Watch out for new browser hijacker – tolmkat

Recently, X-Sec Labs caught a new browser hijacker, tolmkat, which comes from China and ships in both 32-bit and 64-bit versions.

  • Hijacks browsers to specific pages by appending extra parameters to the end of their shortcut targets, so the browser opens those pages on launch
    • Affected browsers:
      • iexplore.exe (Microsoft Internet Explorer)
      • chrome.exe (Google Chrome)
      • firefox.exe (Mozilla Firefox)
      • 360se.exe (Qihoo 360 Security Browser)
      • 360chrome.exe (Qihoo 360 Browser)
      • QQBrowser.exe (QQ Browser)
      • 2345Explorer.exe (2345 Browser)
      • 2345chrome.exe (2345 Browser)
      • baidubrowser.exe (Baidu Browser)
      • SogouExplorer.exe (Sogou Browser)
      • Maxthon.exe (Maxthon Browser)
      • liebao.exe (Cheetah Browser)
      • UCBrowser.exe (UC Browser)
  • Fetches its configuration from a server
  • Uses a kernel driver to protect itself
    • The driver is signed with a valid certificate
      • Signer: 深圳市忆艺科技有限公司
      • Signing date: 2016.6.21
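Because the hijack works by injecting parameters into browser shortcut targets, the quickest host-side check is to audit the Arguments field of every shortcut that points at one of the browsers listed above. The PowerShell script below is an added example, not X-Sec's tool or the hijacker's code; the browser list comes from this post, while the scanned folders and the URL pattern are assumptions, and it requires Windows because it reads .lnk files through the WScript.Shell COM object.

```powershell
# Added example (not X-Sec's code): audit browser shortcuts for injected arguments.
# The hijacker appends parameters to browser shortcut targets, so a browser .lnk
# whose Arguments field carries a URL is a strong indicator. Some shortcuts have
# legitimate arguments (e.g. Chrome profile switches), so those are flagged for review only.
# Browser list is from the post; scanned folders are assumptions. Requires Windows (WScript.Shell COM).

$BrowserExes = @(
    'iexplore.exe', 'chrome.exe', 'firefox.exe', '360se.exe', '360chrome.exe',
    'QQBrowser.exe', '2345Explorer.exe', '2345chrome.exe', 'baidubrowser.exe',
    'SogouExplorer.exe', 'Maxthon.exe', 'liebao.exe', 'UCBrowser.exe'
)

# Folders where user-facing shortcuts usually live (assumed; extend as needed).
$ShortcutDirs = @(
    [Environment]::GetFolderPath('Desktop'),
    [Environment]::GetFolderPath('CommonDesktopDirectory'),
    [Environment]::GetFolderPath('StartMenu'),
    [Environment]::GetFolderPath('CommonStartMenu'),
    (Join-Path $env:APPDATA 'Microsoft\Internet Explorer\Quick Launch')   # includes pinned taskbar items
) | Where-Object { $_ -and (Test-Path $_) }

$Shell = New-Object -ComObject WScript.Shell

function Get-SuspiciousBrowserShortcut {
    param([switch]$Fix)   # -Fix clears URL-carrying arguments instead of only reporting them
    foreach ($dir in $ShortcutDirs) {
        Get-ChildItem -Path $dir -Filter '*.lnk' -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $lnk = $Shell.CreateShortcut($_.FullName)
            $exe = [IO.Path]::GetFileName($lnk.TargetPath)
            if ($BrowserExes -notcontains $exe) { return }                 # not a browser shortcut
            if ([string]::IsNullOrWhiteSpace($lnk.Arguments)) { return }   # clean: no arguments at all
            $hasUrl   = $lnk.Arguments -match 'https?://|www\.'            # assumed pattern for a forced page
            $severity = if ($hasUrl) { 'High' } else { 'Review' }
            [pscustomobject]@{
                Shortcut  = $_.FullName
                Target    = $lnk.TargetPath
                Arguments = $lnk.Arguments
                Severity  = $severity
            }
            if ($Fix -and $hasUrl) {
                $lnk.Arguments = ''   # restore the shortcut to launching the browser with no forced page
                $lnk.Save()
            }
        }
    }
}

# Report only; re-run with -Fix to clean High-severity shortcuts after reviewing the output.
Get-SuspiciousBrowserShortcut | Format-Table -AutoSize
```

Clearing the shortcut arguments is only part of the cleanup: as the post notes, the hijacker protects itself with a signed kernel driver and re-fetches its configuration from a server, so the shortcuts will be re-hijacked until the driver and its dropper are removed as well.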

X-Sec Antivirus can detect them easily~

X-Sec Antivirus detected tolmkat

Related MD5: