How Fireball Malware Hijacked 250 Million Browsers – Origins, Impact, and Defense

Check Point researchers reveal that the Fireball malware, linked to Chinese firm Rafotech, has infected up to 250 million Windows and macOS computers worldwide by bundling malicious browser extensions, hijacking search engines, and enabling extensive data theft, prompting detailed analysis of its origin, impact, and mitigation steps.


Check Point researchers discovered a widespread malware family named Fireball that has infected up to 250 million computers (Windows and macOS). It takes full control of the victim's browsers, turning infected machines into zombies that can be used to monitor web traffic and steal data.

The malware is linked to Chinese company Rafotech, which provides digital marketing and mobile games to about 300 million users. Rafotech uses Fireball to inject ads via browser hijacking, but the malware can be leveraged for larger‑scale damage.

Origin of Fireball

Fireball spreads through bundling: free software packages install a malicious browser extension that replaces the default search engine and homepage with a fake engine (trotux.com).

Bundled software includes other Rafotech products such as Deal Wifi, Wild Horse Browser, “Soso Desktop”, and “FVP Image Viewer”.

“When users install free software, the bundled component may not always be installed,” researchers note. “Rafotech may also use other distribution methods such as spoofed names, spam, or purchasing installs from hackers.”

The fake search engine redirects queries to Yahoo or Google while embedding tracking pixels to collect victim information.

“Technically, Fireball is highly sophisticated, employing multi‑layer architecture and C&C servers that bypass antivirus detection, comparable to genuine malware,” the researchers say.

Impact Scope

“Our estimates suggest that one‑fifth of enterprises could suffer large‑scale data breaches.”

Globally, 250 million computers are affected, with 20 % in corporate networks. Infections by country: India 25.3 M (10.1 %), Brazil 24.1 M (9.6 %), Mexico 16.1 M (6.4 %), Indonesia 13.1 M (5.2 %), United States 5.5 M (2.2 %).

Company Background

Rafotech, founded in February 2015, claims to be a leading multinational digital‑marketing firm. Its services target publishers (ad insertion without extra ad slots) and advertisers (cloud platform and big‑data‑driven precise ad targeting). It also develops four overseas‑popular games and partners with companies such as Taptica for promotion.

Detection & Defense

Users can check for infection by verifying the browser homepage, default search engine, and installed extensions: if the homepage or search provider has silently changed to trotux.com or one of the other domains listed under Indicators of Compromise, or an extension appears that was never deliberately installed, the machine is likely affected. Removal involves uninstalling the related program (on Windows via Programs and Features, on macOS from the Applications folder; look for the bundled Rafotech products named above, such as Deal Wifi or FVP Image Viewer), then resetting the browser to its default settings and removing the unwanted extension. Prevention includes reading installer options carefully, declining optional bundled components, and avoiding free software from download sites known to bundle adware.
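The manual check above can be scripted. The following is an added example written for this summary (it is not Check Point's tooling or any Rafotech code): it reads a Chromium-style Preferences file, the JSON file Chrome keeps in each profile directory, and flags a homepage, startup page or default search provider that points at one of the page's hijack domains, plus any extension not installed from the Chrome Web Store. The sample Preferences dictionary, the extension IDs, paths and query strings are constructed for the demo; the domain list is copied from the IoC section.

```python
"""Audit a Chromium-style Preferences file for the browser-hijack symptoms the
summary lists: replaced homepage/startup page, replaced default search provider,
and sideloaded (non Web Store) extensions.

Added example for this page; it is not Check Point's tooling or Rafotech's code.
"""
import json
from urllib.parse import urlsplit

# Redirect/search domains copied from the page's IoC list (refanged).
HIJACK_DOMAINS = {
    "trotux.com", "startpageing123.com", "funcionapage.com",
    "universalsearches.com", "thewebanswers.com", "nicesearches.com",
    "youndoo.com", "luckysearch123.com", "ooxxsearch.com", "search2000s.com",
    "walasearch.com", "hohosearch.com", "yessearches.com",
}

CHROMIUM_COMPONENT_LOCATION = 5  # Manifest::COMPONENT: Chrome's own built-in extensions

# Constructed sample in the layout Chromium writes to a profile's "Preferences"
# file (Windows: %LOCALAPPDATA%\Google\Chrome\User Data\Default\Preferences,
# macOS: ~/Library/Application Support/Google/Chrome/Default/Preferences).
# Extension IDs, paths and query strings are made up for the demo.
SAMPLE_PREFS = {
    "homepage": "http://www.trotux.com/?z=demo&from=demo",
    "homepage_is_newtabpage": False,
    "session": {"restore_on_startup": 4,
                "startup_urls": ["http://www.trotux.com/?z=demo&from=demo"]},
    "default_search_provider_data": {"template_url_data": {
        "keyword": "trotux.com", "short_name": "Trotux",
        "url": "http://www.trotux.com/search/?q={searchTerms}"}},
    "extensions": {"settings": {
        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {
            "from_webstore": True, "location": 1,
            "manifest": {"name": "Web Store extension (benign)"}},
        "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {
            "from_webstore": False, "location": 3,
            "manifest": {"name": "Search Helper"},
            "path": "sideloaded/search-helper"},
        "cccccccccccccccccccccccccccccccc": {
            "location": CHROMIUM_COMPONENT_LOCATION,
            "manifest": {"name": "Built-in component"}},
    }},
}


def hostname(url: str) -> str:
    return (urlsplit(url).hostname or "").lower().rstrip(".")


def is_hijack_url(url: str, domains=HIJACK_DOMAINS) -> bool:
    """True when the URL's host is a hijack domain or a subdomain of one.

    Suffix matching is anchored on a dot, so trotux.com.example.org does not match.
    """
    host = hostname(url)
    return any(host == d or host.endswith("." + d) for d in domains)


def audit_preferences(prefs: dict, domains=HIJACK_DOMAINS) -> list:
    """Return human-readable findings for one parsed Preferences document."""
    findings = []
    homepage = prefs.get("homepage", "")
    if is_hijack_url(homepage, domains):
        findings.append(f"homepage set to hijack domain: {homepage}")
    for url in prefs.get("session", {}).get("startup_urls", []):
        if is_hijack_url(url, domains):
            findings.append(f"startup URL set to hijack domain: {url}")
    dsp = prefs.get("default_search_provider_data", {}).get("template_url_data", {})
    if is_hijack_url(dsp.get("url", ""), domains):
        findings.append(f"default search provider replaced by {dsp.get('short_name')}: {dsp['url']}")
    for ext_id, ext in prefs.get("extensions", {}).get("settings", {}).items():
        if ext.get("location") == CHROMIUM_COMPONENT_LOCATION:
            continue  # Chrome's bundled components are never "from_webstore"
        if not ext.get("from_webstore", False):
            name = ext.get("manifest", {}).get("name", "?")
            findings.append(f"sideloaded extension {ext_id} ({name}) at {ext.get('path')}: review manually")
    return findings


def audit_preferences_file(path: str) -> list:
    """Load a real Preferences file from disk and audit it."""
    with open(path, encoding="utf-8") as fh:
        return audit_preferences(json.load(fh))


if __name__ == "__main__":
    for finding in audit_preferences(SAMPLE_PREFS):
        print("FINDING:", finding)
```

Run it against the sample and it reports four findings: the homepage, the startup URL, the replaced search provider and the sideloaded extension. Sideloaded extensions are reported for review rather than declared malicious, because enterprise policy and unpacked developer extensions also land outside the Web Store; the hijack-domain matches are the strong signal.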

Indicators of Compromise (IoC)

C&C Domains

attra…page[.]com
s2s[.]rafotech[.]com
trotux[.]com
startpageing123[.]com
funcionapage[.]com
universalsearches[.]com
thewebanswers[.]com
nicesearches[.]com
youndoo[.]com
giqepofa[.]com
mustang-browser[.]com
forestbrowser[.]com
luckysearch123[.]com
ooxxsearch[.]com
search2000s[.]com
walasearch[.]com
hohosearch[.]com
yessearches[.]com
d3l4qa0kmel7is[.]cloudfront[.]net
d5ou3dytze6uf[.]cloudfront[.]net
d1vh0xkmncek4z[.]cloudfront[.]net
d26r15y2ken1t9[.]cloudfront[.]net
d11eq81k50lwgi[.]cloudfront[.]net
ddyv8sl7ewq1w[.]cloudfront[.]net
d3i1asoswufp5k[.]cloudfront[.]net
dc44qjwal3p07[.]cloudfront[.]net
dv2m1uumnsgtu[.]cloudfront[.]net
d1mxvenloqrqmu[.]cloudfront[.]net
dfrs12kz9qye2[.]cloudfront[.]net
dgkytklfjrqkb[.]cloudfront[.]net
dgkytklfjrqkb[.]cloudfront[.]net/main/trmz[.]exe

File MD5 Hashes

FAB40A7BDE5250A6BC8644F4D6B9C28F
69FFDF99149D19BE7DC1C52F33AAA651
B56D1D35D46630335E03AF9ADD84B488
2579DF066D38A15BE8142954A2633E7F
8C61A6937963507DC87D8BF00385C0BC
7ADB7F56E81456F3B421C01AB19B1900
84DCB96BDD84389D4449F13EAC750986
5BCE955CF12AF3417F055DADC0212920
2B307E28CE531157611825EB0854C15F
7B2868FAA915A7FC6E2D7CC5A965B1E7
66E4D7C44D23ABF72069E745E6B617ED
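The indicators above are defanged ("[.]") and mix three kinds of data: actor-owned domains, CloudFront distribution hostnames, one full download URL, and MD5 hashes. The following added example (written for this summary, not Check Point's or Rafotech's code) refangs a subset of those tokens, sorts them into sets, and runs them over constructed proxy-log lines and a constructed file-hash inventory. The log format, client addresses, the benign requests and the file names are made up; the indicator tokens themselves are copied from the page. The one caveat a practitioner needs is encoded in the matching rule: subdomains of an actor-owned zone such as trotux.com count as hits, but for shared CDN hostnames only the exact distribution name may match, otherwise every CloudFront-hosted site in the logs lights up.

```python
"""Refang the page's indicators and match them against proxy logs and file hashes.

Added example for this page, not Check Point's or Rafotech's code. Log lines,
client IPs, the benign entries and file names are constructed; the indicator
tokens are copied (as a subset) from the page's IoC section.
"""
import hashlib
import re
from urllib.parse import urlsplit

IOC_TEXT = """
s2s[.]rafotech[.]com trotux[.]com startpageing123[.]com universalsearches[.]com
youndoo[.]com mustang-browser[.]com forestbrowser[.]com hohosearch[.]com
d3l4qa0kmel7is[.]cloudfront[.]net d5ou3dytze6uf[.]cloudfront[.]net
dgkytklfjrqkb[.]cloudfront[.]net dgkytklfjrqkb[.]cloudfront[.]net/main/trmz[.]exe
FAB40A7BDE5250A6BC8644F4D6B9C28F 69FFDF99149D19BE7DC1C52F33AAA651
B56D1D35D46630335E03AF9ADD84B488
"""

# Hostnames under these suffixes live on a shared CDN: match only the exact
# distribution hostname, never the parent zone.
SHARED_INFRA_SUFFIXES = ("cloudfront.net",)

MD5_RE = re.compile(r"[0-9a-f]{32}")


def refang(token: str) -> str:
    return token.replace("[.]", ".").replace("hxxp", "http")


def parse_iocs(text: str):
    """Split the IoC text into (domains, urls, md5s), lower-cased and refanged."""
    domains, urls, md5s = set(), set(), set()
    for tok in text.split():
        tok = refang(tok.lower())
        if MD5_RE.fullmatch(tok):
            md5s.add(tok)
        elif "/" in tok:          # host + path: a specific download URL
            urls.add(tok)
        elif "." in tok:
            domains.add(tok)
    return domains, urls, md5s


DOMAINS, URLS, MD5S = parse_iocs(IOC_TEXT)


def host_matches(host: str, domains=DOMAINS):
    """Return the indicator a hostname matches, or None."""
    host = host.lower().rstrip(".")
    for d in domains:
        if host == d:
            return d
        # www.trotux.com -> trotux.com, but never *.cloudfront.net -> some distribution
        if not d.endswith(SHARED_INFRA_SUFFIXES) and host.endswith("." + d):
            return d
    return None


# Constructed proxy-log lines: timestamp client method url status
SAMPLE_LOG = [
    "2017-06-01T10:00:01Z 10.0.0.12 GET http://www.trotux.com/?z=demo 302",
    "2017-06-01T10:00:05Z 10.0.0.12 GET http://dgkytklfjrqkb.cloudfront.net/main/trmz.exe 200",
    "2017-06-01T10:00:09Z 10.0.0.40 GET https://www.google.com/search?q=fireball 200",
    "2017-06-01T10:01:00Z 10.0.0.41 GET http://abc123.cloudfront.net/asset.js 200",
    "2017-06-01T10:02:00Z 10.0.0.12 POST http://s2s.rafotech.com/report 200",
    "2017-06-01T10:03:00Z 10.0.0.44 GET http://d3l4qa0kmel7is.cloudfront.net/update 200",
]
LOG_RE = re.compile(r"(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$")


def scan_proxy_log(lines, domains=DOMAINS, urls=URLS):
    """Return (client, requested_url, matched_indicator) for every hit, in log order."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m["url"])
        host = parts.hostname or ""
        full = (host + parts.path).lower()
        if full in urls:                       # exact payload URL (the trmz.exe download)
            hits.append((m["client"], m["url"], full))
        else:
            d = host_matches(host, domains)
            if d:
                hits.append((m["client"], m["url"], d))
    return hits


# Constructed inventory: file name -> MD5, as an EDR or file-integrity export lists it.
SAMPLE_INVENTORY = {
    "sample.exe": "fab40a7bde5250a6bc8644f4d6b9c28f",
    "benign.dll": hashlib.md5(b"constructed benign content").hexdigest(),
}


def match_hashes(inventory: dict, md5s=MD5S) -> dict:
    """Return the inventory entries whose MD5 is on the indicator list."""
    return {name: h.lower() for name, h in inventory.items() if h.lower() in md5s}


if __name__ == "__main__":
    for client, url, ioc in scan_proxy_log(SAMPLE_LOG):
        print(f"{client} -> {url}  matches {ioc}")
    print("hash matches:", match_hashes(SAMPLE_INVENTORY))
```

On the sample log this reports four hits (the trotux.com redirect, the trmz.exe download, the s2s.rafotech.com beacon and one of the listed CloudFront distributions) and leaves the Google search and the unrelated CloudFront asset alone. Hash matching is case-insensitive because the page lists MD5s in upper case while most tooling emits lower case.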
Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact admin@besthub.dev and we will review it promptly.

Tags: information security, malware, browser hijacking, Fireball, Rafotech
Written by

MaGe Linux Operations

Founded in 2009, MaGe Education is a top Chinese high‑end IT training brand. Its graduates earn 12K+ RMB salaries, and the school has trained tens of thousands of students. It offers high‑pay courses in Linux cloud operations, Python full‑stack, automation, data analysis, AI, and Go high‑concurrency architecture. Thanks to quality courses and a solid reputation, it has talent partnerships with numerous internet firms.
