neandworldw[.]com\r\netobepartou[.]com\r\nkfareputfeabl[.]com\r\nblesasmetot[.]com\r\nsiwoulukdlik[.]com\r\nsforourcompa[.]com\r\nSource: https://unit42.paloaltonetworks.com/chromeloader-malware/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/chromeloader-malware/"
	],
	"report_names": [
		"chromeloader-malware"
	],
	"threat_actors": [
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434672,
	"ts_updated_at": 1775792207,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ce8680bd4d2648914f083a7cf2ef03469aa58c7e.pdf",
		"text": "https://archive.orkl.eu/ce8680bd4d2648914f083a7cf2ef03469aa58c7e.txt",
		"img": "https://archive.orkl.eu/ce8680bd4d2648914f083a7cf2ef03469aa58c7e.jpg"
	}
}
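The XQL hunting queries in the record's plain_text are written for Cortex XDR's xdr_data dataset and can only be run against a tenant. What follows is an added example, not code from the Unit 42 article or from Palo Alto Networks: the same five filters re-implemented as Python predicates over dict events whose keys mirror the xdr_data field names the queries use, run over constructed sample events (the hostnames, paths and base64 blobs are made up; the interface UUIDs, opnums and match strings are copied from the queries). Two assumptions are labelled in the code: ENUM values are compared as their bare names, and the `*` in the macOS query's `echo*` is treated as a wildcard. The predicates keep the queries' matching semantics, including a point worth noticing at triage time: `contains "-load-extension="` is a substring test, so it fires on Chrome's real `--load-extension=` switch, and only the actor-process filter (powershell.exe, bash, sh) narrows it, which means a developer starting Chrome from a terminal with a side-loaded extension will also match.

```python
"""Offline re-implementation of the five ChromeLoader XQL hunting queries.
Added example, not Unit 42 code: each Cortex XDR query becomes a predicate over
a dict whose keys mirror the xdr_data field names; ENUM values are bare names."""
import re
from typing import Callable, Dict, Iterable, List, Tuple

Event = Dict[str, object]
# Interface UUIDs and opnums exactly as they appear in the page's queries.
SCHRPC_UUID = "{86D35949-83C9-4044-B424-DB363231FD0C}"  # ITaskSchedulerService
WBEM_UUID = "{9556DC99-828C-11CF-A37E-00AA003240C7}"    # IWbemServices
# XQL `sh -c echo* | base64 --decode | bash`: the `*` is read as a wildcard
# (assumption) so the encoded blob between echo and the pipe may be any length.
_MAC_STAGER = re.compile(r"sh -c echo.*\| base64 --decode \| bash")

def _cmd(ev: Event) -> str:
    return str(ev.get("action_process_image_command_line", ""))

def _rpc_fields(ev: Event) -> str:
    return str(ev.get("action_rpc_func_str_call_fields", ""))

def variant1_installer(ev: Event) -> bool:
    # Variant 1 (January): unsigned process registering a task over SchRpc.
    return (ev.get("event_type") == "RPC_CALL"
            and ev.get("actor_process_signature_status") == "UNSIGNED"
            and ev.get("action_rpc_interface_uuid") == SCHRPC_UUID
            and ev.get("action_rpc_func_opnum") == 1
            and "chrome" in _rpc_fields(ev).lower())

def variant2_scheduled_task(ev: Event) -> bool:
    # Variant 2 (March): PowerShell creating a PS_ScheduledTask over WMI whose
    # action is a hidden, base64-encoded PowerShell command.
    fields = _rpc_fields(ev)
    return (ev.get("event_type") == "RPC_CALL"
            and ev.get("actor_process_image_name") == "powershell.exe"
            and ev.get("action_rpc_interface_uuid") == WBEM_UUID
            and ev.get("action_rpc_func_opnum") == 25
            and "powershell -windowstyle hidden -e" in fields.lower()
            and "PS_ScheduledTask" in fields)

def variant2_tone_extraction(ev: Event) -> bool:
    # Variant 2 (March): tar.exe unpacking the payload under AppData\Roaming.
    cmd = _cmd(ev)
    return (ev.get("action_process_image_name") == "tar.exe"
            and "-xvf" in cmd and "-C" in cmd and "AppData\\Roaming" in cmd)

def macos_encrypted_download(ev: Event) -> bool:
    # macOS variant: shell stager piping a base64 blob straight into bash.
    return (ev.get("agent_os_type") == "AGENT_OS_MAC"
            and ev.get("event_type") == "PROCESS"
            and _MAC_STAGER.search(_cmd(ev)) is not None)

def suspicious_extension_load(ev: Event) -> bool:
    # Browser started by a shell with an unpacked extension side-loaded; the
    # substring test on `-load-extension=` also matches `--load-extension=`.
    return (ev.get("action_process_image_name") in ("chrome.exe", "safari", "chrome")
            and "-load-extension=" in _cmd(ev)
            and ev.get("actor_process_image_name") in ("powershell.exe", "bash", "sh"))

RULES: List[Tuple[str, Callable[[Event], bool]]] = [
    ("Variant 1 (January) - Installer", variant1_installer),
    ("Variant 2 (March) - Scheduled Task Installer", variant2_scheduled_task),
    ("Variant 2 (March) - Tone.exe Extraction", variant2_tone_extraction),
    ("MacOS Variant - Extension Download Encrypted", macos_encrypted_download),
    ("Suspicious Browser Extension Loaded", suspicious_extension_load),
]

def hunt(events: Iterable[Event]) -> List[Tuple[str, str]]:
    """Run every rule over every event; return (rule, hostname) hits, collapsed
    per host and command line the way the macOS query's `dedup` clause does."""
    seen, hits = set(), []
    for ev in events:
        for name, rule in RULES:
            key = (name, ev.get("agent_hostname"), _cmd(ev), _rpc_fields(ev))
            if rule(ev) and key not in seen:
                seen.add(key)
                hits.append((name, str(ev.get("agent_hostname"))))
    return hits

# Constructed sample telemetry (not from the article): one event per stage, benign
# activity on WS03 that must not fire, and a repeated stager that dedup collapses.
MAC_CMD = "sh -c echo c2ggLWMgZWNobw== | base64 --decode | bash"
SAMPLE_EVENTS: List[Event] = [
    {"agent_hostname": "WS01", "event_type": "RPC_CALL", "action_rpc_func_opnum": 1,
     "actor_process_signature_status": "UNSIGNED", "action_rpc_interface_uuid": SCHRPC_UUID,
     "action_rpc_func_str_call_fields": "path=\\Chrome xml=<Task/>"},
    {"agent_hostname": "WS02", "event_type": "RPC_CALL", "action_rpc_func_opnum": 25,
     "actor_process_image_name": "powershell.exe", "action_rpc_interface_uuid": WBEM_UUID,
     "action_rpc_func_str_call_fields": "PS_ScheduledTask Powershell -windowstyle hidden -e SQBFAFgA"},
    {"agent_hostname": "WS02", "action_process_image_name": "tar.exe",
     "action_process_image_command_line": r'tar.exe -xvf "D:\a" -C C:\Users\u\AppData\Roaming\x'},
    {"agent_hostname": "WS02", "actor_process_image_name": "powershell.exe", "action_process_image_name": "chrome.exe",
     "action_process_image_command_line": r"chrome.exe --load-extension=C:\Users\u\AppData\Roaming\x"},
    {"agent_hostname": "MAC01", "agent_os_type": "AGENT_OS_MAC", "event_type": "PROCESS",
     "action_process_image_command_line": MAC_CMD},
    {"agent_hostname": "MAC01", "actor_process_image_name": "bash", "action_process_image_name": "chrome",
     "action_process_image_command_line": "chrome --load-extension=/tmp/x"},
    {"agent_hostname": "WS03", "actor_process_image_name": "explorer.exe", "action_process_image_name": "chrome.exe",
     "action_process_image_command_line": "chrome.exe --profile-directory=Default"},
    {"agent_hostname": "WS03", "action_process_image_name": "tar.exe",
     "action_process_image_command_line": r"tar.exe -xvf C:\src\pkg.tar -C C:\src"},
    {"agent_hostname": "MAC01", "agent_os_type": "AGENT_OS_MAC", "event_type": "PROCESS",
     "action_process_image_command_line": MAC_CMD},
]

if __name__ == "__main__":
    for rule, host in hunt(SAMPLE_EVENTS):
        print(f"{host}: {rule}")
```

Run directly it reports six hits: the Variant 1 installer on WS01, the scheduled-task installer, the tar.exe extraction and the shell-launched Chrome on WS02, and the stager plus the bash-launched Chrome on MAC01. WS03's interactive Chrome start and its tar run outside AppData\Roaming produce nothing, and the repeated macOS stager is reported once because `hunt` keys its dedup on rule, host and command line.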