BTC $55865.7639
ETH $3222.4858
BNB $400.6682
SOL $110.6842
XRP $0.5548
ADA $0.6230
AVAX $39.2767
DOGE $0.0896
TRX $0.1404
wstETH $3751.1765
LINK $19.0474
DOT $8.0594
WETH $3236.9354
MATIC $1.0625
UNI $10.5983
WBTC $55965.3668
IMX $3.3901
ICP $13.0143
BCH $300.6764
LTC $74.8911
CAKE $3.2355
FIL $8.1517
ETC $28.1561
RNDR $7.4096
KAS $0.1718
DAI $0.9979
HBAR $0.1117
ATOM $11.3293
VET $0.0491
INJ $36.5642
TON $2.1072
OKB $51.3395
LDO $3.5443
FDUSD $1.0015
STX $3.0723
ARB $1.9162
NEAR $4.0168
XMR $131.7677
TIA $17.0755
XLM $0.1186
GRT $0.2823
ENS $22.2643
THETA $2.1117
MKR $2155.4331
WEMIX $2.1023
APEX $2.4575
BEAM $0.0357
BTC $55865.7639
ETH $3222.4858
BNB $400.6682
SOL $110.6842
XRP $0.5548
ADA $0.6230
AVAX $39.2767
DOGE $0.0896
TRX $0.1404
wstETH $3751.1765
LINK $19.0474
DOT $8.0594
WETH $3236.9354
MATIC $1.0625
UNI $10.5983
WBTC $55965.3668
IMX $3.3901
ICP $13.0143
BCH $300.6764
LTC $74.8911
CAKE $3.2355
FIL $8.1517
ETC $28.1561
RNDR $7.4096
KAS $0.1718
DAI $0.9979
HBAR $0.1117
ATOM $11.3293
VET $0.0491
INJ $36.5642
TON $2.1072
OKB $51.3395
LDO $3.5443
FDUSD $1.0015
STX $3.0723
ARB $1.9162
NEAR $4.0168
XMR $131.7677
TIA $17.0755
XLM $0.1186
GRT $0.2823
ENS $22.2643
THETA $2.1117
MKR $2155.4331
WEMIX $2.1023
APEX $2.4575
BEAM $0.0357
  • Catalog
  • Blog
  • Tor Relay
  • Jabber
  • One-Time notes
  • Temp Email
  • What is TOR?
  • We are in tor
  • ChromeLoader adware is delivered to target systems via fake installers of hacked games

    Fans of pirated gaming are punished by hackers by forced viewing of ads in the browser.

    Security researchers at Ahnlab Security (ASEC) recently discovered that operators of the ChromeLoader malware ad campaign are now using ".vhd" files named after popular games to distribute. Previously, such campaigns were based on the distribution of similar ".iso" images.

    Malicious files were discovered by one of the ASEC specialists through the results of a Google search for free downloads of popular games.


    Among the games used to distribute the above software are: Elden Ring, ROBLOX, Dark Souls 3, Red Dead Redemption 2, Need for Speed, Call of Duty, Portal 2, Minecraft, Legend of Zelda, Pokemon, Mario Kart, Animal Crossing and others.

    A network of malicious sites distributes virtual disk images that look like legitimate game installation packages. However, when they try to launch, they install a malicious ChromeLoader extension in the Chromium-based browser. This extension intercepts browser search requests to display ads, and also changes its settings to collect a range of user data.

    According to Red Canary, this malware spread widely in May 2022. And in September, VMware announced new iterations of malware that perform more complex network actions. In some cases, attackers distributed Enigma ransomware in this way.

    In 100% of the cases seen last year, ChromeLoader was delivered to the target system as a virtual disk file with the ".iso" extension. Recently, however, for some reason, operators prefer files with the “.vhd” extension. Both options for virtual disks, starting with Windows 10, can be mounted in the system without installing additional software.

    Such images usually contain a number of files, but most of them are hidden from the user's eyes. As a rule, only a shortcut called "Install.lnk" is visible. Running the shortcut starts a batch script that unpacks the contents of the ZIP archive inside the image. The payload is loaded from a remote resource.


    According to ASEC, once installed, ChromeLoader starts redirecting users to advertising sites, thereby generating revenue for its operators. Actions are far from the most malicious, but pleasant is still not enough.

    The researchers note that the addresses hosting the ChromeLoader payload are not currently available. However, this does not mean that cybercriminals are no longer distributing a new version of adware with other sources to download the payload.

    Users are advised to avoid downloading hacked games and software from unofficial sources. And it's better to stay away from "cracked" products in principle, since it is in them that attackers usually embed malware.

    Author DeepWeb
    Nearly 50% of cybersecurity leaders will change jobs by 2025
    Meet the first UEFI bootkit that bypasses Secure Boot in Windows 11

    Comments 0

    Add comment