CONFERENCE On Demand: Cyber AI & Automation Summit - Watch Now
Connect with us

Hi, what are you looking for?


Malware & Threats

Fireball Malware Infects 250 Million Computers

A newly discovered piece of malware managed to infect more than 250 million computers in a widespread campaign run by a Chinese digital marketing agency, Check Point researchers warn.

A newly discovered piece of malware managed to infect more than 250 million computers in a widespread campaign run by a Chinese digital marketing agency, Check Point researchers warn.

Dubbed Fireball, the malware can take over the targeted browser, run arbitrary code on a victim’s computer, and spy on victims. Thus, its operators can download any file or malware onto the machine, and can also manipulate the infected user’s web traffic to generate ad revenue.

“Currently, Fireball installs plug-ins and additional configurations to boost its advertisements, but just as easily it can turn into a prominent distributor for any additional malware,” Check Point says.

The campaign, the security company reveals, is run by a large digital marketing agency based in Beijing, called Rafotech. With the help of this malware, the agency manipulates the victims’ browsers to turn search engines and home-pages into fake search engines, redirect queries to or, and collect victims’ private information via tracking pixels included in the fake search engines.

Rafotech’s fake search engines have high popularity, with 14 of them ranked among the top 10,000 websites, some occasionally reaching top 1,000. Despite denying the use of browser-hijackers and fake search engines, Rafotech claims to have 300 million users worldwide, a number similar to the estimated infections.

To date, Fireball has infected over 250 million computers worldwide, being distributed mainly bundled with legitimate programs. India (25.3 million infections) and Brazil (24.1 million) were hit the most, followed by Mexico (16.1 million), and Indonesia (13.1 million). A total of 5.5 million infected machines are located in the United States.

Check Point also says that 20% of all corporate networks have been affected. Indonesia (60%), India (43%) and Brazil (38%) were hit the most. The hit rate in the US is of 10.7%, while reaching only 4.7% in China.

Related reading: China, U.S. Most Affected by WannaCry Ransomware

Advertisement. Scroll to continue reading.

As a browser-hijacker, Fireball is capable of driving victims to malicious sites, spying on them, and also successfully dropping malware onto their machines. The malware also “displays great sophistication and quality evasion techniques, including anti-detection capabilities, multi-layer structure and a flexible C&C,” Check Point says.

Thus, Fireball provides Rafotech with a potent backdoor that can be further exploited, the security researchers point out.

By using digital certificates, Fireball’s distribution can appear legitimate, and “Rafotech carefully walks along the edge of legitimacy,” Check Point says. For that, the company uses bundling, where a wanted program installs additional software, either with or without user’s consent.

Rafotech’s distribution methods, however, don’t follow criteria that would allow for them to be considered legal. The malware and the fake search engines, on the other hand, don’t carry indicators that could connect Rafotech to them. They can’t be uninstalled by an ordinary user either, and they conceal their true nature.

For distribution purposes, the malware is believed to be bundled with other Rafotech products, such as Deal Wifi and Mustang Browser, or with products such as “Soso Desktop”, “FVP Imageviewer” and other software from freeware distributors. The distribution of freeware under fake names, spam, or even buying installs from threat actors might have also helped Rafotech in its distribution efforts.

“It’s important to remember that when a user installs freeware, additional malware isn’t necessarily dropped at the same time. If you download a suspicious freeware and nothing happens on the spot, it doesn’t necessarily mean that something isn’t happening behind the scenes,” Check Point says.

Other browser-hijackers that behave similarly have been also discovered, including one designed by ELEX Technology, a company that builds software similar to that of Rafotech’s and supposedly related to it (either in the distribution of hijackers or in the trading of customer data).

Having a great sensitive information-harvesting potential, Fireball and similar browser-hijackers can pose a huge threat to users and organizations worldwide, provided that Rafotech (or a similar company) decides to indeed gather user information. It could steal banking and credit card credentials, medical files, patents and business plans, and other type of sensitive information.

“Based on our estimated infection rate, in such a scenario, one out of five corporations worldwide will be susceptible to a major breach. Severe damage can be caused to key organizations, from major service providers to critical infrastructure operators to medical institutions. The potential loss is indescribable, and repairing the damage caused by such massive data leakage (if even possible) could take years,” Check Point says.

While this is not a typical malware attack, the campaign has a huge potential to cause harm, and should be blocked, the security company says. Check Point also provides instructions on how users can remove the malware and add-ons from their machines (for both Windows and Mac users).

Related: This Stealthy Malware Remained Unnoticed for Three Years

Related: Linguistic Analysis Suggests WannaCry Authors Speak Chinese

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join us as we delve into the transformative potential of AI, predictive ChatGPT-like tools and automation to detect and defend against cyberattacks.


As cybersecurity breaches and incidents escalate, the cyber insurance ecosystem is undergoing rapid and transformational change.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Malware & Threats

The NSA and FBI warn that a Chinese state-sponsored APT called BlackTech is hacking into network edge devices and using firmware implants to silently...


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Malware & Threats

Unpatched and unprotected VMware ESXi servers worldwide have been targeted in a ransomware attack exploiting a vulnerability patched in 2021.


The recent ransomware attack targeting Rackspace was conducted by a cybercrime group named Play using a new exploitation method, the cloud company revealed this...

Malware & Threats

Threat actors are increasingly abusing Microsoft OneNote documents to deliver malware in both targeted and spray-and-pray campaigns.