A large-scale malware campaign has been discovered, targeting Google Chrome and Microsoft Edge users by installing malicious extensions through fake websites. These sites imitate popular software download pages, tricking users into installing a trojan.
Key Points:
- Trojan Origins: The malware, active since 2021, originates from fake download sites promoting software like Roblox FPS Unlocker, YouTube, VLC media player, Steam, and KeePass.
- Malicious Impact: Over 300,000 users have been affected by this campaign, which hijacks search queries and redirects them through attacker-controlled servers.
- Stealth Techniques: The trojan installs browser extensions that cannot be disabled, even with Developer Mode enabled. It also prevents browser updates.
- Advanced Capabilities: These extensions can intercept web requests, inject scripts into web pages, and steal private data.
Removal Instructions:
If you suspect your system is compromised, take these steps:
- Delete the scheduled task that reactivates the malware daily.
- Remove specific Registry keys.
- Delete the following files and folders:
- Files:
- Privacyblockerwindows.ps1
- Windowsupdater1.ps1
- WindowsUpdater1Script.ps1
- Optimizerwindows.ps1
- Printworkflowservice.ps1
- NvWinSearchOptimizer.ps1 (2024 version)
- kondserp_optimizer.ps1 (May 2024 version)
- Folders:
- C:\Windows\InternalKernelGrid
- C:\Windows\ShellServiceLog
- C:\windows\privacyprotectorlog
- C:\Windows\NvOptimizerLog
- Files:
Previous Incidents: In December 2023, similar attacks were observed, where trojans delivered through torrents installed malicious web extensions disguised as VPN apps.
Disclaimer
NextNews strives for accurate tech news, but use it with caution - content changes often, external links may be iffy, and technical glitches happen. See full disclaimer for details.