ChromeLoader
ChromeLoader is a pervasive and persistent browser hijacker that modifies browser settings and redirects victim traffic and search results to advertisement or attacker-controlled pages. It is described as capable of redirecting searches from Google, Bing, and Yahoo, harvesting search data, sending that data to command-and-control infrastructure, and installing a malicious browser extension that users are prevented from easily uninstalling. The extension can redirect users away from the Chrome extensions page when removal is attempted.
The malware has been associated with the Charcoal Stork activity cluster, which researchers describe as a suspected pay-per-install provider first observed delivering ChromeLoader in 2022. Charcoal Stork used lures themed as cracked software, cracked games, wallpapers, pirated movies, TV shows, fonts, and other popular downloads, with distribution via SEO poisoning, malvertising, pay-per-install sites, and social media. ChromeLoader campaigns were specifically described as disguising themselves as cracked software downloads.
On Windows, ChromeLoader has been delivered through ISO images and later through VBS, EXE, and MSI installers. Early chains included Visual Basic Scripts leading to PowerShell execution. EXE installers were often NSIS-based, while MSI installers were often built with Advanced Installer. One documented Windows chain used an ISO containing CS_Installer.exe and a .NET wrapper for Task Scheduler; the installer created persistence via the Task Scheduler COM API with cross-process injection into svchost.exe rather than schtasks.exe. A scheduled task then launched cmd.exe, which executed a Base64-encoded PowerShell command. That PowerShell checked for the malicious extension, downloaded an archive from a remote location when absent, and launched Chrome with the --load-extension flag. If the extension was already present, the task could remove itself with Unregister-ScheduledTask.
Researchers also observed ChromeLoader increasingly using obfuscated NW.js/NodeJS applications installed under C:\Users\<username>\AppData\Roaming. These applications established persistence via a Startup-folder LNK or an HKCU\Software\Microsoft\Windows\CurrentVersion\Run registry entry. The NW.js package commonly referenced malicious code through package.json, often with index.html as the main file; newer variants executed compiled JavaScript via win.evalNWbin. Earlier variants often renamed the NW.js runtime binary to match the application name, while later variants used the default nw.exe filename.
A macOS variant has also been reported. It was delivered in DMG files using the same lure themes as the Windows variant, including baited social-media posts with QR codes or links to malicious download sites. The DMG contained an installer script that used cURL to retrieve a ZIP archive containing a malicious browser extension, unpacked it into /private/var/tmp, and executed Chrome with command-line options to load the extension. The macOS variant could target both Chrome and Safari and maintained persistence by writing a plist file into /Library/LaunchAgents.
Across platforms, ChromeLoader’s end goal is to load a malicious browser extension that hijacks search traffic and redirects web activity through advertising or malvertising infrastructure. Reported detection-relevant artifacts and behaviors include encoded PowerShell, browser launches with --load-extension, scheduled tasks including one named "ChromeLoader," installation under AppData\Roaming, persistence via Startup LNK or HKCU Run keys, ISO/DMG-based delivery, and malicious extension behavior involving search hijacking and resistance to removal.
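The Windows chain and the detection-relevant artifacts above can be turned into a small triage check. This is an added example, not code from the page's sources or from any of the cited reports: it runs over constructed Sysmon-style process-creation events (the event tuples, paths and the placeholder extension path are all made up), decodes -EncodedCommand payloads, and flags the scheduled-task-to-cmd-to-PowerShell chain and browser launches with --load-extension from a user-writable path.

```python
import base64
import re

# Constructed Sysmon-style process-creation events: (parent image, image, command line).
def _enc(ps):
    return base64.b64encode(ps.encode("utf-16le")).decode()

SAMPLE_EVENTS = [
    ("svchost.exe", "cmd.exe", "cmd.exe /c powershell -ep bypass -encodedcommand "
     + _enc('Start-Process chrome.exe "--load-extension=$env:APPDATA\\ext"')),
    ("explorer.exe", "chrome.exe", r'"C:\Program Files\Google\Chrome\Application\chrome.exe" '
     r'--load-extension=C:\Users\alice\AppData\Roaming\nwapp\ext'),
    ("explorer.exe", "chrome.exe", r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --profile-directory=Default'),
    ("explorer.exe", "powershell.exe", "powershell -enc " + _enc("Get-Date")),
]

# PowerShell accepts abbreviated forms of -EncodedCommand; the payload is base64 of UTF-16LE text.
ENC_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{8,})", re.I)
INNER_TERMS = ("--load-extension", "Unregister-ScheduledTask", "ChromeLoader")
USER_WRITABLE = ("appdata\\roaming", "/private/var/tmp")

def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload, or None if absent or invalid."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None

def classify(parent, image, cmdline):
    """Return the ChromeLoader-style findings for one event (empty list if clean)."""
    findings = []
    low = cmdline.lower()
    if image.lower() == "chrome.exe" and "--load-extension" in low:
        where = "user-writable path" if any(p in low for p in USER_WRITABLE) else "other path"
        findings.append(f"browser launched with --load-extension from {where}")
    decoded = decode_encoded_command(cmdline)
    if decoded is not None:
        hits = [t for t in INNER_TERMS if t.lower() in decoded.lower()]
        if hits:
            findings.append("encoded PowerShell containing " + ", ".join(hits))
        if parent.lower() == "svchost.exe":  # scheduled task -> cmd.exe -> PowerShell chain
            findings.append("encoded PowerShell spawned under svchost.exe (scheduled task)")
    return findings

def scan(events):
    return [(img, f) for parent, img, cmd in events for f in classify(parent, img, cmd)]
```

On the constructed events this yields three findings: two for the svchost-spawned encoded command and one for the chrome launch loading an extension from AppData\Roaming.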
The malware remained highly prevalent in 2024 reporting, including being listed as the most prevalent threat in multiple Red Canary monthly reports.
Groups observed using it
1 distinct threat actor attributed by public researchers.
ChromeLoader is a browser hijacker capable of redirecting searches for popular search engines such as Google, Bing and Yahoo, sending search data to its C2, and adding and preventing users from uninstalling a malicious browser extension.
Techniques & procedures
19 distinct techniques documented for this family, organized by ATT&CK tactic.
Resource Development
1 technique
Analysis of SmashJacker and ChromeLoader MSI files delivered via concurrent Charcoal Stork campaigns showed several distinctions that led us to suspect Charcoal Stork is a pay-per-install (PPI) provider, responsible for the file naming and SEO and/or malvertising to get the click.
Initial Access
2 techniques
Execution
8 techniques
Executing CS_Installer.exe creates persistence through a scheduled task using the Service Host Process (svchost.exe)... Once the extension is found, this PowerShell command will silently remove the ChromeLoader scheduled task using the Unregister-ScheduledTask function.
Early Charcoal Stork samples were ISO files with payloads leading to multiple phases, including a NodeJS-based app and PowerShell commands to achieve persistence and install ChromeLoader.
ChromeLoader’s scheduled task will execute through svchost, calling the Command Interpreter (cmd.exe), which executes a Base64-encoded PowerShell command...
ChromeLoader redirects an encoded command from a Bourne shell (sh) into a Bourne-again SHell (bash)... the installer script then initiates cURL to retrieve a ZIP file... finally executing Chrome with command-line options to load the malicious extension.
In 2023, we observed ChromeLoader using several different file types. Early in the year, we saw Visual Basic Scripts leading to PowerShell.
The HTML has the malicious JavaScript code to execute. In more recent versions of ChromeLoader, the JavaScript runs compiled JavaScript via the win.evalNWbin function.
Persistence
5 techniques
Executing CS_Installer.exe creates persistence through a scheduled task using the Service Host Process (svchost.exe)... Once the extension is found, this PowerShell command will silently remove the ChromeLoader scheduled task using the Unregister-ScheduledTask function.
ChromeLoader’s MSI was built using Advanced Installer and it installed a NodeJS application in order to deliver a malicious browser extension. SmashJacker was not built with Advanced Installer and instead installs a trojanized version of 7zip, which installs the malicious extension.
To maintain persistence, the macOS variation of ChromeLoader will append a preference (plist) file to the /Library/LaunchAgents directory.
The application, installed in C:\Users\<username>\AppData\Roaming\, established persistence through a LNK file placed in C:\Users\<username>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ or a registry key entry in HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\.
Privilege Escalation
5 techniques
Executing CS_Installer.exe creates persistence through a scheduled task using the Service Host Process (svchost.exe)... Once the extension is found, this PowerShell command will silently remove the ChromeLoader scheduled task using the Unregister-ScheduledTask function.
Instead, we saw the installer executable load the Task Scheduler COM API, along with a cross-process injection into svchost.exe (which is used to launch ChromeLoader’s scheduled task).
To maintain persistence, the macOS variation of ChromeLoader will append a preference (plist) file to the /Library/LaunchAgents directory.
The application, installed in C:\Users\<username>\AppData\Roaming\, established persistence through a LNK file placed in C:\Users\<username>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ or a registry key entry in HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\.
Stealth
4 techniques
ChromeLoader uses the shortened -encodedcommand flag to encode its PowerShell command... ChromeLoader redirects an encoded command from a Bourne shell (sh) into a Bourne-again SHell (bash).
Pulling that thread led us to an interesting pattern of files masquerading as cracked games and software or wallpaper downloads.
Command and Control
1 technique
Recent activity
8 sources tracked across advisories, community write-ups, and news.
Named malware family referenced in the context of Sigma detection for malicious Chrome extension loading and browser-focused compromise activity.
ChromeLoader is described as a malware campaign delivered via disguised cracked software downloads that installs a Chrome extension to hijack search results and redirect users through attacker-controlled pages.
A browser hijacker delivered by Charcoal Stork. Early samples involved ISO files leading to multiple phases, including a NodeJS-based app and PowerShell commands to achieve persistence and install ChromeLoader. Its MSI was built using Advanced Installer and installed a NodeJS application to deliver a malicious browser extension.
Browser hijacker that redirects browser searches, exfiltrates search data to command-and-control infrastructure, installs a malicious browser extension, and resists user removal. Later variants used obfuscated NW.js/NodeJS applications for installation and persistence via Startup LNK files or HKCU Run keys.