Chromeloader Malware aka Choziosi Loader and ChromeBack, which was first seen in January 2022 as a browser hijacker, has new variants out in the wild.
The malware is known for its persistence, volume, and infection route, which includes the aggressive use of PowerShell.

Let’s discuss the variants

Palo Alto Networks Unit 42 researchers have identified four variants of Chromeloader multi-stage malware to date.
  • Variant 0: This variant, spotted recently, was active before Variant 1 and it uses AHK-compiled executables and version 1.0 of the Chrome extension. The first known attack of this variant occurred in December 2021.
  • Variant 1: The initial infection vector section mainly active from January 2022, also called as Variant 1, uses versions 2.0-4.4 of the Chrome extension as its payload and obfuscated PowerShell as its dropper. 
  • Variant 2: Variant 2 has been active since March 2022 and uses the 6.0 Chrome extension version and an obfuscated executable as its initial dropper.
  • macOS variant: The newly discovered variant has been active since March 2022. It downloads a browser extension payload for Google Chrome or the built-in Safari browser from a remote installation server.

What’s the objective?

  • Chromeloader malware's primary objective is to hijack victims' browser searches.
  • The malware modifies the victim's web browser settings to fetch search results such as unwanted software, adult games, and dating sites. 
  • The malware's operators make money by redirecting user traffic to advertising sites.


Since December 2021, a total of four ChromeLoader versions have been found. Users must understand the need for security software, keep their systems in check, and run regular scans to avoid ChromeLoader attacks.
Cyware Publisher