Cybersecurity firm ReasonLabs has uncovered a large-scale Trojan malware campaign targeting Google Chrome and Microsoft Edge users. The campaign, active since 2021, has affected over 300,000 users by installing malicious browser extensions without their knowledge.

The Trojan spreads through fake download websites disguised as popular services like Roblox, YouTube, and VLC Media Player. Once downloaded, the malware silently installs extensions designed to steal sensitive information and manipulate browser behavior. These extensions can disable browser updates, tamper with shortcuts, and redirect searches through compromised servers.

The malware achieves persistence through scheduled tasks and modifies registry keys to make manual removal difficult. The latest versions even alter core browser files for deeper integration.

The campaign primarily targets Chrome and Edge users, with extensions like “Micro Search” and “Simple New Tab” garnering thousands of downloads before removal from official stores. New variants continue to emerge, posing a persistent threat.

ReasonLabs has urged users to:

  • Check Task Scheduler for suspicious entries referencing PowerShell scripts in System32.
  • Remove malicious registry keys responsible for extension installation (specific paths are provided in the full report).
  • Manually search for and delete malware files, particularly in System32.
  • Utilize reputable antivirus software.
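
The Task Scheduler check in the first item can be done in one read-only pass. The script below is an added example, not code from the ReasonLabs report. Its path pattern and output columns are assumptions chosen for illustration, not indicators published by ReasonLabs.

```powershell
# Read-only audit: list scheduled tasks whose action launches a PowerShell
# script stored under System32. Run from an elevated 64-bit PowerShell session
# so that all tasks are visible and System32 is not redirected.
# The pattern below is a constructed heuristic, not a ReasonLabs indicator.
$ps1InSystem32 = '((%windir%|%systemroot%|[a-z]:\\windows)\\system32\\[^"''\s]*\.ps1)'

function Find-System32ScriptTasks {
    param([object[]]$Tasks = (Get-ScheduledTask))

    foreach ($task in $Tasks) {
        foreach ($action in $task.Actions) {
            # COM-handler actions have no Execute/Arguments properties; skip them.
            if (-not $action.PSObject.Properties['Execute']) { continue }

            $cmdLine = "$($action.Execute) $($action.Arguments)"
            if ($cmdLine -notmatch 'powershell|pwsh') { continue }
            if ($cmdLine -notmatch $ps1InSystem32)    { continue }

            # $Matches[1] holds the script path captured by the pattern above.
            $script = [Environment]::ExpandEnvironmentVariables($Matches[1])
            $file   = Get-Item -LiteralPath $script -Force -ErrorAction SilentlyContinue
            $sig    = if ($file) {
                (Get-AuthenticodeSignature -LiteralPath $script).Status
            } else {
                'FileMissing'
            }

            [pscustomobject]@{
                TaskPath      = $task.TaskPath
                TaskName      = $task.TaskName
                State         = $task.State
                Author        = $task.Author
                RunAs         = $task.Principal.UserId
                CommandLine   = $cmdLine
                ScriptPath    = $script
                ScriptCreated = if ($file) { $file.CreationTime } else { $null }
                Signature     = $sig
            }
        }
    }
}

Find-System32ScriptTasks | Format-List
```

An unsigned script or a recent creation time is a reason to inspect the file, not proof of infection. The function only reports and changes nothing.
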

A complete list of affected extensions is available in the full report by ReasonLabs (https://reasonlabs.com/research/new-widespread-extension-trojan-malware-campaign). Both Google and Microsoft are taking steps to remove the malicious extensions and prevent further installations. Users are advised to remain vigilant and follow the recommended mitigation steps.