By manipulating Windows registry keys for Chrome enterprise policies, attackers can bypass security sandboxing and force the installation of malicious extensions under the guise of legitimate administrative software.

New Malware Campaign Hijacks Chrome by Mimicking Administrative Policy Keys

The420 Web Correspondent

A sophisticated malware campaign has been discovered abusing legitimate Google Chrome enterprise policy keys to hijack user browsers. By manipulating the Windows registry, attackers are bypassing standard security boundaries to silently force the installation of malicious extensions, effectively transforming the browser into a full remote-command backdoor.

The campaign, identified in June 2026, demonstrates a shift toward weaponizing the very tools meant to protect enterprise environments. Instead of relying on phishing alone, it uses a multi-stage attack that begins with a deceptive Italian-language phishing email carrying a disguised JavaScript attachment.

The Anatomy of the Hijack

The attack chain relies on a technique known as “DLL side-loading.” Once the initial malicious script executes, it drops a legitimate, digitally signed executable associated with Epic Games alongside a malicious library file (d3d11.dll). When the trusted application launches, Windows inadvertently loads the malicious library, allowing the attackers to execute hidden PowerShell commands without triggering standard antivirus alarms.

The PowerShell script then performs the core of the attack by modifying Chrome’s enterprise policy keys within the Windows registry. By specifically targeting the ExtensionInstallAllowlist and ExtensionInstallSources paths, the attackers make their malicious extension appear as an administrator-authorized deployment.

“The attack effectively tricks the browser into believing the malicious extension is a mandatory, IT-approved tool,” security researchers noted. This forces Chrome to silently install a persistent extension—observed in recent cases as a file labeled “Cloud vn105rkj64”—which functions as a command-and-control conduit for the threat actors.

A Growing Threat to Browser Security

This campaign highlights a significant, recurring vulnerability in the modern “browser-as-an-OS” model. As organizations rely increasingly on browser-based SaaS platforms, identity providers, and cloud dashboards, the browser has become the primary target for account takeover attacks.

Google has been aggressively patching these weaknesses, with several high-severity security updates released throughout June 2026—including patches for CVE-2026-11658 and CVE-2026-11645—to address flaws in how Chrome handles extensions and untrusted input. However, patching alone is insufficient against attacks that exploit existing, legitimate administrative features.

Security experts are urging organizations to transition away from treating the browser as a simple user application. Instead, firms are advised to manage the browser as a critical endpoint, employing strict extension allow-lists, enforcing automated updates, and utilizing endpoint detection and response (EDR) rules to monitor for unusual browser-spawned processes like PowerShell or cmd.exe.
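As an added example, not from the article or the researchers cited in it, the script below audits the Chrome policy lists the campaign abuses (ExtensionInstallAllowlist and ExtensionInstallSources, plus ExtensionInstallForcelist, the policy Chrome uses for mandatory installs) under both the machine and user policy hives and reports every entry that is not on an organisation-approved baseline. The baseline extension ID and source hosts are constructed placeholders.

```powershell
# Audit Chrome extension policy entries in the registry against an approved baseline.
# Replace the constructed placeholder values below with your organisation's own.
$ApprovedExtensionIds = @('aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa')                  # constructed
$ApprovedSourceHosts  = @('clients2.google.com', 'intranet.example.test')     # constructed

$PolicyRoots  = @('HKLM:\SOFTWARE\Policies\Google\Chrome', 'HKCU:\SOFTWARE\Policies\Google\Chrome')
$ListPolicies = @('ExtensionInstallAllowlist', 'ExtensionInstallForcelist', 'ExtensionInstallSources')

function Get-PolicyListEntries {
    param([string]$Root, [string]$Policy)
    # Each list policy is a subkey whose values are numbered entries ("1", "2", ...).
    $key = Join-Path $Root $Policy
    if (-not (Test-Path -LiteralPath $key)) { return }
    $item = Get-Item -LiteralPath $key
    foreach ($name in $item.GetValueNames()) {
        [pscustomobject]@{ Root = $Root; Policy = $Policy; Name = $name; Value = [string]$item.GetValue($name) }
    }
}

function Test-EntryApproved {
    param([string]$Policy, [string]$Value)
    switch ($Policy) {
        'ExtensionInstallSources' {
            # Values are URL match patterns such as https://host/* ; compare only the host part.
            if ($Value -match '^[a-z*]+://([^/]+)') { return ($ApprovedSourceHosts -contains $Matches[1]) }
            return $false   # <all_urls> or anything unparsable is not approved
        }
        default {
            # Allowlist entries are bare IDs; Forcelist entries are "<id>;<update_url>".
            $id = ($Value -split ';')[0]
            if ($id -eq '*') { return $false }   # wildcard permits any extension
            return ($ApprovedExtensionIds -contains $id)
        }
    }
}

$findings = foreach ($root in $PolicyRoots) {
    foreach ($policy in $ListPolicies) {
        foreach ($entry in Get-PolicyListEntries -Root $root -Policy $policy) {
            if (-not (Test-EntryApproved -Policy $entry.Policy -Value $entry.Value)) { $entry }
        }
    }
}

# HKCU policy is writable by the user, so entries there deserve extra scrutiny on managed hosts.
if ($findings) { $findings | Sort-Object Root, Policy, Name | Format-Table -AutoSize }
else { Write-Host 'No unapproved Chrome extension policy entries found.' }
```

Run it from an elevated PowerShell session on each endpoint, or wrap it in an EDR custom script, and treat any unapproved entry as a signal to compare against chrome://policy and the Group Policy objects that should have delivered it.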
