Probe Portal browser Hijacker
BLUF
A sophisticated browser hijacking campaign active in late 2025 that uses "sleeper" extensions and deceptive software like "PDF Spark" to redirect users to malicious search portals, exfiltrate browsing metadata, and capture credentials.
Executive Cost Summary
This cost analysis was developed by the CyberDax team using expert judgment and assisted analytical tools to support clarity and consistency.
For organizations affected by Probe Portal browser Hijacker:
Low-end total cost: $400,000 – $600,000
(Limited spread, rapid containment, no confirmed credential abuse)
Typical expected range: $700,000 – $1.2M
(Multiple endpoints affected, credential rotation required, moderate productivity loss)
Upper-bound realistic scenarios: $1.8M – $2.5M
(Developer accounts impacted, prolonged assurance effort, insurance friction)
Key cost driver:
Costs are driven less by visible system damage and more by the need for assurance. Browser hijackers like Probe Portal undermine trust in user activity, credentials, and developer environments. The financial impact scales with how deeply the organization must validate that no secrets, sessions, or downstream systems were compromised—making verification and confidence restoration the dominant cost factor rather than pure technical cleanup.
Targeted Sectors
· General consumers
· Enterprise users
· Developers
Of particular concern is the potential for supply chain attacks via the theft of developer secrets and API keys.
Countries
· Global
Date of First Reported Activity
· November 25, 2025
Date of Last Reported Update
· Active through December 2025
APT Names
· ShadyPanda
o Researchers believe the infrastructure is based in China, noting the use of Alibaba Cloud for C2 hosting and Chinese language in extension descriptions.
Criminal Organizations
Not associated with any known criminal organization.
Malware Names
· Probe Portal Hijacker
· PDF Spark (Trojanized app)
· WeTab (Sleeper extension)
Malware Sample
Probe Portal Hijacker
· Widely tagged in malware databases for its role in the Probe Portal redirect chain
sha256
680d8c18baa77878b4ec703d4575b3070d1792c817f9b457f0240a3a84679e57
URL link to sample
· hxxps://www.virustotal.com/gui/file/680d8c18baa77878b4ec703d4575b3070d1792c817f9b457f0240a3a84679e57
Malicious file related to the hijacker's persistence mechanisms
sha256
4c69ae447df0bf5b8021b8e34a19d4b625399a6581b3d22bb9d12a69eff749a7
URL link to sample
· hxxps://www.virustotal.com/gui/file/4c69ae447df0bf5b8021b8e34a19d4b625399a6581b3d22bb9d12a69eff749a7
Linked to artifacts that force browser settings to point toward probe-portal.com
sha256
4eb63630e3220c02b19736016b9d1bb141beaca4f3bf690f81873dbdf5391238
URL link to sample
· hxxps://www.virustotal.com/gui/file/4eb63630e3220c02b19736016b9d1bb141beaca4f3bf690f81873dbdf5391238
IOCs
· C2 / Redirect Domain: hxxp://www.probe-portal[.]com
· Fake Search Engine: search.wiseghostapp[.]com (associated redirector)
TTPs
Initial Access
· T1566 Phishing
o Often distributed via deceptive pop-up ads or links on dubious websites that trick users into downloading the software.
· T1189 Drive-by Compromise
o Some browser hijackers use scripts on compromised websites to execute stealthy installations without direct user interaction.
· Bundling / Third-Party Installers
o Frequently arrives bundled with free software installers, where it is presented as a "handy" feature in the installation setup.
Persistence & Execution
· T1176 Browser Extensions
o Installs itself as a malicious browser extension to maintain control over the browser even after restarts.
· T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
o Modifies system registry entries or startup folders to ensure the hijacker or its redirect processes run automatically upon system boot.
Defense Evasion
· T1562.001 Impair Defenses: Disable or Modify Tools
o Some variants may disable browser security features or utilize "persistence-ensuring" techniques that prevent users from easily modifying or reverting their browser settings.
· T1564.003 Hide Artifacts: Hidden Files and Directories
o May hide its own files within system directories to avoid manual detection by the user.
Collection & Exfiltration
· T1185 Browser Session Hijacking
o Modifies the default search engine, homepage, and new tab URLs to redirect queries through its own infrastructure (e.g., probe-portal.com) before landing on a legitimate site.
· T1539 Steal Web Cookies
o Capable of targeting internet cookies to capture session information and authentication tokens.
· T1005 Data from Local System
o Tracks and collects browsing history, search engine queries, IP addresses, and potentially sensitive details like login credentials entered into websites.
· T1041 Exfiltration Over C2 Channel
o The gathered browsing data is typically exfiltrated to remote servers where it can be sold to third parties or used for further malicious purposes.
Impact
· T1491 Defacement
o Though typically a web-based attack, the forced modification of the browser's visual layout (homepage and toolbars) constitutes a form of local browser defacement.
CVE & CVSS Vectors
· This malware has not been associated with a specific CVE
Suggested rules / potential hunts
As a reminder, these are indicator rules and are likely to be noisy.
For best results, consider building a data model and reviewing the matching traffic as a report rather than alerting on every hit.
Suricata
Detects HTTP requests whose Host header names the known malicious portal (encrypted HTTPS is only matched if TLS is decrypted before inspection).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE Probe-Portal Redirect Detected"; flow:established,to_server; http.host; content:"probe-portal.com"; classtype:pup-activity; sid:2000001; rev:1;)
Alerts on DNS queries for the hijacker's infrastructure.
alert dns $HOME_NET any -> any any (msg:"ET DNS Query for Probe-Portal Hijacker"; dns.query; content:"probe-portal.com"; nocase; classtype:pup-activity; sid:2000002; rev:1;)
SentinelOne
Browser Extension Installation
Monitor for unexpected file writes to Chrome/Edge extension folders, which is a common persistence method for hijackers.
EventType = "File Creation" AND FileFullName ContainsCIS "\Extensions\" AND (FileFullName ContainsCIS "\Google\Chrome\" OR FileFullName ContainsCIS "\Microsoft\Edge\")
Preference File Modification
Hunt for processes other than the browser itself modifying the browser's "Preferences" or "Secure Preferences" files (the path filter keeps the match to Chrome, Edge and Brave profile directories).
EventType = "File Modification" AND FileFullName ContainsCIS "Preferences" AND (FileFullName ContainsCIS "\Google\Chrome\" OR FileFullName ContainsCIS "\Microsoft\Edge\" OR FileFullName ContainsCIS "\BraveSoftware\") AND NOT (SrcProcName In ("chrome.exe", "msedge.exe", "brave.exe"))
Splunk
Search Sysmon registry value-set events (Event ID 13) for writes that place probe-portal.com into any Chrome or Edge policy value (homepage, startup pages, new tab, default search provider).
index=windows sourcetype="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=13 (TargetObject="*\\Software\\Policies\\Google\\Chrome\\*" OR TargetObject="*\\Software\\Policies\\Microsoft\\Edge\\*") Details="*probe-portal.com*"
Command Line Hunt for Browser Flags
Detect hijackers that launch browsers with specific --load-extension flags pointing to non-standard paths.
index=endpoint process_name IN ("chrome.exe", "msedge.exe") command_line="*--load-extension*" | where NOT match(command_line, "(?i)Program Files")
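As an added example (not part of the CyberDax report), the following Python script applies the same checks as the hunts above directly to a parsed Chromium Preferences / Secure Preferences document: it flags homepage, startup and default-search URLs that point at the report's IOC domains, and extensions that were not installed from the Web Store or that load from an absolute path. The JSON keys are the ones Chromium writes; the sample document is constructed.

```python
import json
from urllib.parse import urlsplit

# Redirect/search infrastructure named in the report, re-fanged for matching.
IOC_DOMAINS = {"probe-portal.com", "search.wiseghostapp.com"}


def host_is_ioc(url: str) -> bool:
    """True if the URL's host is an IOC domain or one of its subdomains."""
    host = (urlsplit(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)


def audit_preferences(prefs: dict) -> list:
    """Flag hijacked settings (T1185) and sideloaded extensions (T1176) in parsed Chromium Preferences."""
    findings = []
    if host_is_ioc(prefs.get("homepage", "")):
        findings.append("homepage -> " + prefs["homepage"])
    for url in prefs.get("session", {}).get("startup_urls", []):
        if host_is_ioc(url):
            findings.append("startup_url -> " + url)
    search = prefs.get("default_search_provider_data", {}).get("template_url_data", {})
    if host_is_ioc(search.get("url", "")):
        findings.append("default_search -> " + search["url"])
    for ext_id, ext in prefs.get("extensions", {}).get("settings", {}).items():
        path = ext.get("path", "")
        # Web Store installs record a relative "id\version" path; an absolute path
        # means an unpacked extension, e.g. one launched with --load-extension.
        if not ext.get("from_webstore", False) or ":\\" in path or path.startswith("/"):
            name = ext.get("manifest", {}).get("name", "?")
            findings.append(f"extension {ext_id} ({name}) sideloaded from {path!r}")
    return findings


# Constructed sample of a hijacked profile; not a real capture.
SAMPLE_PREFS = json.loads(r"""{
  "homepage": "http://www.probe-portal.com/",
  "session": {"startup_urls": ["https://www.probe-portal.com/?src=startup"]},
  "default_search_provider_data": {"template_url_data":
      {"url": "https://search.wiseghostapp.com/?q={searchTerms}", "short_name": "Search"}},
  "extensions": {"settings": {
    "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {"manifest": {"name": "NewTab Helper"},
        "from_webstore": false, "path": "C:\\Users\\u\\AppData\\Local\\Temp\\nt"},
    "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {"manifest": {"name": "Docs"},
        "from_webstore": true, "path": "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb\\1.0_0"}}}
}""")

if __name__ == "__main__":
    for finding in audit_preferences(SAMPLE_PREFS):
        print(finding)
```

Point the script at a real profile by loading `Preferences` and `Secure Preferences` from the user's Chrome or Edge `User Data\<profile>` directory and passing each parsed document to `audit_preferences`.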
Delivery Method
· Bundling with free software (e.g., PDF viewers)
· Compromised developer accounts pushing malicious updates
· Phishing kits
References
VirusTotal
· hxxps://www.virustotal.com/gui/file/680d8c18baa77878b4ec703d4575b3070d1792c817f9b457f0240a3a84679e57
· hxxps://www.virustotal.com/gui/file/4c69ae447df0bf5b8021b8e34a19d4b625399a6581b3d22bb9d12a69eff749a7
· hxxps://www.virustotal.com/gui/file/4eb63630e3220c02b19736016b9d1bb141beaca4f3bf690f81873dbdf5391238
MalwareBytes
· hxxps://www.malwarebytes.com/blog/news/2025/12/sleeper-browser-extensions-woke-up-as-spyware-on-4-million-devices
· hxxps://www.reddit.com/r/chrome/comments/1p64g7e/cannot_get_rid_of_browser_hijacker_in_chrome
PC Risk
· hxxps://www.pcrisk.com/removal-guides/34455-probe-portal-com-redirect
The Hacker News
· hxxps://thehackernews.com/2025/12/two-chrome-extensions-caught-secretly.html