New Malware Campaign Exploits Administrative Policy Keys to Hijack Chrome


A recently uncovered cyberattack leverages legitimate Google Chrome enterprise policy configurations to manipulate system settings and install malicious browser extensions. Attackers exploit Windows registry entries associated with administrative controls to circumvent security measures, enabling the deployment of harmful software without user awareness.

Mechanics of the Exploit

The operation involves a multi-stage process that begins with a deceptive Italian-language phishing email containing a disguised JavaScript file. Once executed, the malicious payload employs a technique called “DLL side-loading,” where a legitimate, digitally signed executable from Epic Games is accompanied by a compromised library file (d3d11.dll). When the trusted application runs, the system inadvertently loads the malicious component, allowing attackers to execute hidden PowerShell commands undetected by standard antivirus systems.

The PowerShell script then alters Chrome’s enterprise policy settings within the Windows registry. Specifically, it modifies the ExtensionInstallAllowlist and ExtensionInstallSources keys, making the malicious extension appear as an approved administrative tool. This manipulation forces Chrome to automatically install a persistent extension, identified as “Cloud vn105rkj64,” which serves as a communication channel for the threat actors.

Rising Concerns for Browser Security

This campaign underscores a growing vulnerability in the modern reliance on web browsers as primary platforms for business operations. As enterprises increasingly depend on browser-based applications, cloud services, and identity management systems, the attack surface for such threats expands. Google has addressed related weaknesses through multiple high-severity updates in June 2026, including fixes for CVE-2026-11658 and CVE-2026-11645, which address flaws in Chrome’s handling of extensions and untrusted inputs. However, the attack highlights the limitations of patching alone: the threat actors here exploit legitimate administrative features rather than traditional exploitation vectors.

Security professionals advise organizations to treat browsers as critical endpoints rather than standard user applications. Recommendations include implementing strict extension allow-lists, enforcing automatic updates, and deploying endpoint detection and response (EDR) solutions to monitor for suspicious processes such as PowerShell or command-line executions. The incident emphasizes the need for proactive measures to safeguard browser environments, as adversaries continue to refine techniques that exploit trusted system components.
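The registry keys named in the "Mechanics of the Exploit" section and the allow-list recommendation above are both things a defender can check directly. The script below is an added example written for this article, not code from the reporting or from Google: it parses the text produced by exporting the Chrome policy key (for instance with `reg export`) and flags extension policy entries that IT never approved, force-installs whose update URL is not the Chrome Web Store, and any ExtensionInstallSources pattern, since each such pattern lets extensions be installed from outside the store. The key and value layout follows Chrome's documented policy registry format; the extension IDs, update URL hostname and the export text itself are constructed for the demonstration.

```python
r"""Audit the Chrome enterprise extension policies found in a registry export.

Added example for this article (not vendor or campaign code). It reads the
text that exporting HKLM\SOFTWARE\Policies\Google\Chrome to a .reg file
produces and reports policy entries an administrator did not approve. The
IDs, hostnames and export text below are constructed, not real indicators.
"""
import re
from typing import Dict, FrozenSet, List, Set, Tuple

# Chrome's own extension update service; a force-installed extension fetched
# from anywhere else deserves a closer look.
WEBSTORE_UPDATE_URL = "https://clients2.google.com/service/update2/crx"
# Extension IDs are 32 characters drawn from the letters a-p.
EXT_ID_RE = re.compile(r"^[a-p]{32}$")
POLICY_ROOT = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome"

# Constructed (hypothetical) IDs: one the organisation approved, one it did not.
APPROVED_ID = "abcdefghijklmnop" * 2
ROGUE_ID = "ponmlkjihgfedcba" * 2

# Constructed export imitating what a policy-abusing script leaves behind: an
# extra allowlist entry, a force-install pointing at a non-Web-Store update URL,
# and an ExtensionInstallSources pattern that permits installs from that host.
SAMPLE_REG_EXPORT = f"""Windows Registry Editor Version 5.00

[{POLICY_ROOT}\\ExtensionInstallBlocklist]
"1"="*"

[{POLICY_ROOT}\\ExtensionInstallAllowlist]
"1"="{APPROVED_ID}"
"2"="{ROGUE_ID}"

[{POLICY_ROOT}\\ExtensionInstallForcelist]
"1"="{APPROVED_ID};{WEBSTORE_UPDATE_URL}"
"2"="{ROGUE_ID};http://updates.example.invalid/ext.xml"

[{POLICY_ROOT}\\ExtensionInstallSources]
"1"="http://updates.example.invalid/*"
"""

Finding = Tuple[str, str, str, str]  # (reason, policy key, value name, data)
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Return {subkey under POLICY_ROOT: {value name: data}} from .reg text."""
    snapshot: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            current = None
            if key.lower().startswith(POLICY_ROOT.lower() + "\\"):
                current = key[len(POLICY_ROOT) + 1:]
                snapshot.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if current is not None and m:
            # .reg files escape quotes and backslashes inside string data.
            data = m.group("data").replace('\\"', '"').replace("\\\\", "\\")
            snapshot[current][m.group("name")] = data
    return snapshot


def audit_extension_policy(snapshot: Dict[str, Dict[str, str]],
                           approved_ids: Set[str],
                           approved_sources: FrozenSet[str] = frozenset()) -> List[Finding]:
    """Flag policy entries that widen what Chrome will install beyond IT's approval."""
    findings: List[Finding] = []

    for name, ext_id in snapshot.get("ExtensionInstallAllowlist", {}).items():
        if not EXT_ID_RE.match(ext_id):
            findings.append(("malformed-id", "ExtensionInstallAllowlist", name, ext_id))
        elif ext_id not in approved_ids:
            findings.append(("unapproved-allowlist-entry", "ExtensionInstallAllowlist", name, ext_id))

    for name, data in snapshot.get("ExtensionInstallForcelist", {}).items():
        ext_id, _, update_url = data.partition(";")
        if not EXT_ID_RE.match(ext_id):
            findings.append(("malformed-id", "ExtensionInstallForcelist", name, data))
            continue
        if ext_id not in approved_ids:
            findings.append(("unapproved-forced-install", "ExtensionInstallForcelist", name, data))
        # An omitted update URL means the Web Store; anything else is suspect.
        if update_url and update_url != WEBSTORE_UPDATE_URL:
            findings.append(("non-webstore-update-url", "ExtensionInstallForcelist", name, data))

    # Every ExtensionInstallSources pattern permits .crx installs from that
    # origin, bypassing the Web Store, so each one must be deliberate.
    for name, pattern in snapshot.get("ExtensionInstallSources", {}).items():
        if pattern not in approved_sources:
            findings.append(("unexpected-install-source", "ExtensionInstallSources", name, pattern))

    return findings


def audit_sample() -> List[Finding]:
    """Audit the constructed export with only APPROVED_ID on the approved list."""
    return audit_extension_policy(parse_reg_export(SAMPLE_REG_EXPORT), {APPROVED_ID})


if __name__ == "__main__":
    for reason, key, name, data in audit_sample():
        print(f"{reason:28} {key}\\{name} = {data}")
```

On the constructed export the audit reports four findings: the unapproved allowlist entry, the unapproved force-install, its non-Web-Store update URL, and the install-source pattern. Run against a real export, the approved ID set and source patterns should come from the organisation's change-controlled baseline, so that any entry written by a script rather than by Group Policy stands out.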
