Trojan.ChimeraWire: New Windows Malware Turns Chrome into a Stealth SEO Click Fraud Engine

CyberSecureFox 🦊

Security analysts at Doctor Web have reported the discovery of Trojan.ChimeraWire, an unusual Windows-focused Trojan that weaponizes the Google Chrome browser to generate fake yet highly realistic user activity. Instead of encrypting data or stealing funds, this malware is designed to manipulate search rankings and traffic metrics while staying largely invisible to the victim.

How Trojan.ChimeraWire Runs a Remote-Controlled Chrome on Windows

ChimeraWire is built on top of the legitimate open-source frameworks zlsgo and Rod, normally used for automating browser interactions. Threat actors repurpose these tools to gain remote programmatic control over Chrome on infected hosts.

The Trojan targets Windows systems and downloads a portable build of Google Chrome from an attacker-controlled server. It launches this Chrome instance in remote debugging mode, without a visible window, and communicates with it via a WebSocket connection to the debugging port. This gives the malware full control over navigation, clicks, and page interaction, effectively turning the victim’s machine into a stealth browser bot.

Multi-Stage Infection Chains and Privilege Escalation

Chain 1: Python Loader and OneDrive DLL Search Order Hijacking

In the first observed infection chain, ChimeraWire is delivered via Trojan.DownLoader48.54600, which performs anti-VM and anti-debugging checks before downloading an archive, python3.zip. This archive contains a Python script (Python.Downloader.208) and a malicious library, ISCSIEXE.dll (Trojan.Starter.8377).

If the script lacks administrator rights, it abuses DLL Search Order Hijacking—a technique where Windows loads a malicious DLL placed in a trusted directory before the legitimate one. The script copies the rogue DLL into WindowsApps, creates a VBS file, and launches iscsicpl.exe, which in turn loads the attacker’s DLL. This DLL restarts the Python loader with elevated privileges.

With admin rights, Python.Downloader.208 retrieves onedrive.zip, containing a legitimate, signed OneDrivePatcher.exe and a malicious UpdateRingSettings.dll (Trojan.DownLoader48.54318). The process again exploits DLL search order hijacking so OneDrivePatcher.exe loads the malicious DLL, which then downloads, decrypts, and unpacks Trojan.ChimeraWire from a ZLIB container along with embedded shellcode.

Chain 2: Masquerade PEB, ATL.dll Patching and WMI Abuse

A second infection chain begins with Trojan.DownLoader48.61444. Without admin rights, it uses the Masquerade PEB technique to make the process appear as explorer.exe in the system’s Process Environment Block, helping it blend into normal system activity.

The loader then patches a copy of ATL.dll (a Microsoft Active Template Library DLL), injecting decrypted bytecode and a path to its executable, and registers the modified DLL inside WMI (Windows Management Instrumentation). To escalate privileges, it abuses the legacy COM interface CMSTPLUA, a known avenue for UAC bypasses in misconfigured or outdated systems.

After privilege escalation, the tampered ATL.dll is copied into %SystemRoot%\System32\wbem. Launching WmiMgmt.msc through mmc.exe triggers another DLL search order hijack, causing Trojan.DownLoader48.61444 to restart with admin rights. It then executes PowerShell scripts that download two archives: one.zip (with OneDrivePatcher.exe and UpdateRingSettings.dll, mirroring Chain 1) and two.zip (Python.Downloader.208 as update.py and a renamed interpreter Guardian.exe). Both components are registered in Task Scheduler for persistence.

Browser Automation, CAPTCHA Bypass and Search Manipulation

Once installed, ChimeraWire downloads chrome-win.zip with a portable Chrome build; the same server also hosts versions for Linux and macOS, indicating cross‑platform plans. The malware attempts to silently deploy the Chrome extensions NopeCHA and Buster, which are designed to automatically solve CAPTCHA challenges, making automated traffic look more like genuine human activity.

ChimeraWire connects to the Chrome debugging port via WebSocket and retrieves tasks from its command-and-control server. The server responds with a base64-encoded, AES‑GCM–encrypted JSON configuration containing the target search engine (Google or Bing), keywords and domains to promote, click limits, browsing depth, delays between actions, and probabilistic click models such as “1:90, 2:10” to decide how many links to follow.

The Trojan issues search queries, parses result pages, collects all hyperlinks into an array and then randomly shuffles them. This breaks the natural on‑page order that anti‑bot systems often rely on to detect scripted behavior. It then evaluates each link against the configured patterns, prioritizes the best matches, and performs controlled click sequences, including back navigation, opening new tabs, and time‑delayed browsing—until the specified click quota is met.

Business Impact: Beyond SEO Fraud to Large-Scale Web Abuse

Currently, ChimeraWire functions primarily as a browser clicker for SEO and traffic fraud. However, its architecture essentially provides a general-purpose, remotely controlled browser automation framework that behaves like a real user. In practice, this could be repurposed for mass form submissions (surveys, registrations, promo campaigns), metric inflation on advertising and social platforms, and data harvesting such as scraping page content, screenshots, and contact information.

Industry estimates regularly put global digital advertising fraud losses in the tens of billions of dollars per year. Malware like ChimeraWire increases this risk by making fake traffic harder to distinguish from legitimate users, undermining marketing analytics, search engine integrity, and the reliability of audience measurement across sectors.

Detection and Mitigation Strategies for Organizations

To reduce exposure to ChimeraWire and similar threats, organizations should strengthen endpoint and configuration hardening. Recommended measures include monitoring the integrity of system libraries (such as ATL.dll), detecting suspicious Task Scheduler entries, and closely auditing PowerShell activity for unexpected download or execution patterns.

Security teams should limit the execution of untrusted interpreters and scripting engines (for example, unmanaged Python runtimes and ad‑hoc console tools), and ensure timely patching of Windows components and COM-related vulnerabilities to reduce the effectiveness of DLL search order hijacking and CMSTPLUA-based privilege escalation.

Modern EDR/XDR platforms and network monitoring can add an important detection layer by flagging unusual downloads of portable browsers and browser extensions, unexpected use of Chrome’s remote debugging mode, and anomalous outbound WebSocket traffic to unknown hosts. Combined with user awareness and robust patch management, these controls significantly increase the chances of detecting and disrupting ChimeraWire’s activity before it can be leveraged for large-scale fraud.
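As an added example (not part of the Doctor Web report or of any vendor tooling), the PowerShell triage script below covers three of the host-side checks described above: Chrome running with remote debugging enabled and no window, an ATL.dll copy sitting in System32\wbem, and scheduled tasks whose action points at a renamed interpreter or a loader script. The switch names --remote-debugging-port and --headless are standard Chrome command-line switches assumed here; the wbem path and the Guardian.exe / update.py file names are taken from the article.

```powershell
# Defender-side triage for ChimeraWire-style artifacts. Run from an elevated prompt.
# Added example; assumes standard Chrome switches (--remote-debugging-port, --headless).
$findings = @()

# 1. Chrome processes started with remote debugging and/or headless mode, plus their parent.
Get-CimInstance -ClassName Win32_Process |
    Where-Object { $_.Name -match '^chrome(\.exe)?$' -and $_.CommandLine } |
    ForEach-Object {
        if ($_.CommandLine -match '--remote-debugging-port|--headless') {
            $parent = Get-CimInstance -ClassName Win32_Process -Filter "ProcessId = $($_.ParentProcessId)"
            $findings += [pscustomobject]@{
                Check  = 'ChromeRemoteDebug'
                Detail = "PID $($_.ProcessId) parent=$($parent.Name) path=$($_.ExecutablePath)"
            }
        }
    }

# 2. An ATL.dll dropped next to the WMI binaries (the article's Chain 2 drop location).
#    Report its Authenticode status and hash so it can be compared with the System32 copy.
$wbemAtl = Join-Path $env:SystemRoot 'System32\wbem\ATL.dll'
if (Test-Path $wbemAtl) {
    $sig = Get-AuthenticodeSignature -FilePath $wbemAtl
    $findings += [pscustomobject]@{
        Check  = 'WbemAtlDll'
        Detail = "present, signature=$($sig.Status), sha256=$((Get-FileHash -Path $wbemAtl).Hash)"
    }
}

# 3. Scheduled tasks that execute a Python-like interpreter or the loader script
#    from outside Program Files (the persistence mechanism named in the article).
Get-ScheduledTask | ForEach-Object {
    $task = $_
    foreach ($a in $task.Actions) {
        $cmd = "$($a.Execute) $($a.Arguments)"
        if ($cmd -match 'Guardian\.exe|python|update\.py' -and $cmd -notmatch '^"?[A-Z]:\\Program Files') {
            $findings += [pscustomobject]@{
                Check  = 'SuspiciousTask'
                Detail = "$($task.TaskPath)$($task.TaskName): $cmd"
            }
        }
    }
}

if ($findings) { $findings | Format-Table -AutoSize } else { 'No ChimeraWire-style artifacts found.' }
```

A hit on any single check is a lead for investigation rather than a verdict; developers and QA tooling legitimately start Chrome with remote debugging, so correlate with the parent process and the download source before acting.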
