Chinese authorities arrest "Fireball" malware operators


Chinese authorities have arrested at least 11 individuals who reportedly operated the Fireball malware campaign[1]. All of the suspects were employees of Rafotech, the company behind the malware, and three of them were members of the company's management team: the CEO, CFO and CTO.

All of the suspects allegedly admitted being operators of the massive Fireball campaign.

Reports show that nine of the suspects attempted to destroy information on their computers to wipe out evidence of the massive click-fraud operation.

According to reports, the malicious software earned a whopping $12 million (80 million yuan) for its developers[2].

The suspects were arrested by the Beijing Municipal Public Security Bureau. The organization reportedly received help from "Haidian friends" who helped to track down the criminals.

Fireball malware compromised 250 million computers across the globe, earning $12 million for the criminals

The malware reportedly compromised over 250 million computers worldwide and was used to turn victims' browsers into money-making tools. The malware severely affected India, the US, the UK[3] and many other countries.

The software was capable of hijacking victims' browsers and redirecting URLs to generate pay-per-click revenue. Fireball malware pushed the following browser hijackers onto victims' computers:

Each of these bogus browser hijackers replaced the victim's homepage and default search settings to force them to use a bogus search engine. Some of these search engines were so successful that they made it onto Alexa's list of the top 1000 sites.

Victims reported that it was "nearly impossible to remove" these hijackers. The malware contained components responsible for collecting the victim's web traffic, executing code remotely on the victim's computer, installing additional spyware or malware, and more.

Malware was distributed via software bundling

Not surprisingly, the suspects admitted that they used software bundling as the primary Fireball distribution technique. The malicious software was added to many popular free programs and offered to users as a "recommended download" during installation.

Computer users should always check the Privacy Policy document provided in software installers to find out how the program collects and uses user data. It is also important to check whether the installer proposes adding more than one program to the system.

Choosing Custom or Advanced installation settings helps to reveal all additional programs bundled with the primary one and gives the user an opportunity to reject them. It goes without saying that anti-spyware or anti-malware programs can help to ward off suspicious programs, too[5].

About the author
Olivia Morelli - Ransomware analyst

Olivia Morelli is News Editor at She covers topics such as computer protection, latest malware trends, software vulnerabilities, data breaches, and more.
