Google Chrome Archives

Google Ads Used to Push Fake Google Chrome Installer

google ads, Google Chrome, malware, Ophtek, SecTopRat, security software, security_updateschrome, Google ads, malware, Ophtek, SecTopRat, security, updatesOphtek, LLC

Mar 2025

Cybercriminals are exploiting Google Ads to distribute malware disguised as a genuine Google Chrome installer, tricking users into downloading the malware.

Threat actors are always innovative, and this recent attack underlines exactly why you need to be on your guard when online. Attackers have been purchasing ads which appear when PC users search for popular software downloads e.g. Google Chrome. Unfortunately, the ads which are served up lead to dangerous websites which closely resemble official download pages. This deception tricks users into downloading and installing malware.

As we spend a high proportion of our work time online, we’re going to dig deep into this attack to see what we can learn.

How Can Google Ads Compromise Your PC?

In this attack, users searching with terms such as “download Google Chrome” might find themselves confronted with a sponsored ad at the top of their search results. This ad can, at first, appear genuine, often having a URL which includes “sites.google.com” – a Google platform used to build free websites. Accordingly, users feel confident that these pages are official and trustworthy, especially when they look very similar to official download sites.

Once a user clicks the ad, they’re redirected to a malicious page which is a highly convincing imitation of the official Google Chrome download site. This page urges users to download a file named “GoogleChrome.exe” and, so far, everything appears as you would expect. With nothing unusual to suspect, users make the decision to trust the page, download the file, and then launch it.

However, once executed, the installer begins to act suspiciously. Firstly, it connects to a remote server to retrieve additional instructions. Secondly, it requests that they user grants it administrative privileges to assist in completing the download. At this point, alarm bells should start ringing, but most users still feel as though the software can be trusted. Once administrative privileges are granted, the installer executes a PowerShell command which prevents Windows Defender from scanning the malware’s location, enabling it to operate quietly in the background.

A further file is then downloaded to the BackupWin directory and, masquerading under the name of a genuine piece of software, opens up a communication channel with the threat actors’ remote server. The malware used is SecTopRAT, a Remote Access Trojan which allows the attackers to take remote control of the infected system and steal sensitive data such as capturing keystrokes, accessing files, and recording user activities.

Protecting Against the SecTopRAT Threat

Your employees are busy with their daily tasks and, therefore, it’s easy for them to have a lapse of judgement and quickly click on something they believe to be genuine. However, this can be disastrous for your IT infrastructure, so it’s crucial that your staff are mindful of the following:

Be Cautious of Sponsored Ads: Just because an ad is that the top of the search results, this doesn’t mean it can be trusted. This is why it’s important to always verify the authenticity of a URL before clicking it. Check for any unusual spellings or, to be fully safe, navigate directly to the official website for that software.
Only Download from Official Sources: The best approach is to always head straight to the developers website rather than trusting other online sources. Aside from sponsored ads, it’s critical that your team avoids downloading via links in emails or through torrent sites – both of these sources often lead to nothing but malware.
Keep Your Security Software Updates: One of the simplest ways to thwart attackers is to make sure your security software is up to date. This software regularly scans your system for threats, but it needs to be updated as soon as possible to detect the latest threats.

For more ways to secure and optimize your business technology, contact your local IT professionals.

A recent cyberattack has compromised several popular Google Chrome extensions, infecting millions of users with data-stealing malware.

In early January 2025, cybersecurity researchers at Extension Total discovered a malicious campaign targeting Chrome extensions which offer AI services. The threat actors hijacked at least 36 extensions – including Bard AI Chat, ChatGPT for Google Meet, and ChatGPT App – with approximately 2.6 million users affected. This widespread attack has raised the alarm among users and software developers as, previously, these extensions were highly trusted.

With 3.45 billion people using Chrome as their browser, it’s no surprise that threat actors would target it. This attack is especially ingenious, so we’re going to take a deep dive into it.

How Were the Chrome Extensions Compromised?

The affected extensions may be named after popular AI tools like Bard and ChatGPT, but they are third-party applications with no development from Google or OpenAI. Third-party extensions can, of course, be legitimate, but these compromised extensions were far from helpful. Instead, they were used to deliver fake updates containing malware.

The malware was designed to steal sensitive user information, specifically targeting data related to Facebook Ads accounts. Therefore, this posed a significant threat to businesses which rely on Facebook for marketing and sales. With this stolen data, the threat actors could use it for unauthorized access, financial and identity theft, or to fuel phishing attacks.

In response to the attack, many of the affected extensions have been removed from the Chrome Store to limit further infections. However, others remain available, exposing users to the malware. Chrome, as we’ve already mentioned, is hugely popular with around 130,000 extensions are available to install. The risk of a security incident, as you would imagine, is high; this recent attack underscores the importance of practicing vigilance when installing extensions.

Staying Safe from Rogue Chrome Extensions

Browser extensions are designed to help users by enhancing functionality and making everyday browsing easier. However, this recent attack has also demonstrated that they’re a security risk. Ophtek wants to keep you safe from similar attacks, so we’ve put together our top tips for protecting your PC from rogue extensions:

Install Extensions from Trusted Sources: you should only ever download extensions from reputable developers and official web stores. Before hitting that install button, always carry out some research on the developer, read user reviews, and check ratings to assess how legitimate it is.
Limit Extension Permissions: extensions often require permissions to function correctly on your PC but be very careful of any extension which requests a long list of permissions e.g. access to browsing data, microphone control, and cookies. You should only ever grant permissions to what is necessary for the extension to operate. If in doubt of a permission request, seek help from an IT professional.
Update Extensions: always ensure your extensions are kept up to date, as developers often release patches to fix security vulnerabilities. Regularly check for updates and keep an eye out for any unusual browser behavior such as strange pop-ups, redirects to other sites, or performance issues. Additionally, if you have extensions you no longer use, remove these to reduce your exposure to risk

For more ways to secure and optimize your business technology, contact your local IT professionals.

Malicious Extension Found Being Injected into Chrome

ChromeLoader, extensions, Google Chrome, malicious extensions, Ophtekchrome, ChromeLoader, Extentions, malicious, OphtekOphtek, LLC

May 2022

Chrome is the world’s most popular browser and, as such, is a major target for hackers, a fact highlighted by the emergence of a malicious Chrome extension.

If you’re a Chrome user, then you will be well aware of the wide range of benefits that Chrome extensions deliver. They not only making browsing easier, but their main objective is to make you more productive e.g. automating tasks such as blocking pop-up adverts. While Chrome extensions allow you to personalize your browsing experience, they are not without risk. Privacy concerns have surrounded browser extensions for as long as they have been available, and malicious extensions have been equally concerning.

It’s more than likely that your organization uses the Chrome browser in some capacity, so let’s look at the dangers of this most recent malicious extension.

The Lowdown on ChromeLoader

With a name that does exactly what it says on the tin, the ChromeLoader extension loads itself into Chrome. It begins its journey towards Chrome in the form of an ISO file – an image copy of the contents of an optical disc – which is currently being spread through social media sites and pay-per-install sites. Within this ISO is an executable file which, when activated, installs the ChromeLoader extension into Chrome and uses Windows’ Task Scheduler application to load the extension.

At present, the malicious activity of ChromeLoader has been recorded as relatively low. Rather than stealing data or encrypting files, ChromeLoader appears more concerned with redirecting victims towards spam sites. It’s a threat level which may not appear significant but, as with all malware, there’s a potential for ChromeLoader to evolve into something more powerful. It could, for example, be used to load ransomware into a compromised PC, and that’s when your productivity really will come under attack. And, even it remains only a minor nuisance with its spam redirection, it’s still a problem your organization could do without.

How to Tackle ChromeLoader

ChromeLoader is delivered via an ISO file, and the chances of your employees needing to handle ISO files at work are slim. Therefore, it makes sense to add ISO files to your list of prohibited files that can be downloaded. If an employee does need an ISO file downloading from the internet, then they should contact your IT team to arrange this securely. Banning torrent sites, such as PirateBay, will also limit the chances an employee has to access infected ISO files, so build this into your web filters as well.

Ultimately, extensions such as ChromeLoader prey upon the naivety of the common internet user. For the average person, a Chrome extension is a useful ally, not something to be feared. However, threat actors are always keen to deliver their malicious payloads as stealthily as possible. And that’s why they try to take advantage of routes, such as Chrome extensions, which are commonly trusted by PC users. As a result, educating your staff on the potential dangers of downloading files from the internet, such as ISO files or browser add-ons, should be a priority.

For more ways to secure and optimize your business technology, contact your local IT professionals.

Chrome Users Targeted by Malicious Websites

anti malware, Google Chrome, malicious websites, Ophtek, SecurityAnti- malware, Google Chrome, malicious websites, Ophtek, securityOphtek, LLC

Nov 2021

Google’s Chrome browser is one of the most popular choices for accessing the internet, but this popularity makes it an enticing target for hackers.

A substantial number of business activities are conducted online in the 21^st century. Accordingly, most organizations find themselves accessing the internet with a browser almost every minute of the day. But each time we venture online we open ourselves up to numerous security threats. Malicious websites, of course, are a well-known security risk. At the heart of these threats is a determined effort to conceal their malicious payload. And that’s why a malicious website can be difficult to spot.

Chrome has an estimated userbase of 2.65 billion users and, as such, presents the perfect opportunity for hackers to cast their net far and wide.

How Chrome is Targeted

This latest malware attack specifically targets Chrome users who are running the browser on the Windows 10 operating system. Upon visiting an infected website, Chrome’s legitimate ‘advertising service’ delivers an advert which claims that Chrome requires updating. However, the advert contains a malicious link. Clicking this link will take you to a website entitled ‘chromesupdate’ which is designed to look like an official Google site. Unfortunately, it’s far from genuine.

The only thing that you will be able to download from this malicious website is malware. The payload in question is typical of modern malware, its main objective is to harvest sensitive data and steal cryptocurrency. Therefore, any login credentials you enter, while your PC is infected, can be logged and then transmitted to a remote server. Worst of all, the malware also grants remote access to your workstation. This opens you up to further malware downloads and, potentially, harnessing your machine into a DDoS attack.

How to Protect Your Browsing

Chrome is targeted by this latest campaign due to the manipulation of a Windows environment variable which allows Chrome’s advertising service to be exploited. The simplest way to avoid this attack is by using a different browser. But there’s a much bigger picture at play here. A better approach is to use the browser you are most comfortable with but remain vigilant. To do this, make sure you follow these best practices:

Disable Download Privileges: It’s very easy for a busy employee to lose focus for a second and click on a malicious download. But, in the case of this specific threat, an application update should be something that an IT professional handles. To minimize the risk of malicious downloads taking place, disable download privileges for your employees.

Use Anti-Malware Software: Malicious websites can be detected prior to accessing them thanks to the power of anti-malware software. Backed by huge databases, which are regularly updated, anti-malware software can instantly alert users when they try to access websites known to be malicious.

Don’t Be Rushed: The main strategy employed by malicious websites will be to instill a sense of urgency into their call-to-actions. For example, the threat of an imminent infection if a Chrome update is not installed is designed to create urgency. And it’s this urgency which can catch you off guard. So, if you feel that a website is rushing you into making a decision, always make sure you speak to an IT professional before going any further.

For more ways to secure and optimize your business technology, contact your local IT professionals.

Category Archives: Google Chrome