Google Chrome has had a rough go of things this year. Just back in May, the Google-built browser suffered from at least four zero-day exploits, all of which Google was able to fix in a pretty timely manner, forcing Chrome users to update pretty often. However, a new attack appears to be making the rounds, and it’s a pretty tricky one.

According to a new report from Proofpoint, the newest attempt to get Chrome users to install malware on their computers comes in the form of fake errors. The fake errors can also appear as Word and OneDrive errors, the security company reports.

The campaign is being used by multiple threat actors, including the group behind a new attack called ClickFix, as well as those behind existing attacks like ClearFake. Well-known threat actor TA571 is also believed to be involved. Much like previous ClearFake attacks—which used website overlays to push visitors to install fake browser updates riddled with malware—the new threat causes a popup to appear on the screen, prompting users to resolve an issue with their browser.


The instructions included in the fake Chrome error tell users to click a “copy” button and then paste a “fix” into Windows PowerShell while running it as an administrator. This is exceptionally bad news, because whatever is in the copied command then runs with administrator rights, giving it complete access to your computer.

Proofpoint says the command checks if the computer is a viable target, and then essentially opens the floodgates to install various malware on it. One of the primary downloads included in the package is an info-stealer, which can gather your personal info for threat actors, allowing them to use it however they want.

Proofpoint also said the malware is being spread through an email-based infection chain, which uses an HTML attachment claiming to be a Word Online extension. When you try to open it, an error message is displayed, asking you to complete the same steps as the Chrome error. The fundamentals of the command are a bit different, Proofpoint notes, but the overall goal is the same: to install malware on your computer so that bad actors can harvest your data.

Legitimate Chrome or Microsoft Word messages will never ask you to paste anything into Windows PowerShell. If you’re worried you might already be infected, run an antivirus or malware scan as soon as possible.