A new strain of Adrozek malware infects devices and modifies browser settings in order to inject ads into search results pages so that the attackers can collect fees from referral programs. The malware can also extract credentials from the browser and upload them to the attacker's servers.

Adrozek spreads through "drive-by download" where users are redirected from legitimate sites to malicious ones where they are tricked into installing malicious software. The attack works against Microsoft Edge, Google Chrome, Mozilla Firefox and Yandex browsers.

The installer file names use the format of setup__.exe. Attackers drop a file in the Windows temporary folder, and this file then drops the main payload in the program files directory. The payload uses a file name that makes the malware appear to be legitimate audio-related software, with names such as Audiolava.exe, QuickAudio.exe, and converter.exe. The malware is installed the same way legitimate software is and can be accessed through Settings > Apps & Features and is registered as a Windows service with the same file name.



  • Disables browser updates, file integrity checks and Safe Browsing feature
  •  Installs malicious browser extensions which can run in incognito mode and without obtaining the appropriate permissions. The malicious extensions are hidden from the toolbar.
  • Modifies the browser's default home page
  • Modifies the browser's default search engine
  • User's credentials are exposed



  • All Windows-based web browsers


  • If Adrozek is found on your device, re-install your web browser and update to the latest version
  • Change your credentials immediately with strong passwords
  • Always update and patch operating system
  •  Install antivirus software and make sure it's always updated
  • Avoid suspicious links and emails
  • Carefully review software before downloading