VMware Warns of ‘ChromeLoader’ Delivering Ransomware, Destructive Malware

VMware’s Carbon Black team warns that the ChromeLoader malware is now delivering malware such as ZipBomb and the Enigma ransomware to business services and government organizations.

ChromeLoader was initially observed targeting Windows users in January 2022 – a macOS variant was spotted in March – when it was being dropped as an ISO file and could leak users’ browser credentials, collect data on their online activities, and display ads by hijacking browser searches.

The threat is being distributed as pirated or cracked versions of applications or games, typically on social media platforms, pirating sites, torrents, and bundled with legitimate games and software.

Once executed on the victim’s machine, the malware uses scheduled tasks and modified registry keys to achieve persistence. The threat then attempts to load the Chrome extension chrome_zoom.

Since January, VMware’s security researchers have observed multiple variants of ChromeLoader, with some of the most notable ones including ‘opensubtitles-uploader.exe’ and ‘flbmusic.exe’, which mimic legitimate applications.

Over time, the initial infection technique has changed – with the ISO file running a batch script to install the main malware as a second stage payload – but the purpose of the attacks has remained the same: data harvesting and user tracking, complemented by adware delivery.

The most recent variants of ChromeLoader, VMware’s security researchers say, also deliver other malware families and can be used for additional nefarious purposes.

In late August, ZipBombs were being dropped on systems infected with ChromeLoader, embedded in the initial archive that the victim downloads. The ZipBomb is executed only if the user double-clicks it, which results in the system being overloaded with data and potentially destroyed.

“The ZipBomb, seen in ChromeLoader archives, is the classic and sophisticated –, which is 42 kilobytes in size when compressed but over 40 petabytes when decompressed. This file has been seen under the names vir.exe, AzizGame (1).zip,” VMware explains.
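As an added defensive illustration (this is not code from the VMware report or from SecurityWeek), the check below reads only a zip archive's central directory and flags the extreme expansion ratio that characterises a zip bomb before anything is extracted; it also flags nested archives, since a 42.zip-style bomb hides most of its expansion in inner layers that the outer directory does not declare. A second function then shows bounded decompression that aborts once the output exceeds the declared size or a caller-supplied cap, which matters because the sizes in the central directory can be falsified. The thresholds, member names and in-memory sample archives are constructed for the example.

```python
import io
import zipfile

# Thresholds are assumed values for this example, not from the VMware report.
MAX_RATIO = 100            # flag archives declaring more than 100:1 expansion
MAX_TOTAL_BYTES = 1 << 30  # flag archives declaring more than 1 GiB of output
NESTED_SUFFIXES = (".zip",)


def inspect_zip(data: bytes) -> dict:
    """Summarise an archive from its central directory only (nothing is inflated)."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()
    compressed = sum(i.compress_size for i in infos)
    declared = sum(i.file_size for i in infos)
    ratio = declared / compressed if compressed else float("inf")
    nested = [i.filename for i in infos if i.filename.lower().endswith(NESTED_SUFFIXES)]

    reasons = []
    if ratio > MAX_RATIO:
        reasons.append(f"expansion ratio {ratio:.0f}:1 exceeds {MAX_RATIO}:1")
    if declared > MAX_TOTAL_BYTES:
        reasons.append(f"declared output {declared} bytes exceeds {MAX_TOTAL_BYTES}")
    if nested:
        # Declared sizes cover one layer only; inner archives expand again.
        reasons.append(f"contains nested archive(s): {', '.join(nested)}")
    return {
        "compressed": compressed,
        "declared": declared,
        "ratio": ratio,
        "nested": nested,
        "reasons": reasons,
        "suspicious": bool(reasons),
    }


def bounded_read(data: bytes, name: str, cap: int) -> bytes:
    """Inflate one member in chunks and abort if the output grows past the
    declared size or the caller's cap (the directory entry may lie)."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        info = zf.getinfo(name)
        limit = min(info.file_size, cap)
        out = bytearray()
        with zf.open(info) as fh:
            while True:
                chunk = fh.read(64 * 1024)
                if not chunk:
                    break
                out += chunk
                if len(out) > limit:
                    raise ValueError(f"{name}: output exceeded {limit} bytes, aborting")
    return bytes(out)


def build_sample(name: str, payload: bytes) -> bytes:
    """Constructed helper: build a single-member deflated zip in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, payload)
    return buf.getvalue()


# Constructed samples: a small text file, and 4 MiB of zero bytes, which
# deflate squeezes to a few kilobytes (roughly 1000:1), mimicking a bomb.
BENIGN_PAYLOAD = b"quarterly report: revenue up 3%, costs flat.\n"
BENIGN = build_sample("readme.txt", BENIGN_PAYLOAD)
BOMB_LIKE = build_sample("vir.exe", b"\x00" * (4 * 1024 * 1024))

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN), ("bomb-like", BOMB_LIKE)):
        report = inspect_zip(blob)
        print(label, "suspicious" if report["suspicious"] else "ok", report["reasons"])
```

In a mail gateway or endpoint scanner this directory-only check is cheap enough to run on every archive; the bounded reader is what an analyst sandbox should use instead of a plain extract when an archive has already been flagged.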

Also starting late August, the Enigma ransomware has been seen in the ISO archive, distributed in the form of HTML attachments. When executed, it would launch the default browser to run embedded JavaScript code, and then proceed with its infection chain.

“This campaign has gone through many changes over the past few months, and we don’t expect it to stop. […] The majority of the infected [victims] are with the business services industry, seconded by government,” VMware concludes.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
