

























EpiBrowser is a Potentially Unwanted Program (PUP) that can install on a victim’s machine with or without their knowledge. To appear legitimate, it mimics Chromium-based browsers by using real Google Chrome components, most notably chrome_elf.dll, the library responsible for security initialization and system integration. It strengthens this deception with custom search engines (such as Yahoo!) and startup pages that mirror Chrome’s look and feel, exploiting user trust in the familiar brand.

We also notice that it creates and subsequently terminates WerFault.exe (Windows Error Reporting service) during execution based on the samples’ behavior, which is a technique commonly associated with process hollowing or injection attacks.
The threat actor signed the software using certificates issued to ‘Byte Media Sdn. Bhd.,’ a Johor, Malaysia–based digital transformation consultancy that provides IT modernization, usability, and advisory services.
Users tricked into installing this browser become victims of data collection and search redirection. They may also risk potential exposure to additional malware through sketchy ads and search results.
The certificate abuse is particularly concerning because it's eroding one of our core trust mechanisms. If attackers can consistently obtain legitimate certificates from multiple CAs, the community may need to rethink our code signing verification approach entirely. With more malware families adopting these Chrome-mimicking techniques, EpiBrowser is a preview of what's coming, and we need to start preparing our defenses accordingly.
Windows users can remove the browser from their system through the "Apps and Features" and "Programs and Features" options on Windows 11 and Windows 10, respectively.
Todyl’s security solution is designed to detect this specific type of cyber threat with precision. Backed by our expert MXDR team, we provide continuous monitoring of suspicious activity to quickly identify potential threats and safeguard your most sensitive assets. We also collaborate closely with your team to develop custom detection rules, ensuring full visibility, transparency, and a security approach tailored to your unique environment.
The subject name of code signature is “Byte Media Sdn. Bhd."
(HKEY_CURRENT_USER\Software\EPISoftware\EpiBrowser*)
(HKEY_CURRENT_USER\Software\EPISoftware\Update*)
(HKEY_CURRENT_USER\SOFTWARE\Policies\EPISoftware\EpiBrowser)
Description: Epibrowser registry persistence
C:\Users\<USER>\AppData\Local\Temp
\epibrowser-bin\epibrowser.exe
C:\Users\<USER>\AppData\Local\EPISoftware
\EpiBrowser\Application\130.0.6723.147\notification_helper.exe
Description: The file locations of the application.
f52ca24fd5f99891
e0385959bad2ddd9
14040c0474ba5e16
c6d4d6fc20181d5e
184f49cade4b27dc
435fe24f18d31f14
10a3f5c065831b6c
889b289c5aacb02d
60b336093ae1c56e
9bcd3b8322533101
ed5dc60c6dfda6b4
ca321f147369de68
73c97542fe54228e
a553be487a8d1665
97222a357a9f423e
f3eee840154af91e
Dc03f86386c87623
1cef5e82c78ab75f

Ahsan Ayub is a Security Research Engineer at Todyl with over 8 years of combined industry and research experience in Software Development, Cybersecurity, and AI. He is passionate about applying AI to solve real-world cybersecurity challenges, investigating security concerns within AI systems, and developing expertise in both defensive and offensive security practices.
Ahsan earned his Ph.D. from Tennessee Tech University with a focus on Cybersecurity and AI. Prior to joining Todyl, he worked as a Security Engineer at Vanderbilt University Medical Center (VUMC). He has published more than 10 peer-reviewed scholarly articles covering topics including ransomware, malware, cryptography, adversarial machine learning, responsible AI, domain generation algorithms (DGA), and network covert communication.
Outside of work, Ahsan enjoys traveling, playing sports, and connecting with people.
此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。