Security researchers have noticed that the operators of the ChromeLoader browser hijacking and adware campaign are now using VHD files named after popular games. Previously, such campaigns relied on ISO-based distribution.
The malicious files were discovered by member of the Ahnlab Security Emergency Response Center (
ASEC) through Google search results to queries for popular games
Among the game titles abused for adware distribution purposes are Elden Ring, ROBLOX, Dark Souls 3, Red Dead Redemption 2, Need for Speed, Call of Duty, Portal 2, Minecraft, Legend of Zelda, Pokemon, Mario Kart, Animal Crossing, and more.
A network of malvertising sites distributes the malicious files, which appear as legitimate game-related packages, that install the ChromeLoader extension.
ChromeLoader hijacks the browser searches to show advertisements. Itt also modifies the browser settings, and collects credentials and browser data.
According to
Red Canary data, the malware bacame more prevalent in May 2022. In September 2022,
VMware reported new variants carying out more sophisticated network activities. In some cases the actor even delivered the Enigma ransomware.
In all cases seen throughout 2022, ChromeLoader arrived on the target system as an ISO file. Lately, the operators appear to prefer the VHD packaging.
VHD files can be easily mounted on on a Windows system and are supported by multiple virtualization software.
