Reason Labs uncovered a polymorphic malware campaign that has infected at least 300,000 Chrome and Edge users through fake download sites mimicking Roblox, YouTube, VLC, and KeePass. The trojans install browser extensions that steal search queries, cannot be removed even in developer mode, and modify the Windows registry to mark the browser as “managed by organization” — locking users out of their own browser settings.
Stories Covered
Extension Trojan Campaign: 300K Users Hit via Fake Download Sites, Fileless PowerShell Delivery
The campaign, active since 2021 and documented by Reason Labs in August 2024, exploits the trust users place in browser extension ecosystems. Victims are lured via ads pointing to look-alike download sites for popular software — Roblox FPS Unlocker, YouTube downloaders, VLC, KeePass. The downloaded executable doesn’t install the expected software. Instead, it registers a scheduled task (Windows equivalent of a cron job) running a PowerShell script named to blend with system processes — patterns like Updater_PrivacyBlocker_PR1 or Microsoft_Windows_Optimizer_Update_Task — which then contacts a remote C2 server to download the second-stage payload directly into memory. Writing nothing to disk at the payload stage is deliberate: in-memory execution leaves no file artifact for antivirus to scan or forensic analysts to extract. At time of writing, Reason Labs reported that almost no AV engines were flagging the C2 domain or the installer. The installers are signed by “Tommy Tech Ltd” — a certificate used across campaign variants going back to 2021.
The extension behavior once installed is the technically interesting part. The malware modifies the browser’s registry entries to declare the machine “managed by an organization,” a legitimately intended enterprise control mechanism that overrides the user’s ability to remove or disable extensions through the normal browser UI — even with developer mode enabled. Search queries are hijacked and routed through attacker-controlled infrastructure. Newer campaign variants also tamper with browser LNK shortcut files to load local extensions and disable automatic browser updates — preventing the browser from patching vulnerabilities the attacker may want to preserve access through. The C2 architecture handles staged execution: the scheduled task runs a short PowerShell script, that script fetches a second-stage script from C2 to memory, which then handles the browser modification. This multi-hop, in-memory architecture makes the campaign resistant to both detection and analysis.
The user-facing symptom is an extension that reappears after every attempt to remove it — reviews on the Chrome Web Store extension pages were filled with complaints from users who had tried and failed to delete it. The core defense is straightforward: only install software from official sources (the Chrome Web Store, Microsoft Edge Add-ons, or software vendor’s official site). Executable downloads from third-party sites — especially ones linked from ads — should be treated with extreme skepticism. The scheduled task persistence mechanism means that even successfully removing the extension leaves a recurring trigger behind; full remediation requires identifying and deleting the scheduled task and its associated PowerShell script from C:\Windows\System32 and the NV Optimizer Log folder. Reason Labs alerted Google and Microsoft, who began taking action, but the underlying distribution vector — fake download sites — remains active.





