Alert for Viewers of Unauthorized Content on Google Chrome
People who watch pirated content online, including movies, web series, TV shows, and video games, are at risk. HP Wolf Security has identified a new malware campaign, ChromeLoader, that infects users with malicious Google Chrome extensions. The most recent variant, ChromeLoader Shampoo, is distributed through websites that offer pirated movies and video games.
How does this work? Attackers trick Chrome users into downloading the fraudulent Shampoo extension, which immediately redirects the victim’s search queries to malicious websites. The criminals collect substantial profits from the fraudulent advertising campaigns, whose ads appear on the screen as pop-ups.
HP Wolf Security experts say that getting rid of ChromeLoader Shampoo is not as simple as uninstalling the extension. The malware uses looping scripts and a Windows scheduled task to automatically reinstall the extension whenever the victim tries to uninstall it or reboots the device. To disable ChromeLoader Shampoo, users need to shut down this reinstallation mechanism using the steps below.
What Chrome users should do: How to get rid of ChromeLoader Shampoo
- The report suggests that, if you’re a victim of the ChromeLoader Shampoo malware, you need to disable the scheduled task prefixed with “chrome_”. Legitimate Chrome scheduled tasks usually start with “Google”.
- After that, delete the registry key located at “HKCU:\Software\Mirage Utilities”.
- Now temporarily disable the loop script by restarting the machine.
- These removal steps must be performed immediately to prevent the loop script from reinstalling the malware.
- Also check for fake OneNote documents. It has been observed that “click here” icons are widely used to embed malware.
- The best practice to protect yourself from such threats is to avoid downloading content from untrusted or pirated websites.
How can you tell whether your device has Shampoo or a similar ChromeLoader variant? A simple method is to check whether Chrome is running with the “--load-extension” argument. ChromeLoader uses this argument to load the extension into a Chrome session.
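The checks and removal steps described above can be scripted in PowerShell. The following is an added example, not code from HP Wolf Security or from the original article; the file name, the variable names and the `-Remediate` switch are assumptions made for illustration.

```powershell
# Added example (hypothetical file name: Check-Shampoo.ps1). Run as the affected user,
# because HKCU is per-user. Without -Remediate the script only reports.
param([switch]$Remediate)

$keyPath = 'HKCU:\Software\Mirage Utilities'   # registry key named in the article

# 1. Scheduled tasks prefixed with "chrome_" (legitimate ones usually start with "Google").
$tasks = @(Get-ScheduledTask -ErrorAction SilentlyContinue |
    Where-Object { $_.TaskName -like 'chrome_*' })

# 2. The registry key.
$keyPresent = Test-Path -LiteralPath $keyPath

# 3. Chrome processes whose command line carries --load-extension.
$procs = @(Get-CimInstance -ClassName Win32_Process -Filter "Name = 'chrome.exe'" |
    Where-Object { $_.CommandLine -match '--load-extension' })

foreach ($t in $tasks) { "[task]     $($t.TaskPath)$($t.TaskName) (state: $($t.State))" }
if ($keyPresent)       { "[registry] $keyPath exists" }
foreach ($p in $procs) { "[process]  PID $($p.ProcessId): $($p.CommandLine)" }

if ($tasks.Count -eq 0 -and -not $keyPresent -and $procs.Count -eq 0) {
    'None of the three indicators were found.'
    return
}

if ($Remediate) {
    # Same order as the steps above; disabling a task may require an elevated prompt.
    $tasks | Disable-ScheduledTask | Out-Null
    if ($keyPresent) { Remove-Item -LiteralPath $keyPath -Recurse -Force }
    'Tasks disabled and key removed. Restart the machine now, before the loop script reinstalls the extension.'
}
```

Developers who load unpacked extensions also start Chrome with this argument, so a process hit on its own is a lead to investigate; a hit together with a “chrome_” task or the registry key is a much stronger signal.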