#News

Thousands Of Chrome Browsers At Risk Of Free Software Scams

Date: April 14, 2025

An ongoing trojan malware campaign has been caught by researchers infecting thousands of Google Chrome and Microsoft Edge browsers.

Cybersecurity researchers have found an ongoing trojan malware campaign that hijacks web browsers to steal confidential information. The campaign targets Google Chrome and Microsoft Edge, and its installers masquerade as popular free software such as Roblox FPS Unlocker, VLC media player, KeePass, Steam, and YouTube.

This single campaign has hit over 300,000 Google Chrome and Microsoft Edge users globally. Victims were lured by convincing lookalike websites of mainstream tech giants such as YouTube into installing trojan malware that has been active since 2021. Once installed, the malware controls which browser extensions and add-ons are installed and what tasks they execute.

"The trojan malware contains different deliverables ranging from simple adware extensions that hijack searches to more sophisticated malicious scripts that deliver local extensions to steal private data and execute various commands."

- Spokesperson, ReasonLabs research team

The malware also replaces the user's preferred default search engine with its own, and the change keeps coming back even after users restore their original setting. These search engines serve as a convenient playground for running ads or deploying more dangerous malware. Earlier, this malware was hidden in cracked versions of paid software that many websites offered for free.

The most dangerous part about this malware is that it cannot be removed from the system without a tough fight. Major antivirus software either fails to detect it or cannot remove it, even though it has existed for over three years by now. The extensions enabled by the malware cannot be disabled even in Developer mode. Newer versions carry scripts that can remove browser updates that would identify or delete the extensions.

One way to remove this malware is to eliminate it from the system folders themselves. This includes deleting the scheduled tasks that reactivate the malware and removing the registry entries and their associated files and folders, which are listed below:

  • C:\Windows\system32\Privacyblockerwindows.ps1
  • C:\Windows\system32\Windowsupdater1.ps1
  • C:\Windows\system32\WindowsUpdater1Script.ps1
  • C:\Windows\system32\Optimizerwindows.ps1
  • C:\Windows\system32\Printworkflowservice.ps1
  • C:\Windows\system32\NvWinSearchOptimizer.ps1 - 2024 version
  • C:\Windows\system32\kondserp_optimizer.ps1 - May 2024 version
  • C:\Windows\InternalKernelGrid
  • C:\Windows\InternalKernelGrid3
  • C:\Windows\InternalKernelGrid4
  • C:\Windows\ShellServiceLog
  • C:\windows\privacyprotectorlog
  • C:\Windows\NvOptimizerLog
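The cleanup the article describes, written out as an added defender's check. This is example code added here, not the article's or ReasonLabs' own tooling: it looks for the files and folders listed above, for any scheduled task whose action references one of those names (the article says such tasks exist but does not name them, so matching is by path), and, as an assumption on my part since the article names no specific registry keys, for Run/RunOnce autorun values that reference them. It only reports by default and deletes nothing unless run with -Remove from an elevated PowerShell session.

```powershell
# Added example (not from the article or ReasonLabs). Hunts for the indicators the
# article lists and the persistence that points at them. Report-only unless -Remove.
[CmdletBinding()]
param(
    [switch]$Remove   # delete what is found; requires an elevated session
)

# File and folder paths quoted in the article
$Indicators = @(
    'C:\Windows\system32\Privacyblockerwindows.ps1',
    'C:\Windows\system32\Windowsupdater1.ps1',
    'C:\Windows\system32\WindowsUpdater1Script.ps1',
    'C:\Windows\system32\Optimizerwindows.ps1',
    'C:\Windows\system32\Printworkflowservice.ps1',
    'C:\Windows\system32\NvWinSearchOptimizer.ps1',
    'C:\Windows\system32\kondserp_optimizer.ps1',
    'C:\Windows\InternalKernelGrid',
    'C:\Windows\InternalKernelGrid3',
    'C:\Windows\InternalKernelGrid4',
    'C:\Windows\ShellServiceLog',
    'C:\windows\privacyprotectorlog',
    'C:\Windows\NvOptimizerLog'
)

# Bare names (e.g. "Privacyblockerwindows") used to match task actions and autorun values
$Names = $Indicators | ForEach-Object { [System.IO.Path]::GetFileNameWithoutExtension($_) }

$findings = New-Object System.Collections.Generic.List[object]

# 1. Files and folders from the article's list
foreach ($path in $Indicators) {
    if (Test-Path -LiteralPath $path) {
        $findings.Add([pscustomobject]@{ Type = 'Path'; Name = $path; Detail = '' })
        if ($Remove) { Remove-Item -LiteralPath $path -Recurse -Force -ErrorAction SilentlyContinue }
    }
}

# 2. Scheduled tasks whose action references one of the indicator names
#    (the article says such tasks reactivate the malware but does not name them)
foreach ($task in Get-ScheduledTask -ErrorAction SilentlyContinue) {
    foreach ($action in $task.Actions) {
        $cmd = "$($action.Execute) $($action.Arguments)"
        $hit = $Names | Where-Object { $cmd -like "*$_*" } | Select-Object -First 1
        if ($hit) {
            $findings.Add([pscustomobject]@{
                Type = 'ScheduledTask'; Name = "$($task.TaskPath)$($task.TaskName)"; Detail = $cmd })
            if ($Remove) {
                Unregister-ScheduledTask -TaskName $task.TaskName -TaskPath $task.TaskPath -Confirm:$false
            }
            break
        }
    }
}

# 3. Autorun registry values referencing the names. Assumption: the article names no
#    registry keys, so the standard Run/RunOnce locations are the ones checked here.
$RunKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
$providerProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
foreach ($key in $RunKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    $values = Get-ItemProperty -Path $key
    foreach ($prop in $values.PSObject.Properties) {
        if ($prop.Name -in $providerProps) { continue }
        $data = [string]$prop.Value
        $hit = $Names | Where-Object { $data -like "*$_*" } | Select-Object -First 1
        if ($hit) {
            $findings.Add([pscustomobject]@{ Type = 'Registry'; Name = "$key\$($prop.Name)"; Detail = $data })
            if ($Remove) { Remove-ItemProperty -Path $key -Name $prop.Name -ErrorAction SilentlyContinue }
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No indicators from the article were found on this system.'
} else {
    $findings | Format-Table -AutoSize
    if (-not $Remove) { Write-Output 'Report only. Re-run with -Remove from an elevated session to delete the items above.' }
}
```

Run it once without arguments to see what is present, review the table, and only then run it with -Remove. Because the task and registry checks match on name fragments, a hit in those two sections is worth reading before deletion: a task whose action merely contains a similar string would also be listed.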

Users who find these folders on their system can also check whether their sensitive data has been exposed online. To safeguard themselves against monetary losses, they should remove all confidential data from these systems, including passwords, financial credentials, and other personal documents.

By Arpit Dubey