A newly identified trojan called ChrimeraWire is being used to manipulate search engine rankings by simulating real user activity through Google Chrome. The malware was detailed today by researchers at Doctor Web, who discovered it while analysing affiliate-linked malware distribution campaigns.
Rather than stealing passwords or encrypting files, ChrimeraWire is built to boost the visibility of specific websites in Google and Bing search results. It does this by automating searches, loading target sites and clicking through them, all inside a hidden instance of the Chrome browser that it downloads itself and runs in debug mode.
The malware doesn’t arrive directly. It’s dropped in the final stage of a layered infection process. Doctor Web describes two separate chains that lead to its installation, both involving downloader trojans, privilege escalation, and system persistence tricks.
In the first chain, the infection begins with a downloader that checks for virtual environments. If the system looks real, it downloads a Python-based script and a malicious DLL, using a known Windows DLL search-order hijack to elevate privileges. Eventually it side-loads another malicious DLL through a signed OneDrive utility, which leads to ChrimeraWire.
The second chain uses a downloader that mimics a legitimate Windows process and patches a system library to run its own payload. It abuses older COM interface vulnerabilities to gain administrator rights, then launches the same final payload via scheduled tasks and DLL hijacking.
Once installed, ChrimeraWire downloads its own copy of a specific Chrome build from a third-party site. It adds browser extensions designed to bypass CAPTCHA protections, launches Chrome in a hidden window, and connects to a command-and-control server over WebSocket. The malware receives encrypted instructions that define what to search for, which sites to load, how many clicks to simulate, and how long to wait between actions.
The entire campaign is designed to look like real browsing. ChrimeraWire uses “probabilistic” click patterns, random pauses, and shuffles link order to avoid detection by bot mitigation systems. According to Doctor Web, this makes it effective at inflating traffic in a way that search engines may interpret as genuine engagement.
ChrimeraWire also supports other tasks, such as reading page content, taking screenshots, and even filling out web forms. These functions are not yet fully used, but could be activated in future versions.
For now, the main use appears to be driving fake traffic to specific websites, likely as part of shady affiliate marketing or SEO manipulation. The malware infrastructure suggests room for expansion into broader automation or data scraping if operators choose to go that route.
Doctor Web has published technical details and MITRE ATT&CK mappings in its full report. Security teams are advised to watch for Chrome processes launched at startup that are unsigned, not signed by Google, or running from outside the normal install directory; for PowerShell-based downloaders; and for scheduled tasks linked to Python or Chrome activity.
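As an added hunting example (not code from Doctor Web's report, and not the malware's own), the following PowerShell script turns the indicators above and the Chrome behaviour described earlier into three endpoint checks: running chrome.exe processes that fail the Authenticode check, are not signed by Google, sit outside the usual install path, or carry remote-debugging or extension-loading flags; scheduled tasks whose action invokes Python, Chrome, or a PowerShell command containing a download primitive; and Run/RunOnce autostart values doing the same. The flags, install paths, signer subject string and the downloader pattern are assumptions of this example, not facts from the article: the report says only "debug mode", "hidden window" and "adds browser extensions".

```powershell
# Added hunting script; not from Doctor Web's report and not the trojan's code.
# Assumptions (not stated in the article): "debug mode" is Chrome's DevTools remote
# debugging (--remote-debugging-port / --remote-debugging-pipe), side-loaded extensions
# show up as --load-extension, legitimate Chrome lives under Program Files and is
# signed with a certificate whose subject contains "O=Google".
# Run in an elevated PowerShell 5.1+ session on the endpoint being examined.

$LegitChromeDirs = @(
    "$env:ProgramFiles\Google\Chrome\Application",
    "${env:ProgramFiles(x86)}\Google\Chrome\Application"
)
$ChromeFlags = @('--remote-debugging-port', '--remote-debugging-pipe',
                 '--load-extension', '--headless', '--disable-extensions-except')
# Download primitives typical of PowerShell stagers (a lead, not a verdict).
$DownloaderPattern = 'DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Start-BitsTransfer|-enc'

function Get-SuspiciousChromeProcess {
    foreach ($proc in Get-CimInstance Win32_Process -Filter "Name = 'chrome.exe'") {
        $exe = $proc.ExecutablePath
        if (-not $exe) { continue }   # no access to this process; run elevated
        $sig = Get-AuthenticodeSignature -FilePath $exe
        $reasons = @()
        if ($sig.Status -ne 'Valid') {
            $reasons += "signature $($sig.Status)"
        } elseif ($sig.SignerCertificate.Subject -notmatch 'O=Google') {
            $reasons += "signer $($sig.SignerCertificate.Subject)"
        }
        $inLegitDir = $LegitChromeDirs | Where-Object { $exe.StartsWith($_, [StringComparison]::OrdinalIgnoreCase) }
        if (-not $inLegitDir) { $reasons += "path $exe" }
        $flags = @($ChromeFlags | Where-Object { $proc.CommandLine -like "*$_*" })
        if ($flags.Count -gt 0) { $reasons += "flags $($flags -join ' ')" }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Pid     = $proc.ProcessId
                Parent  = $proc.ParentProcessId   # check what spawned it (explorer? python? a task?)
                Path    = $exe
                Reasons = $reasons -join '; '
            }
        }
    }
}

function Test-SuspiciousCommand([string]$cmd) {
    # Python or Chrome anywhere in the command line, or PowerShell plus a download primitive.
    return ($cmd -match 'python|chrome') -or (($cmd -match 'powershell|pwsh') -and ($cmd -match $DownloaderPattern))
}

function Get-SuspiciousScheduledTask {
    foreach ($task in Get-ScheduledTask) {
        foreach ($action in $task.Actions) {
            # COM-handler actions have no Execute; the joined string is then empty and skipped.
            $cmd = ("$($action.Execute) $($action.Arguments)").Trim()
            if (-not $cmd) { continue }
            if (Test-SuspiciousCommand $cmd) {
                [pscustomobject]@{
                    Task    = "$($task.TaskPath)$($task.TaskName)"
                    Author  = $task.Author
                    Command = $cmd
                }
            }
        }
    }
}

function Get-SuspiciousAutorun {
    $keys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
            'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
            'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
            'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    foreach ($key in $keys) {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # PSPath, PSChildName etc. are provider metadata
            $val = [string]$p.Value
            if (Test-SuspiciousCommand $val) {
                [pscustomobject]@{ Key = $key; Name = $p.Name; Command = $val }
            }
        }
    }
}

Get-SuspiciousChromeProcess | Format-Table -AutoSize
Get-SuspiciousScheduledTask | Format-Table -AutoSize
Get-SuspiciousAutorun       | Format-Table -AutoSize
```

Treat the output as hunting leads rather than alerts: `--headless` and `--load-extension` are also used by legitimate test automation, and Google's own updater tasks will not match because their command lines do not contain "chrome". The Parent column is the useful pivot, since a Chrome spawned by a Python interpreter or by a scheduled task rather than by explorer.exe is the shape of activity this article describes.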
