Cloud9 Botnet Hijacking Web Browsers and Compromising Windows Operating System

Microsoft® Windows OS Browsers
Advisory ID:
CVE-2016-0189, CVE-2014-6332, CVE-2016-7200, CVE-2019-9810, CVE-2019-11708
November 14, 2022


Two Cloud9 malware variants have been discovered in the wild, one of which is a significantly improved version of the other (with added features and bug fixes) that affects web browsers. Cloud9 is a malicious web browser extension that targets a variety of browsers. It can introduce malware into a device and functions similarly to a Remote Access Trojan (RAT), allowing the threat actor to remotely control a device.

Description & Consequence

Cloud9 is a botnet, or computer network, controlled by a group of hackers that allows hackers to remotely access any computer, including all of its data, and use it for any purpose. Instead of installing a Trojan on victims' computers, they used a malicious web browser extension distributed via web stores such as the Chrome store. The extension appeared in the browser as a Flash plugin, allowing it to load this type of content. If you install the plugin, it will join the botnet and wait for orders from hackers. Furthermore, hackers could steal online accounts, record all keystrokes, and inject ads and malicious JavaScript code without raising the user's suspicion. Infected computers are also used to launch denial of service (DDoS) attacks. Even if the Windows malware component is not present, the Cloud9 extension can steal cookies from the compromised browser and use them to hijack legitimate user sessions and take over accounts.

The malicious browser extension is not available through any official web store; instead, it is distributed through malicious websites and, in one case, as a free Adobe Flash Player download. It is composed of three javascript files, each of which is in charge of a malicious compromise that, depending on the browser, will also load exploits for the aforementioned CVEs. The malware within these extensions is also capable of leveraging various vulnerabilities to escape the browser and infect the Windows operating system.

The consequences of a compromised device are numerous:

  1. The device can be controlled by the threat actor.
  2. Keylogger and clipper that scans the clipboard may steal username, passwords and other sensitive information.
  3. Online user accounts may be compromised.
  4. Use browser as part of a botnet to launch DDoS attacks.
  5. Inject unwanted advertisements and/or malware into the device.


In order to be better prepared to counter such an attack:

  1. Install an anti-malware solution with strong internet security.
  2. Always ensure that your web browser is updated to the latest version.
  3. If you are using Google Chrome, go to privacy and security in the settings menu and enable ‘Enhanced protection’.
  4. Enable multi-factor authentication on all accounts.
  5. Check the extensions installed on your web browser and delete any one that seems dubious/hasn’t been used in a long time.



Related Articles