ChimeraWire: The Click-Fraud Trojan Disguised as a Human User
Experts at Doctor Web have identified a new click-fraud trojan, Trojan.ChimeraWire, which disguises itself as the activity of a real user and artificially boosts website engagement metrics in search results. Infected Windows machines automatically query Google and Bing for specified resources, follow links, and click through pages as though operated by a human, enabling fraudsters to elevate the search ranking of their promoted domains.
At its core, ChimeraWire is built on two open-source Go projects: Rod, a library that drives Chromium-based browsers through the Chrome DevTools Protocol and is normally used to automate interactions with websites and web applications, and the utility library zlsgo. Once inside a system, the trojan downloads from a remote site an archive containing a portable Windows build of Google Chrome; Linux and macOS builds are stored on the same server. It then silently installs two legitimate Chrome extensions, NopeCHA and Buster, both designed for automated CAPTCHA solving. The browser is launched hidden with remote debugging enabled, and all control is routed through the DevTools WebSocket connection, so the malware can execute arbitrary scripts in the background without alerting the user.
ChimeraWire subsequently retrieves commands from its command-and-control server, which transmits an AES-GCM–encrypted configuration encoded as a base64 string. This configuration defines every operational parameter: which search engine to use (Google or Bing), target keywords, domains to promote, click depth, page-load delays, click-distribution patterns, and the timing of pauses to avoid the appearance of perpetual bot traffic. Essentially, it prescribes a highly adaptable behavior profile for an “ideal user” optimized for manipulation.
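As an added illustration (this is not code from Doctor Web or from the ChimeraWire sample), the following Go program shows what a decoder for a configuration of this kind has to do: base64-decode the blob, split off the nonce, open the AES-GCM envelope, and parse the plaintext. The key, the nonce-prefixed framing, and the JSON field names are assumptions made for this example; the page does not document the real schema or how the key is obtained. The encrypt helper exists only to build a constructed sample so the example runs offline.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
)

// Config mirrors the parameters the report lists. Field names are assumed;
// the real ChimeraWire schema is not published.
type Config struct {
	Engine       string   `json:"engine"`        // "google" or "bing"
	Keywords     []string `json:"keywords"`      // search terms to type
	Domains      []string `json:"domains"`       // domains to promote
	ClickDepth   int      `json:"click_depth"`   // how deep to click per site
	LoadDelayMS  int      `json:"load_delay_ms"` // pause after page load
	Distribution string   `json:"distribution"`  // e.g. "1:90, 2:10"
	PauseMinutes int      `json:"pause_minutes"` // idle time between sessions
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// DecryptConfig base64-decodes the blob and opens it with AES-GCM.
// Assumed layout: 12-byte nonce || ciphertext || 16-byte tag (the common
// Go idiom); the sample's actual framing is not described in the report.
func DecryptConfig(key []byte, b64 string) (*Config, error) {
	blob, err := base64.StdEncoding.DecodeString(b64)
	if err != nil {
		return nil, fmt.Errorf("base64: %w", err)
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(blob) < ns+gcm.Overhead() {
		return nil, errors.New("blob shorter than nonce plus tag")
	}
	// GCM is authenticated: a wrong key or a single flipped byte fails here
	// instead of yielding garbage, which is the check an analyst wants when
	// validating a key recovered from the binary.
	plain, err := gcm.Open(nil, blob[:ns], blob[ns:], nil)
	if err != nil {
		return nil, fmt.Errorf("gcm open failed (wrong key or modified blob): %w", err)
	}
	var cfg Config
	if err := json.Unmarshal(plain, &cfg); err != nil {
		return nil, fmt.Errorf("json: %w", err)
	}
	return &cfg, nil
}

// EncryptConfig is the inverse, used here only to build a constructed
// sample offline (a real C2 would do this server-side).
func EncryptConfig(key []byte, cfg *Config) (string, error) {
	plain, err := json.Marshal(cfg)
	if err != nil {
		return "", err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	// Seal appends ciphertext||tag to the nonce, producing nonce||ct||tag.
	return base64.StdEncoding.EncodeToString(gcm.Seal(nonce, nonce, plain, nil)), nil
}

// Tamper flips one bit in the final byte (inside the GCM tag) so that
// DecryptConfig's authentication check rejects the blob.
func Tamper(b64 string) (string, error) {
	blob, err := base64.StdEncoding.DecodeString(b64)
	if err != nil {
		return "", err
	}
	blob[len(blob)-1] ^= 0x01
	return base64.StdEncoding.EncodeToString(blob), nil
}

// SampleKey and SampleConfig are constructed values for this demo.
var SampleKey = []byte("0123456789abcdef0123456789abcdef") // 32 bytes: AES-256

var SampleConfig = Config{
	Engine:       "bing",
	Keywords:     []string{"cheap hosting", "vps offers"},
	Domains:      []string{"promoted.example"},
	ClickDepth:   3,
	LoadDelayMS:  2500,
	Distribution: "1:90, 2:10",
	PauseMinutes: 45,
}

func main() {
	b64, err := EncryptConfig(SampleKey, &SampleConfig)
	if err != nil {
		panic(err)
	}
	cfg, err := DecryptConfig(SampleKey, b64)
	if err != nil {
		panic(err)
	}
	fmt.Printf("engine=%s keywords=%v distribution=%q\n", cfg.Engine, cfg.Keywords, cfg.Distribution)
	bad, _ := Tamper(b64)
	if _, err := DecryptConfig(SampleKey, bad); err != nil {
		fmt.Println("tampered blob rejected:", err)
	}
}
```

When working from a real capture, the first things to establish are the nonce position and length and whether the base64 variant is standard or URL-safe; an `Open` failure on an otherwise plausible key usually means one of those framing assumptions is wrong rather than the key itself.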
The trojan’s workflow is as follows: it enters the assigned keywords into the search bar, discovers the designated sites, and opens them — sometimes in background tabs. On each loaded page, ChimeraWire extracts all HTML elements containing hyperlinks, stores them in an array, and shuffles their order so that the click sequence does not mimic the natural link order — a tactic designed to evade anti-bot heuristics. It then compares anchor text with template phrases from the configuration and counts matches.
If enough relevant links are found, it sorts them by their “relevance” to the keywords and clicks one or several. If matches are scarce or absent, ChimeraWire resorts to a probabilistic model: for example, a configuration might specify a distribution of “1:90, 2:10,” meaning that in 90% of cases it should click one link, and in 10% — two. The trojan randomly chooses from the shuffled list and proceeds. After each transition, it either returns to the search-results tab or proceeds to the next target until it exhausts its action quota for that site.
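The link-selection logic described in the two paragraphs above, as an added example in Go (the language of Rod and zlsgo, on which the sample is built); this is not ChimeraWire's own code. It parses a "1:90, 2:10" distribution string, shuffles the extracted links, scores their anchor text against template phrases, and takes either the relevance-sorted branch or the probabilistic fallback. Assumptions made here: the relevance branch clicks the top-scoring links up to a configured depth, the threshold for "enough" matches is a parameter, and the page of links is constructed.

```go
package main

import (
	"fmt"
	"math/rand"
	"sort"
	"strconv"
	"strings"
)

// Link is one anchor element extracted from the loaded page.
type Link struct {
	Text string
	Href string
}

// Bucket is one "count:percent" entry, e.g. "1:90" means one click 90% of the time.
type Bucket struct {
	Clicks  int
	Percent int
}

// ParseDistribution turns "1:90, 2:10" into weighted buckets and insists
// that the percentages sum to 100, so a truncated config is caught early.
func ParseDistribution(s string) ([]Bucket, error) {
	var out []Bucket
	total := 0
	for _, part := range strings.Split(s, ",") {
		part = strings.TrimSpace(part)
		if part == "" {
			continue
		}
		kv := strings.SplitN(part, ":", 2)
		if len(kv) != 2 {
			return nil, fmt.Errorf("malformed entry %q", part)
		}
		n, err := strconv.Atoi(strings.TrimSpace(kv[0]))
		if err != nil || n < 0 {
			return nil, fmt.Errorf("bad click count in %q", part)
		}
		p, err := strconv.Atoi(strings.TrimSpace(kv[1]))
		if err != nil || p < 0 {
			return nil, fmt.Errorf("bad percentage in %q", part)
		}
		out = append(out, Bucket{Clicks: n, Percent: p})
		total += p
	}
	if len(out) == 0 || total != 100 {
		return nil, fmt.Errorf("percentages sum to %d, want 100", total)
	}
	return out, nil
}

// PickClickCount draws a click count according to the bucket weights.
func PickClickCount(dist []Bucket, rng *rand.Rand) int {
	if len(dist) == 0 {
		return 1
	}
	roll, acc := rng.Intn(100), 0
	for _, b := range dist {
		acc += b.Percent
		if roll < acc {
			return b.Clicks
		}
	}
	return dist[len(dist)-1].Clicks
}

// relevance counts how many template phrases occur in the anchor text.
func relevance(text string, phrases []string) int {
	lower, n := strings.ToLower(text), 0
	for _, p := range phrases {
		if strings.Contains(lower, strings.ToLower(p)) {
			n++
		}
	}
	return n
}

// SelectLinks shuffles the links, scores them, and either clicks the
// top-scoring ones (up to clickDepth) or falls back to the probabilistic
// model when fewer than minMatches links match any template phrase.
func SelectLinks(links []Link, phrases []string, minMatches, clickDepth int, dist []Bucket, rng *rand.Rand) []Link {
	shuffled := make([]Link, len(links))
	copy(shuffled, links)
	rng.Shuffle(len(shuffled), func(i, j int) { shuffled[i], shuffled[j] = shuffled[j], shuffled[i] })

	type scored struct {
		l Link
		s int
	}
	var hits []scored
	for _, l := range shuffled {
		if s := relevance(l.Text, phrases); s > 0 {
			hits = append(hits, scored{l, s})
		}
	}
	n := 0
	if len(hits) >= minMatches {
		// Stable sort keeps the shuffled order among equal scores.
		sort.SliceStable(hits, func(i, j int) bool { return hits[i].s > hits[j].s })
		n = clickDepth
		if n > len(hits) {
			n = len(hits)
		}
		out := make([]Link, 0, n)
		for _, h := range hits[:n] {
			out = append(out, h.l)
		}
		return out
	}
	// Fallback: too few relevant anchors, so draw a count and take it from the shuffled list.
	n = PickClickCount(dist, rng)
	if n > len(shuffled) {
		n = len(shuffled)
	}
	return shuffled[:n]
}

func main() {
	dist, err := ParseDistribution("1:90, 2:10")
	if err != nil {
		panic(err)
	}
	rng := rand.New(rand.NewSource(42))
	page := []Link{ // constructed sample page
		{"Home", "/"}, {"Cheap VPS hosting plans", "/vps"}, {"Contact us", "/contact"},
		{"Managed hosting", "/hosting"}, {"Privacy policy", "/privacy"},
	}
	for _, l := range SelectLinks(page, []string{"hosting", "vps"}, 2, 3, dist, rng) {
		fmt.Printf("click %s (%s)\n", l.Href, l.Text)
	}
	fb := SelectLinks(page, []string{"no such phrase"}, 2, 3, dist, rng)
	fmt.Printf("fallback picked %d link(s)\n", len(fb))
}
```

From the defender's side the useful observation is the inverse: a "user" whose click order on a page is decorrelated from link position, yet whose clicked anchors disproportionately contain a small fixed vocabulary, is exactly what this selection procedure produces.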
To infiltrate a system and acquire the necessary privileges, the attackers built several intricate infection chains.
In the first chain, execution begins with the loader Trojan.DownLoader48.54600, which terminates immediately if it detects virtualization or debugging. If the environment passes these checks, it downloads a python3.zip archive containing the malicious script Python.Downloader.208 and the library ISCSIEXE.dll (Trojan.Starter.8377). The attackers exploit DLL Search Order Hijacking, causing iscsicpl.exe to load the trojanized DLL and thus grant administrator-level execution for the next stage.
With elevated privileges, Python.Downloader.208 retrieves onedrive.zip, which contains UpdateRingSettings.dll (Trojan.DownLoader48.54318) and the legitimately signed OneDrivePatcher.exe. This executable, too, is vulnerable to DLL hijacking and loads the malicious library. The new loader repeats the virtualization check, downloads an encrypted, zlib-compressed container holding shellcode and an executable, decrypts and unpacks it, and finally launches the main payload, Trojan.ChimeraWire.
The second chain employs a separate loader, Trojan.DownLoader48.61444, which masquerades as explorer.exe by rewriting fields in its own Process Environment Block (PEB), escalates privileges through the legacy CMSTPLUA COM interface, and again abuses DLL Search Order Hijacking, this time by planting a substitute ATL.dll and launching the WMI console (mmc.exe) so that it loads the planted library. After gaining administrator rights, it downloads two archives: one.zip (containing OneDrivePatcher.exe and UpdateRingSettings.dll) and two.zip (containing Python.Downloader.208 as update.py plus the files needed to run it, including Guardian.exe, a renamed pythonw.exe). Scheduled tasks are created in the Windows Task Scheduler to ensure persistence across reboots. The second chain thus duplicates parts of the first, increasing the likelihood of successful delivery.
The trojan’s name is no accident: “Chimera” evokes the hybridized nature of the attack chain — loaders in multiple languages, an assortment of anti-analysis techniques, several privilege-escalation methods, and a fusion of off-the-shelf frameworks, plugins, and legitimate software for covert manipulation of web traffic. “Wire” underscores its invisible yet constant network activity, from module retrieval to persistent C2 communication.
For now, ChimeraWire’s primary mission is relatively simple: artificially inflating site popularity by simulating genuine user behavior in search engines and on webpages. Yet the components on which it is built enable far more. In theory, attackers could automate web-form submissions (including in advertising and survey platforms), read page content, capture screenshots, or harvest vast quantities of data — such as email addresses and phone numbers for spam or phishing campaigns.
Doctor Web specialists expect future variants of ChimeraWire to feature expanded capabilities and continue to monitor its evolution. For users and administrators, the conclusion is a familiar one: signature-based detection is no longer sufficient. Sophisticated infection chains leveraging DLL hijacking, administrator-level privilege escalation, and anti-debugging techniques can persist for long periods unless complemented by behavioral and proactive defensive measures.